Blog
Articles on compliance strategy, breach economics, AI risk, and the security decisions that matter most for small healthcare teams.
276 million Americans had health data exposed in 2024. Medical records sell for 10x the value of credit cards. AI amplified exploit value by up to 30%. Here are the numbers — and what they mean.
Most HIPAA compliance software is designed for hospitals and large healthcare systems — not independent practitioners. This comparison analyzes 19 platforms to help you find a solution that actually fits your practice.
For real-time breach alerts, enforcement actions, and compliance intelligence — visit HIPAA Pulse — updated multiple times daily.
All articles
The enforcement discretion that permitted non-compliant telehealth ended May 2023. Five violations define most of the current exposure — consumer platforms, session recordings in personal cloud, unencrypted home devices, and more.
COVID-era enforcement discretion ended May 2023. Every telehealth session since must comply with HIPAA in full. This guide covers platforms, home offices, recordings, multi-state practice, and the complete compliance path.
Optometry practices face a compliance challenge structurally distinct from other specialties: the retail-clinical interface creates specific HIPAA vulnerabilities that generic guides never address.
We did not start by asking independent providers to trust another compliance platform. We started by building the tools, datasets, guides, apps, and research we believed should already exist. This is what we have published.
Optometry practices face structurally unique HIPAA challenges: the retail-clinical access boundary, optical lab BAA gaps, dual-billing insurance coordination, and vision-medical record crossover. Here's the complete guide.
A 24-point evaluation framework — eight criteria pulled directly from the 2026 Security Rule NPRM and OCR's expanded enforcement focus — for scoring any HIPAA compliance platform you are evaluating, including ours.
The HIPAA violations that hit PT practices hardest are shaped by how PT is delivered — in homes, with rotating staff, through exercise apps most practices have never assessed for compliance.
Physical therapy practices face specific HIPAA risks most guides never address: home visit ePHI, PRN staff access gaps, workers' comp records, and exercise app BAAs. Here's the complete compliance path.
Seven patient communication platforms that will sign a BAA, ranked by fit for independent practices. Where each is strong, where each is thin, and the workflow gap behind most communication breaches.
In 2022, small medical and dental practices accounted for 55% of OCR financial penalties. Five violations drive most of the exposure — here's what they are and what to do about them.
Salesforce can be HIPAA compliant — but only on Health Cloud and specific paid editions with a signed BAA. Sales Cloud and Marketing Cloud are not covered, and the gap is where most practices create exposure.
Twilio can be HIPAA compliant on its HIPAA-eligible product set with a signed BAA. SMS, Voice, Video, and SendGrid Email are eligible when contracted correctly. Default accounts are not.
HubSpot can be HIPAA compliant on Enterprise tiers with a signed BAA. Lower plans are not HIPAA-eligible. Here is what is covered, what is not, and how to configure it.
ServiceNow can be HIPAA compliant on enterprise contracts with a BAA. The Healthcare and Life Sciences product line provides healthcare-specific data models. Standard tenants are not HIPAA-eligible by default.
Zapier does not sign BAAs. That alone disqualifies it for any workflow involving PHI. Practices that use Zapier to glue together healthcare tools are creating compliance exposure they may not see until an audit.
OneDrive can be HIPAA compliant on Microsoft 365 commercial plans with a signed BAA. Personal OneDrive accounts and home subscriptions are not. The configuration after the BAA is where most practices create exposure.
Stripe does not sign Business Associate Agreements. Most card transactions are not PHI under HIPAA — but billing context, descriptors, and integrations can introduce PHI. The line is narrower than most practices realize.
Adobe Acrobat Sign can be HIPAA compliant on Enterprise tiers with a signed BAA. Acrobat Pro DC and individual plans are not HIPAA-eligible. Confusion between Acrobat the PDF tool and Acrobat Sign the e-signature service is common.
Loom does not sign BAAs on any plan. That alone disqualifies it for any video that captures or discusses PHI. Here is the gap and what to use instead.
