What is considered a HIPAA violation?

Deanna deBara, Author

Published November 3, 2025


Summary

  • Understand what is considered a HIPAA violation, including administrative violations (failing to implement safeguards), civil violations (unintentional breaches), and criminal violations (intentional or malicious breaches)

  • Learn who can violate HIPAA—including covered entities (health care providers, health plans, clearinghouses), business associates, and all employees within these organizations, regardless of their role

  • Discover common HIPAA violation examples including unauthorized access or disclosure of PHI, not securing patient records, failing to train staff, and not reporting known violations

  • Explore consequences of violations ranging from $100 to $1.5 million in annual penalties for civil cases, or up to 10 years imprisonment and $250,000 fines for criminal cases

  • Get clarity on what determines violation severity—including intent, awareness of HIPAA rules, response time, and whether the violation could have been reasonably prevented

If you’re wondering what is considered a HIPAA violation, this article explains what HIPAA is and what constitutes a violation of it.

The Health Insurance Portability and Accountability Act, or HIPAA, was designed to keep protected health information (PHI) safe. HIPAA compliance is required of any health care providers who are considered “covered entities,” including therapists—and failing to comply can lead to a host of consequences, from financial penalties to legal action.

This is why it’s so important to understand what non-compliance looks like—or, in other words, what it means to violate HIPAA.

Let’s take a look at everything you need to know about HIPAA violations, including what is considered a HIPAA violation, the different types of HIPAA violations (along with some examples), and what happens if you violate HIPAA.


Who can violate HIPAA?

While what is considered a HIPAA violation is an important question to address, it’s also important to answer the question of who can violate HIPAA.

There are a few different categories of individuals, organizations, and agencies subject to HIPAA laws—and, as such, they are subject to potential violations.

Unsure whether you or your practice is considered a covered entity?

If you’d like to verify whether you’re a covered entity under HIPAA, consult your malpractice insurance provider, seek legal counsel, or check with your licensing board (search for your state and license type, or the state-wide directory for your specialty, such as the directory for professional counselors).

You may be required to follow HIPAA regulations if you:

  • Accept insurance or bill insurance companies for services

  • Use a clearinghouse to submit claims

  • Accept public funding for health care (such as Medicare or Medicaid)

  • Use services that facilitate your clinical work and handle PHI (also known as business associates—such as practice management software, billing services, or cloud storage providers)

Important note: Even if you're not technically a covered entity or business associate, many licensing boards and state or local municipalities have similar security and privacy rules and regulations to HIPAA—so it's always in your best interest to keep your practice HIPAA compliant.

“The potential for violations of HIPAA exists for both covered entities and business associates,” says Brittany Astrom, LMFT, Clinical Supervisor at OC Revive.

So what, exactly, are covered entities and business associates?

There are three types of covered entities, including:

  • Health care providers (like a therapist or doctor)

  • Health plans (like a health insurance company)

  • Health care clearinghouses, which the HHS defines as “entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.”

HHS defines a business associate as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” That might include, for example, a practice management software or EHR platform.

So, can a non-medical person violate HIPAA? Yes—if they work for a covered entity or business associate. HIPAA compliance is required of anyone who has access to PHI in a health care setting, regardless of whether they’re clinical or administrative staff.

This means receptionists, billing coordinators, office managers, and other non-clinical employees must all follow HIPAA regulations.

For example, if a receptionist at a doctor’s office accidentally shared a patient’s PHI, that practice would be in violation of HIPAA.


What is a HIPAA violation?

Next, let’s touch on the basic, most foundational question: What is a HIPAA violation?

Essentially, a HIPAA violation occurs when a person or entity bound by HIPAA fails to comply with HIPAA rules and regulations.

“When health information is utilized, disclosed, and/or released in ways that are not in alignment with the law, a HIPAA violation is said to have occurred,” says Astrom.

Now that you know what a HIPAA violation is, let’s dig into the specific examples of what is considered a HIPAA violation. 

When it comes to what constitutes a HIPAA violation, violations fall into one of three categories: administrative violations, civil violations, and criminal violations.

