The compliance gap
Your EHR covers about 4 of 75 HIPAA requirements.
Dentrix, athenahealth, SimplePractice, AdvancedMD — they all secure their own infrastructure and sign a BAA with you. That handles their obligations. It does not handle yours. The other 70+ requirements — risk assessments, policies, training, vendor management, breach response, physical safeguards — are still on your desk.
What your EHR handles
The requirements your EHR vendor actually satisfies.
These are real, important controls. Your EHR vendor does cover them. The problem is that there are 75+ requirements total.
Encrypted data storage
Your patient records are encrypted inside the EHR database.
§164.312(a)(2)(iv)
Encrypted data transmission
Data moving between your browser and the EHR uses TLS encryption.
§164.312(e)(1)
Vendor BAA with your practice
The EHR vendor signs a BAA with you — making them a compliant business associate.
§164.308(b)
Audit logging (within the EHR)
Access to records inside the EHR is logged. But only inside their system.
§164.312(b)
This is not nothing — but it is about 5% of HIPAA.
What’s left on your desk
The 70+ requirements your EHR vendor explicitly does not cover.
Every EHR vendor’s documentation says the same thing: “The covered entity remains responsible for its own HIPAA compliance.” Here is what that means in practice.
Security Risk Assessment
Required annually. Your EHR vendor does their own SRA — they do not do yours. You need a documented assessment of your practice’s risks.
§164.308(a)(1)(ii)(A)
Written security policies and procedures
48+ policies covering how your practice handles ePHI, access, incidents, and sanctions. Your EHR has their policies — not yours.
§164.316(a)
Workforce training and documentation
Every employee needs documented HIPAA training with completion records. Your EHR doesn’t train your staff.
§164.308(a)(5)
Access management across your practice
Who can access what, role-based permissions, access reviews, and termination procedures — across all systems, not just the EHR.
§164.308(a)(4)
Business Associate Agreements with all vendors
Every vendor touching ePHI needs a BAA — your IT contractor, cloud backup, billing service, phone system, shredding company. The EHR covers only itself.
§164.308(b)
Physical safeguards
Locked server rooms, workstation placement, visitor logs, device disposal procedures. None of this comes from software.
§164.310(a)
Incident response and breach notification
Documented procedures for when something goes wrong — who to notify, within what timeline, how to contain it. Your EHR reports their breaches, not yours.
§164.308(a)(6)
Device and media controls
Tracking all devices with ePHI, disposal procedures, and removable media policies. Your EHR doesn’t know about the laptop in your back office.
§164.310(d)
Contingency planning and disaster recovery
Backup plans, recovery testing, and emergency access procedures for your practice — not just your EHR’s uptime guarantee.
§164.308(a)(7)
Workforce termination procedures
Revoking access across all systems when someone leaves. Your EHR handles one login — what about the rest?
§164.308(a)(3)(ii)(C)
Ongoing compliance evaluation
Regular audits confirming your practice’s controls are still working. Your EHR evaluates their own compliance, not yours.
§164.308(a)(8)
Privacy Rule compliance
Notice of Privacy Practices, minimum necessary standard enforcement, patient rights management, and complaint procedures. Operational, not software.
§164.530
If your only compliance measure is “we use a HIPAA-compliant EHR,” you have the same exposure as a practice with no compliance program at all.
OCR does not ask “what software do you use?” They ask for your risk assessment, your policies, your training records, your BAA inventory, and your incident response plan. Your EHR cannot produce any of these for you.
By vendor
What specific EHR vendors cover — and what they leave to you.
Dental PMS
Dentrix / Eaglesoft
Covers
Encrypted storage, role-based access within the app, signed BAA.
Does not cover
Does not provide risk assessments, policies, staff training, BAA management for other vendors, breach response procedures, or compliance documentation.
Cloud EHR
athenahealth
Covers
HIPAA-compliant hosting, encryption, audit trails within athena, signed BAA.
Does not cover
Explicitly states in their BAA that compliance obligations remain with the practice. Does not cover your workforce training, your policies, your risk assessment, or your vendor management.
Behavioral health
SimplePractice
Covers
Encrypted telehealth, secure messaging within the platform, signed BAA.
Does not cover
Secures communication within their own platform only. Does not address 42 CFR Part 2 compliance planning, psychotherapy note separation policies, or your practice’s SRA.
Multi-specialty
AdvancedMD
Covers
Cloud hosting, encryption, access logging, BAA.
Does not cover
Practice-level compliance — workforce training, physical safeguards, incident response planning, vendor BAA tracking, and policy documentation — remains entirely your responsibility.
Dental (on-premise)
Open Dental
Covers
Database encryption (if configured). No hosting — you manage the server.
Does not cover
On-premise means your practice owns the physical security, backup encryption, server patching, access controls, and network security. Higher compliance burden than cloud EHRs.
General
DrChrono / EHR vendors generally
Covers
Their infrastructure, their BAA with you, their audit logs.
Does not cover
Every EHR vendor’s compliance documentation says the same thing: “The covered entity remains responsible for its own HIPAA compliance.” That’s you.
Closing the gap
Patient Protect covers the 70+ requirements your EHR leaves behind.
Not instead of your EHR — alongside it. Your EHR handles clinical data. Patient Protect handles everything HIPAA requires on top of that.
330+ item SRA
Guided risk assessment mapped to the 2026 Security Rule. Not a checkbox — NIST 800-30 methodology.
48 CFR-mapped policies
Policies and procedures pinned to specific regulations with versioning and workforce acknowledgment.
80+ training modules
Privacy, security, breach response, patient rights — with completion tracking and certificates.
BAA lifecycle for all vendors
Track every vendor touching ePHI — not just your EHR. Expiration alerts, e-sign, audit trail.
Incident response workflows
When something goes wrong, documented procedures with notification timelines and OCR reporting.
Continuous compliance scoring
Three-dimensional score (Setup + Compliance + Security) that updates as your posture changes.
FAQ
Common questions about EHR compliance.
Does using a HIPAA-compliant EHR make my practice HIPAA compliant?
No. A HIPAA-compliant EHR means the vendor has secured their infrastructure and signed a BAA with you. It does not satisfy your practice’s independent obligations under the Security Rule, Privacy Rule, or Breach Notification Rule — including risk assessments, workforce training, policies, physical safeguards, and vendor management.
What does my EHR vendor’s BAA actually mean?
It means the EHR vendor agrees to protect ePHI in their system and report breaches to you. It does not mean they’re responsible for your practice’s compliance. Their BAA explicitly states that your obligations remain yours.
How many HIPAA requirements does my EHR actually cover?
Typically 3–5 of 75+ requirements: encrypted storage, encrypted transmission, audit logging within their app, and a BAA. The remaining 70+ requirements — risk assessments, policies, training, vendor management, physical safeguards, breach response — are your practice’s responsibility.
What happens if I get audited and only have an EHR?
OCR will ask for your Security Risk Assessment, your written policies and procedures, your workforce training records, your BAA inventory, and your incident response plan. Your EHR cannot produce any of these for you. The finding will be the same as having no compliance program at all.
How does Patient Protect fill the gap?
Patient Protect covers the 70+ requirements your EHR doesn’t touch: guided SRA with 330+ items, 48 CFR-mapped policies, workforce training with completion tracking, BAA lifecycle management for all your vendors, incident response documentation, and continuous compliance scoring. Starting at $39/month.
Stop assuming. Start verifying.
Find out what your practice actually needs — in 5 minutes.
The free risk assessment shows you exactly where your practice stands — independent of what your EHR covers. No login. No credit card. Just clarity.