The Office for Civil Rights collected over $19 million in HIPAA penalties in 2023 alone, and small and mid-size practices are increasingly the target. Most of these violations are not the result of major data breaches. They are the result of gaps that have existed for years, quietly creating liability that most clinic administrators don't know is there.
HIPAA compliance is not a one-time project. It is an ongoing operational requirement that changes as your technology, your staff, and the regulatory environment change. In 2025, the regulatory environment has shifted significantly, and most small practices haven't kept up.
Across the HIPAA risk assessments we have completed for practices in Iowa and the Midwest, the same gaps appear repeatedly. They are not exotic or technically complex. They are the gaps that exist because nobody was assigned to maintain compliance after go-live, and because most practice administrators are running a healthcare operation, not a compliance department.
Here are the most common, and most costly, HIPAA gaps we find in small and mid-size clinics in 2025.
The Security Risk Assessment (SRA) is the most foundational HIPAA Security Rule requirement under 45 CFR 164.308(a)(1). It is also the single most-cited violation in OCR audits. The SRA must be comprehensive, enterprise-wide, and documented, and it must be repeated whenever there is a significant change to your environment, or at minimum annually.
Many practices completed an SRA at EHR implementation and never updated it. A 3-year-old SRA does not cover your current cloud tools, telehealth platforms, or staff composition. In an OCR audit, an outdated SRA is treated nearly the same as no SRA at all.
Every vendor, contractor, or service provider that creates, receives, maintains, or transmits PHI on your behalf requires a signed, current BAA. This includes your EHR vendor, billing company, cloud storage provider, IT support company, telehealth platform, and any AI tools you use that process patient data.
In 2025, the number of business associates has grown dramatically for most practices, because the number of cloud-based tools has grown dramatically. We routinely find 3 to 6 vendors touching PHI without a current BAA in place. Each missing BAA is a separate violation with its own penalty exposure.
Standard email (Gmail, Yahoo, or Outlook without encryption) is not a compliant method for transmitting ePHI. Yet in almost every practice we assess, we find clinical staff routinely emailing patient information through unencrypted channels, often because the EHR's built-in messaging tools are inconvenient or staff were never trained on compliant alternatives.
The HIPAA Technical Safeguards rule requires encryption of ePHI in transit. The OCR's 2024 guidance explicitly called out unencrypted email as an area of increased enforcement focus. A single discovered instance of unencrypted PHI transmission can trigger a full investigation.
HIPAA requires that all workforce members receive training on your policies and procedures as necessary and appropriate for their roles. Verbal training in a staff meeting does not satisfy this requirement. You need signed acknowledgments, dated records, and documentation of what was covered.
When staff turnover happens (and in healthcare, it happens frequently), training gaps open immediately. New employees who handle PHI before completing HIPAA training represent an active compliance gap from day one.
The HIPAA Breach Notification Rule requires you to notify affected individuals within 60 days of discovering a breach, and HHS within 60 days for breaches affecting 500 or more individuals (or annually for smaller breaches). Without a written breach response procedure, most practices will miss this timeline, which turns a potentially manageable notification requirement into a willful neglect violation.
A written procedure doesn't need to be complex. It needs to specify who is responsible for breach assessment, who makes notification decisions, and what the documentation requirements are. If you don't have this document, you are not prepared for the breach that will eventually happen.
Beyond the perennial gaps above, 2025 has introduced several new compliance considerations that most small practices haven't addressed.
AI tools and third-party apps: If you've adopted any AI documentation, patient communication, or clinical decision support tools in the last 18 months, these almost certainly require BAAs, and their data practices need to be reviewed against HIPAA requirements. Many AI vendors are moving fast on features and slow on compliance documentation.
Telehealth platform data: Telehealth adoption accelerated during COVID and has remained elevated. Many practices are using consumer video platforms or telehealth tools that were deployed quickly without formal compliance review. The PHI captured in telehealth sessions (video recordings, chat logs, clinical notes) requires the same protections as any other ePHI.
The new proposed HIPAA Security Rule updates: HHS published proposed updates to the HIPAA Security Rule in January 2025 that, if finalized, would require more specific technical controls, mandatory multi-factor authentication, and enhanced encryption requirements. While not yet in effect, practices that begin implementing these controls now will have a significant compliance advantage.
A proper HIPAA Security Risk Assessment is not a checklist you complete on a Tuesday afternoon. It is a systematic review of every administrative, physical, and technical safeguard across your entire environment: every location, every device, every system that touches ePHI.
When Elevare Health AI Inc. conducts a risk assessment, we evaluate all 18 Security Rule standards, document every finding with severity rating and regulatory citation, and deliver a written report that is defensible in an OCR audit. We then work with your team to build the policy framework and remediation plan to close every gap identified.
Our fixed-fee HIPAA Rapid Assessment starts at $1,500 and delivers a complete gap analysis, written remediation plan, and policy framework in two weeks. Book a free 30-minute call to get started.