THE PROBLEM

Why Small Healthcare Practices Are Exposed

You focus on patients. Meanwhile, your digital footprint is publicly visible, and HIPAA requires you to protect it.

THE REALITY

You run a practice. You focus on patients. Meanwhile, your digital footprint is publicly visible: your email configuration, your website's software versions, staff email addresses, and any documents that have leaked onto the open web. You're required by law to protect patient data, but nobody told you how, or what to check. Most small practices have significant exposures they don't know about. OCR launched its Risk Analysis Initiative in 2024 and is actively investigating and fining practices that lack a documented security risk assessment.

THE HIPAA GAP

What the law requires vs. what most practices actually have

What HIPAA Requires
✓ Documented Security Risk Assessment
✓ Role-based access controls
✓ Encryption of electronic PHI in transit and at rest
✓ Audit controls and access logging
✓ Workforce security awareness training
✓ Incident response procedures

What Most Small Practices Actually Have
✗ No documented risk assessment
✗ Shared logins across staff
✗ No monitoring or logging of system access
✗ No encryption policy or validation
✗ No formal training program
✗ No incident response plan
WHAT I FIND

Common exposures at small practices

Email systems that can be spoofed

No SPF, DKIM, or DMARC records. Anyone can send email appearing to be from your practice.

Expired or misconfigured SSL certificates

Patient-facing portals with outdated encryption. A direct HIPAA Technical Safeguards finding.

Staff emails in breach databases

Practice email addresses found in known data breaches. Credentials may be compromised.

Outdated website software

Content management system (CMS) versions that are publicly visible and have known vulnerabilities listed in security databases.

Missing security headers on patient-facing sites

Portals lacking HSTS, CSP, and X-Frame-Options headers, which are standard technical safeguards.

Sensitive documents indexed by Google

Internal forms, schedules, or patient documents accidentally exposed in search results.
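As an added illustration (not code from this page's author), the following Python evaluates the email-authentication and security-header exposures listed above from values you already have in hand, so it runs offline. The DNS TXT strings and HTTP headers below are constructed sample inputs, and the hostnames in them are placeholders; in practice you would paste in the output of a TXT lookup for your domain and `_dmarc.` subdomain and the response headers from your patient portal.

```python
# Constructed sample inputs standing in for a practice's DNS records and portal headers.
SAMPLE_SPF = "v=spf1 include:_spf.mailhost.invalid ~all"          # apex TXT record
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@practice.invalid"  # _dmarc TXT record
SAMPLE_HEADERS = {"Content-Type": "text/html",
                  "Strict-Transport-Security": "max-age=31536000"}

# Header names the page lists as standard technical safeguards on patient-facing sites.
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS",
    "content-security-policy": "CSP",
    "x-frame-options": "X-Frame-Options",
}

def assess_spf(record):
    """'missing', 'permissive' (+all/?all/no all), or 'restrictive' (-all/~all)."""
    if not record or not record.strip().lower().startswith("v=spf1"):
        return "missing"
    mechanisms = record.split()[1:]
    last = mechanisms[-1].lower() if mechanisms else ""
    return "restrictive" if last in ("-all", "~all") else "permissive"

def assess_dmarc(record):
    """'missing', 'monitor-only' (p=none), or 'enforcing' (p=quarantine/reject)."""
    if not record or not record.strip().lower().startswith("v=dmarc1"):
        return "missing"
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    policy = tags.get("p", "none").strip().lower()
    return "enforcing" if policy in ("quarantine", "reject") else "monitor-only"

def missing_security_headers(headers):
    """Labels of required headers absent from a response (names compared case-insensitively)."""
    present = {name.lower() for name in headers}
    return [label for name, label in REQUIRED_HEADERS.items() if name not in present]

def assess_practice(spf_record, dmarc_record, portal_headers):
    """Return human-readable findings for one practice domain and its portal."""
    findings = []
    spf = assess_spf(spf_record)
    if spf != "restrictive":
        findings.append(f"SPF {spf}: receivers cannot tell which servers may send as your domain")
    dmarc = assess_dmarc(dmarc_record)
    if dmarc != "enforcing":
        findings.append(f"DMARC {dmarc}: spoofed mail is not quarantined or rejected by receivers")
    for label in missing_security_headers(portal_headers):
        findings.append(f"Missing {label} header on patient portal")
    return findings

if __name__ == "__main__":
    for finding in assess_practice(SAMPLE_SPF, SAMPLE_DMARC, SAMPLE_HEADERS):
        print("-", finding)
```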

THE COST OF INACTION

Recent HIPAA enforcement actions

In 2024, OCR launched its Risk Analysis Initiative, an enforcement program targeting compliance with the HIPAA Security Rule's risk analysis provision. Through 2025, OCR announced ten HIPAA settlements citing risk analysis failures, with penalties ranging from $25,000 to $3,000,000.

$80,000: Civil penalty against a dental provider for failing to conduct a HIPAA Security Risk Assessment (HHS OCR Resolution Agreements, 2024)
86%: Of covered entities failed HHS audits on security risk analysis (OCR Phase 2 HIPAA Audit Industry Report, 2018)
$2.19M: Maximum HIPAA penalty per violation category, per year (2025) (45 CFR 160.404, 2025 inflation adjustment)

Penalty tiers (2025 inflation-adjusted):
Tier 1 (did not know): $145–$73,011
Tier 2 (reasonable cause): $1,461–$73,011
Tier 3 (willful, corrected): $14,602–$73,011
Tier 4 (willful, not corrected): $73,011–$2,190,294
Annual cap: $2,190,294 per identical provision
Source: 45 CFR 160.404, HHS 2025 inflation adjustment.

Sources: HHS OCR Enforcement Highlights (hhs.gov), OCR Phase 2 HIPAA Audit Industry Report (2018), 45 CFR 160.404 (2025 inflation adjustment), OCR Risk Analysis Initiative enforcement actions (2024-2025).
