Table of Contents
Ready to See Results?
From strategy through execution, Atlantic Health Strategies integrates compliance, operations, and growth into durable, measurable results. Let’s put our expertise to work for your organization.
The short answer for behavioral health operators
Behavioral health operators mitigate breaches by pairing HIPAA Security Rule discipline (risk analysis, access controls, audit logs, multi-factor authentication) with 42 CFR Part 2 consent and redisclosure controls, and by rehearsing the 60-day breach notification clock before an incident forces the issue. That is the whole game. Everything else is detail.
The numbers say the pressure is not abstract. In calendar year 2024, the HHS Office for Civil Rights received 663 reports of large breaches, and hacking/IT incidents comprised 81% of those breaches. In the same reporting cycle, OCR collected $7,813,831 in penalties from breach-related enforcement, plus a further $950,000 penalty from a media-triggered investigation. And OCR called out its priorities plainly: risk analysis, risk management, information system activity review, audit controls, and person or entity authentication as the standards where regulated entities keep coming up short.
If you run a substance use disorder or mental health facility in Florida, Texas, Arizona, or any state where behavioral health has consolidated fast, that finding is your operating manual. The Joint Commission surveyors will ask for the same artifacts. So will CARF. So will state licensing.
What the HIPAA Breach Notification Rule actually demands
The Breach Notification Rule lives at 45 CFR §§ 164.400–414, enforced by the HHS Office for Civil Rights. Operators need to internalize three deadlines and one definition.
- Individuals: A covered entity must notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery of a breach.
- HHS: If a breach affects 500 or more individuals, covered entities must notify the Secretary without unreasonable delay and in no case later than 60 days following the breach; smaller breaches may be reported to the Secretary on an annual basis.
- Media: Covered entities that experience a breach affecting more than 500 residents of a State or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the State or jurisdiction.
The definition that ends careers is “discovery.” A covered entity is deemed to have knowledge of a breach if it is known, or by exercising reasonable diligence would have been known, to any workforce member or agent of the covered entity. Translation for a treatment center CEO: the 60-day clock does not start when your general counsel gets the email. It starts when the intake tech sees the anomaly and shrugs.
42 CFR Part 2 changed on February 16, 2026. If you missed it, catch up now
SUD programs live under a second regime on top of HIPAA, jointly administered by SAMHSA and the HHS Office for Civil Rights. On February 8, 2024, HHS OCR announced a final rule modifying the Confidentiality of Substance Use Disorder Patient Records regulations at 42 CFR Part 2. The rule went into effect on April 16, 2024, with a two-year implementation period, and enforcement for the updated Part 2 rules started on February 16, 2026.
What operators should have already changed:
- Patient Notice language and single-consent workflows for treatment, payment, and health care operations.
- Breach handling. The final rule applies the HITECH Act breach notification provisions currently implemented in the HIPAA Breach Notification Rule to breaches of records by Part 2 programs.
- Complaint intake. The final rule adds a right to file a complaint directly with the Secretary for an alleged violation of Part 2, and patients may also concurrently file a complaint with the Part 2 program.
If your compliance officer cannot show you an updated Notice, an updated consent form, and a Part 2 breach playbook that reads like your HIPAA one, you have unfinished work. And when DOJ pursues a False Claims Act theory tied to Part 2 disclosures, the same documentation is what your outside counsel will beg for.
The five OCR findings that keep showing up in behavioral health
Behavioral health facilities do not get investigated by OCR because ransomware is exotic. They get penalized because the basics were skipped. The agency’s own commentary on 2024 investigations names “risk analysis, risk management, information system activity review, audit controls, and person or entity authentication” as the recurring failure points. OCR investigators also documented weak authentication practices, such as default passwords and single-factor remote access, rather than multifactor authentication.
A concrete example that should hit close to home for any multi-site behavioral health operator: Clearway Pain Solutions Institute, a Florida pain management practice, agreed to settle its HIPAA case with OCR for $1,190,000 after failing to terminate the access rights of a former contractor when the contractor stopped working for the company. Termination access, in other words, was the finding. Not a hacker in a hoodie. A former contractor who still had a login.
