Article Updated: July 10, 2026

The Consequences of HIPAA Violations for Therapists and Counselors

A HIPAA violation by a therapist or counselor can result in civil monetary penalties against the covered entity, criminal charges against the individual workforce member responsible, disciplinary action by the relevant state licensing board, and reputational damage to the practice that affects client retention and referral relationships. The Office for Civil Rights enforces HIPAA through complaint-based and breach-triggered investigations, and behavioral health practices are not exempt from that enforcement process regardless of their size or the number of clients they serve. A solo practitioner who impermissibly discloses a client’s psychotherapy notes, a billing coordinator who accesses records outside the scope of their role, and a counselor who shares client information through an unsecured consumer messaging application each create potential enforcement exposure for themselves and for the practice in which they work.

Civil Monetary Penalties and the Tiered Penalty Structure

OCR applies a four-tier civil monetary penalty structure based on the degree of culpability associated with a violation. Violations where the covered entity did not know and could not have known of the breach carry penalties from $100 to $50,000 per violation, with an annual cap of $25,000 for identical violations. Violations attributable to reasonable cause rather than willful neglect carry penalties from $1,000 to $50,000 per violation, with an annual cap of $100,000. Violations constituting willful neglect that are corrected within thirty days carry penalties from $10,000 to $50,000 per violation with an annual cap of $250,000. Violations constituting willful neglect that are not corrected carry mandatory penalties of $50,000 per violation with an annual cap of $1.9 million. A therapy or counseling practice that has never provided workforce training, or that cannot produce training records when OCR requests them, faces the highest culpability assessment because the absence of training is itself evidence of willful neglect.

Criminal Penalties for Individual Therapists and Counselors

Section 1177 of the Social Security Act imposes criminal penalties on individuals who knowingly obtain or disclose individually identifiable health information in violation of HIPAA. A therapist or counselor who accesses a former client’s records without authorization, shares client information for personal reasons, or discloses psychotherapy notes without the required written authorization can face criminal prosecution as an individual, not only as a representative of the covered entity. Penalties range from fines and up to one year imprisonment for basic offenses, to fines and up to ten years imprisonment where the violation involves intent to sell, transfer, or use protected health information for commercial advantage, personal gain, or malicious harm. These criminal provisions apply to the individual workforce member directly and do not require the covered entity to have failed its compliance obligations first.

Licensing Board Consequences and Professional Sanctions

A HIPAA violation by a licensed therapist or counselor can trigger a complaint to the relevant state licensing board in addition to any federal enforcement action. State licensing boards for licensed clinical social workers, licensed professional counselors, marriage and family therapists, and licensed mental health counselors each maintain their own codes of professional conduct, and an impermissible disclosure of client information that violates HIPAA will also typically violate the confidentiality provisions of those professional codes. Licensing board investigations operate independently of OCR investigations and can result in formal reprimand, mandatory remediation, suspension of licensure, or permanent revocation. A therapist who faces both a licensing board investigation and an OCR enforcement action simultaneously confronts consequences in two separate regulatory forums, each with its own timeline, documentation requirements, and potential outcomes.

Practice-Level Financial and Reputational Impact

A HIPAA enforcement action against a therapy or counseling practice produces consequences that extend beyond the penalty itself. OCR resolution agreements routinely require corrective action plans that mandate the implementation of new policies, workforce retraining, and periodic compliance reporting to OCR for a defined period, typically two years. The administrative burden of a corrective action plan falls on the practice, including any sole practitioner who must fulfill those obligations while continuing to provide client care. Client notification following a reportable breach damages the therapeutic relationship at the point where confidentiality is most valued by clients, and in small behavioral health practices that operate on personal reputation and referral networks, a public breach notification can produce client loss that no financial penalty figure captures. Practices that maintain documented training programs, conduct annual refresher training, and retain training records for the required six-year period are better positioned in any OCR investigation to demonstrate a good-faith compliance effort that may reduce the severity of the enforcement outcome.

HIPAA Training for Therapists and Counselors

HIPAA Training for Therapists and Counselors from The HIPAA Journal includes a dedicated module on the consequences of HIPAA violations for individual employees and for covered entities, using scenarios drawn from behavioral health practice settings to show staff the direct personal and professional consequences of specific compliance failures. The course covers the Privacy Rule, Security Rule, and Breach Notification Rule alongside specialist behavioral health content, and produces a dated accredited certificate with 5.0 CEUs from the Compliance Certification Board that serves as documented evidence of training in any OCR investigation or licensing board proceeding.

Author: PJ Murray

PJ Murray is the founder and publisher of The HIPAA Journal. He has more than 10 years of experience writing about HIPAA, healthcare compliance, patient privacy, and the protection of medical records. Through The HIPAA Journal, PJ helps healthcare organizations, business associates, and their employees better understand HIPAA regulations, reduce compliance risks, and strengthen the safeguards used to protect patient information.

PJ has a background in software development, holds an engineering degree, and specializes in the cybersecurity aspects of HIPAA compliance, including data security, medical record protection, and workforce training. He has also played a leading role in the development and launch of The HIPAA Journal Training, which provides HIPAA and cybersecurity training for healthcare organizations, business associates, students, and healthcare-related workforces.

PJ's work focuses on making complex regulatory and technical requirements easier for healthcare professionals and organizations to understand and apply in practice.
Connect on LinkedIn.