A HIPAA violation by a therapist or counselor can result in civil monetary penalties against the covered entity, criminal charges against the individual workforce member responsible, disciplinary action by the relevant state licensing board, and reputational damage to the practice that affects client retention and referral relationships. The Office for Civil Rights enforces HIPAA through complaint-based and breach-triggered investigations, and behavioral health practices are not exempt from that enforcement process regardless of their size or the number of clients they serve. A solo practitioner who impermissibly discloses a client’s psychotherapy notes, a billing coordinator who accesses records outside the scope of their role, and a counselor who shares client information through an unsecured consumer messaging application each create potential enforcement exposure for themselves and for the practice in which they work.
Civil Monetary Penalties and the Tiered Penalty Structure
OCR applies a four-tier civil monetary penalty structure based on the degree of culpability associated with a violation. Violations where the covered entity did not know and could not have known of the breach carry penalties from $100 to $50,000 per violation, with an annual cap of $25,000 for identical violations. Violations attributable to reasonable cause rather than willful neglect carry penalties from $1,000 to $50,000 per violation, with an annual cap of $100,000. Violations constituting willful neglect that are corrected within thirty days carry penalties from $10,000 to $50,000 per violation with an annual cap of $250,000. Violations constituting willful neglect that are not corrected carry mandatory penalties of $50,000 per violation with an annual cap of $1.9 million. A therapy or counseling practice that has never provided workforce training, or that cannot produce training records when OCR requests them, faces the highest culpability assessment because the absence of training is itself evidence of willful neglect.
Criminal Penalties for Individual Therapists and Counselors
Section 1177 of the Social Security Act imposes criminal penalties on individuals who knowingly obtain or disclose individually identifiable health information in violation of HIPAA. A therapist or counselor who accesses a former client’s records without authorization, shares client information for personal reasons, or discloses psychotherapy notes without the required written authorization can face criminal prosecution as an individual, not only as a representative of the covered entity. Penalties range from fines and up to one year imprisonment for basic offenses, to fines and up to ten years imprisonment where the violation involves intent to sell, transfer, or use protected health information for commercial advantage, personal gain, or malicious harm. These criminal provisions apply to the individual workforce member directly and do not require the covered entity to have failed its compliance obligations first.
Licensing Board Consequences and Professional Sanctions
A HIPAA violation by a licensed therapist or counselor can trigger a complaint to the relevant state licensing board in addition to any federal enforcement action. State licensing boards for licensed clinical social workers, licensed professional counselors, marriage and family therapists, and licensed mental health counselors each maintain their own codes of professional conduct, and an impermissible disclosure of client information that violates HIPAA will also typically violate the confidentiality provisions of those professional codes. Licensing board investigations operate independently of OCR investigations and can result in formal reprimand, mandatory remediation, suspension of licensure, or permanent revocation. A therapist who faces both a licensing board investigation and an OCR enforcement action simultaneously confronts consequences in two separate regulatory forums, each with its own timeline, documentation requirements, and potential outcomes.
Practice-Level Financial and Reputational Impact
A HIPAA enforcement action against a therapy or counseling practice produces consequences that extend beyond the penalty itself. OCR resolution agreements routinely require corrective action plans that mandate the implementation of new policies, workforce retraining, and periodic compliance reporting to OCR for a defined period, typically two years. The administrative burden of a corrective action plan falls on the practice, including any sole practitioner who must fulfill those obligations while continuing to provide client care. Client notification following a reportable breach damages the therapeutic relationship at the point where confidentiality is most valued by clients, and in small behavioral health practices that operate on personal reputation and referral networks, a public breach notification can produce client loss that no financial penalty figure captures. Practices that maintain documented training programs, conduct annual refresher training, and retain training records for the required six-year period are better positioned in any OCR investigation to demonstrate a good-faith compliance effort that may reduce the severity of the enforcement outcome.
HIPAA Training for Therapists and Counselors
HIPAA Training for Therapists and Counselors from The HIPAA Journal includes a dedicated module on the consequences of HIPAA violations for individual employees and for covered entities, using scenarios drawn from behavioral health practice settings to show staff the direct personal and professional consequences of specific compliance failures. The course covers the Privacy Rule, Security Rule, and Breach Notification Rule alongside specialist behavioral health content, and produces a dated accredited certificate with 5.0 CEUs from the Compliance Certification Board that serves as documented evidence of training in any OCR investigation or licensing board proceeding.


