Top 5 Healthcare IT Compliance Mistakes That Are Costly

Healthcare organizations deal with highly sensitive patient information. This sensitive data is stored as electronic health records (EHR). While the government supports the adoption of EHR and cloud-based information systems, it is well aware of the risks and threats that follow. Therefore, various regulations, such as HIPAA and HITECH, are in place to ensure better data security across the sector. Failure to fulfill the regulatory requirements can lead to costly consequences.

The largest HIPAA settlement of 2017 cost $5.5 million. The settlement was made by Memorial Healthcare Systems in Florida after a breach of ePHI was uncovered. The breach compromised the data of around 115,143 individuals. In another case, lackluster encryption policies cost MD Anderson Cancer Center $4.5 million in penalties.

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) maintains a "wall of shame" dedicated to such cases. While the portal serves as a warning, it also provides insightful information regarding the mistakes that lead to breaches costing millions of dollars.

Here are five of the top healthcare IT compliance mistakes that can result in heavy fines and penalties.

1.  Failure to Understand Compliance Regulations

There are many reported cases of compliance issues arising from a sheer misunderstanding on the organization’s part. HIPAA has been around since the nineties, and over the years its scope has spread beyond IT security rules. It covers a wide range of aspects, including processes and protocols for breach notification. It also dictates the privacy rules and regulations set by the organization. IT compliance is not limited to the IT teams. It extends into other departments, including the billing office, HR, and the ER front desk.

Moreover, the scope of healthcare compliance regulation also covers wirelessly connected devices and components, which may include employee mobile phones as well as lab appliances and other machinery. Therefore, every component, person, process, or entity that connects to the infrastructure comes under the compliance umbrella.

2.  Failure to Conduct Risk Assessment

Although risk assessment is defined as one of the crucial requirements for HIPAA compliance, many healthcare organizations skimp on proper assessment. According to a report, nearly 90 percent of all audits conducted by OCR during ePHI breach investigations identified a lack of proper risk assessment.

In a way, this mistake is connected to the first one. Insufficient risk assessment often results from a lack of understanding of the scope. Organizations often fail to consider all the components that somehow connect with the ePHI in their current environment.

Moreover, many organizations treat risk assessment as a one-time process and overlook its importance during and after any form of change in the environment.

3.  Failure to Treat Security as a Priority

Failure to prioritize security is not about neglecting compliance. It can often stem from an excessive focus on compliance. Many organizations put compliance before security out of fear of fines and penalties. While it is not wrong to worry about compliance, doing so often steers the focus away from the root of compliance issues.

Despite regular changes, healthcare regulations and compliance requirements are still loosely defined. It is possible for organizations to fulfill the requirements while leaving numerous loopholes in the security system. With compliance as the major concern, organizations might overlook potential threats that are present but not necessarily defined by HIPAA.

Therefore, healthcare organizations must focus on setting up a solid security infrastructure first and then work on making it compliant.

4.  Choosing a Non-compliant Cloud Vendor

While cloud technology has opened a new array of opportunities, it also brings a plethora of problems. To ensure cloud safety and security, HIPAA now covers various new regulations. HITECH itself is another set of regulations that was introduced to make cloud technology safer for the healthcare industry.

However, despite their claims of being HIPAA compliant, cloud vendors aren’t always telling the whole truth. Their compliance is often limited to the specific criteria they need to fulfill as a vendor. They may not always be able to help with your HIPAA and HITECH checklist.

Organizations should be careful in their selection of vendors and service providers. It is imperative to work with a provider who can work alongside the security team to understand the needs and requirements and deliver a custom-tailored solution accordingly.

5.  Not Understanding the Common Factors

Another mistake that often results from excessively prioritizing compliance is redundancy and duplication. While it is the most commonly discussed, HIPAA isn’t the only regulation that concerns the healthcare sector. There are different compliance regulations that focus on different areas of the business, such as HITECH, PCI, NIST, ISO, COBIT, FTC, and GDPR.

Organizations often fail to understand that there are many commonalities between these regulations. For instance, there may be a PCI requirement that is already covered by HIPAA. When different teams are assigned to manage different regulatory requirements, there is a risk of effort duplication. Time and effort are needlessly spent on tasks that are already taken care of by another team.

An effective way to eliminate this issue is to streamline the whole process by identifying the commonalities before tasks are assigned to different teams or individuals.

Compliance is a critical issue for any healthcare organization. While a lot of effort, time, and money is spent on fulfilling compliance criteria, there are common mistakes that still lead to violations. By avoiding the mistakes listed above, organizations can save millions in fines and penalties.