Administrative violations

Administrative violations involve failing to comply with HIPAA’s administrative safeguards. For example, this includes neglecting to implement policies and procedures that protect PHI or not training your practice staff on HIPAA regulations.

Civil violations

Civil violations result when HIPAA is violated unintentionally. For example, leaving a file open and accidentally exposing a patient’s PHI or sending a medical file using email instead of a HIPAA-compliant communications platform.

Criminal violations

Criminal violations result when HIPAA is violated on purpose. For example, selling a patient’s PHI to an ad company and pocketing the money or accessing client records with malicious intent.

HIPAA violation examples

Now that you know the categories of HIPAA violations, let’s get more specific and take a look at some examples.

Here are examples of what is considered a HIPAA violation: 

  • Unauthorized access of PHI (e.g., an employee reading a patient’s chart without authorization)

  • Unauthorized disclosure of PHI (e.g., sharing medical records without consent)

  • Not allowing patients to access their PHI

  • Not developing or implementing policies and procedures to protect PHI

  • Not securing PHI, either digitally (e.g., not using software that encrypts data) or physically (e.g., leaving medical files in an unlocked cabinet)

  • Leaving PHI out and accessible (e.g., leaving a client file open on a computer that other people in the office can access)

  • Not providing privacy notices to patients/clients

  • Not reporting a known HIPAA violation

Real-world examples of what is considered a HIPAA violation

HIPAA violations happen more often than you might think—and often in surprisingly mundane ways. 

In one case, a mental health practice faced enforcement action after storing client records in cloud-based storage without a signed Business Associate Agreement (BAA) with the provider, leaving PHI vulnerable and the practice liable. 

In another instance, a therapist posted on social media about a challenging session—without using names or identifying details—but included enough contextual information that community members could identify the client, resulting in a breach complaint. 

Physical security failures are equally common. Practices have been cited for leaving paper files in unlocked cars overnight, failing to secure filing cabinets in shared office spaces, and allowing cleaning crews unsupervised access to areas where PHI was visible. 

Even well-intentioned practices can stumble—one clinic received a violation notice after a staff member accidentally emailed a client's therapy notes to the wrong patient due to similar email addresses in their system. 

These real-world examples underscore an important truth: HIPAA violations aren't just hypothetical risks or problems for "other practices"—they're daily realities that can happen to anyone who isn't consistently vigilant about protecting client information.


What happens if you violate HIPAA?

You now know what is considered a HIPAA violation, and who can violate these laws. The next big question is: What happens when you violate HIPAA?

There are consequences of varying degrees—and they largely depend on intent, whether you know what is considered a HIPAA violation, how long it took you to identify and report the violation, and whether it could have been reasonably avoided.   

These factors also determine whether the violation is civil or criminal.

Civil HIPAA violations 

Civil HIPAA violations are handled by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). When OCR finds a violation, the covered entity or business associate must take corrective action (aka fix the problem)—and also voluntarily comply with all HIPAA regulations moving forward. 

Depending on the scope of the violation, they may also be required to enter into a resolution agreement, which the HHS defines as “a settlement agreement signed by HHS and a covered entity or business associate in which the covered entity or business associate agrees to perform certain obligations and make reports to HHS, generally for a period of three years.” 

The resolution agreement may include: 

  • Payment of civil penalties 

  • Corrective action plans (like training for staff on what is a HIPAA violation, so they can identify what is considered a HIPAA violation and prevent another violation from occurring)

  • Demonstrated compliance with OCR oversight 

Over those three years, the HIPAA violator is monitored by HHS to ensure compliance with the agreement.

If the entity or associate does not take the correct steps to address and fix the HIPAA violation, OCR may impose civil money penalties. 

Penalties for civil HIPAA violations are as follows:

  • Unknowing HIPAA violations: Penalties range from $100 to $50,000 per violation—with an annual maximum of $25,000 for repeat violations.

  • Reasonable cause HIPAA violations: Penalties range from $1,000 to $50,000 per violation—with an annual maximum of $100,000 for repeat violations.

