What Healthcare Organizations Get Wrong About HIPAA Security (And How to Fix It)

Every year, the U.S. Department of Health and Human Services publishes a list of healthcare data breaches affecting 500 or more individuals. It’s sometimes called the “Wall of Shame,” and it keeps growing. In 2025 alone, hundreds of healthcare organizations appeared on that list, exposing millions of patient records. The frustrating part? Many of those breaches were entirely preventable. The rules for protecting health data aren’t a mystery. They’re spelled out in HIPAA. But there’s a significant gap between knowing the rules exist and actually implementing them correctly.

HIPAA Isn’t Just a Checkbox Exercise

One of the most common mistakes healthcare organizations make is treating HIPAA compliance like a one-time project. They’ll hire a consultant, run through a risk assessment, check some boxes, and file everything away until the next audit. That approach might satisfy a surface-level review, but it does very little to actually protect patient data.

HIPAA’s Security Rule requires ongoing management. Threats change. Staff turns over. New systems get added. A risk assessment conducted two years ago doesn’t account for the cloud migration that happened last quarter or the new telehealth platform that launched six months ago. Organizations that treat compliance as a living process, rather than a binder on a shelf, tend to fare much better when incidents occur.

The Risk Assessment Gap

The Security Rule mandates that covered entities and business associates conduct a thorough risk assessment. Sounds straightforward enough. But many organizations either skip it entirely, do it poorly, or fail to act on what the assessment reveals.

A proper risk assessment identifies where electronic protected health information (ePHI) lives, how it moves through systems, and what vulnerabilities exist along the way. It’s not just an IT exercise. It involves administrative workflows, physical security, and human behavior. Does the front desk lock their workstation when stepping away? Are paper records being scanned and then left in an unsecured tray? Can a staff member access patient records they have no clinical reason to view?

Healthcare IT professionals often recommend that organizations map every system and device that touches ePHI. That includes the obvious ones like EHR platforms and billing systems, but also printers, mobile devices, and even voice systems that handle patient information. If it stores, transmits, or processes ePHI, it needs to be accounted for.

Acting on Findings

Conducting the assessment is only half the job. The other half is doing something about the gaps it uncovers. HHS investigators have made it clear in enforcement actions that simply identifying risks without implementing reasonable safeguards is not compliant. Organizations need a remediation plan with timelines, assigned responsibilities, and follow-up verification.

Access Controls Are Simpler Than People Think

Access control failures show up in breach reports with alarming regularity. An employee accesses records they shouldn’t be viewing. A former staff member’s credentials remain active weeks after termination. A shared login makes it impossible to determine who did what.

The fix doesn’t require expensive technology. Role-based access control, where users can only see information relevant to their job function, is a fundamental requirement under HIPAA. Unique user IDs for every person who touches a system should be non-negotiable. Automated deprovisioning when someone leaves the organization eliminates the lingering-credentials problem. Multi-factor authentication adds another layer that’s become standard practice across most industries.

Healthcare organizations in the Long Island, tri-state, and broader Northeast region sometimes struggle with these controls because they’re running legacy systems that don’t support modern authentication methods. That’s a real challenge, but it doesn’t eliminate the obligation. Compensating controls, system upgrades, or managed security services can help bridge the gap.
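The three access-control failures named above (lingering credentials after termination, shared logins, and access with no job-related reason) can be checked mechanically by reconciling the HR roster, the directory accounts, and the access log. The following is an added example, not code from the original article or from any HIPAA tool; the roster, accounts, role policy, and log events are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# Constructed HR roster: employee id -> (role, termination date or None).
HR_ROSTER = {
    "E100": ("nurse", None),
    "E101": ("billing", date(2025, 3, 1)),   # left the organization on 1 March
    "E102": ("front_desk", None),
}

@dataclass
class Account:
    account_id: str
    owners: list[str]   # employee ids mapped to this login (should be exactly one)
    enabled: bool

# Constructed directory export.
ACCOUNTS = [
    Account("jdoe", ["E100"], True),
    Account("bsmith", ["E101"], True),              # owner terminated, still enabled
    Account("frontdesk", ["E102", "E100"], True),   # shared login, two owners
]

# Minimal role-based policy: which record types each role may read.
ROLE_PERMISSIONS = {
    "nurse": {"clinical_notes", "medications"},
    "billing": {"claims", "insurance"},
    "front_desk": {"demographics", "appointments"},
}

# Constructed access-log events: (account_id, record type read).
ACCESS_EVENTS = [
    ("jdoe", "clinical_notes"),
    ("frontdesk", "clinical_notes"),   # front-desk role reading clinical notes
]

AS_OF = date(2025, 3, 15)   # date of the review

def lingering_accounts(roster, accounts, as_of):
    """Enabled accounts whose every mapped owner was terminated on or before as_of."""
    return sorted(a.account_id for a in accounts if a.enabled and all(
        roster[o][1] is not None and roster[o][1] <= as_of for o in a.owners))

def shared_accounts(accounts):
    """Accounts that cannot be tied to exactly one person (breaks attribution)."""
    return sorted(a.account_id for a in accounts if len(a.owners) != 1)

def out_of_role_access(roster, accounts, policy, events):
    """Log events where some mapped owner's role does not permit the record type."""
    owner_of = {a.account_id: a.owners for a in accounts}
    return [(acct, res) for acct, res in events
            if not all(res in policy[roster[o][0]] for o in owner_of[acct])]
```

Run on the sample data, the review flags `bsmith` as a lingering credential, `frontdesk` as a shared login, and the front-desk read of clinical notes as out-of-role access; in practice the same checks run against an HR export and a directory export on a schedule.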

Encryption: The Safeguard That Pays for Itself

HIPAA classifies encryption as an “addressable” specification, which many organizations misinterpret as “optional.” It’s not. Addressable means an organization must implement it where reasonable and appropriate, or document why it is not and put an equivalent alternative measure in place. Given how accessible encryption technology has become, it’s hard to argue that it isn’t reasonable for most healthcare environments.

Here’s where encryption really proves its value. Under the Breach Notification Rule, if encrypted data is lost or stolen and the encryption key wasn’t compromised, the incident may not qualify as a reportable breach. That single distinction can save an organization from public disclosure, regulatory investigation, potential fines, and significant reputational damage. The cost of implementing full-disk encryption on endpoints and TLS for data in transit is trivial compared to those consequences.

Training That Actually Changes Behavior

Annual HIPAA training has become something of a corporate ritual. Employees sit through a presentation, sign an acknowledgment form, and promptly forget everything they heard. Research consistently shows that this kind of passive, infrequent training does very little to reduce human error.

Effective security awareness programs look quite different. They’re shorter, more frequent, and tied to real scenarios. Phishing simulations that test whether staff can spot a suspicious email. Quick monthly refreshers on topics like password hygiene or recognizing social engineering attempts. Immediate coaching when someone fails a simulation rather than waiting for the next annual session.

The human element remains the most unpredictable variable in any security program. Technology can block a lot of threats, but a well-crafted phishing email that tricks a staff member into entering their credentials can bypass even strong technical controls. Organizations that invest in ongoing, practical training see measurable improvements in their security posture.

Building a Culture, Not Just a Program

Security-aware organizations make it easy for employees to report suspicious activity without fear of punishment. They celebrate catches rather than just penalizing mistakes. When someone forwards a phishing email to IT instead of clicking the link, that’s a win worth recognizing. This kind of culture shift takes time, but it turns every employee into a potential line of defense.

Business Associate Agreements Still Get Overlooked

HIPAA doesn’t just apply to hospitals and clinics. Any vendor, contractor, or service provider that handles ePHI on behalf of a covered entity is considered a business associate and must comply with applicable requirements. This includes IT service providers, cloud hosting companies, billing services, shredding companies, and even some legal and accounting firms.

A signed Business Associate Agreement is required before any ePHI changes hands. Yet many healthcare organizations have vendors accessing patient data without a BAA in place, or they’re using outdated agreements that don’t reflect current services. This is a common finding in HHS audits and a frequent factor in enforcement actions. Maintaining a current inventory of all business associates and reviewing agreements annually is a straightforward practice that prevents a very avoidable compliance failure.

Incident Response: Planning for When, Not If

No security program is foolproof. Even organizations with strong controls experience incidents. What separates those that recover quickly from those that spiral into costly disasters is preparation.

HIPAA requires covered entities to have policies and procedures for responding to security incidents. A solid incident response plan spells out who does what during a breach, how containment happens, when legal counsel gets involved, and how the organization meets the 60-day breach notification deadline. Without a plan, organizations waste critical hours figuring out logistics while the breach expands and the clock ticks.

Tabletop exercises, where leadership and IT staff walk through a simulated breach scenario, are one of the most effective ways to test a plan’s viability. They expose gaps in communication, unclear roles, and unrealistic assumptions before a real incident forces those discoveries under pressure.

Getting It Right Takes Commitment

HIPAA compliance isn’t glamorous, and it doesn’t generate revenue. But the cost of getting it wrong is steep. Fines can reach into the millions. Class action lawsuits following breaches have become routine. And the loss of patient trust is harder to quantify but arguably the most damaging consequence of all.

Healthcare organizations that approach security as an ongoing operational priority rather than a regulatory nuisance consistently perform better in audits, experience fewer incidents, and recover faster when something does go wrong. The standards aren’t unreasonable. They just require attention, investment, and follow-through.