Notion offers a BAA on Enterprise plans, but Notion AI features are explicitly excluded from that coverage. Using AI on a HIPAA workspace breaks the BAA. The boundary is narrow and easy to miss.
Independent practices carry the same HIPAA obligations as hospital systems — with a fraction of the resources. This guide covers EHR gaps, the 2025 Security Rule amendments, and the step-by-step path to continuous compliance.
Ten cloud storage providers that will sign a BAA, ranked by fit for independent healthcare practices. What each is built for, where each falls short, and the configuration trap behind most cloud breaches.
Chiropractic practices face a HIPAA violation landscape shaped by personal injury records, open treatment environments, and high-volume billing — patterns most compliance guides miss. Here are the five violations OCR cites most.
Today we publish the inaugural Q1 2026 State of Compliance — drawn from seven authoritative sources after the OCR portal alone showed almost no March activity. The headline finding is concentration: four upstream vendor breaches drove 67.6% of all Q1 patient impact.
Seven practice management platforms used by independent practices, ranked by fit. Each handles scheduling, billing, and patient flow differently — and each leaves a different slice of HIPAA work back to the practice.
Chiropractic practices face specific HIPAA challenges most guides never address: personal injury records, open treatment environments, and high-volume billing vendor ecosystems. Here's the complete path to compliance.
Mental health records command $280–$310 per record on dark markets. Here are six violations OCR cites most in behavioral health — including two unique to therapy that most guides never address.
Many HIPAA violations don't come from sophisticated attacks — they come from a sticky note under a monitor, a saved password, or a workstation left open during a five-minute coffee break.
Therapy practices handle the most sensitive category of protected health information. This guide covers psychotherapy notes, telehealth BAAs, 42 CFR Part 2, and the step-by-step path to full compliance.
OCR's enforcement data is a public dataset of what actually goes wrong. These are the 10 most-frequently cited violation categories — and the operational gaps behind each one.
You can have ten HIPAA-compliant tools and zero HIPAA compliance. The Franken-stack is what you get when operational pressure meets the absence of a compliance architecture.
Most HIPAA compliance software was built for hospital systems. The pricing reflects it. Independent practices face identical regulatory requirements with a fraction of the resources. Here is where the real value floor is in 2026.
There is a version of HIPAA compliance that looks right and works wrong. You complete the forms, generate the policies, train the staff. Then a breach happens anyway. This is the gap most compliance software was not built to close.
A HIPAA compliance checklist is a starting point, not a destination. This checklist covers the core requirements organized by category, with regulatory citations and what done actually means in practice.
Zoom offers a HIPAA-compliant option, but the free plan does not qualify. Here is what you need to set up before using Zoom with patients.
Free Gmail fails HIPAA requirements. Google Workspace paid plans with a BAA and the right configuration can work — here is the full breakdown.
Google Workspace supports HIPAA compliance on paid plans with a BAA — but the default settings leave gaps. Here is the full configuration guide.
Microsoft Teams can meet HIPAA requirements — but only with the right Microsoft 365 plan, a BAA, and admin configuration. Here is the full guide.
Dropbox offers HIPAA-eligible plans for healthcare — but only on Business tiers with a BAA. Here is what to configure before storing patient data.
Slack can be HIPAA compliant — but only on Enterprise Grid with a signed BAA and specific admin settings. Most Slack plans do not qualify.
Vendors sell HIPAA certification. The government does not offer one. Understanding the difference protects your practice from false confidence.
Faxing gets a pass under HIPAA that email does not — but cloud fax, online fax services, and email-to-fax gateways create compliance obligations most practices overlook.
Every HIPAA-covered entity must designate a privacy officer and a security officer. For independent practices, that is often one person wearing both hats.
AWS provides HIPAA-eligible infrastructure — Patient Protect runs on it. But using AWS does not automatically make your practice compliant.
HIPAA does not prohibit voicemail. But voicemail messages containing PHI must follow minimum necessary rules, and voicemail systems must meet security requirements.
Eight EHR platforms that sign BAAs and serve independent practices, ranked by fit. The compliance gap most practices miss: an EHR's BAA is the floor, not the ceiling.
