Atlantic Health Strategies

Hidden HIPAA and OIG Risks for Group and Private Behavioral Health Practices: What Owners Miss Until the Letter Arrives

Table of Contents

Ready to See Results?

From strategy through execution, Atlantic Health Strategies integrates compliance, operations, and growth into durable, measurable results. Let’s put our expertise to work for your organization.

The short answer: three findings drive almost every federal enforcement action against small practices

Group and private behavioral health practices most often get hit by federal regulators for three things: a missing or stale HIPAA Security Risk Analysis, a failure to give patients timely access to their own records, and billing patterns that do not match the documentation. Every OCR resolution agreement and DOJ press release I read this year traces back to one of those three failures.

Owners of two-location groups in Florida, Tennessee, and New Jersey tell me the same thing after a knock on the door. They thought federal enforcement was for hospitals. It is not. Attorneys tracking OCR activity documented that in December 2024 alone, OCR issued a $1.19 million CMP against Gulf Coast Pain Consultants, a $548,265 CMP against Children’s Hospital Colorado, and a $250,000 settlement with Inmediata Health Group. Named respondents on OCR’s 2024 and 2025 enforcement list include a family medicine office, a dental practice, and a pain-management group.

Small entities are on the menu. OCR is not just chasing hospitals.

Who actually paid in 2024 and 2025

The pain-management case is the one every private practice owner should read twice. On December 3, 2024, OCR made final a $1,190,000 civil monetary penalty against Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute, a Florida-based practice with locations in Alabama, Delaware, Maryland, New Jersey, and Pennsylvania. OCR found four Security Rule violations, including a failure to conduct an accurate and thorough risk analysis and a failure to implement procedures to terminate former workforce members’ access to ePHI. A former contractor accessed the ePHI of approximately 34,310 individuals on three occasions, and OCR did not confirm a HIPAA-compliant risk analysis had been performed until September 30, 2022. That second finding, terminated staff still holding EMR credentials, is a finding I catch on almost every mock survey we run for a group practice.

The behavioral health example is even closer to home. On July 7, 2025, OCR announced a $225,000 settlement with Deer Oaks – The Behavioral Health Solution, a psychological and psychiatric services provider serving long-term care and assisted living residents, after concluding Deer Oaks had failed to conduct a comprehensive and accurate risk analysis under 45 C.F.R. § 164.308(a)(1)(ii)(A). The underlying breach affected 171,871 individuals following an August 2023 ransomware attack. Two years of corrective action plan monitoring came with the check.

The Right of Access Initiative keeps producing penalties too. In November 2024, OCR imposed a $100,000 penalty against a mental health center for failing to provide timely access to patient records, which was OCR’s 51st Right of Access enforcement action. Owners who cannot produce a records-request log within the 30-day window should assume they are the next respondent.

OCR leadership is not being subtle about where the agency is pointing. Announcing the Gulf Coast penalty, then-OCR Director Melanie Fontes Rainer said, “Current and former workforce can present threats to health care privacy and security.” Announcing the Deer Oaks settlement, current OCR Director Paula M. Stannard said “identifying potential risks and vulnerabilities to ePHI is a key step in preventing or mitigating breaches.” If the last time anyone touched your Security Risk Analysis was during EMR implementation, you are the target profile.

OIG and DOJ are watching behavioral health billing, not just hospital fraud

The OIG Work Plan should sit on every behavioral health owner’s desk. Behavioral health is squarely inside it, with active OIG projects covering Medicaid Claims for Opioid Treatment Program Services and Medicare Part B Payments for Psychotherapy Services. If your group runs a telehealth-heavy PHP or IOP referral pipeline, you are inside the frame.

The DOJ numbers explain the incentive. DOJ recovered more than $2.9 billion in False Claims Act settlements and judgments in fiscal year 2024, with over $1.67 billion tied to healthcare, representing 57 percent of recoveries. Whistleblowers filed 979 qui tam lawsuits that year, averaging 18 new cases every week and breaking the prior record of 757 filings set in FY2013. That volume is not tapering.

Behavioral health did not escape. Under a September 2024 settlement, Acadia Healthcare agreed to pay $16,663,918 to the United States to resolve False Claims Act liability for allegedly billing Medicare, Medicaid, and TRICARE for medically unnecessary inpatient behavioral health services between 2014 and 2017, plus $3,186,082 to Florida, Georgia, Michigan, and Nevada. Principal Deputy Assistant Attorney General Brian M. Boynton tied the case to the population directly, saying providers must satisfy medical-necessity requirements “when providing services to a vulnerable patient population, such as residents of an inpatient behavioral health facility.”

