5 HIPAA Compliance Mistakes That Could Shut Down Your Practice (And How to Fix Them)
> TL;DR: Five HIPAA compliance mistakes account for the majority of OCR enforcement actions: outdated or missing risk assessments, untracked business associate agreements, unencrypted portable devices, inadequate workforce training documentation, and slow or undocumented breach responses. Each one is fixable in weeks with the right platform — but left alone, any single one can trigger six-figure penalties and public reputation damage. Run a free HIPAA audit-readiness self-assessment to see which of the five are hiding in your program today.
Between 2018 and 2025, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services collected over $142 million in HIPAA penalties and settlement agreements (Source: HHS OCR Enforcement Highlights). The organizations that paid those penalties were not all negligent or reckless. Many of them believed they were compliant. They had policies on paper. They had security tools deployed. But when OCR investigators looked under the hood, they found the same handful of failures showing up over and over again.
These are not obscure technical violations. They are fundamental compliance gaps that persist because organizations either misunderstand the requirements, underestimate the effort involved, or simply let things slide between audits.
This article identifies the five most common HIPAA compliance mistakes that lead to enforcement actions, explains why each one is dangerous, and provides concrete steps to fix them -- particularly in light of the 2026 HIPAA Security Rule updates that have raised the bar on several of these requirements.
Mistake 1: Outdated or Incomplete Risk Assessments
Why It Happens
The HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)(A)) requires covered entities and business associates to conduct a thorough risk analysis of all electronic protected health information (ePHI) in their environment. Most organizations know this. The problem is that many treat it as a one-time event -- something they completed three years ago, filed in a binder, and never revisited.
Others perform risk assessments that look comprehensive on the surface but miss entire categories of ePHI. A risk assessment that covers the EHR but ignores the cloud storage accounts staff use to share files, the personal devices clinicians bring into the office, or the legacy billing system that nobody wants to touch is an incomplete assessment, and OCR treats an incomplete analysis much as it treats a missing one.
Why It Is Dangerous
Failure to conduct an adequate risk analysis is the single most-cited deficiency in OCR enforcement actions. It appeared in the majority of Resolution Agreements published between 2016 and 2025, including high-profile settlements with Premera Blue Cross ($6.85 million), Anthem ($16 million), and Banner Health ($1.25 million). In each case, investigators found that the organization either had no documented risk analysis or had one that was so outdated or narrow that it failed to identify the vulnerabilities that led to the breach.
Under the 2026 HIPAA Security Rule updates, the requirements have become even more explicit. Risk assessments must now be conducted annually at minimum, with detailed documentation that includes a written assessment of each identified risk, the security measures in place to address it, and the rationale for any residual risk the organization has chosen to accept. "We did one in 2022" is no longer a defensible position. It arguably never was, but the updated rule eliminates any remaining ambiguity.
How to Fix It
Stop treating risk assessment as an annual project with a start date and an end date. Implement a continuous risk assessment process that identifies new threats as they emerge -- when you onboard a new vendor, deploy a new system, or change a workflow that involves ePHI.
Practically, this means:
- Maintain a living asset inventory that catalogs every system, device, and application that creates, receives, stores, or transmits ePHI.
- Map data flows so you know exactly where ePHI moves, who has access, and where it rests.
- Reassess after every material change -- a new EHR module, a migration to a new cloud provider, or a shift to remote work all warrant updated analysis.
- Use automated tracking to flag overdue assessments, document completion dates, and generate audit-ready reports.
A platform that automates risk assessment tracking and ties findings directly to remediation tasks closes the most common failure mode: the gap between identifying a risk and actually addressing it.
Mistake 2: Missing or Incomplete Business Associate Agreements
Why It Happens
The HIPAA Privacy Rule (45 CFR 164.502(e)) and Security Rule (45 CFR 164.314) require covered entities to execute Business Associate Agreements (BAAs) with every vendor, subcontractor, or service provider that creates, receives, maintains, or transmits ePHI on their behalf. The concept is straightforward. The execution is where things fall apart.
Healthcare organizations work with dozens, sometimes hundreds, of vendors. IT providers, billing companies, cloud hosting services, shredding companies, answering services, EHR vendors, email providers, telehealth platforms -- the list grows every year. Keeping track of which vendors have signed BAAs, whether those agreements are current, and whether they contain the required provisions is a substantial administrative burden. Many organizations simply lose track.
Why It Is Dangerous
When a business associate experiences a breach, the covered entity is exposed. If there is no BAA in place -- or if the BAA is outdated and does not reflect current regulatory requirements -- the covered entity may face direct enforcement action for failure to obtain satisfactory assurances from its business associates.
The 2026 rule updates make this even more urgent. Business associates are now required to report security incidents to their covered entities within 24 hours. That reporting obligation only works if there is a current, enforceable BAA that clearly defines incident notification procedures, timelines, and contact information. An outdated BAA that references a 60-day notification window, or one that does not specify a notification process at all, creates a gap that could delay your organization's breach response by days or weeks.
OCR has pursued enforcement actions specifically targeting BAA failures. In the case of North Memorial Health Care, a $1.55 million settlement resulted in part from the organization's failure to have a BAA in place with a major vendor that had access to ePHI for over 289,000 individuals.
How to Fix It
Centralize your vendor management. Every organization that handles ePHI needs a single, authoritative system that tracks:
- Which vendors have access to ePHI and in what capacity
- Whether a signed BAA is on file for each vendor
- When each BAA was last updated and whether it reflects current regulatory requirements, including the 2026 incident reporting provisions
- When each BAA expires or requires renewal
- Who owns each vendor relationship, with automated reminders that flag upcoming expirations and trigger renewal workflows
Do not rely on a shared spreadsheet maintained by one person in the compliance department. When that person leaves, the spreadsheet stops getting updated. Use a system that assigns ownership, sends automated alerts, and generates compliance reports showing BAA coverage across your entire vendor ecosystem.
Mistake 3: Unencrypted Devices and Data
Why It Happens
For years, the HIPAA Security Rule classified encryption as an "addressable" implementation specification under 45 CFR 164.312(a)(2)(iv) and 164.312(e)(2)(ii). "Addressable" did not mean optional -- it meant organizations had to assess whether encryption was a reasonable and appropriate safeguard and, if they decided not to implement it, document an equivalent alternative measure. In practice, many organizations interpreted "addressable" as "optional" and moved on.
That interpretation has always been wrong, and it has been expensive. Stolen or lost unencrypted laptops, USB drives, and mobile devices are consistently among the top reported breach categories on the HHS Breach Portal. A single unencrypted laptop containing a few thousand patient records can trigger a reportable breach, a full OCR investigation, mandatory notification to every affected individual, and penalties that dwarf the cost of the laptop itself.
Why It Is Dangerous
The 2026 HIPAA Security Rule updates have ended the "addressable" versus "required" distinction for encryption. Under the updated rule, encryption of ePHI at rest and in transit is a required implementation specification. There is no longer a regulatory pathway to decide that encryption is not reasonable and appropriate for your environment. If ePHI exists on a device or traverses a network, it must be encrypted using standards consistent with NIST guidelines.
Organizations that have been operating under the assumption that their "alternative measures" satisfied the encryption requirement now have a hard deadline to close that gap. Those that have already experienced a breach involving unencrypted data and did not remediate are in an especially precarious position, as OCR considers prior knowledge of a vulnerability to be an aggravating factor in penalty calculations.
How to Fix It
Implement a comprehensive encryption policy and enforce it technically, not just on paper:
- Full-disk encryption on all endpoints -- laptops, desktops, tablets, and any portable media. BitLocker, FileVault, and LUKS are standard options depending on your operating system environment. Escrow recovery keys centrally (directory service, MDM, or the vendor console) so a forgotten passphrase becomes a help-desk ticket rather than lost patient data, and never store a recovery key on the device it protects.
- Encryption of ePHI at rest in databases, file servers, cloud storage, and backup systems. Ensure your cloud providers offer encryption at rest by default and that you control the encryption keys or understand who does.
- Encryption of ePHI in transit using TLS 1.2 or higher for all network communications: file transfers, API integrations, remote access connections, and email. For email, note that opportunistic STARTTLS between mail servers silently falls back to plaintext when the peer does not offer TLS; for ePHI, require TLS (MTA-STS, or an enforced-TLS policy per partner domain on your mail gateway) or use a separate encrypted messaging channel.
- Mobile device management (MDM) that enforces encryption policies on any personal or organization-owned device that accesses ePHI. If a device cannot meet your encryption requirements, it should not have access.
- Regular audits that verify encryption is actually active on all devices and systems, not just configured in a policy document.
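As an added example (not code from the original article or from any vendor's product), the following Python audit checks whether each mounted filesystem on a Linux host, and its swap, actually sits on a dm-crypt (LUKS) device. It walks the JSON that `lsblk -J -o NAME,TYPE,MOUNTPOINT` emits and treats a mount as encrypted only if it or one of its ancestors is a `crypt` device, so LVM-on-LUKS layouts are handled correctly. The device tree it runs on is constructed for the example; the `ALLOWED_PLAINTEXT` set and the `[SWAP]` mount-point convention are assumptions noted in the code.

```python
"""Verify that mounted filesystems (and swap) really sit on an encrypted
block device, using the JSON output of `lsblk -J -o NAME,TYPE,MOUNTPOINT`.

Added example; not from the original article. Assumes the util-linux JSON
shape for those columns: a `mountpoint` string or null per node and an
optional `children` list. The sample tree below is constructed, not captured
from a real host.
"""
import json
import subprocess
from typing import Dict, Iterator, List, Tuple

# Constructed lsblk tree: sda1 is an unencrypted /boot, sda2 is a LUKS
# container holding an LVM volume group (root and swap both encrypted),
# and sdb1 is an unencrypted data partition mounted at /data.
SAMPLE_LSBLK_JSON = json.dumps({
    "blockdevices": [
        {"name": "sda", "type": "disk", "mountpoint": None, "children": [
            {"name": "sda1", "type": "part", "mountpoint": "/boot"},
            {"name": "sda2", "type": "part", "mountpoint": None, "children": [
                {"name": "luks-root", "type": "crypt", "mountpoint": None,
                 "children": [
                     {"name": "vg0-root", "type": "lvm", "mountpoint": "/"},
                     {"name": "vg0-swap", "type": "lvm", "mountpoint": "[SWAP]"},
                 ]},
            ]},
        ]},
        {"name": "sdb", "type": "disk", "mountpoint": None, "children": [
            {"name": "sdb1", "type": "part", "mountpoint": "/data"},
        ]},
    ]
})

# Assumption: the bootloader must read these, so plaintext is tolerated there.
# Everything else holding data, plus swap, is expected to be encrypted.
ALLOWED_PLAINTEXT = {"/boot", "/boot/efi"}


def walk(node: dict, encrypted: bool = False) -> Iterator[Tuple[str, str, bool]]:
    """Yield (device name, mountpoint, encrypted?) for every mounted node.

    A node counts as encrypted if it, or any ancestor in the tree, is a
    dm-crypt ("crypt") device; the mounted logical volume in an LVM-on-LUKS
    layout is itself type "lvm", so checking only the leaf would miss it.
    """
    encrypted = encrypted or node.get("type") == "crypt"
    mountpoint = node.get("mountpoint")
    if mountpoint:  # lsblk reports swap with the pseudo mountpoint "[SWAP]"
        yield node["name"], mountpoint, encrypted
    for child in node.get("children", []):
        yield from walk(child, encrypted)


def audit_encryption(lsblk_json: str) -> Dict[str, str]:
    """Map each mountpoint to "encrypted", "plaintext-allowed" or "UNENCRYPTED".

    Swap is included deliberately: unencrypted swap can page ePHI from memory
    to disk in the clear, which defeats full-disk encryption of the data volume.
    """
    tree = json.loads(lsblk_json)
    status: Dict[str, str] = {}
    for device in tree["blockdevices"]:
        for _name, mountpoint, enc in walk(device):
            if enc:
                status[mountpoint] = "encrypted"
            elif mountpoint in ALLOWED_PLAINTEXT:
                status[mountpoint] = "plaintext-allowed"
            else:
                status[mountpoint] = "UNENCRYPTED"
    return status


def findings(status: Dict[str, str]) -> List[str]:
    """Return the sorted list of mountpoints that fail the audit."""
    return sorted(m for m, s in status.items() if s == "UNENCRYPTED")


def audit_live_host() -> Dict[str, str]:
    """Run the audit against the current Linux host (needs util-linux lsblk)."""
    out = subprocess.run(
        ["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
        check=True, capture_output=True, text=True,
    ).stdout
    return audit_encryption(out)


if __name__ == "__main__":
    result = audit_encryption(SAMPLE_LSBLK_JSON)
    for mountpoint, state in sorted(result.items()):
        print(f"{mountpoint:12} {state}")
    failed = findings(result)
    print("FAIL" if failed else "PASS", failed)
```

Run it as a scheduled job and feed the result into the asset inventory: a device that reports UNENCRYPTED for anything beyond the boot partition is a finding, not a policy discussion. The Windows and macOS equivalents are `manage-bde -status` (or `Get-BitLockerVolume` in PowerShell) and `fdesetup status`, which an MDM or endpoint agent can collect the same way.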
Encryption is one of the most straightforward safeguards to implement, and it carries a critical safe harbor: the Breach Notification Rule applies only to "unsecured" PHI, which 45 CFR 164.402 defines as PHI not rendered unusable, unreadable, or indecipherable to unauthorized persons through a technology or methodology specified in HHS guidance (for data at rest, encryption consistent with NIST SP 800-111; for data in transit, NIST SP 800-52 and related guidance). A lost or stolen laptop whose disk is encrypted that way, and whose decryption key was not compromised along with it, is therefore not a reportable breach. The caveat matters: a device that was powered on and unlocked when it was taken, or that had its recovery key stored alongside it, does not qualify. That single provision can save your organization millions in breach response costs.
Mistake 4: No Incident Response Plan (or an Untested One)
Why It Happens
Most healthcare organizations have some form of incident response documentation. The problem is that it often exists as a generic template that was downloaded, minimally customized, and filed away. Nobody has read it in two years. Key personnel listed in the plan have changed roles or left the organization. The notification procedures reference outdated contact information. The plan has never been tested through a tabletop exercise or simulated incident.
Having a plan that nobody knows exists and nobody has practiced is functionally equivalent to having no plan at all.
Why It Is Dangerous
When a security incident occurs -- a ransomware attack, a phishing compromise, a lost device, a misdirected fax containing PHI -- the first 24 to 72 hours determine how much damage the organization sustains. Organizations without a practiced response plan waste critical hours figuring out who is in charge, who needs to be notified, how to contain the incident, and what their legal obligations are.
Under the 2026 HIPAA Security Rule updates, business associates must notify covered entities of security incidents within 24 hours. Covered entities, in turn, must be prepared to receive those notifications and act on them immediately. If your incident response plan does not account for this accelerated timeline, or if the people responsible for receiving and escalating notifications are not aware of their roles, you will miss the window.
OCR has cited inadequate incident response in multiple enforcement actions. The investigation does not just ask whether you had a plan. It asks whether the plan was current, whether staff were trained on it, whether it was tested, and whether the organization followed it during the actual incident. Gaps in any of those areas become findings.
How to Fix It
Build and maintain a documented incident response plan that includes:
- Clear roles and responsibilities with named individuals (and alternates) for each function: incident commander, technical lead, legal counsel, communications lead, and privacy officer.
- Escalation paths that define who gets notified at each severity level and within what timeframe, aligned with the 24-hour BA notification requirement.
- Containment procedures for common incident types: ransomware, unauthorized access, lost or stolen devices, insider threats, and vendor-related incidents.
- Communication templates for breach notifications to affected individuals, media statements, and regulatory filings, pre-drafted and approved by legal counsel.
- Regular tabletop exercises -- at least twice per year -- that walk your team through simulated incidents and identify weaknesses in the plan before a real incident exposes them.
- Post-incident reviews after every exercise and every real incident that document lessons learned and update the plan accordingly.
An incident response plan is a living document. If it is not being tested and updated regularly, it is not a plan. It is a liability.
Mistake 5: Skipped or Inadequate Employee Training
Why It Happens
The HIPAA Security Rule (45 CFR 164.308(a)(5)(i)) requires covered entities and business associates to implement a security awareness and training program for all workforce members. Many organizations satisfy this requirement with a single annual training session -- a one-hour presentation or a generic online module that covers the basics of HIPAA at a high level.
The problem is that generic, infrequent training does not change behavior. An employee who sat through a compliance slideshow in January is no better equipped to recognize a sophisticated phishing email in September. Training that does not address the specific risks and responsibilities of each role leaves clinical staff, administrative staff, IT personnel, and executives all receiving the same generic content that is deeply relevant to none of them.
Why It Is Dangerous
Human error remains the leading cause of healthcare data breaches. Phishing attacks are the number one attack vector in the healthcare sector, according to data from the HHS Cybersecurity Program and multiple industry reports. A single employee clicking a malicious link can give an attacker access to email accounts, EHR systems, and entire network segments.
When OCR investigates a breach caused by a phishing attack or employee error, one of the first things they examine is the organization's training program. They look at training content, frequency, completion records, and whether the training was tailored to the roles and responsibilities of the individuals involved. An organization that can only produce evidence of a single annual training session with a 60% completion rate is going to face scrutiny.
The 2026 rule updates reinforce the expectation that training must be ongoing and responsive to emerging threats. Annual compliance training is a starting point, not an endpoint.
How to Fix It
Replace the annual checkbox with a continuous training program:
- Role-specific training modules that address the unique risks and responsibilities of different workforce segments. Front-desk staff need training on verifying identity before releasing PHI. Clinical staff need training on secure messaging and mobile device use. IT staff need training on access controls, patch management, and incident detection.
- Regular phishing simulations that test employee awareness and provide immediate coaching when someone clicks a simulated malicious link. Track click rates over time to measure whether your training is actually reducing risk.
- Micro-learning delivered in short, focused sessions throughout the year rather than a single annual marathon. Five minutes per month is more effective than one hour per year.
- LMS-based tracking that records who completed which modules, when they completed them, and what their assessment scores were. This documentation is critical during an OCR investigation.
- New-hire training within the first 30 days and refresher training within 30 days of any material change to policies or procedures.
- Documented completion rates at or near 100%. If workforce members are not completing training, the program is not meeting the regulatory requirement.
These Mistakes Are Fixable
None of the five mistakes described above are edge cases. They are the most common reasons healthcare organizations fail audits, face OCR enforcement actions, and pay penalties that could have been avoided. They persist not because they are difficult to fix but because they require sustained attention -- the kind of attention that is hard to maintain when compliance is managed through spreadsheets, email reminders, and good intentions.
The pattern across all five is the same: the requirement is known, the initial effort is made, and then things drift. Risk assessments go stale. BAAs expire without renewal. Encryption gaps persist because nobody audits the endpoints. Incident response plans gather dust. Training completion rates drop. By the time an incident occurs or an audit arrives, the gaps have been open for months or years.
The Live Compliance platform is built specifically to prevent that drift. Automated risk assessment tracking keeps your analysis current and audit-ready. Centralized vendor management with BAA tracking and automated renewal reminders ensures no agreement lapses. Policy management tools enforce encryption and security requirements across your environment. Incident response workflows with built-in escalation paths and notification timelines align with the 24-hour reporting requirements. And an integrated training system with role-specific modules, phishing simulations, and completion tracking keeps your workforce prepared year-round.
If you are not sure where your organization stands on these five areas, start with a gap assessment. Live Compliance offers a free 12-minute gap scan that evaluates your current compliance posture against the updated HIPAA Security Rule requirements and identifies exactly where your vulnerabilities are. It takes less time than reading this article, and it gives you a clear, prioritized action plan.
Take the free 12-minute gap scan and find out where you stand before your next audit does it for you.