After years of performing HIPAA risk assessments for healthcare practices across Nashville and Middle Tennessee, we see the same HIPAA IT compliance failures show up again and again. They are not exotic attack scenarios. They are fundamental gaps, such as missing risk assessments, shared logins, and unencrypted laptops, that the Office for Civil Rights (OCR) has been penalizing consistently and increasingly.
Most practices do not realize they have these gaps until OCR comes knocking or a breach forces the issue. This post breaks down the five most common HIPAA IT compliance failures we see in real practices, why OCR targets them, and what you can do to fix each one. If you want a broader view of what a solid compliance program looks like, our HIPAA IT compliance checklist covers the full scope. This post is the other side — what goes wrong, and what it costs when it does.
OCR enforcement is accelerating
Many smaller practices assume OCR focuses on large hospital systems and insurance carriers. That was arguably true a decade ago. It is not true now.
Civil monetary penalties are tiered by culpability, from violations the organization did not know about up to uncorrected willful neglect, and the annual cap for a single violation category now exceeds $2 million. The Right of Access Initiative, launched in 2019, targets individual practices that fail to give patients timely access to their records; settlements under it have reached practices as small as a single provider.
Banner Health paid $1.25 million for a breach affecting nearly 3 million records. Anthem's $16 million settlement remains the largest in HIPAA history. But the trend that should concern Nashville healthcare practices is the growing number of six-figure settlements against small and mid-size organizations. A five-provider practice in Middle Tennessee is held to the same standards as a major health system.
The same handful of HIPAA IT compliance failures appear in case after case. Address these five areas and you eliminate the vast majority of the risk.
Failure #1 — No current risk assessment
This is the single most frequently cited deficiency in OCR enforcement actions. The Security Rule calls it a risk analysis (45 CFR 164.308(a)(1)(ii)(A)), and a missing or outdated one appears in nearly every settlement agreement OCR publishes, often as the lead finding.
The problem we see with Nashville practices is not that they have never done one. Many completed a risk assessment years ago — during EHR adoption or initial setup. The issue is they treat it as a one-time event. The assessment from 2019 is in a binder on a shelf, and the practice has since changed EHR vendors, added telehealth, and onboarded new staff. None of those changes were reflected.
OCR expects the risk assessment to be a living document — reviewed at least annually and updated after any significant change. A stale risk assessment is treated the same as no risk assessment at all.
How to fix it:
- Conduct a comprehensive risk assessment covering every system that touches ePHI, including cloud services and mobile devices
- Schedule annual reviews on a fixed date — tie it to your malpractice renewal so it does not slip
- Document mid-year changes that affect ePHI handling and update the assessment accordingly
- Use a structured methodology rather than a generic questionnaire. OCR's own risk analysis guidance points to NIST SP 800-30, and the HHS/ONC Security Risk Assessment (SRA) Tool walks a small practice through the same elements
- Assign a specific person as responsible — if no one owns it, it will not happen
If your practice does not have the internal expertise to perform a thorough assessment, a vCISO engagement can provide the oversight and methodology without the cost of a full-time security hire.
Failure #2 — Missing or misconfigured access controls
Access control failures are the second most common finding in OCR enforcement actions. The principle is straightforward: only authorized individuals should access ePHI, and only the minimum necessary for their role. Here is what we see in nearly every small practice we assess across Middle Tennessee:
- Shared logins. Front desk staff sharing a single EHR account because "it is easier." This destroys your audit trail — you cannot determine who accessed what.
- No multi-factor authentication. Remote access to systems containing ePHI without MFA is an indefensible gap if OCR investigates.
- Excessive permissions. Billing staff with access to clinical notes they never need. Office managers with admin privileges on every system.
- No automatic logoff. Workstations in exam rooms sitting at active EHR sessions with no screen lock. Automatic logoff is an implementation specification of the Security Rule (45 CFR 164.312(a)(2)(iii)). It is "addressable," which means you implement it or document why an alternative is equivalent; it does not mean optional.
- Terminated employee access not revoked. We routinely find active accounts for employees who left months ago. In one assessment, a practice had 14 active accounts for a staff of eight.
OCR settlements regularly cite these exact issues. When a breach occurs and the investigation reveals that basic access controls were absent, penalties are compounded significantly.
How to fix it:
- Eliminate every shared account — every user gets a unique login, no exceptions
- Enable MFA on all systems that support it, starting with EHR, email, and remote access
- Implement role-based access controls and review permissions quarterly
- Configure automatic session timeouts on all workstations. HIPAA does not set a number; 15 minutes is a defensible ceiling for clinical environments, and shared exam-room machines should lock sooner
- Build an offboarding checklist that includes immediate access revocation across all systems
- Review your access logs — your managed IT provider should be doing this routinely
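As an added example (not TMTech's tooling and not code from the original post), the script below shows what the quarterly permission review and the log check in the list above look like when automated. It assumes three inputs you would export yourself: an HR roster, an account list from the EHR or Active Directory, and EHR audit-log lines in a timestamp,user,workstation,action layout; the column names and all sample data are constructed for the example. It flags enabled accounts with no active employee behind them, a terminated person still appearing in the log, dormant accounts, and accounts that log in from two different workstations within minutes of each other, which is the fingerprint of a shared credential.

```python
"""Access-review checks over exported rosters, account lists and EHR audit logs.

Added example, not from the original post. Input formats are assumptions:
two CSV exports (HR roster, account list) and audit-log lines shaped as
timestamp,user,workstation,action. All sample data below is constructed.
"""
import csv
from datetime import date, datetime, timedelta
from io import StringIO

# Constructed HR roster: who is actually employed right now.
HR_ROSTER_CSV = """name,status
jsmith,active
mlee,active
rpatel,terminated
dkim,active
"""

# Constructed account export: six enabled accounts for four people.
ACCOUNTS_CSV = """username,enabled,last_logon
jsmith,true,2024-05-10
mlee,true,2024-05-11
rpatel,true,2024-05-09
frontdesk,true,2024-05-11
dkim,true,2024-05-11
oldvendor,true,2023-11-02
"""

# Constructed EHR audit-log lines: timestamp,user,workstation,action
AUDIT_LOG = """2024-05-11T08:01:00,frontdesk,WS-RECEPTION1,login
2024-05-11T08:03:00,frontdesk,WS-RECEPTION2,login
2024-05-11T08:05:00,jsmith,WS-EXAM1,login
2024-05-11T09:10:00,rpatel,WS-BILLING,login
2024-05-11T09:30:00,mlee,WS-EXAM2,login
2024-05-11T12:40:00,mlee,WS-EXAM2,logout
2024-05-11T13:15:00,jsmith,WS-EXAM3,login
"""


def _rows(csv_text):
    return list(csv.DictReader(StringIO(csv_text)))


def _log_events(log_text):
    events = []
    for line in log_text.strip().splitlines():
        ts, user, workstation, action = line.split(",")
        events.append((datetime.fromisoformat(ts), user, workstation, action))
    return events


def orphaned_accounts(roster_csv, accounts_csv):
    """Enabled accounts that do not belong to an active employee.

    Catches both the departed employee whose account was never disabled and
    the generic 'frontdesk' style account that nobody in HR owns."""
    active = {r["name"] for r in _rows(roster_csv) if r["status"] == "active"}
    return sorted(a["username"] for a in _rows(accounts_csv)
                  if a["enabled"] == "true" and a["username"] not in active)


def dormant_accounts(accounts_csv, as_of, max_idle_days=90):
    """Enabled accounts with no logon in the last max_idle_days (as_of is a date)."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(a["username"] for a in _rows(accounts_csv)
                  if a["enabled"] == "true"
                  and date.fromisoformat(a["last_logon"]) < cutoff)


def terminated_users_in_log(roster_csv, log_text):
    """Users the roster marks terminated who still appear in the audit log."""
    gone = {r["name"] for r in _rows(roster_csv) if r["status"] == "terminated"}
    return sorted({user for _, user, _, _ in _log_events(log_text) if user in gone})


def shared_login_candidates(log_text, window=timedelta(minutes=30)):
    """Accounts that log in from two different workstations within `window`.

    One person cannot sit at two machines at once, so near-simultaneous logins
    from different workstations are the signature of a shared credential.
    A clinician moving between exam rooms over several hours is not flagged."""
    by_user = {}
    for ts, user, workstation, action in _log_events(log_text):
        if action == "login":
            by_user.setdefault(user, []).append((ts, workstation))
    flagged = set()
    for user, logins in by_user.items():
        logins.sort()
        for (t1, ws1), (t2, ws2) in zip(logins, logins[1:]):
            if ws1 != ws2 and t2 - t1 <= window:
                flagged.add(user)
    return sorted(flagged)


def access_review(roster_csv=HR_ROSTER_CSV, accounts_csv=ACCOUNTS_CSV,
                  log_text=AUDIT_LOG, as_of=date(2024, 5, 11)):
    """Run every check and return the findings in one dict."""
    return {
        "orphaned": orphaned_accounts(roster_csv, accounts_csv),
        "dormant": dormant_accounts(accounts_csv, as_of),
        "terminated_still_active": terminated_users_in_log(roster_csv, log_text),
        "shared_login_candidates": shared_login_candidates(log_text),
    }


if __name__ == "__main__":
    for check, hits in access_review().items():
        print(f"{check}: {', '.join(hits) if hits else 'none'}")
```

On the constructed data this reports frontdesk, oldvendor and rpatel as orphaned, oldvendor as dormant, rpatel as a terminated user still logging in, and frontdesk as a shared login; jsmith is not flagged because five hours separate the two exam-room logins. The 30-minute window and 90-day idle threshold are the knobs to tune for your practice, and the real value comes from running this against the actual exports every quarter and attaching the output to the review record.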
Failure #3 — Unencrypted ePHI
Encryption is an "addressable" safeguard under the HIPAA Security Rule (45 CFR 164.312(a)(2)(iv) for data at rest and 164.312(e)(2)(ii) for data in transit). Addressable does not mean optional: a covered entity or business associate must implement it where reasonable and appropriate, or document why it is not and put an equivalent alternative in place. In practice, OCR treats absent encryption as a significant deficiency in virtually every investigation.
- Laptops without full-disk encryption. The single most preventable cause of reportable breaches. A lost laptop with an unencrypted drive containing ePHI is a reportable breach. If the drive was encrypted in line with HHS guidance (which points to the NIST standards) and the key or passphrase was not lost along with it, the data is not "unsecured PHI" and the loss is not a reportable breach. The difference between a $100,000 settlement and a minor inconvenience is a setting that takes 30 minutes to enable.
- Unencrypted email containing PHI. Practices routinely send lab results and patient information via standard email. Staff often do not realize they are creating a compliance violation with every message.
- Cloud storage misconfiguration. Practices using consumer-grade cloud storage (personal Google Drive or Dropbox) for ePHI, without encryption or a BAA in place.
Settlements in the $500,000 to $1.5 million range frequently cite encryption gaps as a primary finding. These are preventable problems with known solutions.
How to fix it:
- Enable full-disk encryption (BitLocker for Windows, FileVault for Mac) on every device that touches ePHI, escrow the recovery keys centrally (Entra ID/Intune or your MDM) so a forgotten passphrase does not become a data-availability incident, and verify it is actually on rather than assuming it is (manage-bde -status on Windows, fdesetup status on macOS)
- Deploy an encrypted email solution or secure patient portal for any messages containing PHI
- Audit all cloud storage in use, including personal accounts staff may be using without IT's knowledge
- Ensure cloud vendors have signed BAAs and that sharing settings are locked down: no anyone-with-the-link sharing of patient files, external sharing off unless a workflow needs it, and audit logging turned on
- Encrypt all backups, whether local or cloud-based
Failure #4 — Backup and disaster recovery gaps
HIPAA requires covered entities to maintain the availability and integrity of ePHI, not just its confidentiality. The backup failures we encounter across Nashville healthcare practices follow a distressingly consistent pattern:
- Backups that have never been tested. The job runs nightly and reports success, but no one has attempted a full restore. A backup that has never been tested is not a backup — it is a hope.
- No offsite or immutable copies. Backups on the same network as production are destroyed by the same ransomware. We have seen practices lose primary data and every backup in a single event.
- No documented recovery procedures. Even when good backups exist, there is no plan for how to recover. Which systems come back first? Who decides? Without documentation, recovery is chaotic.
- No defined RTO or RPO. Practices have no idea how much data loss they can tolerate (RPO) or how quickly they need systems back (RTO). Without those benchmarks, you cannot evaluate your backup strategy.
OCR has increasingly focused on backup practices when investigating breach notifications. Practices that could not recover from ransomware due to inadequate backups face both the operational damage and the regulatory consequences.
How to fix it:
- Implement the 3-2-1 backup rule: three copies, two different media types, one offsite
- Add an immutable backup copy (object-lock storage or your backup vendor's immutable repository) that cannot be modified or deleted by ransomware, with a retention period longer than the time it would plausibly take you to notice an intrusion
- Test full restores quarterly and document the results
- Document your disaster recovery plan with specific procedures, responsibilities, and communication protocols
- Define your RTO and RPO for each critical system and verify your backup strategy meets those targets
- Ensure your cybersecurity and compliance program includes backup verification as a standard deliverable
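An added example, not TMTech's or the post's own tooling: the script below is the shape of the quarterly restore test the list above calls for. It builds a constructed "production" tree in a temporary directory, backs it up with a SHA-256 manifest, restores into a separate scratch directory, verifies every file against the manifest, and checks the backup's age against an RPO target. The directory layout and manifest format are assumptions; the point is that "the job reported success" is replaced by "the restored bytes match." The optional fault parameter tampers with or deletes a file inside the backup copy to show what a silent corruption or a ransomware-touched backup looks like to the check.

```python
"""Restore test: back up, restore elsewhere, verify hashes, check RPO.

Added example, not from the original post. Layout and manifest format are
assumptions; the 'production' data is a constructed placeholder.
"""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(src, dest):
    """Copy src into dest/data and record a manifest of path -> sha256 plus a timestamp."""
    shutil.copytree(src, dest / "data")
    manifest = {
        "created": datetime.now(timezone.utc).isoformat(),
        "files": {p.relative_to(src).as_posix(): sha256_file(p)
                  for p in sorted(src.rglob("*")) if p.is_file()},
    }
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_and_verify(backup, restore_to):
    """Full restore into restore_to, then compare every file with the manifest.

    Returns a list of problems; an empty list means the restore is good."""
    manifest = json.loads((backup / "manifest.json").read_text())
    shutil.copytree(backup / "data", restore_to, dirs_exist_ok=True)
    problems = []
    for rel, expected in manifest["files"].items():
        restored = restore_to / rel
        if not restored.exists():
            problems.append(f"missing: {rel}")
        elif sha256_file(restored) != expected:
            problems.append(f"hash mismatch: {rel}")
    return problems


def within_rpo(created_iso, rpo_hours, now_iso):
    """True if the newest backup is younger than the RPO.

    A backup that verifies perfectly but is three days old still fails a
    24-hour RPO; age is a separate check from integrity."""
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(created_iso)
    return age <= timedelta(hours=rpo_hours)


def run_restore_test(fault=None):
    """Build constructed data, back it up, optionally damage the backup, restore, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        prod = root / "prod" / "ehr"
        prod.mkdir(parents=True)
        # Constructed placeholder content standing in for an EHR database and notes.
        (prod / "db.sqlite").write_bytes(b"constructed ePHI placeholder\n" * 1000)
        (prod / "notes.txt").write_text("constructed clinical note placeholder\n")
        backup = root / "backup"
        make_backup(root / "prod", backup)
        # Simulate what a silent corruption or a ransomware-touched backup looks like.
        if fault == "tamper":
            (backup / "data" / "ehr" / "notes.txt").write_text("encrypted by attacker\n")
        elif fault == "delete":
            (backup / "data" / "ehr" / "db.sqlite").unlink()
        return restore_and_verify(backup, root / "restore")


if __name__ == "__main__":
    print("clean restore:", run_restore_test() or "OK")
    print("tampered backup:", run_restore_test(fault="tamper"))
    print("deleted file:", run_restore_test(fault="delete"))
```

In a real environment the manifest is written at backup time and stored with the immutable copy, the restore goes to an isolated host rather than a temp directory, and the verified output (problem list, backup age against RPO, wall-clock restore time against RTO) is what you file as evidence that the quarterly test happened.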
Failure #5 — No incident response plan
The final common HIPAA IT compliance failure is the absence of a documented incident response plan. When a potential breach occurs, practices without a plan waste critical time figuring out what to do instead of executing a known process.
HIPAA's Breach Notification Rule has specific requirements that many practices are unaware of until they are in the middle of an incident:
- 60-day notification window. You must notify affected individuals without unreasonable delay and in no case later than 60 calendar days after the breach is discovered; 60 days is the outer limit, not the target. A breach counts as discovered on the first day any workforce member or agent (other than the person who caused it) knows of it, or would have known with reasonable diligence. The clock does not wait for leadership to be formally briefed.
- HHS notification. Breaches affecting 500 or more individuals must be reported to HHS within the same window and are posted publicly on the OCR breach portal. Breaches affecting fewer than 500 must be logged and reported to HHS no later than 60 days after the end of the calendar year in which they were discovered.
- Documentation requirements. Even if an incident does not constitute a reportable breach, you must document your risk assessment and reasoning. "We looked into it and decided it was fine" is not sufficient.
- Media notification. Breaches affecting more than 500 residents of a state or jurisdiction require notification to prominent media outlets serving that area, within the same 60-day window.
We see Nashville practices with no written plan, no designated response team, and no understanding of these requirements. When a phishing compromise, lost device, or ransomware attack occurs, the result is panic and missed deadlines that turn a manageable event into a regulatory nightmare.
How to fix it:
- Create a written incident response plan covering identification, containment, eradication, recovery, and post-incident review
- Designate an incident response team with specific roles: breach determination, notifications, technical containment, and communications
- Include contact information for external resources: HIPAA-experienced legal counsel, your IT provider's incident response line, and your cyber insurance carrier's breach hotline
- Document the breach risk assessment process using the four-factor test from HHS guidance: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated
- Conduct a tabletop exercise at least annually to walk through a realistic scenario
- Train all staff to recognize and report potential security incidents immediately — every hour of delay is an hour lost on your notification clock
A vCISO can build and maintain your incident response plan and lead tabletop exercises — security leadership without a full-time executive hire.
How to close these gaps before your next audit
These five HIPAA IT compliance failures account for the vast majority of OCR findings. None require exotic technology or massive budgets. Here is a practical sequence for addressing them:
- Start with the risk assessment. Everything else flows from it. You cannot fix what you have not identified.
- Lock down access controls. Eliminate shared accounts, enable MFA, and build an offboarding process that actually works.
- Encrypt everything. Full-disk encryption, encrypted email, encrypted backups. No exceptions.
- Test your backups. Run a full restore test this quarter. If it fails, you have found a critical gap before OCR does.
- Write and exercise your incident response plan. You do not want the first time you use it to be a real breach.
For healthcare practices in Nashville and across Middle Tennessee, the stakes are real. OCR enforcement is not theoretical — settlements are public, and no practice is too small to investigate. The practices that invest in closing these gaps now will be in the strongest position when their compliance is tested — whether by an audit, a breach, or a patient complaint.
If your practice has not had a current risk assessment or you are unsure whether these gaps exist, TMTech provides focused HIPAA gap assessments that identify where your compliance stands and give you a prioritized remediation plan.
Schedule a HIPAA gap assessment and find out where your practice stands before OCR does.