There is no government agency that issues a HIPAA compliant stamp. HIPAA compliance is a continuous obligation. This guide covers the ten steps to achieve it and the system to maintain it.
OCR enforcement actions reveal which HIPAA violations are most common and most costly. The consistent finding is not malice — it is that compliance was treated as a one-time event rather than an ongoing system.
Dental offices are covered entities under HIPAA — subject to the same rules as hospitals. This guide covers what the law requires, where dental practices are most exposed, which vendors need BAAs, and the step-by-step path to full compliance.
Most HIPAA violations at dental practices start with a missing document, an expired agreement, or a staff member who texted a patient. Here are the five violations OCR cites most — with real cases and what to do about them.
Most compliance platforms hand you a questionnaire and wish you luck. Patient Protect covers ~70% of HIPAA requirements before you write a single policy. Here's the minute-by-minute breakdown.
Most compliance software was designed to pass an audit. Patient Protect was designed to survive an attack. This is a walkthrough of every architectural decision — from input validation to on-premises AI — and why they matter for independent healthcare practices.
OCR investigators don't fish for sophisticated vulnerabilities. They look for predictable operational gaps. These are the ten signs they find most often — visible to the practice long before the audit notice arrives.
The Security Rule's technical safeguards are the controls that actually protect ePHI inside your systems. This is the complete reference — every standard, every implementation specification, and what each one means for your practice.
Most HIPAA compliance platforms cannot enforce what they do not contain. If the platform lacks secure messaging, it cannot prevent staff from texting patients. If it lacks real-time monitoring, it cannot detect drift between audits. The gap between what compliance software covers and what HIPAA actually requires is the platform deficit — and it is where most breaches start.
A signed BAA is HIPAA's required floor — but most BAAs that practices sign protect the vendor far more than the practice. These are the six clauses that separate a real contract from a checkbox.
Most HIPAA compliance platforms make you do the work. The best ones in 2026 satisfy 25 critical requirements before you lift a finger.
These six violations account for the majority of OCR enforcement actions against independent practices. Every one is preventable.
Signal has the strongest encryption of any consumer messenger. It is still not HIPAA compliant. Encryption protects messages in transit — HIPAA requires protection of the entire lifecycle of PHI, and Signal provides none of the organizational controls that demands.
Ten mistakes that recur across independent practices — not exotic security failures, but predictable operational gaps. Each one shows up repeatedly in OCR enforcement actions and breach reports.
DocuSign supports HIPAA compliance — but only on Business Pro and Enterprise plans with a signed BAA and correct configuration. Lower-tier plans do not qualify.
HIPAA requires workforce training. Most practices know that much. What they don't know: exactly what topics must be covered, when training must happen, what documentation OCR expects, and what changes with the proposed 2026 Security Rule amendments.
OCR investigations start somewhere. Knowing the triggers that begin the process — and the inputs the practice controls — is the difference between a managed program and a reactive one.
Google Forms is only HIPAA compliant on paid Google Workspace plans with a signed BAA. Free Gmail accounts are never covered. Here is exactly what you need to configure and where Forms falls short for patient intake.
A front desk coordinator pastes chart notes into ChatGPT. A medical assistant summarizes a referral. A biller drafts an appeal. Nobody flagged any of it as a problem. Because it didn't feel like a breach. It felt like being resourceful.
Notion can be HIPAA compliant — but only on the Enterprise plan with a signed BAA and the right workspace settings. Most healthcare practices using Notion are on plans that do not qualify.
Google does not sign a Business Associate Agreement for Google Analytics. Using GA4 on a healthcare website that collects or transmits PHI is a HIPAA violation — and enforcement is active.
The Breach Notification Rule has specific requirements for who you notify, when, and how. Getting this wrong compounds the original violation.
Patient Protect Signal puts breach intelligence, compliance tools, and community threat awareness in your pocket — free, with no PHI collected.
Encryption is HIPAA's strongest single safeguard — and the only one with a statutory safe harbor. Eight standards, ranked by where independent practices most need them.
