The cost of ignoring it

What HIPAA costs when you skip it.

Most ABA clinics treat HIPAA as a someday problem. It stays a someday problem right up until one of three moments arrives. In each of them, the bill for having ignored it comes due all at once. Here is what someday costs.

Moment one

When OCR comes knocking.

$145 to $2.19M per violation

That is the 2026 penalty range, and a single breach is counted as many violations. But the ceiling is not the real story. The real story is culpability.

OCR sorts every case into tiers, from did not know at the bottom to willful neglect at the top, and the penalty follows the tier. The one thing that decides where you land is whether you did the work before the breach. The most common finding OCR cites against providers your size is the absence of an accurate, thorough risk analysis. It is the centerpiece of OCR's current enforcement push, and behavioral health providers are squarely in scope.

No risk analysis is close to an automatic move toward the willful neglect tier, where the numbers stop being survivable. And the fine is not the end of it: a settlement brings a corrective action plan, which is years of federal monitoring, plus your clinic's name on the public breach portal for anyone to find.

Penalty range reflects the HHS civil monetary penalty inflation adjustment effective January 28, 2026. A single breach can involve multiple violation categories, each counted separately.
And when they ask for proof

Minutes, not a month of digging.

You do not build a real risk analysis in a panic after the letter arrives. You cannot. WiseUp keeps it current, so when OCR asks, you are not searching a shared drive for a month. You pull an honest board, red where red is true, and compile the audit file in minutes. The work was already done, which is exactly the point.

Compliance posture live
18 / 25 satisfied
Security risk analysisSatisfied
Workforce trainingSatisfied
Business associate agreementsPartial
Contingency planGap
Sanctions policySatisfied
Breach notificationPartial
Red where red is true. Every green earned by a signed attestation, frozen and kept six years.
Moment two

When you sell your clinic.

ABA is being rolled up. When you sell, the buyer's counsel runs a HIPAA diligence workstream as standard: your policies, your business associate agreements, your training records, your risk analysis. If that review finds gaps, it goes one of three ways, and none of them are good for you.

Outcome one

They walk

A messy compliance picture reads as hidden liability. Some buyers simply pass rather than take on what they cannot measure.

Outcome two

They discount

Gaps become leverage. Your multiple comes down so the buyer can price in the risk they are about to inherit from you.

Outcome three

They hold it back

Cash you earned sits in escrow for years against violations that might surface later, because a buyer can inherit your pre-sale HIPAA liability.

Clean, documented compliance does the opposite. It supports a higher valuation and a faster close, and it turns the diligence request into a package you already have. WiseUp keeps that package current from day one, so the day you decide to sell, it is already built.

Moment three, coming

When your payor contract catches up.

We will be straight about this one, because every operator knows the truth: no payor has ever asked you about HIPAA. Today it is not on the credentialing checklist. That is real, and we are not going to pretend otherwise.

But it is changing. Payors are under growing federal pressure over fraud and program integrity, and the checklist that verifies your license today is the checklist that will ask for your HIPAA posture tomorrow. This is not a threat for a sale. It is a shift we expect, and the reason to build a real program now is so you are ready before the column fills in.

Credentialing today
Active license checked
Malpractice history checked
Board certification checked
HIPAA posture not asked
Credentialing tomorrow
Active license checked
Malpractice history checked
Board certification checked
! HIPAA posture required

There is already a live edge to it: telehealth reimbursement requires a HIPAA-compliant platform, and Medicaid runs its own program-integrity checks with the power to claw back payments. The clinic that runs a real program never has to watch that column fill in. WiseUp is that program, built before you need it.

The bottom line

None of this is the point. The work is.

You do not do HIPAA to dodge a fine, pass a diligence review, or satisfy a contract. Those are just the moments the bill arrives. You do it because a clinic that handles patient data honestly is a safer, more valuable business. WiseUp makes that work something you can actually finish: everything is prepared for your clinic, you choose your risk profile, review, and attest. That is the whole job.