
Common HIPAA Compliance Issues in Healthcare Organizations

Ever seen an Olympic runner trip during their race? They’re on the biggest stage, having done all that work, and then somehow, something goes wrong and their shining moment ends in heartbreak for whatever reason—an errant pebble on the track, accidental tangling with another competitor, too much or too little momentum.

No matter what you’re doing, it’s a terrible thing to be tripped up, and your HIPAA compliance is no exception. As HIPAA assessors, we’ve seen many organizations stumble in their attempts—several aspects continue to elude most businesses, which is unfortunate, as failing to address the full HIPAA requirements puts healthcare organizations at risk of breaches and fines.

But that’s why we’re going to outline seven common HIPAA compliance issues and how to proactively address them. With this extra guidance, you can then pivot to ensure your organization isn’t caught in the same pitfalls.

7 HIPAA Compliance Issues and How to Avoid Them

1. Failure to Perform and Maintain an Organization-Wide Risk Analysis

Despite being the first step to ensuring compliance with the HIPAA Security Rule, one of the most common HIPAA violations to result in a financial penalty—as in, six-figure settlements—is the failure to perform an organization-wide risk analysis.

HIPAA requires you to conduct a risk analysis annually, or whenever your business operations change. Performing thorough risk assessments periodically does more than keep you compliant and surface gaps and vulnerabilities in your organization’s security practices.

If a patient files a HIPAA complaint, the first thing the government will ask for when investigating is your most recent risk analysis. The absence of a risk analysis, or of one that is up to date, has been prominently cited as the justification for large fines when a substantial data breach occurs.

Avoid This HIPAA Issue By:

  • Implementing an in-house risk analysis; or
  • Contracting a reputable third-party auditor to perform the task for you.

2. Failure to Manage Security Risks / Lack of a Risk Management Process

Performing a risk analysis is essential, but perhaps even more important, healthcare organizations must then act on the recommendations it yields and remediate any security risks and vulnerabilities as soon as possible, or risk even more severe fines.

Knowing about risks to electronic protected health information (ePHI) and failing to address them is another common HIPAA violation often penalized by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

Avoid This HIPAA Issue By:

Subjecting any identified risks to a risk management process. Prioritize, document, and address them in a reasonable time frame.

3. Failure to Audit and Regularly Verify HIPAA Compliance

Another common HIPAA pitfall is the simple failure to audit and verify your ongoing compliance. While many healthcare organizations and providers have departments dedicated to remaining compliant, smaller operations can fall out of step.

HIPAA also requires that healthcare organizations regularly audit their systems for intrusions and maintain policies and procedures for how and when that monitoring will occur; without them, an intrusion could go undetected for a long time.

Avoid This HIPAA Issue By:

  • Cross-checking internal policies and practices for security vulnerabilities.
  • Implementing a comprehensive plan to address gaps.
  • Regularly reviewing audit logs for anomalous activity.
  • Frequently checking for the latest HIPAA regulations.

4. Failure to Enter into a HIPAA-Compliant Business Associate Agreement (BAA)

All vendors that are provided with or given access to PHI are required to enter into a HIPAA-compliant business associate agreement, yet the absence of one is another common HIPAA violation. Many organizations fail to conduct adequate due diligence when considering new vendors; when an organization fails to enter into a BAA, it is usually the result of a lack of oversight or of simply not understanding the HIPAA laws and requirements.

But your vendors’ vulnerabilities are ultimately your vulnerabilities, and when you fail to vet these third-party organizations, the OCR will hold you liable should your vendor experience a breach.

Avoid This HIPAA Issue By:

  • Sending your vendors a risk analysis much like the one you’re required to complete.
  • Completing a signed business associate agreement with your vendor before sharing PHI with them.
  • Appointing a specific individual or department to oversee managing all third-party contracts and ensure that the entire BAA process is complete and compliant with HIPAA.
    • You can also use third-party risk management (TPRM) solutions to help oversee vendors, contractors, and other third parties within your supply chain.

5. Insufficient ePHI Access Controls

Though the HIPAA Security Rule requires covered entities and their business associates to limit access to ePHI to authorized individuals, failure to implement appropriate ePHI access controls is another regular HIPAA violation, and one that has resulted in several financial penalties.

The “appropriate” security controls that can help prevent unauthorized access to ePHI include:

  • Encryption to prevent unauthorized users from accessing data
  • Access controls to designate different levels of access to data based on an employee’s job role
  • Audit controls to track access to data

Avoid This HIPAA Issue By:

  • Ensuring that your organization has robust information system monitoring protocols in place.
  • Exploring different security measures such as multi-factor authentication, and determining which ones will maintain HIPAA compliance without being an excessive burden on your authorized employees.

6. Denying Patients Access to Health Records Within the Required Timeframe

The HIPAA Privacy Rule gives patients the right to access their medical records and obtain copies on request, allowing them to check their records for errors and share them with other entities and individuals. Despite this, many healthcare organizations deny patients copies of their health records, overcharge for copies, or fail to provide those records within 30 days—all violations of HIPAA.

OCR has made this area one of its key enforcement objectives in recent years, so here’s what you need to know to comply:

  • You must provide copies in the format requested by the patient if you are able to do so. In most situations, this means that if you keep electronic medical records (EMRs) and a patient requests a digital copy (such as a PDF), you must provide one if your current system has that capability.
  • When providing records to a patient, a provider may only charge a “reasonable, cost-based” fee for copies. Be aware that charging a per-page copy fee, typical with paper records, may no longer be considered reasonable or cost-based with EMRs.
    • You may not deny a patient a copy of their medical records because of unpaid charges for services received.
    • Additionally, in some cases, you may not charge a fee for searching for and retrieving medical records. Refer to your state-specific laws related to copying fees.

Avoid This HIPAA Issue By:

Establishing clear and strict procedures for responding to patient requests within the 30-day timeframe, including procedures that enable your administrative staff to respond to requests and distribute the records on time.

7. Failure to Report a Breach in Time

The HIPAA Breach Notification Rule requires covered entities to issue notifications of breaches without unnecessary delay, and certainly no later than 60 days following the discovery of a data breach, yet exceeding that timeframe is a common HIPAA violation that carries serious potential penalties.

Avoid This HIPAA Issue By:

  • Ensuring that you transmit the relevant breach details to the OCR and to the affected individual(s) whenever their ePHI is breached.
  • Identifying and fixing any infractions, taking responsibility for them by reporting them, and committing to that three-part process so that the final step, reporting, becomes second nature.

This may seem like an obvious solution, but reporting is easily forgotten.

Ensuring Your Ongoing HIPAA Compliance

If you discover an aspect of your organization that is in breach of HIPAA and you fail to address it in a timely manner, you are in violation, and the longer the breach persists, the harsher the final penalties levied against you will be.

As such, once you identify an issue, correct it immediately. You now have seven areas in which you can take proactive measures to solidify your HIPAA compliance and avoid being the Olympic runner who trips on the track.

Should you be interested in getting an independent third party’s opinion on your current standing, Schellman may be the right firm for you, as we perform complete HIPAA audits as well as an abbreviated service called HIPAA Express that is geared toward healthcare organizations and focused on risk. If you’d like to learn more, please contact us so that we can answer any questions you may have.

About Schellman

Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.