Intuit does not sign Business Associate Agreements for QuickBooks — not Online, Desktop, Self-Employed, or Payroll. If your billing data contains PHI, QuickBooks is a compliance gap.
Square will sign a BAA — but it covers payment processing only. Square Appointments, Messages, Invoices, and Marketing are not HIPAA compliant and should never handle PHI.
HIPAA compliance software describes products that work in fundamentally different ways. Understanding the three categories — documentation platforms, guided compliance tools, and enforcement-based systems — is essential before choosing one.
Calendly does not sign Business Associate Agreements on any plan and explicitly prohibits PHI in its terms of service. No configuration makes it compliant for healthcare scheduling.
Business associate agreements are one of the most commonly violated HIPAA requirements. This checklist covers what a BAA must include, which vendors need one, and how to manage the entire lifecycle.
The HIPAA risk analysis is the single most-cited gap in OCR enforcement. Most independent-practice risk analyses fail in one of seven predictable ways — all visible before any audit.
Apple does not sign Business Associate Agreements for any consumer service. iCloud, iMessage, FaceTime, and Apple Health are all off-limits for PHI.
Mailchimp cannot be used for healthcare email marketing involving PHI. Intuit refuses to sign a BAA for any Mailchimp plan — Free, Essentials, Standard, or Premium.
Every year, thousands of independent healthcare providers download the free HHS Security Risk Assessment Tool, work through its 166 questions, generate a report, and file it away — believing they've completed their HIPAA security risk assessment requirement.
WhatsApp cannot be used for patient communication under HIPAA. Meta refuses to sign a BAA for any WhatsApp product — personal, Business, or API.
Search for 'HIPAA compliance cost' and you'll find estimates ranging from $5,000 to $150,000. Neither is particularly useful if you're an independent practitioner trying to figure out what you actually need to spend.
HIPAA compliance checklists run to hundreds of items. The eleven below are the ones independent practices most often skip — and the ones that surface most often in OCR enforcement actions.
Training is required, documented, and frequently audited. Six mistakes show up repeatedly in the practices that fail. Each is procedural — meaning each is fixable without new technology.
OCR enforcement isn't random. Eight patterns recur across the public settlement record — and each one is a preview of the audit findings a similar practice can expect.
The headlines blame ransomware. The root cause is simpler and more fixable: unencrypted patient data sitting exposed across practice networks, laptops, and email systems.
The proposed HIPAA Security Rule amendments would require MFA, mandate encryption, tighten incident response timelines, and eliminate the distinction between required and addressable specifications.
When Change Healthcare went down, it wasn't just a ransomware attack — it was a reminder that when healthcare data is breached, care itself is lost. AI has made the aftermath even worse.
Hundreds of thousands of patient records have been found exposed online — unencrypted and unprotected. The problem is not just theft — it is that attackers now have better intelligence than defenders.
Small healthcare practices carry the same HIPAA obligations as major hospital systems. The difference is that a single breach can end the practice entirely.
Most independent healthcare practices aren't short on integrity — they're short on infrastructure. Patient Protect was founded to change that, starting with free tools that raise awareness and build readiness.
HIPAA Pulse delivers daily curated intelligence on enforcement actions, breach notifications, and regulatory changes — built for independent healthcare providers.
The HIPAA Security Risk Assessment should not be a painful annual event. Patient Protect transforms compliance into continuous micro-assessments with real-time monitoring and instant documentation.
The breach economics facing independent practices are existential. One incident can consume 250 to 560 percent of annual revenue.
The biggest opportunity in healthcare is not another EHR or telehealth platform. It is the $164 billion in unfunded compliance and security infrastructure that independent providers cannot afford to ignore.
You don't need a law degree or an IT department to be HIPAA compliant. You need three things, one afternoon, and a plan that doesn't make your head spin.
HIPAA gives patients specific, enforceable rights over their health information. Most independent practices comply with some of them and overlook the rest.
An agentic AI vendor suffered a breach that exposed 480,000+ patient records. If your practice is evaluating AI tools, the questions you need to ask just changed.
