Compliance · 2026-05-01 · 8 min read
Your EHR Is HIPAA Compliant. Your Practice Probably Isn't.
Most small practices think their EHR handles HIPAA. It doesn't. Your software covers one of the three layers of compliance — and the layers it misses are exactly where OCR finds violations.
You Picked a HIPAA-Compliant EHR. You're Covered, Right?
Here's a conversation that plays out in dental and medical offices every day:
"Are we HIPAA compliant?" "We use [Software Name]. They're HIPAA compliant." "Great. We're good then."
It's an understandable assumption. You spent real money on that system. The sales rep mentioned HIPAA at least twice. You signed a Business Associate Agreement. But here's what nobody told you: your EHR's HIPAA compliance covers their platform. Not yours.
There are three layers to HIPAA compliance, and your software handles exactly one of them.
The Three Layers of HIPAA Compliance
Think of HIPAA compliance like a three-legged stool. Pull one leg out and the whole thing falls.
Layer 1: Platform compliance. This is what your EHR handles. Their servers are encrypted. Their software follows access control rules. They've been audited. This is real compliance work — but it's their compliance, not yours. They're certifying that their platform meets HIPAA's technical safeguards. They are not saying your practice is compliant. They are explicitly not saying that.
Layer 2: Documentation compliance. This is the layer most small practices are missing entirely. It means having written policies and procedures. Conducting and documenting a formal risk assessment. Tracking every Business Associate Agreement you've signed. Maintaining training records. Designating a Privacy Official on paper. Having a breach response plan that isn't "call the lawyer and hope."
Your EHR generates none of this. Your EHR vendor doesn't even know if you've done any of it.
Layer 3: Human judgment. This layer requires someone at your practice to apply the rules to your specific situation. Your EHR doesn't know that your hygienist texts X-rays to herself. It doesn't know that your front desk monitor faces the waiting room. It doesn't know you haven't reviewed your Notice of Privacy Practices since 2019. These are your problems to find and fix — and they require a human who knows your practice.
When HHS investigates you, they're not auditing your EHR vendor. They're auditing the documentation layer and the judgment layer. The platform layer is assumed.
What Your BAA Actually Says
Read your EHR's Business Associate Agreement sometime. The relevant section goes something like this:
"Business Associate shall implement appropriate safeguards to prevent unauthorized use or disclosure of Protected Health Information... Covered Entity is solely responsible for ensuring that its own HIPAA compliance program meets regulatory requirements."
They're telling you — in the contract you already signed — that your compliance program is your responsibility. The BAA is not a compliance certificate. It's a promise that they'll protect the data on their end while explicitly disclaiming responsibility for yours.
This isn't a knock on EHR vendors. They're right to include that language. They have no way to know what happens inside your practice. But the misconception that the BAA transfers compliance responsibility is so widespread that practices get fined for it constantly.
The Enforcement Reality: Fines With No Breach in Sight
Here's what most practice owners get wrong about HIPAA enforcement: you don't need a data breach to get fined. You don't need a hacker. You don't even need a patient to complain about a serious incident. Most enforcement actions are triggered by documentation failures — the paperwork layer your EHR has nothing to do with.
Gums Dental Care, a solo dental practice in Maryland, was fined $70,000 in October 2024. No breach. This was OCR's 50th enforcement action under its Right of Access Initiative — a patient couldn't get timely access to their own records.
Dr. Donald Brockley D.D.M. settled for $30,000. Solo dentist. Same category — a patient's access to their own records was denied or delayed.
Jacob & Associates, a psychology practice in California, paid $28,000 in 2022. The findings: no designated Privacy Official, missing Notice of Privacy Practices. Pure documentation failures — nothing more.
Manasa Health Center, a psychiatric practice in New Jersey, settled for $30,000 in June 2023. The reason: missing policies and procedures. They simply didn't have the written documentation HIPAA requires.
Comprehensive Neurology, a five-person practice in New York, paid $25,000 in February 2025. This came directly out of OCR's Risk Analysis Initiative — the practice had never conducted a formal risk analysis. No breach, no complaint about a disclosure. Just missing paperwork.
