
98% of Practice Managers Believe They're HIPAA-Compliant. The Data Says Otherwise.

Last updated: April 5, 2026

TLDR

98% of small practice managers believe they are HIPAA-compliant (Paubox, 2025). Only 35% have completed a security risk analysis. Only 24% have evaluated their Business Associate Agreements. Only 55% have any compliance plan. This gap is not negligence — it's a structural problem created by complexity, vendor misdirection, and no single compliance deadline. This guide explains what drives the gap and what closing it actually requires.

The confidence-compliance gap in small medical practices is one of the clearest patterns in HIPAA enforcement research. Practice managers are not dishonest about their compliance status — they believe what they say. The problem is that what they believe has very little connection to what HIPAA actually requires.

The Confidence Gap

The 98% confidence figure and the 35% risk-analysis completion rate cannot both be true of the same practices. If 98% of managers believe they are compliant and only 35% have completed a required compliance element, then roughly 63% of managers have an incorrect picture of their own compliance status.

The gap is not explained by managers lying on surveys. It comes from a mismatch between what managers understand “HIPAA compliance” to mean and what HIPAA actually requires.

What Small Practices Are Actually Doing: The Data

HIPAA Compliance Activity in Small Practices (Paubox, 2025 / NueMD, 2014)

Compliance Activity                        | % Completed | Source
Believe they are fully HIPAA-compliant     | 98%         | Paubox 2025
Have any compliance plan                   | 55–58%      | NueMD 2014 / Paubox 2025
Have designated a Privacy Officer          | ~55%        | NueMD 2014
Have completed a security risk analysis    | 35%         | Paubox 2025
Have evaluated all BAA relationships       | 24%         | Paubox 2025
Have implemented secure email protocols    | 1%          | Paubox 2025
Have a comprehensive compliance program    | 20–34%      | NueMD 2014

The data tells a consistent story. Most practices have done the most visible, once-at-setup steps — like signing a BAA with their EHR and knowing what HIPAA is. Far fewer have done the ongoing, documented, programmatic work that OCR actually checks: risk analysis updates, BAA inventories, training records, and written policies.

The 1% secure email implementation rate is particularly striking. Nearly every email used in clinical coordination goes through Gmail, consumer Outlook, or a similar provider that has not been configured for HIPAA. Practices using them believe their EHR handles email compliance. It doesn’t.

Why the Gap Exists

Three structural factors create the compliance confidence gap.

HIPAA’s complexity is real. HIPAA is not one rule — it is three rules (Privacy Rule, Security Rule, Breach Notification Rule) with multiple implementation specifications, each of which requires specific documentation. A practice manager without a compliance background cannot intuit the requirements from general HIPAA awareness. Most small practices never receive a formal explanation of what the program requirements actually are.

EHR vendors claim HIPAA coverage they don’t provide. Every major EHR markets itself as HIPAA-compliant. This is true in a narrow sense: the EHR vendor signs a BAA and operates its system with appropriate safeguards. But managers frequently interpret “our EHR is HIPAA-compliant” as “we are HIPAA-compliant because we use an EHR.” The EHR BAA covers the EHR relationship. It does not cover the 15 other tools clinical staff use to coordinate patient care.

There is no compliance deadline or certification. HIPAA has no annual compliance certification, no license renewal that requires documented compliance, and no routine audit trigger. The only external check is an OCR complaint or breach investigation. Practices operate for years without anyone asking to see their risk analysis, and assume that the absence of problems means compliance is fine.

The Consumer Tools Problem

The most pervasive compliance gap is also the most invisible: widespread use of consumer tools for PHI coordination.

The vendors behind consumer messaging apps — iMessage, standard SMS texting, WhatsApp — will not sign BAAs for their consumer tiers. Using them for PHI creates a violation regardless of whether staff understand the risk. The practice, not the individual staff member who chose the tool, is the responsible party.

The same applies to consumer Gmail, standard Microsoft accounts without HIPAA configuration, and consumer versions of collaboration tools like Slack (non-Enterprise) and Google Workspace (without BAA configuration). Many of these tools are actively marketed to healthcare organizations. Marketing language like “secure messaging for healthcare” does not mean the tool has a BAA available.

Practices that have signed a BAA with one communication vendor sometimes assume that covers their communication compliance broadly. It does not. Each vendor in each tool category — email, task management, messaging, file storage — requires its own BAA.

What “HIPAA-Compliant” Actually Requires

The three HIPAA rules each impose distinct requirements on a small practice.

Privacy Rule. Designate a Privacy Officer. Write and post a Notice of Privacy Practices. Establish minimum necessary use policies (staff access only the PHI needed for their task). Handle patient access requests. Train all staff.

Security Rule. Conduct a documented security risk analysis. Implement technical safeguards (encryption, access controls, audit logs). Implement physical safeguards (workstation policies, device controls). Implement administrative safeguards (documented policies, designated Security Officer, workforce training). Sign BAAs with all vendors handling electronic PHI.

Breach Notification Rule. Know what constitutes a reportable breach. Notify affected individuals within 60 days of discovery. Report breaches affecting 500+ individuals to OCR within 60 days. Report smaller breaches in annual summaries.

Most practices that say “we’re HIPAA-compliant” have done pieces of this. Most have not done all of it in a documented, auditable way.

Closing the Gap Without a Compliance Department

The compliance gap is real but manageable. Four steps address the most common deficiencies in priority order.

