Most healthcare practices we assess in New Jersey believe they are HIPAA compliant. The reality is that most have significant gaps they do not know about.
The Gaps We See Most Often
After conducting hundreds of HIPAA assessments for medical practices, dental offices, behavioral health providers, and medical billing companies across Northern NJ, these are the most common failures.
Missing or outdated risk assessment. HIPAA requires a documented, comprehensive risk assessment. Not a checkbox form. A real analysis of where protected health information lives, how it moves, and what threats exist. Most practices either have never done one or did one five years ago and never updated it.
Insufficient access controls. Every user should have unique credentials with the minimum access needed for their role. We regularly find shared logins, admin accounts used for daily work, and departed employees whose access was never revoked.
No encryption at rest. HIPAA requires encryption of electronic PHI both in transit and at rest. Most practices encrypt email (in transit) but forget about laptops, USB drives, and local databases (at rest).
Inadequate audit logging. You need to know who accessed what patient data and when. Most EHR systems have this capability, but it is often not enabled or not being reviewed regularly.
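The access-control and audit-logging gaps above are the two that a short, repeatable review can surface directly from the data a practice already has: an EHR access log and an HR roster. The script below is an added example written for this page, not code from the original article or from any EHR vendor. It assumes a constructed pipe-delimited log format (timestamp|user|workstation|patient_id|action) and a constructed roster keyed by username with a role and an optional termination date; real exports will differ and the parsing would need to be adapted.

```python
"""Added example: cross-check an EHR access log against a workforce roster.

Assumptions (not from the original page): a pipe-delimited access log with
columns timestamp|user|workstation|patient_id|action, and a roster mapping
username -> role and termination date (None when still employed). Both inputs
below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed roster. "terminated" is an ISO date or None for active staff.
ROSTER = {
    "jsmith":    {"role": "physician", "terminated": None},
    "mlopez":    {"role": "billing",   "terminated": None},
    "tnguyen":   {"role": "nurse",     "terminated": "2024-03-15"},
    "frontdesk": {"role": "reception", "terminated": None},
    "admin":     {"role": "admin",     "terminated": None},
}

# Constructed access log lines: timestamp|user|workstation|patient_id|action.
SAMPLE_LOG = """\
2024-03-18T09:02:11|jsmith|WS-EXAM1|P1001|view_chart
2024-03-18T09:05:42|mlopez|WS-BILL2|P1001|view_claim
2024-03-18T09:07:13|tnguyen|WS-NURSE3|P1042|view_chart
2024-03-18T09:08:30|frontdesk|WS-FRONT1|P1043|view_demographics
2024-03-18T09:08:45|frontdesk|WS-FRONT2|P1044|view_demographics
2024-03-18T09:10:02|admin|WS-EXAM2|P1045|view_chart
2024-03-18T22:31:55|jsmith|WS-EXAM1|P1046|view_chart
"""


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ws, pid, action = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ws": ws, "patient": pid, "action": action})
    return events


def review_access(events, roster, shared_window=timedelta(minutes=5),
                  business_hours=(7, 19)):
    """Return (finding_type, user, timestamp) tuples for events a reviewer should look at.

    Checks implemented:
      - account not in the roster at all
      - access after the user's termination date
      - an admin account used for routine chart viewing
      - access outside the configured business hours
      - one account active on two workstations within a short window
        (a heuristic for a shared login)
    """
    findings = []
    for e in events:
        entry = roster.get(e["user"])
        when = e["ts"].isoformat()
        if entry is None:
            findings.append(("unknown_account", e["user"], when))
            continue
        term = entry["terminated"]
        if term and e["ts"].date() > datetime.fromisoformat(term).date():
            findings.append(("departed_user_access", e["user"], when))
        if entry["role"] == "admin" and e["action"].startswith("view_"):
            findings.append(("admin_routine_use", e["user"], when))
        if not (business_hours[0] <= e["ts"].hour < business_hours[1]):
            findings.append(("after_hours_access", e["user"], when))

    # Shared-login heuristic: same account, different workstation, close in time.
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda x: x["ts"])
        for a, b in zip(evs, evs[1:]):
            if a["ws"] != b["ws"] and b["ts"] - a["ts"] <= shared_window:
                findings.append(("possible_shared_login", user, b["ts"].isoformat()))
    return findings


def run_review():
    """Run the review over the constructed sample data."""
    return review_access(parse_log(SAMPLE_LOG), ROSTER)


if __name__ == "__main__":
    for kind, user, when in run_review():
        print(f"{when}  {user:<10} {kind}")
```

Against the sample data the review flags the departed nurse's chart access, the admin account used for routine viewing, the physician's late-night access, and the front-desk account appearing on two workstations fifteen seconds apart. The thresholds (business hours, the five-minute window) are assumptions to tune per practice; the value of the script is that it is something a practice can run on a schedule, which is the "reviewed regularly" half of the audit-logging requirement.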
The penalty for HIPAA violations ranges from $100 to $50,000 per violation, with an annual maximum of $1.5 million per violation category. The HHS Office for Civil Rights (OCR) has been increasingly aggressive about enforcement. A proper HIPAA compliance program is far less expensive than a single fine.
We provide comprehensive compliance services for healthcare organizations across New Jersey. Our HIPAA compliance program includes risk assessment, policy development, staff training, and ongoing monitoring.
How often should we update our HIPAA risk assessment?
At minimum annually, and whenever there is a significant change to your IT infrastructure, workforce, or business operations. We recommend quarterly reviews with a full annual assessment.
Does HIPAA apply to our business associates?
Yes. Any vendor that handles PHI on your behalf must sign a Business Associate Agreement and maintain their own HIPAA compliance. You are responsible for verifying this.