A single stolen laptop. An unencrypted email sent to the wrong address. A former employee whose system access was never revoked. These are the kinds of everyday slip-ups that turn into six-figure HIPAA violations, and they happen far more often than most healthcare organizations want to admit.
For small and mid-sized healthcare practices across Long Island, New York City, Connecticut, and New Jersey, keeping up with HIPAA’s technical safeguards feels like a moving target. The regulations haven’t changed dramatically in recent years, but the threat landscape has. Ransomware gangs now specifically target healthcare providers because they know patient data is valuable and that many smaller organizations lack the IT infrastructure to fight back.
The Gap Between Policy and Practice
Most healthcare organizations have a HIPAA compliance policy sitting in a binder somewhere. Maybe it’s a PDF on a shared drive. The problem isn’t that the policy doesn’t exist. The problem is that the day-to-day reality of how staff actually handle protected health information (PHI) rarely matches what’s written down.
Consider a busy medical office where a front desk employee needs to send patient records to a specialist. The secure portal is slow, the patient is waiting, and it’s easier to just attach the file to a regular email. That one shortcut, repeated across dozens of staff members over months, creates a pattern of non-compliance that no written policy can fix on its own.
Security experts who work with healthcare clients often point out that compliance isn’t a checkbox exercise. It requires ongoing technical controls, regular training, and continuous monitoring. A risk assessment performed once and filed away does very little to protect an organization when threats evolve every quarter.
Technical Safeguards That Actually Matter
HIPAA’s Security Rule breaks down into administrative, physical, and technical safeguards. While all three categories matter, the technical side is where many smaller healthcare organizations fall short. They simply don’t have the in-house IT expertise to implement and maintain the controls that regulators expect.
Encryption at Rest and in Transit
Encryption is one of HIPAA’s “addressable” requirements, which leads some organizations to mistakenly believe it’s optional. It’s not. “Addressable” means an organization must either implement the safeguard or document why an equivalent alternative is reasonable. In practice, there’s almost never a good reason to skip encryption. Every device that stores or transmits PHI, from workstations and laptops to mobile phones and email servers, should use encryption. If a device is lost or stolen and the data on it was properly encrypted, the incident may not even qualify as a reportable breach under the HIPAA Breach Notification Rule. Without encryption, that same lost laptop becomes a nightmare of notifications, investigations, and potential fines.
Access Controls and Authentication
The principle of least privilege sounds straightforward. Give people access only to the data they need to do their jobs. But in a healthcare setting with rotating staff, part-time workers, and multiple locations, managing access rights gets complicated fast. Multi-factor authentication has become a baseline expectation, not a luxury. Regulatory guidance from the U.S. Department of Health and Human Services increasingly emphasizes MFA as a critical defense against credential theft, which remains one of the most common attack vectors in healthcare breaches.
Audit Logs and Monitoring
HIPAA requires organizations to track who accesses PHI and when. Yet many practices run systems that either don’t generate proper audit logs or generate them but never actually review the data. Without active monitoring, an unauthorized access event can go undetected for weeks or months. By the time someone notices, the damage is done. Managed security services that provide 24/7 log monitoring have become increasingly popular among healthcare organizations that can’t afford to staff a dedicated security operations team.
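The two sections above (least-privilege access rights and audit logs that nobody reviews) describe what a practice should be doing but not what a review actually looks like. The following Python script is an added example, not code from the original article or from any vendor it mentions. It parses a constructed PHI access log (hypothetical user ids, roles and medical record numbers, in a line format assumed for the example) and flags four conditions a small practice could check daily: an action a role is not permitted to perform, activity from an account that should have been deactivated at offboarding, bulk access to many distinct patient records by one user in a day, and record exports outside business hours. The role table, thresholds and business hours are assumptions to be replaced with the organization's own policy values.

```python
"""Daily PHI access-log review (added example, constructed data).

Assumed log line format (one access event per line):
    <ISO-8601 timestamp> user=<id> role=<role> patient=<mrn> action=<view|export>
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log; every user id and MRN is hypothetical.
SAMPLE_LOG = """\
2025-03-03T09:12:04 user=jdoe role=frontdesk patient=MRN1001 action=view
2025-03-03T09:14:40 user=jdoe role=frontdesk patient=MRN1002 action=export
2025-03-03T10:02:11 user=asmith role=nurse patient=MRN1001 action=view
2025-03-03T11:05:00 user=former1 role=billing patient=MRN1004 action=view
2025-03-03T13:00:00 user=bking role=frontdesk patient=MRN1005 action=view
2025-03-03T13:01:10 user=bking role=frontdesk patient=MRN1006 action=view
2025-03-03T13:02:20 user=bking role=frontdesk patient=MRN1007 action=view
2025-03-03T13:03:30 user=bking role=frontdesk patient=MRN1008 action=view
2025-03-03T22:47:33 user=rlee role=billing patient=MRN1003 action=export
"""

# Assumed policy values: which actions each role may perform (least privilege),
# which accounts HR has marked terminated, bulk-access threshold, business hours.
ROLE_PERMISSIONS = {
    "frontdesk": {"view"},
    "nurse": {"view"},
    "billing": {"view", "export"},
}
TERMINATED_ACCOUNTS = {"former1"}
BULK_THRESHOLD = 3          # distinct patients per user per day
BUSINESS_HOURS = (7, 19)    # start hour inclusive, end hour exclusive


def parse_line(line):
    """Turn one log line into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    record = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, value = field.split("=", 1)
        record[key] = value
    return record


def parse_log(text):
    """Parse all non-empty lines of a log dump."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def review(records, permissions=ROLE_PERMISSIONS, terminated=TERMINATED_ACCOUNTS,
           bulk_threshold=BULK_THRESHOLD, hours=BUSINESS_HOURS):
    """Return a list of (finding_type, user, detail) tuples for a reviewer."""
    findings = []
    patients_per_user_day = defaultdict(set)
    for r in records:
        when = r["ts"].isoformat()
        # 1. Role performed an action its permissions do not include.
        if r["action"] not in permissions.get(r["role"], set()):
            findings.append(("role_violation", r["user"], f"{r['role']}:{r['action']}@{when}"))
        # 2. Account that should have been revoked at offboarding is still active.
        if r["user"] in terminated:
            findings.append(("terminated_account", r["user"], when))
        # 3. Export of a record outside business hours.
        if r["action"] == "export" and not (hours[0] <= r["ts"].hour < hours[1]):
            findings.append(("after_hours_export", r["user"], when))
        patients_per_user_day[(r["user"], r["ts"].date())].add(r["patient"])
    # 4. One user touching an unusual number of distinct charts in a day.
    for (user, day), patients in patients_per_user_day.items():
        if len(patients) >= bulk_threshold:
            findings.append(("bulk_access", user, f"{day}:{len(patients)}"))
    return findings


if __name__ == "__main__":
    for kind, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{kind:20} {user:10} {detail}")
```

On the constructed data the script raises four findings: jdoe's export from a front-desk role, any activity by the terminated account, rlee's late-evening export, and bking's four-chart burst. The point of the example is the workflow rather than the specific rules: the log is read every day, each finding is assigned to a named person to close out, and the thresholds are tuned to the practice's real patterns so the review does not drown in noise.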
Ransomware Changed the Conversation
Five years ago, HIPAA compliance discussions focused mainly on preventing accidental disclosures and keeping up with documentation. Ransomware has fundamentally shifted that conversation toward active defense.
Healthcare was the most targeted industry for ransomware attacks in 2024 and 2025, according to data from multiple cybersecurity firms. Attackers know that healthcare providers face enormous pressure to restore systems quickly because patient care depends on it. That pressure makes victims more likely to pay ransoms, which makes the sector even more attractive to criminal groups.
The HHS Office for Civil Rights has made it clear that a ransomware attack resulting in encrypted or exfiltrated PHI is presumed to be a reportable breach unless the organization can demonstrate that the data was already encrypted before the attack. This puts an enormous burden on organizations to prove they had proper safeguards in place before an incident occurred.
Regular data backups, network segmentation, endpoint detection and response tools, and tested incident response plans are no longer “nice to have” items. They’re essential components of a defensible HIPAA security program.
Risk Assessments Need to Be Living Documents
The HIPAA Security Rule requires a thorough risk assessment, and this is the single most cited deficiency in HHS enforcement actions. Organizations that conduct risk assessments tend to treat them as one-time projects rather than ongoing processes.
A proper risk assessment identifies where PHI lives, how it moves through the organization, what threats exist, and what controls are currently in place to mitigate those threats. It should be updated whenever there’s a significant change to the IT environment, such as adopting a new electronic health record system, migrating to cloud infrastructure, or opening a new office location.
Many IT professionals who specialize in healthcare compliance recommend conducting formal risk assessments annually at minimum, with informal reviews happening quarterly. The documentation from these assessments serves a dual purpose. It guides the organization’s security investments and provides evidence of good-faith compliance efforts if a breach does occur.
The Business Associate Blind Spot
Healthcare providers sometimes forget that HIPAA compliance extends beyond their own walls. Any vendor that handles PHI on behalf of a covered entity, from cloud hosting providers and IT support firms to billing companies and shredding services, qualifies as a business associate and must have a signed Business Associate Agreement (BAA) in place.
But a signed BAA alone doesn’t eliminate risk. Organizations should be vetting their business associates’ security practices before handing over access to patient data. Questions about encryption standards, incident response capabilities, employee background checks, and data backup procedures should all be part of the vendor evaluation process. A breach at a business associate is still the covered entity’s problem when it comes to patient notifications and regulatory scrutiny.
Training That Goes Beyond Annual Slide Decks
Annual HIPAA training is a regulatory requirement, but once-a-year awareness sessions don’t do much to change behavior. The organizations with the strongest compliance track records tend to take a layered approach to training. Short, frequent reminders work better than long, infrequent lectures.
Simulated phishing exercises, for example, have proven effective at reducing click rates on malicious emails over time. Brief monthly security tips sent via internal channels keep security awareness fresh. And role-specific training that addresses the actual workflows people use every day is far more impactful than generic presentations about password hygiene.
Staff turnover in healthcare adds another layer of complexity. New employees need to be trained before they access any systems containing PHI, not during their second week on the job when they’ve already been using workarounds to get things done.
Where Things Are Heading
HHS has proposed updates to the HIPAA Security Rule that would make many currently “addressable” safeguards explicitly required. Encryption, multi-factor authentication, network segmentation, and vulnerability scanning are all expected to become mandatory rather than recommended. Organizations that have been treating these controls as optional will face a potentially costly scramble to catch up.
For healthcare providers across the Long Island, NYC, and tri-state area, the message is clear. HIPAA compliance isn’t just about avoiding fines. It’s about building an IT security posture that actually protects patient data against real-world threats. The organizations that treat security as an ongoing operational priority, rather than a periodic compliance exercise, are the ones that will be best positioned when the next breach attempt comes knocking.