  • Willful neglect HIPAA violations (corrected within the required time period): Penalties range from $10,000 to $50,000 per violation—with an annual maximum of $250,000 for repeat violations. The required time period is 30 days from when the covered entity knew, or would reasonably have known, that a violation occurred.

  • Willful neglect HIPAA violations (not corrected within the required time period): Penalties are $50,000 per violation—with an annual maximum of $1.5 million. The required time period is 30 days from when the covered entity knew, or would reasonably have known, that a violation occurred.

Criminal HIPAA violations 

The main difference between civil and criminal HIPAA violations is the intent behind them.

Namely, whether the members or staff of the covered entity were made aware of what is considered a HIPAA violation (or should have known), and still deliberately violated HIPAA.

If the violation cannot be considered an accident or an act of negligence, it may be subject to criminal charges.

When the HIPAA violation is committed intentionally and knowingly, under deceitful pretenses, or for profit, there’s a good chance that it’s a criminal case, and therefore handled by the Department of Justice (DOJ).

Penalties for criminal HIPAA violations are as follows:

  • Covered entities and business associates who knowingly obtain or disclose individually identifiable health information face a fine of up to $50,000 and/or imprisonment for up to one year. 

  • If the offense is committed under false pretenses, the penalties may be increased to a $100,000 fine and/or five years imprisonment.

  • If the offense is committed with the intent to sell, transfer, or use individually identifiable health information for personal gain, commercial advantage, or malicious harm, violators may face up to 10 years in prison and/or a $250,000 fine.

How to prevent HIPAA violations in your practice

Prevention is always easier—and less expensive—than dealing with the aftermath of a HIPAA violation. 

Start by conducting annual HIPAA training for all staff members, including administrative employees, so everyone understands what constitutes a violation and how to protect PHI in their daily work. 

Use HIPAA-compliant practice management software with proper encryption and security features—and ensure you have signed Business Associate Agreements (BAAs) with all your technology vendors.

Implement a clean desk policy that requires staff to lock away physical files at the end of each day and log out of computers when stepping away. 

Create a written incident response plan so everyone knows exactly what to do if a breach occurs, reducing panic and ensuring a swift response. 

Review and update your privacy policies at least annually, or whenever you make significant changes to your practice operations or technology. 

Finally, conduct periodic security risk assessments—at minimum annually—to identify vulnerabilities in your physical space, digital systems, and workflows before they become problems. 

These proactive steps create a culture of privacy and security in your practice, significantly reducing your risk of violations while building client trust.


What to do if you discover a HIPAA violation

If you discover something that fits the definition of what is considered a HIPAA violation in your practice, act quickly but methodically. 

First, immediately contain the breach—stop any ongoing unauthorized access or disclosure of PHI. 

Next, document everything about the incident: what happened, when you discovered it, what PHI was involved, and who was affected. 

If you're part of a larger practice, report the incident to your HIPAA Privacy Officer right away; if you're in solo practice, you are the Privacy Officer and must take responsibility for the response. 

Depending on the scope of the breach, you may need to notify affected individuals—breaches affecting 500 or more people require notification to those individuals, HHS, and sometimes the media. 

For smaller breaches (fewer than 500 people), you must still document them and report annually to HHS. Most breaches must be reported to HHS within 60 days of discovery. 

Finally, use the incident as a learning opportunity: review what went wrong, update your policies and procedures to prevent similar violations, and provide additional training to staff if needed. 

Taking swift, transparent action not only demonstrates good faith compliance but can also significantly reduce potential penalties.

How SimplePractice streamlines running your practice

SimplePractice is HIPAA-compliant practice management software with everything you need to run your practice built into the platform—from booking and scheduling to insurance and client billing.

If you’ve been considering switching to an EHR system, SimplePractice empowers you to run a fully paperless practice—so you get more time for the things that matter most to you.

Try SimplePractice free for 30 days. No credit card required.



Deanna deBara is a journalist and freelance writer living in Oregon. When she's not busy writing, you can find her in the kitchen trying a new baking recipe or exploring the Pacific Northwest with her husband and their two rescue dogs.