Step 1: Complete a security risk analysis. This is OCR’s #1 enforcement target. Use HHS’s free Security Risk Assessment Tool at healthit.gov. Document every place PHI exists in your practice — EHR, email, task tools, phones, paper records. Assess threats. Record what you find. Update it annually.

Step 2: Conduct a BAA inventory. List every vendor your practice uses that touches PHI. Check whether a signed BAA exists for each one. Common gaps: email provider, task management tool, cloud storage, billing service, fax service, IT support vendor. Any gap is a violation. Fix it by either getting the BAA or switching to a vendor that will sign one.

Step 3: Run documented workforce training. Every staff member who touches PHI needs annual training. Use an e-learning platform that produces completion records. Keep records for 6 years — it’s the documentation OCR asks for.

Step 4: Replace consumer tools with HIPAA-compliant alternatives. This is the step most practices delay. Staff are used to their tools. But the compliance exposure from consumer SMS and non-BAA-covered messaging accumulates daily. HIPAA-native task and workflow tools that sign BAAs exist at every price point, including flat-rate options that don’t penalize practices for having more than a few staff.


DEFINITION

Security Risk Analysis (SRA)
A required HIPAA Security Rule activity in which a covered entity documents threats and vulnerabilities to electronic PHI. Only 35% of small practices have completed one, according to 2025 Paubox survey data.

DEFINITION

Business Associate Agreement (BAA)
A required contract with any vendor that handles PHI on the practice's behalf. A BAA with your EHR does not cover your email provider, task management tool, or messaging apps. Only 24% of small practices have evaluated all their BAA relationships.

DEFINITION

Minimum Necessary Standard
A HIPAA Privacy Rule requirement that staff access only the PHI necessary for their specific task. Widespread use of consumer group messaging violates the minimum necessary standard by exposing PHI to staff who don't need it.

Q&A

Why is there such a large gap between HIPAA compliance confidence and actual compliance among small practices?

The confidence gap has three causes. HIPAA's complexity creates a knowledge gap — managers know HIPAA exists but not what it specifically requires. EHR vendors market their tools as HIPAA-compliant, leading practices to assume the EHR relationship covers all obligations. And there is no external certification or deadline that forces a compliance audit, so gaps persist undetected.

Q&A

What does actual HIPAA compliance require that most small practices are missing?

The four most commonly missing elements are: a documented security risk analysis (absent at 65% of small practices), a complete BAA inventory covering all vendors (absent at 76%), comprehensive workforce training with records (absent at many practices), and elimination of consumer tools used for PHI coordination. None of these require a consultant — they require time, documentation, and the right tools.

Q&A

What are the three HIPAA rules and what does each require from a small practice?

The Privacy Rule governs who can access PHI and for what purposes, requires a Notice of Privacy Practices, and requires a designated Privacy Officer. The Security Rule requires technical, physical, and administrative safeguards for electronic PHI, including a documented risk analysis. The Breach Notification Rule requires notifying affected individuals within 60 days of discovering a breach, reporting breaches affecting 500+ individuals to HHS within 60 days, and reporting smaller breaches in an annual summary.

Want to learn more?

Why do practice managers believe they're HIPAA-compliant when they're not?

Three factors drive the gap. First, HIPAA complexity means most managers have a general awareness of HIPAA but do not know the specific program requirements well enough to identify their own gaps. Second, EHR and technology vendors frequently market their tools as 'HIPAA-compliant,' leading managers to believe the EHR relationship covers all compliance obligations. Third, there is no single HIPAA compliance deadline or certification that provides an external check.

What does a security risk analysis require?

A compliant SRA identifies every location where PHI is created, stored, received, or transmitted; evaluates threats and vulnerabilities to each; assesses current safeguards; and documents findings in a format OCR can review. It must be updated annually and whenever significant changes occur. The HHS Security Risk Assessment Tool provides a free structured format.

What does 'evaluated BAAs' mean and why does it matter?

A BAA evaluation means reviewing every vendor relationship to determine which vendors handle PHI and confirming that signed BAAs exist for each. 76% of practices in Paubox's 2025 survey had not done this review. Operating with a vendor that handles PHI and no signed BAA is a HIPAA violation regardless of whether the practice was aware of the gap.

Does signing a BAA with our EHR mean we're HIPAA-compliant?

No. A BAA with your EHR covers your EHR relationship. It does not cover your email provider, task management tool, cloud storage, billing service, messaging apps, or any other vendor that touches PHI. HIPAA compliance requires BAAs with every vendor handling PHI plus a documented compliance program covering risk analysis, policies, training, and breach notification.

How do consumer apps create HIPAA exposure even when staff don't realize it?

Consumer SMS, Gmail, WhatsApp, and similar apps process PHI when staff use them for patient coordination. These vendors will not sign BAAs for consumer product tiers. Using them for PHI-related communication is a HIPAA violation. 60–80% of clinical staff use consumer SMS for coordination (PMC, 2023). Most practices are unaware this is occurring at scale.

What is the fastest way for a practice to close the compliance gap?

Prioritize in this order: (1) complete a security risk analysis — it's the most commonly cited OCR deficiency; (2) conduct a BAA inventory — list every vendor touching PHI and confirm signed BAAs exist; (3) run workforce training — an annual requirement for all staff; (4) replace consumer tools with HIPAA-compliant alternatives that sign BAAs.
