Technology, people, and money in HIPAA compliance

The Paubox report "Healthcare IT is dangerously overconfident about email security" uncovered a contradiction: while healthcare organizations project confidence in their compliance efforts, eight out of ten IT leaders privately admit they worry about their HIPAA compliance status. This gap between public confidence and private anxiety signals a crisis affecting decision-making, resource allocation, and operational efficiency across the healthcare industry.

Technology challenges

Electronic health records, telemedicine platforms, mobile health applications, cloud computing, and artificial intelligence technologies have transformed healthcare delivery but have also created new vulnerabilities and compliance complexities.

Mobile devices present challenges for HIPAA compliance. As John Lynn reports in Unlocking Healthcare's Mobile Future: HIPAA-Compliant BYOD: "1/2 of the US population suffered from data breaches and mobile was a major part of it" with "100 smart phones are stolen or lost every minute in the US." The healthcare sector faces disproportionate risks, as Lynn notes that "45% of breaches were occurring on mobile devices. Plus, healthcare has up to $1.5 Million in HIPAA fines."

The bring-your-own-device (BYOD) trend has complicated compliance efforts, as organizations struggle to secure personal devices used for work purposes. The challenge, as Lynn explains, is that "PHI or other protected organizational data can't be left on the device without a major impact financially on the organization." This creates a balancing act between enabling modern workflows and maintaining regulatory compliance.

Smartphones, tablets, and wearable devices used by healthcare workers can store or transmit PHI, requiring careful management and security controls. Lynn points out that "secondary devices are expensive and have their own logistical challenges," making it difficult for organizations to provide secure alternatives to personal devices.

Cloud computing presents another challenge for HIPAA compliance. While cloud services can enhance security and operational efficiency, they also create new risks and responsibilities. Organizations must ensure their cloud service providers sign appropriate business associate agreements, implement adequate security controls, and maintain compliance throughout the relationship. The shared responsibility model of cloud computing can create confusion about who is responsible for what aspects of compliance.

Telemedicine's growth, accelerated by the COVID-19 pandemic, has introduced new compliance considerations. Video conferencing platforms, remote monitoring devices, and digital communication tools must all comply with HIPAA requirements. Many organizations rushed to implement telehealth solutions without fully considering the compliance implications, creating ongoing concerns about their regulatory status.

The nature of technology creates ongoing compliance challenges. As Lynn asks in his analysis: "When did you last look at that plan? When did you last make sure the plan is being followed? How much has technology changed since you last put that plan together?" This highlights how quickly technology evolves and how easily compliance measures can become outdated.

The human factor

Despite the focus on technology and policies, many HIPAA compliance failures ultimately stem from human error or inadequate training. As Amy Larson DeCarlo, Principal Analyst for Security and Data Center Services at GlobalData, emphasizes: "It is important for healthcare institutions and payer organizations to understand that the weakest security link in an organization is the human element. End users are vulnerable to anything that either promises to make a task easier or offers them some kind of reward for clicking on a link."

Healthcare workers, administrators, and support staff must understand their responsibilities under HIPAA and consistently apply appropriate safeguards in their daily activities. This human element introduces variability and unpredictability that contributes to compliance anxiety, particularly when employees fall victim to social engineering attacks or make well-intentioned mistakes that compromise security.

DeCarlo also notes that technological solutions can help address these human vulnerabilities: "There are solutions that make it possible to validate the source of an access request to authenticate that request comes from a legitimate source. Trusted platform modules in devices support the safe manufacture and ongoing use of public passkeys. The private key that authenticates the user is stored on the hardware of an end user's device. It isn't shared so threat actors can't access it. This provides strong protection against phishing and credential theft in general."

Employee turnover in healthcare creates ongoing training challenges. New employees must be properly educated about HIPAA requirements, but busy healthcare environments often struggle to provide training. Even experienced employees may not fully understand how HIPAA applies to new technologies, processes, or situations they encounter.

The complexity of HIPAA requirements can make it difficult for staff outside dedicated compliance roles to understand their obligations. Healthcare workers focused on patient care may not fully appreciate the privacy and security implications of their actions. Simple mistakes, like sending an email to the wrong recipient or discussing patient information in a public area, can result in HIPAA violations.

The cost of compliance

HIPAA compliance requires financial investment, creating pressure for healthcare organizations already operating on thin margins. The Paubox report reveals trends in cybersecurity spending, with 56% of organizations dedicating less than 10% of their cybersecurity budget to email security despite its critical importance for HIPAA compliance.

