← All articles

Seven HIPAA Mistakes We See in Medical Practices Every Month

After auditing dozens of medical practice environments, the same mistakes keep showing up. Most have low-cost fixes — but only if you know to look for them.

🏥

HIPAA enforcement is increasing, and the Office for Civil Rights doesn't need a breach to investigate — patient complaints, vendor incidents, and even random audits can trigger an investigation. After looking at the inside of many medical and dental practices, certain gaps appear so frequently that we now check for them by default. Here are the seven we see most.

1. Missing or Outdated Business Associate Agreements

HIPAA requires a written Business Associate Agreement (BAA) with every vendor that creates, receives, maintains, or transmits PHI on your behalf. That includes your IT company, your email provider, your cloud storage, your EMR vendor, your billing service, your shredding company, and any third-party app that touches patient data.

In practice, most practices have BAAs with their EMR vendor and maybe their IT provider. Email providers, file storage, fax services, marketing tools, and patient communication apps frequently get missed. If patient information could pass through it, you need a BAA.

2. MFA Disabled or Inconsistent

Multi-factor authentication is one of the highest-impact controls you can deploy — and one of the most commonly disabled. Practices often enable MFA at first, then turn it off for specific users who complain. That undermines the security model entirely. Stolen credentials are the entry point for most breaches; MFA closes that door.

3. Old Employees Still Have Access

When staff leave, their accounts often remain active for months. Email forwarding rules they set up keep forwarding messages. Their device may still have cached credentials. Their access to the EMR may still work. HIPAA requires a formal termination process with documented account deactivation. If your practice doesn't have a written offboarding checklist, this is a gap.

4. Backups That Aren't Tested

Most practices have backups. Far fewer test whether the backups actually restore. The HIPAA Security Rule requires regular testing of backup integrity. If a ransomware attack hit tonight, would you know how long restoration would take? Would your backup actually contain what you need? Quarterly test restores answer those questions before you need to know.

5. Audit Logs Not Reviewed

EMRs and cloud platforms generate detailed audit logs of who accessed what, when, from where. HIPAA requires retention of these logs for at least six years and review for suspicious activity. In many practices, the logs run, but nobody looks at them. A failed audit happens when OCR asks for the logs and the practice produces them — only to discover they show unexplained access patterns that should have been investigated.

6. No Documented Incident Response Plan

When something happens — a phishing click, a lost laptop, a ransomware notification, a staff member sharing the wrong patient's records — the practice needs to know what to do. HIPAA requires a documented incident response plan with breach assessment procedures. "We'll call our IT company" is not a plan. A plan covers who decides, what gets documented, when and how to notify affected patients, and how to report to OCR.

7. Workforce Training That Doesn't Happen

HIPAA requires training for each workforce member, with refresher training as needed and documentation of completion. The most common gap is not the absence of training entirely — it's training that happened once when someone was hired in 2021 and was never repeated. Annual refresher training, documented per employee, with content covering current threats (phishing, social engineering, ransomware) is the standard.

The Common Thread

Notice that none of these requires expensive technology. They're operational gaps — policies that don't exist, procedures that aren't followed, controls that get disabled because they're inconvenient. HIPAA isn't primarily a technology problem. It's an operational discipline. The right technology supports the discipline, but it can't replace it.

Have questions?

Let's talk about your environment.

Every industry has its own compliance shape and operational rhythm. We'll help you sort out where you actually stand — no sales pressure, no scripted demo.