There are several aspects of HIPAA compliance that elude most businesses. However, failing to address the full HIPAA requirements puts healthcare businesses at risk of breaches, fines, and lost reputation. If your organization handles sensitive and personal data, you'll want to know about the most common HIPAA compliance issues and how to address them.

The 7 Most Common HIPAA Compliance Issues

  1. Failing to Conduct Security Risk Analysis
  2. Lack of Adequate Security Controls
  3. Inadequate Device Security Protections
  4. Failing to Conduct Vendor Due Diligence
  5. Outdated HIPAA Policies and Procedures
  6. Failing to Implement Data Backup and Disaster Recovery
  7. Lack of Comprehensive Employee Training

1. Security Risk Analysis

An important part of HIPAA compliance, and an area in which most audited businesses fail to address, is conducting an enterprise-wide security risk analysis through a trusted managed service provider (MSP), like CTTS. The purpose of conducting a risk analysis is to identify gaps and vulnerabilities in your organization’s security practices. HIPAA requires you to conduct a risk analysis annually, or whenever there are changes to your business operations.

2. Security Controls

Implementing advanced security controls is the best way to prevent unauthorized access to protected health information (PHI). Security controls may include encryption to prevent unauthorized users from accessing data, access controls to designate different levels of access to data based on an employee’s job role, and audit controls to track access to data.

3. Device Security Protections

Device security protections have never been more important with the increase in remote workers. Many remote workers use personal devices to conduct business, however, before permitting an employee to do so, it is essential to ensure that their personal devices have adequate security protections in place.

4. Vendor Due Diligence

Many organizations fail to conduct vendor due diligence when considering new vendors. But, their vulnerabilities are ultimately your vulnerabilities. Additionally, when you fail to vet vendors, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) will hold you liable should your vendor experience a breach. To conduct vendor due diligence, you must send your vendors a risk analysis much like the one you are required to complete. You must also have a signed business associate agreement with your vendor before it is permitted to share PHI with them.

5. HIPAA Policies and Procedures

HIPAA policies and procedures are an important aspect of preventing HIPAA compliance issues. Policies and procedures provide your organization and employees with guidelines on the proper uses and disclosures of PHI, how to protect PHI, and how to report a breach should one occur.

6. Data Backup and Disaster Recovery

As more and more healthcare organizations fall victim to cyberattacks that maliciously encrypt their data, implementing a data backup and disaster recovery plan is the key to a quick recovery. HIPAA requires you to retain exact copies of PHI in both local and offsite data locations so that in the event of breach or natural disaster, files can be easily accessible.

7. Employee Training

Employee training is integral to HIPAA compliance. Employees must be trained annually on HIPAA basics, your organization’s policies and procedures, and cybersecurity best practices.

It may seem like a tedious process to be HIPPA compliant, but CTTS takes all the hassle way and ensure your peace of mind remains intact. All you have to do is give us a call and we’ll take it from there: (512) 388-5559.



Josh Wilmoth
CEO, Central Texas Technology Solutions