Compliance and Security
Articles on compliance and security from the Xpio Health team.
Not a Hacker in a Hoodie: The Real Face of HIPAA Breaches
You already know HIPAA matters. But here’s what you might not know: most fines don’t come from hackers or sophisticated attacks. They come from everyday mistakes that happen in busy clinics just like yours. Lost laptops. Emails sent to the wrong person. Staff checking charts they shouldn’t. The good news? Every single one could have […]
Getting Off Track: Why HIPAA Policies Fail in Practice
Every year, the Office for Civil Rights releases a new crop of enforcement actions. Each one reads like a cautionary tale, but the plot doesn’t change. Laptops go missing. Emails go unencrypted. Staff snoop. And organizations pay in dollars and in trust. For leaders in behavioral health, the lesson is clear: most HIPAA fines stem […]
When Vendors Drop the Ball: Governing Risk and Protecting Care in Behavioral Health
Key Takeaway: Vendor risk is unavoidable but manageable. Proactive governance, testing, and continuity planning protect care and revenue during outages. The Monday Morning Crisis You arrive at 7:45 AM. Your EHR won’t load. The vendor sent an overnight email: “Experiencing technical difficulties.” Your first patient arrives in fifteen minutes. Your crisis line has been routing […]
The Light Switch Test: Will You Be Ready When Systems Go Dark?
You arrive Monday morning to discover your EHR is down. Not slow. Down. The vendor sent an overnight email: “Experiencing technical difficulties. No estimated restoration time.” Your first client arrives in 15 minutes. This scenario moved from theoretical to inevitable after the Change Healthcare incident. A cyberattack on Change Healthcare in February 2024 disrupted healthcare […]
The Vendor Maze: How Healthcare Loses Control of Its Greatest Risk
The Change Healthcare cyberattack in February 2024 exposed a vulnerability that every behavioral health executive understands but few want to confront: the growing portion of your operations that depends entirely on vendors you cannot directly control. When a single clearinghouse goes down, claims stop flowing. When an EHR vendor gets compromised, patient care documentation becomes […]
The Final Bell for 42 CFR Part 2 Enforcement and Organizational Readiness
Key Takeaway: OCR enforcement of 42 CFR Part 2 begins February 2026. Organizations must map coverage, update policies, and train staff to avoid penalties and build trust. February 16, 2026. Your intake coordinator sits across from a patient seeking substance use treatment. The […]
42 CFR Part 2 Just Changed the Locks on the Door With Two Keys
In 90 days, one of your intake coordinators will sit across from a patient seeking substance use treatment. The patient will ask a straightforward question: “Who can see my records?” Your coordinator’s answer, and the consent form they present, could determine whether your organization faces federal enforcement action. Starting February 2026, 42 CFR Part 2 […]
The Countdown Clock on 42 CFR Part 2 Is Already Ticking
Most behavioral health leaders know 42 CFR Part 2 exists. Far fewer know whether their organization is actually covered by it. And almost none have stress-tested their systems to see if they could survive an OCR audit. That gap is about to become expensive. Starting February 16, 2026, the Office for Civil Rights (OCR) gains […]
Closing the Door: Managing Ghost Access in Behavioral Health
Managing access in behavioral health is not just an IT task. It’s a daily balancing act between clinical urgency, compliance, and security. Dormant logins and shared credentials may seem harmless at the time, but they create dangerous blind spots. Over time, those small gaps can become major breaches. Ghost access occurs when former employees still […]
When Logins Linger: How Shared and Abandoned Credentials Weaken Behavioral Health Defenses
In behavioral health, trust is everything. It’s the backbone of the therapeutic relationship, the heart of clinical care, and the foundation of every interaction. But behind every note, appointment, and secure message, systems and credentials quietly carry that trust forward. When those systems aren’t well managed, they become invisible vulnerabilities. Ghost access is when login […]
New Locks, Same Doors: Update or Be Exposed
Whether you’re managing a program, supporting the front desk, fixing system issues, or chasing down billing codes, the changes to HIPAA and 42 CFR Part 2 are coming straight for your workflow. The Final Rule went into effect in April 2024, and full compliance is required by February 2026. That may sound like plenty of […]
HIPAA and Part 2: Gears Aligned, Systems Synced
In behavioral health, regulatory change is a constant pressure. It rarely arrives with clarity or simplicity. But it does arrive, and with it comes real implications for patient privacy, organizational trust, and operational continuity. In 2025, two regulatory shifts are redefining how behavioral health organizations must handle protected health information. The first is already […]