Several roles in healthcare and adjacent industries may inadvertently overlook HIPAA compliance due to a lack of awareness, training, or understanding of their responsibilities. While compliance may not always seem like a large part of a job, ignoring it can lead to breaches, financial penalties, and loss of patient trust.
While HIPAA primarily targets healthcare providers and business associates, non-clinical administrative staff also play a role in maintaining compliance. Employees who handle paperwork, billing, and customer service often have access to protected health information (PHI) and may inadvertently expose sensitive information.
In October 2013, HOPE Family Health, based in Westmoreland, Tennessee, notified 8,000 patients of a data breach after an unencrypted company laptop used by a finance department employee was stolen from the employee's home during a series of neighborhood burglaries. The laptop contained patient names, Social Security numbers, financial records, billing records, patient account information, dates of birth, and addresses. In response, HOPE Family Health officials moved all digital private patient information to an encrypted server and required employees to attend information management training to ensure proper handling of patient data.
Marketing and sales professionals in healthcare organizations often use patient stories, testimonials, and data to promote services. However, according to the HIPAA Privacy Rule, individuals have control over whether and how their PHI is used and disclosed for marketing purposes. Without proper authorization, these practices can lead to HIPAA violations.
In February 2016, Complete P.T., Pool & Land Physical Therapy, Inc. (California, USA) agreed to a $25,000 settlement after posting patient testimonials on its website without obtaining proper HIPAA-compliant authorizations. The testimonials included patients' names and photographs, leading to allegations of unauthorized disclosure of protected health information.
Many healthcare organizations work with external vendors who may access PHI as part of their services. These include IT providers, cloud storage vendors, billing companies, and transcription services. Failure to ensure compliance among business associates can lead to HIPAA violations.
According to Security Magazine, a report from SecurityScorecard indicated that 98% of organizations are connected to at least one third party that has suffered a breach. Additionally, attacks involving these third parties have accounted for 29% of all breaches.
Researchers handling patient data for clinical studies must adhere to HIPAA regulations. Universities and hospitals collaborating on research projects must ensure that PHI is properly protected.
On February 18, 2025, Fred Hutchinson Cancer Center and the University of Washington agreed to pay $11.5 million to settle a class action lawsuit following a 2023 data breach. The settlement also included $13.5 million to improve cybersecurity measures over three years. The settlement compensates affected individuals and aims to prevent future breaches.
Medical device manufacturers and service providers often interact with PHI stored on electronic health devices. Ensuring HIPAA compliance in this sector can prevent unauthorized access.
In 2023, Insulet reported a potential data breach affecting 29,000 Omnipod Dash insulin pump users that may have compromised their health data; the company informed affected users and filed a report with the U.S. Department of Health.
Law firms handling healthcare-related cases may work with medical records, patient histories, and insurance claims. Failure to follow HIPAA regulations when handling PHI can lead to legal consequences.
In November 2024, Thompson Coburn LLP and Presbyterian Healthcare Services faced a class-action lawsuit in Illinois for a data breach that compromised over 300,000 individuals' personal information. The lawsuit accuses both parties of failing to secure sensitive personal and medical data, leaving it vulnerable to cybercriminal activity.
Solo practitioners, dentists, therapists, and independent healthcare providers often lack dedicated compliance teams, making them more susceptible to HIPAA violations.
According to Urology Times, smaller medical practices are increasingly being targeted by hackers because of the value of patient data and the practices' vulnerability. A report from Critical Insight found that attacks on physician groups rose from 2% of healthcare attacks in the first half of 2021 to 12% in the first half of 2022. The rise is attributed to attacks on EHR systems through business associates and third-party vendors. Ransomware breaches have also increased, with a 13% rise reported in the Verizon 2022 Data Breach Investigations Report. Many small practices are ill-equipped to deal with cyberattacks because they have small IT staffs or rely on outsourcing.
With the rise of telehealth and home healthcare services, ensuring HIPAA compliance in remote environments has become a growing challenge.
In March 2023, Cerebral, a remote telehealth company, reported a data breach affecting 3.18 million people. The company admitted to using invisible pixel trackers from Google, Meta (Facebook), TikTok, and other third parties on its online services since October 12, 2019. “Due to a tracking pixel's data logging features, Cerebral said the sensitive medical information of people who used the provider's platform was exposed to third parties without the patient's permission,” reports BleepingComputer.
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law designed to protect sensitive patient health information from being disclosed without consent. Compliance ensures that individuals' private health data remains secure, reducing risks like identity theft, data breaches, and unauthorized access.
PHI includes any individually identifiable health information transmitted or maintained in any form (electronic, paper, or oral). Examples include names, Social Security numbers, medical records, billing information, and biometric data.
Electronic protected health information (ePHI) is any PHI stored or transmitted electronically. It must be encrypted, securely stored, and accessible only to authorized personnel to prevent unauthorized access and breaches.
A business associate agreement (BAA) is a legally binding contract between a covered entity and a business associate that ensures both parties comply with HIPAA regulations when handling PHI.