Nearly all small health care organizations believe they’re HIPAA compliant, but most face major cybersecurity risks and possible penalties, a Paubox study warns.
Small medical practices, which make up more than 90% of U.S. health care providers, overwhelmingly believe their email systems are HIPAA compliant, but a new report from email security firm Paubox finds that nearly all of them are mistaken.
The study, based on a survey of 214 IT leaders and practice managers from organizations with fewer than 250 employees, revealed that 98% of small practices think their platforms automatically encrypt emails. In reality, common tools like Microsoft 365 and Google Workspace often fail to provide the protections required by federal law.
The gap arises because encryption may drop if a recipient’s server doesn’t support modern protocols, leaving protected health information unprotected.
Nearly half of health care email breaches stem from Microsoft 365 alone, according to the report.
The survey uncovered widespread misconceptions that are creating compliance violations without practices even realizing it.
Eighty-three percent of respondents believe patient consent removes the need for encryption — a costly misunderstanding, as the HIPAA Security Rule still requires safeguards even with patient approval.
Another 64% think patient portals are required for compliance, despite federal rules explicitly allowing alternative communication methods if reasonable.
One in five small practices admitted to not using email archiving or audit trails, leaving them unable to investigate incidents or demonstrate compliance during audits.
“Every organization, no matter the size, is required to comply with the HIPAA Security Rule,” said Melanie Fontes Rainer, director of the Health and Human Services (HHS) Office for Civil Rights. “Risk assessments are not optional — they’re foundational.”
Phishing remains the leading cause of health care data breaches, accounting for more than 70% of incidents in 2024. Small practices are increasingly prime targets, with 43% reporting phishing or spoofing incidents in the last year.
Half of surveyed organizations lack protections beyond default spam filters, and nearly all have not adopted secure email transfer protocols.
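The fallback described earlier (encryption dropping when the recipient's server lacks modern protocol support) and the "secure email transfer protocols" mentioned here both come down to opportunistic STARTTLS versus an enforced policy. The following is an added example, not code from the Paubox report or from Medical Economics: it parses an MTA-STS policy (RFC 8461, one such protocol) and shows when a sending server keeps encryption, silently drops to plaintext, or defers the message. The policy text and the remote server capabilities are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed MTA-STS policy body for illustration (RFC 8461 key/value format).
EXAMPLE_POLICY = (
    "version: STSv1\n"
    "mode: enforce\n"
    "mx: mail.example.com\n"
    "mx: *.backup.example.com\n"
    "max_age: 86400\n"
)

@dataclass
class RemoteMX:
    hostname: str              # MX host the sender connected to
    offers_starttls: bool      # did the server advertise STARTTLS?
    cert_valid_for_host: bool  # did its certificate validate for that host?

def parse_mta_sts_policy(text: str) -> dict:
    """Parse a policy body into a dict; every 'mx' line is collected in a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy

def mx_matches(pattern: str, hostname: str) -> bool:
    """A leading '*.' wildcard matches exactly one label (RFC 8461)."""
    if pattern.startswith("*."):
        return hostname.split(".", 1)[1:] == [pattern[2:]]
    return pattern == hostname

def delivery_decision(policy: Optional[dict], mx: RemoteMX) -> str:
    """Return 'tls', 'plaintext' or 'deferred' for a message bound for this MX."""
    if policy is None or policy.get("mode") != "enforce":
        # Opportunistic TLS: with no enforced policy the sender accepts whatever
        # the remote offers, so a server without STARTTLS gets plaintext.
        return "tls" if mx.offers_starttls else "plaintext"
    mx_allowed = any(mx_matches(p, mx.hostname) for p in policy["mx"])
    if mx.offers_starttls and mx.cert_valid_for_host and mx_allowed:
        return "tls"
    return "deferred"  # enforce mode never falls back to plaintext
```

With no policy, the same recipient that would get TLS when STARTTLS is offered gets plaintext when it is not, which is the gap the report describes; an enforced policy turns that into a deferral instead.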
“Phishing attacks have evolved — they’re faster, smarter and relentless,” said Hoala Greevy, CEO of Paubox. “It’s not about one-off scams anymore; it’s deception at scale.”
According to the report, health care breaches take an average of 224 days to detect, and another 84 days to contain once detected — totaling over 10 months of vulnerability.
The financial and reputational fallout from breaches can be severe, regardless of practice size. Several recent cases demonstrate the risks:
The average HIPAA breach now costs practices more than $11 million when factoring in fines, legal fees and patient notification expenses.
The report emphasized that many compliance gaps have straightforward fixes.
Automated email encryption, audit trails and phishing defenses can significantly reduce exposure without requiring major IT investments. Practices that implement these measures can avoid relying on staff to make perfect security decisions every time.
“Confidence without clarity is what gets organizations breached,” said Rick Kuwahara, chief compliance officer at Paubox. “We don’t just need encryption — we need evidence.”
As enforcement tightens and cybercriminals refine their tactics, experts say small practices should abandon assumptions of safety. Compliance may not require complicated systems, but it does require proof.