The through-line in these cases is not exotic fraud. It is documentation that does not match the CPT code, sessions that do not meet the psychotherapy definition, and supervision that cannot be substantiated on the chart. Owners treat that as an operational problem. DOJ treats it as a legal one.

What owners actually miss until the letter arrives

Three specific gaps produce most of the exposure I see in group and private practices in Florida, Ohio, and Tennessee.

The Security Risk Analysis is missing, boilerplate, or dated. OCR Director Paula M. Stannard put it plainly in the Deer Oaks announcement: “Common deficiencies include lacking a risk analysis entirely or failing to update existing risk analyses when implementing new technologies or expanding operations that affect the security of ePHI.” OCR launched its Risk Analysis Initiative in October 2024 to press the point.

Termination workflows are broken. When a therapist resigns on a Friday, most small practices do not deprovision EMR, email, and remote access until the following Tuesday. That gap is exactly what OCR cited in the Gulf Coast matter, where the practice did not implement compliant termination procedures until April 10, 2020, years after the underlying breach.

Owners underestimate timing. Practices sell, restructure, or take PE capital during long OCR investigation windows with no idea a matter is open. Sellers who miss this in diligence hand the buyer a ticking file. Buyers who miss it inherit it.

Two more issues we catch on nearly every readiness review: no monthly LEIE exclusion screen of clinicians and vendors, and SUD records shared under HIPAA-only consent language rather than 42 CFR Part 2-compliant consent. And a billing-side finding worth calling out on its own: psychotherapy add-on codes billed without time documentation, or 90837 billed when the note only supports 90834. OIG has an active Work Plan project on Medicare Part B Payments for Psychotherapy Services. If you cannot show time on the face of the note, you cannot bill the code.

How AHS handles this before the regulator does

At Atlantic Health Strategies, our team runs mock OCR and OIG readiness reviews against the same elements the regulators cite in their published resolution agreements. We start with the Security Risk Analysis, because that is where OCR starts. Our reviewers check EMR termination logs, patient-access request logs, and psychotherapy documentation against ASAM Criteria 4th Edition levels of care and CPT time thresholds. Our team screens your workforce against the LEIE and confirms your Part 2 consents actually say what Part 2 requires.

Owners in Florida and New Jersey call us for two reasons: they got a letter, or they are about to sell and their buyer’s counsel is asking questions they cannot answer. Both problems have the same root cause. Owners never built an operational backbone designed to survive a federal file review.

Our team builds it, stress-tests it, and hands it back as a compliance program the owners can actually run. If you are within twelve months of a transaction, or you have not touched your SRA in eighteen months, you are already behind. Start there.

Frequently asked questions

Does OCR actually enforce HIPAA against small group and private practices, or just large hospitals?

Small practices are directly in scope. OCR imposed a $1,190,000 civil monetary penalty on Gulf Coast Pain Consultants, a multi-state pain-management group, in December 2024. In November 2024, OCR imposed a $100,000 penalty against a mental health center for failing to provide timely records access, its 51st Right of Access enforcement action. Family medicine offices and dental practices are also on the enforcement list.

What is the single most common HIPAA finding against practices right now?

A missing or inadequate Security Risk Analysis. OCR launched its Risk Analysis Initiative in October 2024, and OCR Director Paula M. Stannard has publicly said the covered entity or business associate under investigation “will often have deficient risk analysis practices,” including lacking a risk analysis entirely or failing to update it when adding new technology.

How exposed is a behavioral health operator to a False Claims Act case?

More exposed than most owners realize. DOJ recovered more than $2.9 billion in FCA settlements and judgments in FY 2024, with over $1.67 billion (57 percent) tied to healthcare, and whistleblowers filed a record 979 qui tam lawsuits that year, averaging 18 new cases every week. Acadia Healthcare’s September 2024 settlement of $16,663,918 to the United States (plus $3,186,082 to Florida, Georgia, Michigan, and Nevada) shows that behavioral health providers are being pursued for medical necessity, documentation, and staffing failures.

How is OIG different from OCR for a behavioral health practice?

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules. OIG oversees federal healthcare program integrity: False Claims Act cases, the Anti-Kickback Statute, Medicaid billing accuracy, and exclusion screening. The OIG Work Plan currently lists active projects covering Medicaid Claims for Opioid Treatment Program Services and Medicare Part B Payments for Psychotherapy Services, both of which sit squarely on behavioral health operators. Both agencies can hit the same practice for different reasons.

Request a Free Consultation

Scroll to Top