The true financial burden of HIPAA compliance exceeds initial government projections. As Dr. Kim-Lien Nguyen documented in her 2019 analysis "HIPAA: At what cost?", the reality is different from original estimates: "At the time of implementation, the Department of Human and Health Services (HHS) estimated that HIPAA would initially cost healthcare systems approximately $113 million with subsequent maintenance costs of $14.5 million per year. The actual costs of HIPAA compliance are estimated at closer to $8.3 billion a year, with each physician on average spending $35,000 annually for health information technology upkeep."

The scope of these hidden costs is concerning. As Nguyen notes, "The true costs, however, are unknown and buried under layers of purportedly necessary bureaucracy." This makes it difficult for organizations to accurately budget for compliance or understand the full impact of regulatory requirements on their operations.

The staffing and technology requirements have created organizational burdens. Nguyen observes that "To cope with the expanded HIPAA obligations, healthcare systems have employed an ever-increasing number of compliance officers and deployed sophisticated technology to safeguard the accessibility of individual healthcare information." These investments represent ongoing operational expenses that divert resources from patient care and other strategic priorities.

The disconnect between stated priorities and actual spending reflects broader budget allocation challenges within healthcare IT departments. While the majority of leaders claim "email is covered" in their budget discussions, the reality shows insufficient resource allocation for one of the most vulnerable aspects of healthcare communication.

The broader healthcare impact extends beyond direct compliance costs. As Nguyen argues, "HIPAA has contributed to the unsustainable rising costs of healthcare and lack of interoperability." The regulation has also created barriers to innovation, as she explains: "HIPAA has also made it much harder for physicians and patients to work with innovators to advance healthcare technology" and "the lack of easy access to healthcare data is a major barrier to advancement."

The opportunity cost of compliance investments also creates anxiety. Resources dedicated to HIPAA compliance might otherwise be used for patient care improvements, facility upgrades, or staff development. As Nguyen points out, HIPAA has "stolen physician time from patients" and created barriers that deter medical research through high compliance costs. Organizations must balance compliance requirements with other strategic priorities, often creating difficult trade-offs.

The implementation reality

The path from compliance anxiety to actual security improvements has obstacles that prevent healthcare organizations from achieving their security goals. The Paubox report identifies a list of barriers that consistently stall efforts to adopt HIPAA-compliant email solutions, revealing why good intentions often fail to translate into effective action.

Implementation complexity tops the list of concerns, with 54% of healthcare IT leaders citing this as a major barrier. The challenge of "replacing legacy systems or layering new protocols on top of outdated infrastructure" continues to plague organizations across all types and sizes. This complexity isn't merely technical—it reflects the integration of legacy systems throughout healthcare operations.

Vendor support gaps create additional challenges, with 53% of organizations reporting a lack of adequate vendor support, "leaving teams to troubleshoot critical gaps alone." This isolation compounds the technical difficulties of implementation and leaves organizations vulnerable during transition periods.

Staffing shortages affect 45% of organizations, while leadership resistance impacts 44%, revealing institutional limitations that extend beyond technical capabilities. These human and organizational factors often prove more challenging to address than technical issues, as they require cultural change and executive buy-in that may be difficult to achieve.

Integration challenges with legacy systems affect 41% of organizations, demonstrating "how deeply embedded old systems remain" in healthcare operations. Budget constraints and fear of user disruption each impact 36% of organizations, illustrating the constant balancing act IT teams perform, "trying to protect data without slowing everything down."

Even end-user factors create barriers, with 23% citing poor patient email literacy and 15% noting inconsistent security training. As the report concludes, "these barriers are persistent, layered, and deeply embedded in healthcare's operational DNA. The problem isn't just technical, cultural and operational."

The report's findings show how "leadership resistance, internal silos, budget constraints, and implementation complexity stall progress. IT leaders are often set up to fail by a system that undervalues secure communication infrastructure, underfunds its modernization, and overestimates its resilience."

FAQs

How do healthcare organizations evaluate whether their BYOD policies are HIPAA-compliant?

They must conduct a risk assessment, enforce encryption, and define device usage protocols through formal policies.

What types of cloud service providers most often fall short of HIPAA compliance obligations?

Providers without signed Business Associate Agreements (BAAs) or proper encryption and access controls pose the highest risk.

How does telemedicine affect HIPAA compliance in rural or low-resource settings?

Limited internet access, aging infrastructure, and lack of staff training in these areas increase the risk of noncompliance.

What are best practices for managing HIPAA training during high employee turnover?

Ongoing onboarding modules, refresher courses, and compliance tracking systems help standardize staff education.

How can healthcare organizations mitigate the risk of human error without slowing operations?

Automating security processes, implementing role-based access, and reducing reliance on user discretion can balance efficiency and safety.