These are not rare cases. In 2024, OCR completed 22 enforcement actions and collected $9.9 million — a near-record year. Fifty-five percent of all 2022 OCR financial penalties fell on small medical and dental practices. OCR's Risk Analysis Initiative, launched in October 2024, has already produced 12+ enforcement actions targeting practices that simply hadn't done the required documentation.
The audits paint an even bleaker picture. In OCR's 2016–2017 audit program, 86% of covered entities failed the risk analysis requirement. Ninety-four percent failed risk management. One in three small practices today still has no written policies at all.
None of those practices were negligent. They thought they were covered.
The Gaps Hiding in Your Practice Right Now
You don't need an audit to know where the likely problems are. Here's the short version of what OCR finds in small practices:
No documented risk assessment. HIPAA requires a formal, written analysis of where PHI lives in your practice and what the risks are. Not a mental note. A document with a date on it. If you've never produced one, you're in the 86% that fail this requirement.
Missing vendor BAAs. Every vendor who touches patient data needs a signed BAA — your billing service, your cloud backup, your IT support company, your appointment reminder platform, your email provider if it carries anything PHI-adjacent. Most practices have maybe half of these. The rest are silent liability.
No training records. Watching a video at a staff meeting is not sufficient documentation. You need names, dates, and signatures proving that training happened. "We trained everyone" is not an answer that satisfies an OCR audit.
Shared logins. If multiple staff members log into your practice management system with the same credentials, you have no audit trail. You cannot demonstrate who accessed which patient record, or when.
PHI on personal devices. Your hygienist texts X-rays to herself. Your dentist emails intraoral photos from a personal Gmail account. Those images sit unencrypted on personal devices and personal cloud accounts, completely outside your BAA coverage and beyond your ability to do a remote wipe.
No designated Privacy Official. HIPAA requires a documented designation — not just an informal understanding that someone "handles compliance." If it's not in writing, it doesn't exist for purposes of an audit.
A stale Notice of Privacy Practices. Requirements have been updated over the years. Your 2018 template may not reflect current standards, and patients need to receive it in a way you can actually document.
Every item on this list is a documentation gap. None of them require a breach to become an enforcement finding.
Where Shieldra Fits In
We're not going to oversell this. Some HIPAA decisions genuinely require human judgment specific to your practice — how to handle a gray-area disclosure, how to respond to a particular patient complaint, how to negotiate a vendor BAA that actually protects you. For those situations, you may still need a consultant or an attorney.
What we handle is the documentation layer — the one that catches most practices.
Shieldra generates your risk assessment framework, tracks your BAA inventory, maintains training records with timestamps and signatures, and produces audit-ready documentation that proves your policies exist and are being followed. When HHS asks "show us your risk analysis," you have one. When they ask "who completed HIPAA training and when," you have a log.
We also surface the judgment-layer issues so they don't stay invisible. If your policies say "no PHI on personal devices" but that's not being enforced in practice, you need to know that before an investigator does.
A HIPAA consultant charges $5,000 to $15,000 for the documentation work Shieldra handles on an ongoing basis for a fraction of that cost. For most small practices, the documentation layer is the entire gap — and it's a gap you can close without clearing your schedule or hiring a specialist.
The Short Version
Your EHR is HIPAA compliant. That means their platform meets the technical requirements.
You still need:
- A written, dated risk assessment
- Documented policies and procedures
- Training records with names, dates, and signatures
- A complete BAA inventory covering every vendor
- A formally designated Privacy Official
- A current Notice of Privacy Practices
- A documented breach response procedure
If you can't point to an actual document for each of those, you have gaps. They might never come up. Or a patient might file a complaint next week, OCR might open an investigation, and you'd be looking at a $25,000-to-$70,000 settlement for paperwork you could have had in place.
The practices fined in the cases above — Gums Dental Care, Jacob & Associates, Manasa Health Center, Comprehensive Neurology — weren't reckless. They were running normal practices that had the same gap yours might have right now: they assumed platform compliance meant practice compliance.
It doesn't. But it's a fixable problem.
Take Shieldra's free compliance assessment — about 10 minutes — and see exactly where your documentation gaps are before someone else finds them for you.