HIPAA Compliance
Is Your Practice Actually HIPAA Compliant? The Answer Might Surprise You
Most practices believe they are HIPAA compliant. Most are wrong. Take our assessment to find out where your real gaps are.

You are probably less compliant than you think
Here is a finding that should concern every practice owner: in OCR investigations, the most common deficiency is not a specific technical failure. It is the absence of a comprehensive, documented security risk assessment. Practices that believed they were compliant, that had policies, training records, and signed BAAs, were found deficient because their entire compliance program rested on assumptions rather than evidence.
This is not about bad intentions. Independent healthcare providers are focused on patient care, as they should be. But the gap between perceived compliance and actual compliance is where regulatory exposure, financial liability, and patient data risk all converge.
The compliance blind spot most practices do not see
Compliance blind spots persist because the most visible compliance activities are also the least meaningful:
"We have an EHR, so we are covered"
An EHR is a tool, not a compliance program. Your EHR vendor is responsible for the security of their platform, and contractually accountable for it once a BAA is in place. You are responsible for everything else: how staff access the EHR, who has credentials, whether those credentials use multi-factor authentication, how data exported from the EHR is handled, where backups are stored, and how ePHI moves between the EHR and every other system in your practice.
A practice with a certified EHR and no access controls, no audit logging, no encryption on workstations, and no documented risk assessment is not compliant. It has one secure system surrounded by an ocean of exposure.
"We do annual training"
Annual training satisfies one standard of the HIPAA Security Rule, security awareness and training (45 CFR 164.308(a)(5)). It does not satisfy the Rule's other administrative, physical, and technical standards and their implementation specifications. And if the training itself is a generic online module that staff click through in 20 minutes, it is meeting the letter of the requirement while missing the intent entirely.
OCR looks for training that is relevant to each workforce member's role, that addresses current threats (not threats from 2018), and that is reinforced throughout the year — not delivered once and forgotten.
"We have a privacy policy on our website"
A website privacy policy is not a Notice of Privacy Practices (NPP). These are different documents with different requirements, different distribution rules, and different legal implications. Having a web privacy policy is good practice for any business. It does not satisfy the HIPAA Privacy Rule requirement to provide an NPP to every patient at the first delivery of service.
Even if you do have a proper NPP, it covers the Privacy Rule. The Security Rule — which governs technical protections for ePHI — is an entirely separate set of requirements that a privacy notice does not address.
"Our IT guy handles security"
If "our IT guy" is a part-time consultant who manages your network, updates your software, and troubleshoots printer issues, that person is providing IT support. IT support and HIPAA security are overlapping but distinct disciplines.
HIPAA security requires a designated Security Officer (which can be an existing staff member), a documented security management process, formal risk analysis, sanction policies for violations, information system activity review, and dozens of other administrative and technical safeguards. Keeping Windows updated is necessary but not sufficient.
What OCR actually looks for
When OCR investigates a practice, whether triggered by a complaint, a breach report, or a compliance audit, it follows a published audit protocol. Here is what they examine:
Risk analysis and risk management
The foundation. OCR wants to see a thorough, current security risk assessment that identifies threats to ePHI, evaluates vulnerabilities, assesses likelihood and impact, and documents the safeguards in place to address each risk. "Current" means updated when the environment changes — new technology, new vendors, new office locations, staff turnover — not just annually.
The risk assessment must be documented. A practice that says "we thought about security" cannot prove it. A practice that produces a dated, signed risk assessment with identified risks and remediation plans can.
Policies and procedures
OCR checks for written policies covering every standard in the Security Rule. These cannot be generic templates downloaded from the internet. They must reflect your practice's actual environment, technology, and workflows. A policy that references systems you do not use or omits systems you do use is a red flag.
Business Associate Agreements
Every vendor that creates, receives, maintains, or transmits ePHI on your behalf is a business associate and needs a BAA. The narrow "conduit" exception covers only services that merely transport PHI, such as the postal service or an ISP; a vendor that stores PHI, even encrypted and without ever reading it, is a business associate. OCR will ask for a complete inventory of business associates and corresponding agreements. Common gaps: IT support, cloud storage (Google Drive, Dropbox), email providers, billing services, answering services, and shredding companies. Read about HIPAA acronyms and what BA and BAA mean if these terms are unfamiliar.
Access controls and audit logs
Who can access ePHI? How are they authenticated? Is access logged? Are logs reviewed? OCR expects unique user IDs for every workforce member (45 CFR 164.312(a)(2)(i); no shared logins), strong authentication, with multi-factor authentication the expected baseline today and a required control under the Security Rule update HHS proposed in January 2025, automatic logoff after a period of inactivity (164.312(a)(2)(iii)), and regular review of audit logs for anomalies (the information system activity review in 164.308(a)(1)(ii)(D)). Logs that are generated but never read fail that last test.
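As an added illustration of the "are logs reviewed" point (example code written for this page, not part of any OCR protocol or EHR product), the following Python script runs that review over a constructed EHR audit export. The log format, the field names, the 30-minute logoff window, and the 07:00 to 19:00 business hours are assumptions; a real EHR's export will differ, but the three checks transfer directly: a user logged in on two workstations at once (a shared credential or an unattended session), sessions that outlive the automatic-logoff window, and access outside practice hours.

```python
"""Audit-log review for an EHR access export.

Flags the access-control anomalies a HIPAA activity review should catch:
concurrent sessions under one user ID, sessions longer than the automatic
logoff window, sessions never closed, and after-hours access.
"""
from collections import namedtuple
from datetime import datetime, time, timedelta

# Constructed sample export (not real data). Assumed CSV layout:
# timestamp,user,workstation,event,patient  (patient is blank for LOGIN/LOGOFF)
SAMPLE_LOG = """\
2025-03-03T08:02:11,jsmith,FRONTDESK-1,LOGIN,
2025-03-03T08:05:40,jsmith,FRONTDESK-1,VIEW,P1001
2025-03-03T08:09:02,jsmith,EXAMROOM-2,LOGIN,
2025-03-03T08:10:15,jsmith,EXAMROOM-2,VIEW,P1002
2025-03-03T08:30:00,jsmith,EXAMROOM-2,LOGOFF,
2025-03-03T12:00:00,jsmith,FRONTDESK-1,LOGOFF,
2025-03-03T09:00:00,drlee,EXAMROOM-1,LOGIN,
2025-03-03T09:12:30,drlee,EXAMROOM-1,VIEW,P1003
2025-03-03T23:41:09,billing,BILLING-1,LOGIN,
2025-03-03T23:42:00,billing,BILLING-1,VIEW,P1004
2025-03-03T23:50:00,billing,BILLING-1,LOGOFF,
"""

Event = namedtuple("Event", "ts user workstation event patient")


def parse_log(text):
    """Parse the CSV-style export into Events sorted by timestamp.

    Exports are often ordered by workstation rather than time, so sorting is
    essential before any session reconstruction.
    """
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ws, ev, patient = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), user, ws, ev, patient or None))
    return sorted(events, key=lambda e: e.ts)


def review_access_log(text, session_timeout=timedelta(minutes=30),
                      business_hours=(time(7, 0), time(19, 0))):
    """Return a list of (category, user, detail) findings.

    session_timeout is the automatic-logoff window the practice claims to
    enforce; business_hours is the window outside which access is unusual.
    Both values are assumptions for this example.
    """
    findings = []
    active = {}  # (user, workstation) -> login timestamp for open sessions
    for e in parse_log(text):
        in_hours = business_hours[0] <= e.ts.time() < business_hours[1]
        if e.event in ("LOGIN", "VIEW") and not in_hours:
            findings.append(("after_hours", e.user,
                             f"{e.event} on {e.workstation} at {e.ts.isoformat()}"))
        if e.event == "LOGIN":
            # Same user ID already open on another workstation: either the
            # credential is shared or the first workstation was left logged in.
            others = [ws for (u, ws) in active if u == e.user and ws != e.workstation]
            if others:
                findings.append(("concurrent_session", e.user,
                                 f"logged in on {e.workstation} while still active on {', '.join(others)}"))
            active[(e.user, e.workstation)] = e.ts
        elif e.event == "LOGOFF":
            start = active.pop((e.user, e.workstation), None)
            # A session longer than the timeout means automatic logoff did not fire.
            if start is not None and e.ts - start > session_timeout:
                findings.append(("timeout_not_enforced", e.user,
                                 f"session on {e.workstation} lasted {e.ts - start}"))
    # Anything still open at the end of the export was never logged off.
    for (user, ws), start in active.items():
        findings.append(("no_logoff", user,
                         f"session on {ws} opened {start.isoformat()} never closed"))
    return findings


if __name__ == "__main__":
    for category, user, detail in review_access_log(SAMPLE_LOG):
        print(f"{category:22} {user:10} {detail}")
```

Run against the sample, the script flags jsmith for an overlapping session and a four-hour session on the front-desk workstation, drlee for a session that was never closed, and the billing account for access near midnight. Each finding is the kind of evidence OCR expects a practice to be able to produce from its activity review, together with the documented follow-up.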
Encryption
Encryption is an "addressable" implementation specification, but addressable does not mean optional: a practice must implement it, or document why it is not reasonable and appropriate and implement an equivalent alternative protection. Few practices can make that case. OCR has settled multiple cases specifically citing the failure to encrypt ePHI on portable devices (laptops, USB drives, phones) and in email. Encryption also limits breach exposure directly: under HHS guidance, ePHI encrypted to NIST standards is "secured," so the loss or theft of a properly encrypted device is not a reportable breach.
Training documentation
Not just that training occurred, but what was covered, who attended, when it happened, and how it addressed current threats relevant to each person's role.
Incident response
Does the practice have a documented plan for responding to a security incident or breach? Has the plan been tested? Does staff know what to do if they suspect a breach? The plan must include breach investigation procedures, notification timelines (affected individuals must be notified without unreasonable delay and no later than 60 calendar days after discovery, under 45 CFR 164.404), documentation requirements, and mitigation steps.
The gap between perceived and actual compliance
Studies and audit findings consistently reveal the same pattern:
- The majority of healthcare organizations report confidence in their HIPAA compliance
- Yet OCR investigations routinely reveal significant compliance gaps in the majority of practices examined
- The #1 gap is the security risk assessment — either missing, incomplete, or outdated
- The #2 gap is access controls — shared passwords, no MFA, no automatic logoff
- The #3 gap is business associate management — missing BAAs, no vendor inventory
These gaps persist not because practices do not care, but because the compliance activities that feel productive — buying software, attending a webinar, posting a policy — are not the activities that OCR measures.
The practices that get into trouble are not the ones that ignored HIPAA entirely. They are the ones that did just enough to feel compliant without doing enough to actually be compliant.
Take our free 5-minute HIPAA assessment
We built the free risk assessment specifically for this problem. It does not ask you to read a 200-page guide or hire a consultant. It asks targeted questions about the controls that matter most — the same controls OCR evaluates — and gives you an immediate, clear picture of where your practice stands.
The assessment covers:
- Risk analysis status — Do you have a current, documented SRA?
- Access controls — Are you using unique credentials and MFA?
- Encryption — Is ePHI encrypted at rest and in transit?
- Business associates — Do you have a complete inventory and current BAAs?
- Training — Is your training current, role-specific, and documented?
- Incident response — Do you have a plan, and does staff know it?
No login required. No credit card. No sales call. Just a clear-eyed view of your compliance reality.
For practices that want to go deeper, the ePHI data flow mapper traces exactly where patient data moves in your environment, and the HIPAA roadmap provides a step-by-step path to full compliance.
Why this matters now
Attacks on independent healthcare providers have risen 6x since 2021. IBM's 2024 Cost of a Data Breach report puts the average cost of a healthcare breach at about $9.8 million. An estimated 35-40% of small practices that suffer a major breach close within two years.
The OCR enforcement pipeline is expanding. The Security Rule update HHS proposed in January 2025 would, if finalized as proposed, remove the "addressable" category and make controls such as multi-factor authentication, encryption of ePHI at rest and in transit, an asset inventory, and an annual compliance audit mandatory. State attorneys general, who can already enforce HIPAA directly under the HITECH Act, are also pursuing HIPAA-adjacent enforcement under state privacy laws.
The question is not whether your practice will face scrutiny. It is whether your compliance program will hold up when it does.
Find out now. Not after the breach. Not after the audit letter. Now.
