
The HIPAA Blind Spots That Get Healthcare Practices Fined


Compliance Is Not a Checkbox

Medical service providers across the United States commonly share a misunderstanding of HIPAA compliance: they believe they have met every requirement by posting a privacy policy on their website and having staff complete a single online training course years ago. They remain unaware of their noncompliance until a compliance audit or a data breach reveals that their practices are riddled with gaps. In recent years, the U.S. Office for Civil Rights (OCR) has steadily strengthened its enforcement. Its fines are adjusted regularly for inflation, and serious violations can result in six- to seven-figure settlements. Penalty amounts are tiered to the severity of the violation committed.

Blind Spot 1: The Risk Assessment You Never Did

Under the HIPAA Security Rule, organizations that process electronic protected health information (ePHI) must conduct comprehensive, written security risk assessments and keep them current. A simple checklist or informal questionnaire does not satisfy this requirement. The U.S. Department of Health and Human Services (HHS) notes that the absence of a compliant, up-to-date assessment is the most common compliance gap identified during enforcement actions.

A common misunderstanding is that EHR software handles this requirement. In reality, vendors are responsible for their own systems, while healthcare providers remain responsible for assessing risks across their entire environment, including networks, endpoints, email systems, physical security, and staff workflows.

Blind Spot 2: Email Is Your Biggest Vulnerability

Email remains one of the biggest cybersecurity vulnerabilities in healthcare. Phishing attacks, compromised accounts, and improperly handled messages containing patient information are among the most common entry points for breaches. Analysis of HHS OCR breach data found that email was involved in roughly 1 in 5 large healthcare breaches, and 85% of those email-related incidents involved hacked or compromised accounts.

If patient information is transmitted via standard email without appropriate safeguards, it may create a HIPAA compliance issue unless risk-based protections are in place, such as encryption, secure messaging systems, or patient-authorized communication methods.

Basic spam filtering alone is rarely sufficient. Healthcare organizations should implement layered email security controls such as phishing protection, multifactor authentication, domain authentication (DMARC), and encryption capabilities when handling sensitive data.

Blind Spot 3: Your Business Associates Are Your Responsibility

Any vendor that handles or accesses patient data is considered a Business Associate under HIPAA. This includes billing companies, IT providers, cloud storage services, scheduling platforms, and even phone system providers in some cases.

Covered entities are required to have signed Business Associate Agreements (BAAs) with these vendors and to perform reasonable due diligence to ensure they implement appropriate safeguards.

If a business associate experiences a breach involving your patient data, your organization may still be held accountable if proper agreements and oversight were not in place. Liability depends on compliance efforts, contractual arrangements, and the circumstances of the incident.

Blind Spot 4: No Incident Response Plan

HIPAA requires organizations to notify affected individuals, HHS, and in some cases the media within defined timelines after discovering a breach. For breaches affecting more than 500 individuals, notification obligations extend to media outlets as well.

Importantly, the clock starts when a breach is discovered, not when an investigation is completed.

Without a documented incident response plan, practices often lose critical time determining responsibilities, escalation steps, and communication procedures. This delay can increase both the impact of the breach and regulatory scrutiny. Regulators generally look more favorably on organizations that respond quickly, contain incidents effectively, and document their actions.

Blind Spot 5: Physical Security Gets Overlooked

HIPAA is not just about digital security. Workstations in exam rooms that auto-lock after two minutes, server closets that require badge access, printers in secured areas so patient documents are not sitting in open trays: these are all HIPAA requirements that get overlooked because practices focus exclusively on their EHR software. A proper cybersecurity and compliance service covers both digital and physical controls, giving you a complete picture of where your practice stands.

What Compliant Practices Do Differently

The practices that pass audits and avoid breaches have three things in common. First, they treat HIPAA compliance as an ongoing process, not an annual event. Second, they work with IT providers who understand healthcare-specific regulations and can implement the technical controls HIPAA requires. Third, they train their staff regularly, not just during onboarding, with realistic scenarios that reflect actual threats. If you manage a healthcare practice in Michigan and are not confident in your HIPAA posture, the smartest next step is to talk to an IT provider that specializes in healthcare IT compliance and cybersecurity. The cost of getting it right is always less than the cost of getting caught.
