Roles that may overlook HIPAA compliance

Several roles in healthcare and adjacent industries may inadvertently overlook HIPAA compliance due to a lack of awareness, training, or understanding of their responsibilities. While compliance may not always seem like a large part of a job, ignoring it can lead to breaches, financial penalties, and loss of patient trust.

Non-clinical administrative staff

While HIPAA primarily targets healthcare providers and business associates, non-clinical administrative staff also play a role in maintaining compliance. Employees who handle paperwork, billing, and customer service often have access to protected health information (PHI) and may inadvertently expose sensitive information.

Common compliance risks:

• Receptionists or front-desk staff discussing patient information in public areas.
• Billing and coding professionals mishandling or improperly storing PHI.
• IT personnel failing to encrypt or secure electronic PHI (ePHI) properly.

Example:

In October 2013, HOPE Family Health, based in Westmoreland, Tennessee, notified 8,000 patients of a data breach after an unencrypted company laptop used by a finance department employee was stolen from the employee's home during a series of neighborhood burglaries. The laptop contained patient names, Social Security numbers, financial records, billing records, patient account information, dates of birth, and addresses. As a result, HOPE Family Health officials moved all digital private patient information to an encrypted server and required employees to attend information management training to ensure proper handling of patient data

Mitigation strategies:

• Conduct regular training sessions on HIPAA compliance.
• Implement access controls and role-based permissions.
• Securely store and dispose of sensitive documents.

Marketing and sales teams

Marketing and sales professionals in healthcare organizations often use patient stories, testimonials, and data to promote services. However, according to the HIPAA Privacy Rule, individuals have control over whether and how their PHI is used and disclosed for marketing purposes. Without proper authorization, these practices can lead to HIPAA violations.

Common compliance risks:

• Publishing patient testimonials without written consent.
• Using PHI for marketing without authorization.
• Sales representatives accessing or sharing PHI improperly.

Example:

In February 2016, Complete P.T., Pool & Land Physical Therapy, Inc. (California, USA) agreed to a $25,000 settlement after posting patient testimonials on its website without obtaining proper HIPAA compliant authorizations. The testimonials included patients' names and photographs, leading to allegations of unauthorized disclosure of protected health information.

Mitigation strategies:

• Obtain signed patient authorization before using any PHI for marketing.
• Train marketing teams on HIPAA compliant strategies.
• Use de-identified data when analyzing trends or building marketing campaigns.

See also: HIPAA compliant email marketing: What you need to know

Third-party vendors and business associates

Many healthcare organizations work with external vendors who may access PHI as part of their services. These include IT providers, cloud storage vendors, billing companies, and transcription services. Failure to ensure compliance among business associates can lead to HIPAA violations.

Common compliance risks:

• Lack of business associate agreements (BAAs) between healthcare organizations and vendors.
• Vendors failing to encrypt stored or transmitted PHI.
• Improper disposal of records or data.

The numbers:

According to Security Magazine, a report from SecurityScorecard indicated that 98% of organizations are connected to at least one third-party that has suffered a breach. Additionally, attacks involving these third parties have accounted for 29% of all breaches.

Mitigation strategies:

• Ensure all business associates sign a HIPAA compliant BAA.
• Conduct due diligence on vendors’ security protocols.
• Regularly audit third-party compliance.

Researchers and Academic Institutions

Researchers handling patient data for clinical studies must adhere to HIPAA regulations. Universities and hospitals collaborating on research projects must ensure that PHI is properly protected.

Common compliance risks:

• Sharing patient data without de-identification or consent.
• Lack of data encryption in research databases.
• Failure to obtain Institutional Review Board (IRB) approval for research involving PHI.

Example:

On the 18th of February, 2025, Fred Hutchinson Cancer Center and the University of Washington agreed to pay $11.5 million to settle a class action lawsuit following a 2023 data breach. The settlement also included $13.5 million to improve cybersecurity measures over three years. The settlement compensates affected individuals and aims to prevent future breaches.

Mitigation strategies:

• De-identify patient data whenever possible.
• Secure all research data through encryption and access control.
• Obtain explicit patient consent before using PHI in research.

Read also: What are the HIPAA exceptions for research purposes?

Medical equipment and device companies

Medical device manufacturers and service providers often interact with PHI stored on electronic health devices. Ensuring HIPAA compliance in this sector can prevent unauthorized access.