Most practices think physical security means locking the server room. It actually means controlling every point where someone could see, touch, or walk away with patient data.
Every device that touches ePHI is a potential breach vector. This step covers encryption, mobile device management, BYOD, patching, and the endpoint controls that keep patient data off the dark market.
If everyone in your practice can access every patient record, you do not have access controls. You have a breach waiting for a trigger.
HIPAA fines are just the visible cost. Legal fees, patient notification, reputation damage, and lost revenue make the real number far worse. We built a calculator to show you.
Before you can build a compliant practice, you need to know exactly what HIPAA requires of you — and that depends entirely on your entity classification.
A risk assessment is not a form you fill out once a year. It is a living map of every threat to the patient data your practice holds — and the foundation of every HIPAA safeguard you implement.
Policies without enforcement are just paper. This step covers how to designate HIPAA officers, build policies that reflect real operations, and train your workforce to follow them.
Most HIPAA checklists give you boxes to check. This one gives you a sequence to follow — from risk assessment through incident response — so your practice builds compliance that holds up under scrutiny.
PHI is not limited to medical records. It includes any individually identifiable health information — and the definition keeps expanding as technology evolves.
Corrective Action Plans are not just penalties. They are a public record of what goes wrong when practices skip the basics. The patterns are consistent and preventable.
Hacker-related breaches now account for the vast majority of exposed patient records. Independent practices are the fastest-growing target — and the least prepared.
The breach dashboard gives every healthcare provider — regardless of size — live access to HHS breach data, trend analysis, and geographic risk mapping.
Your email provider offers encryption. That does not make your email HIPAA compliant. The gap between encrypted email and compliant email is where violations happen.
HIPAA compliance is hard enough without decoding the alphabet soup. This guide defines every acronym you will encounter and explains why each one matters to your practice.
The compliance industry has spent a decade selling binders, templates, and consultant hours. The next generation of HIPAA platforms must actually prevent breaches.
Healthcare breaches do not just affect providers. Patients face identity theft, insurance fraud, and disrupted care. The security practices of your healthcare provider directly affect your personal risk.
If your marketing agency collects patient inquiries through web forms, they are handling PHI. Most practices have no BAA in place to cover this.
A HIPAA compliance vendor running jQuery 1.x and unpatched dependencies is not protecting your practice. It is introducing risk you cannot see.
The threat landscape, regulatory expectations, and cost of failure all escalated in 2025. Independent practices that operated on last year's assumptions are already behind.
Having an EHR, a privacy policy, and annual training does not make you HIPAA compliant. Here is what OCR actually looks for — and why most practices fall short.
Not all HIPAA compliance tools are created equal. Some barely scratch the surface of legal compliance — others offer automation without the security backbone. Here is what to demand in 2026.
Most HIPAA compliance tools generate binders, not security. Here is what to actually evaluate when choosing a platform — and the questions most vendors hope you do not ask.
The Change Healthcare breach was not just a corporate disaster. It froze billing, halted claims, and left independent practices unable to operate for weeks.
Email remains the most exploited communication channel in healthcare. Encryption is not a nice-to-have — it is the baseline that separates compliant practices from exposed ones.
HIPAA (Health Insurance Portability and Accountability Act) is a federal law that protects sensitive patient information. This guide explains how to get started with HIPAA compliance, the key components involved, and how you can make the process easier.
Electronic compliance does not have to be overwhelming. Start with five practical areas where most practices have gaps and fix them one at a time.
When security gets in the way of patient care, staff work around it. The solution is not more rules. It is security that fits the workflow instead of fighting it.
Patients are paying attention to how their data is handled. Practices that treat compliance as a trust-building tool — not just a legal requirement — outperform on retention, reputation, and referrals.
The knowledge is there. The implementation is not. Understanding why smart professionals skip email encryption is the first step to closing the gap.
HIPAA Pulse newsletter
Breach analysis, OCR enforcement updates, regulatory tracking, and the operational guidance for independent practices — synthesized into one editorial briefing. No spam. Unsubscribe anytime.
Every other Wednesday · Free · Unsubscribe anytime
