The Top 5 Reasons Why You May Not Be HIPAA Compliant!

After the HIPAA law was updated in 2013 (the HIPAA Omnibus Rule), and with a new enforcement deadline coming up on September 23, 2013, some organizations still aren’t HIPAA compliant! With over 22,000,000 disclosures of Protected Health Information already, here are the five most common reasons why your organization isn’t compliant!

1. No HIPAA Risk Analysis – maybe you were too busy, or maybe you weren’t sure what a risk analysis really is. A HIPAA Risk Analysis, according to the Office for Civil Rights of the Department of Health and Human Services, is: “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization.”

2. The HIPAA Risk Analysis is out of date – maybe you did it five years ago, which is BEFORE the new HIPAA Omnibus Rule was mandated. Maybe you wanted to update it, but you got busy with all the other pressing IT issues. Maybe you didn’t have the right resources to run a risk analysis.

3. The HIPAA Risk Analysis was too focused on technical elements. Many information security managers think that “IT people always know best”, and as far as HIPAA goes, that’s not correct. HIPAA rules need to be followed by the medical staff, by the medical records people, by the human resources department, and by everyone who handles or accesses PHI (protected health information). The Risk Analysis has to reflect input from all of these different roles.

4. No correlation between the HIPAA Risk Analysis recommendations and the changes that were made after the HIPAA Risk Analysis was completed. The HIPAA Security controls should have been implemented in conjunction with the Risk Analysis, not added completely independently. The Risk Analysis should be a road map, not a boring report that ends up locked in a file cabinet somewhere.

5. Inadequate training and security awareness program. In a recent HIPAA Risk Analysis, the individuals surveyed said they had a few hours of HIPAA training when they joined the company, but nothing since. Asked how long they had been with the organization, they answered six years, twelve years, fifteen years, and yet they had never had UPDATED HIPAA training or even access to a security awareness program.

Don’t find out you’re not HIPAA compliant when a federal regulator is sitting out in the lobby. BE PROACTIVE and start your HIPAA Risk Analysis today. To get started, send your questions to, or review the OCR Guidelines for HIPAA Risk Analysis at:

This entry was posted in HIPAA, HIPAA Compliance, HIPAA fines, HIPAA Omnibus Rule, HIPAA Risk Analysis, HIPAA Risk-Pro, Meaningful Use & HIPAA, and risk assessment by Caroline Ramsey-Hamilton.

About Caroline Ramsey-Hamilton

Caroline Ramsey-Hamilton is a leading expert in assessing security risk in both information security and facilities security, including security risk assessments, active shooter and security risk assessments for hospitals and healthcare organizations, cybersecurity, nuclear security, and also auditing, analyzing and measuring compliance with all major security standards, like DHS, FEMA 426-428, The Joint Commission, HIPAA Security & Privacy Rules, the HIPAA Omnibus Rule, OSHA 3148 for Preventing Workplace Violence, and both C-TPAT and CFATS. She is currently working on a universal set of easy security tools that will make it easy to assess risk in a variety of companies, agencies and businesses. Her company, Risk & Security LLC, works with more than 500 clients around the world using a program that standardizes site surveys and assessments and makes it easier to compare facilities and measure their level of security. She posts breaking security & risk alerts at She's also an animal lover and tree hugger, and a musician who loves dogs, horses, kitties, house rabbits, parrots, and especially beagles! I support and other animal rescue organizations and work toward a more peaceful and green world.