Common compliance risks

• Devices storing PHI without encryption.
• Improper disposal or reuse of medical devices containing PHI.
• Lack of HIPAA training for field technicians.

Example:

In 2023, Insulet reported a potential data breach affecting 29,000 Omnipod Dash insulin pump users, potentially compromising their health data, informing affected users and filing a report with the U.S. Department of Health.

Mitigation strategies:

• Encrypt PHI on all medical devices.
• Implement strict access control measures for device servicing.
• Ensure proper data wiping procedures before reselling or disposing of devices.

See also: What are medical device vulnerabilities?

Law firms and legal consultants

Law firms handling healthcare-related cases can sometimes work with medical records, patient histories, and insurance claims. Failure to follow HIPAA regulations when handling PHI can lead to legal consequences.

Common compliance risks:

• Storing PHI in non-secure locations or formats.
• Using non-HIPAA compliant communication channels.
• Sharing PHI with unauthorized parties.

Example:

In November 2024, Thompson Coburn LLP and Presbyterian Healthcare Services faced a class-action lawsuit in Illinois for a data breach that compromised over 300,000 individuals' personal information. The lawsuit accuses both parties of failing to secure sensitive personal and medical data, leaving it vulnerable to cybercriminal activity.

Mitigation strategies:

• Implement secure document storage solutions.
• Use encrypted email and secure file-sharing platforms.
• Train legal staff on HIPAA compliance.

See also: HIPAA Compliant Email: The Definitive Guide

Small or independent healthcare providers

Solo practitioners, dentists, therapists, and independent healthcare providers often lack dedicated compliance teams, making them more susceptible to HIPAA violations.

Common compliance risks:

• Using personal devices for patient communications without encryption.
• Failing to conduct regular risk assessments.
• Improper disposal of paper records.

The statistics

According to Urology Times, smaller medical practices are increasingly being targeted by hackers due to the value of patient data and vulnerability. A report from Critical Insight found that attacks on physician groups rose from 2% of healthcare attacks in the first half of 2021 to 12% in the first half of 2022. The rise is attributed to attacks on EHR systems through business associates and third-party vendors. Ransomware breaches have also increased, with a 13% rise in Verizon 2022 Data Breach Investigations Report. Many small practices are ill-equipped to deal with cyberattacks due to their small IT staff or outsourcing.

Mitigation strategies:

• Implement HIPAA compliant software for patient communications.
• Regularly audit security practices.
• Train staff on compliance protocols.

Watch: HIPAA compliance basics for small healthcare providers [VIDEO]

Home healthcare and telehealth providers

With the rise of telehealth and home healthcare services, ensuring HIPAA compliance in remote environments has become a growing challenge.

Common compliance risks:

• Using non-compliant video conferencing tools for patient consultations.
• Discussing patient details in unsecured environments.
• Inadequate security for remote-access electronic health records (EHRs).

Mitigation strategies:

• Use HIPAA compliant telehealth platforms.
• Train caregivers and telehealth providers on privacy best practices.
• Secure patient data with strong authentication measures.

Example:

In March 2023, Cerebral, a remote telehealth company, reported a data breach affecting 3.18 million people. The company admitted to using invisible pixel trackers from Google, Meta (Facebook), TikTok, and other third parties on its online services since October 12, 2019. “Due to a tracking pixel's data logging features, Cerebral said the sensitive medical information of people who used the provider's platform was exposed to third parties without the patient's permission,” says Bleeping computer. 

Related: 

• Can healthcare professionals use online tracking while remaining HIPAA compliant?
• Meta claims hospitals are to blame for Meta Pixel HIPAA violations

FAQS

What is HIPAA, and why is it important?

The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law designed to protect sensitive patient health information from being disclosed without consent. Compliance ensures that individuals' private health data remains secure, reducing risks like identity theft, data breaches, and unauthorized access.

What is protected health information (PHI)?

PHI includes any individually identifiable health information transmitted or maintained in any form (electronic, paper, or oral). Examples include names, Social Security numbers, medical records, billing information, and biometric data.

What is ePHI, and how should it be protected?

Electronic protected health information (ePHI) is any PHI stored or transmitted electronically. It must be encrypted, securely stored, and accessible only to authorized personnel to prevent unauthorized access and breaches.

What is a business associate agreement (BAA)?

A BAA is a legally binding contract between a covered entity and a business associate that ensures both parties comply with HIPAA regulations when handling PHI.