Operator translation:
- Run a current, written risk analysis. Update it when you open a site, buy a program, or swap EMRs. The Joint Commission and CARF surveyors will ask to see it during your EOC tour.
- Remove terminated workforce access in minutes, not on the next business day. Keep the audit log that proves it.
- Turn on MFA for every remote path into ePHI. No exceptions for the medical director.
- Review information system activity. If nobody looks at the logs, they do not exist for OCR purposes.
The operator playbook: what to build before the incident
Every behavioral health operator I work with wants a checklist. Fine. Here is one grounded in what OCR, DOJ, and CMS are actually citing.
- Written risk analysis, refreshed annually and after material changes. Risk analysis failures were by far the most commonly identified HIPAA violations in OCR enforcement actions.
- MFA on every remote and administrative account. Default passwords are a settlement waiting to happen.
- Real-time termination workflow. HR, IT, and clinical leadership on one channel. The clock is minutes, not hours.
- Business Associate Agreements with a shorter notification clock than the federal 60 days. If your BA takes 59 days, you have one day. Contract for 72 hours.
- A Part 2 playbook that matches your HIPAA one. Consent language, Patient Notice, redisclosure statement, complaint intake to SAMHSA and OCR.
- A tabletop drill. Run the breach scenario with the CEO, COO, compliance, IT, clinical leadership, and outside counsel in one room. Discover where your 60-day clock actually starts.
- Documentation. Six years, minimum. If it is not written down, OCR does not credit it, and neither will a DOJ civil investigator working a parallel False Claims Act theory.
Behavioral health operators who invest in this operational backbone before an incident spend less money, keep census, and preserve their accreditation with The Joint Commission or CARF. The ones who wait pay the $1.19M lesson.
Frequently asked questions
How fast must a behavioral health facility notify individuals after a HIPAA breach?
Under 45 CFR § 164.404, a covered entity must notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. Discovery starts the day any workforce member knew, or with reasonable diligence should have known, about the incident. Not the day it reached the C-suite.
When did the updated 42 CFR Part 2 rule become enforceable, and what changed for SUD providers?
SAMHSA and the HHS Office for Civil Rights issued the final rule on February 8, 2024; it took effect April 16, 2024, with a two-year implementation period, and enforcement of the updated Part 2 rules began February 16, 2026. Key changes include a single patient consent for future uses and disclosures for treatment, payment, and health care operations; alignment of Part 2 breach notification with the HIPAA Breach Notification Rule; and a new right to file complaints directly with the HHS Secretary.
What HIPAA Security Rule failures does OCR cite most often in behavioral health enforcement?
In its 2024 report to Congress, OCR named risk analysis, risk management, information system activity review, audit controls, and person or entity authentication as the priority areas. Enforcement records also show weak authentication (default passwords, single-factor remote access), failure to terminate former workforce access, and missing risk analyses. A Florida pain practice, Clearway Pain Solutions Institute, settled for $1,190,000 in late 2024 largely over the failure to remove a former contractor’s access.
Do small behavioral health breaches (under 500 individuals) still have to be reported?
Yes. Under 45 CFR § 164.408, breaches affecting fewer than 500 individuals must be logged and reported to the HHS Secretary no later than 60 days after the end of the calendar year in which the breach was discovered. In 2024 alone, OCR received 74,299 reports of breaches affecting fewer than 500 individuals, so the small-breach track is not a place to hide from either OCR or state licensing authorities.
References
- HHS Office for Civil Rights, Annual Report to Congress on Breaches of Unsecured Protected Health Information for Calendar Year 2024
- HHS OCR, Breach Notification Rule (overview)
- eCFR, 45 CFR Part 164 Subpart D. Notification in the Case of Breach of Unsecured Protected Health Information
- Cornell LII, 45 CFR § 164.404. Notification to Individuals
- HHS OCR / SAMHSA, Fact Sheet: 42 CFR Part 2 Final Rule
- Federal Register, Confidentiality of Substance Use Disorder (SUD) Patient Records. Final Rule (Feb. 16, 2024)
- HIPAA Journal, OCR Reports to Congress on HIPAA Compliance and Data Breaches in 2024
- HIPAA Journal, December 2024 Healthcare Data Breach Report (Clearway Pain Solutions settlement)