
The Public Cloud Has Excellent Tools—If You Enable Them

Expert insights on HIPAA compliance, AI, ransomware, and OCR audits from the latest HIPAA Insider Live.

HIPAA questions healthcare leaders are finally asking
by HIPAA Vault

HIPAA compliance is one of those topics that tends to get attention only when something goes wrong—a breach, an audit, or a ransomware attack. During a recent live edition of the HIPAA Insider Show, industry experts tackled some of the biggest questions healthcare organizations face as they navigate cloud security, ransomware threats, OCR audits, and AI adoption.

Compliance is a team sport

One of the clearest takeaways from the discussion was that HIPAA compliance isn't just about paperwork.

Discussing Business Associate Agreements (BAAs), HIPAA Vault CEO Gil Vidals explained:
"We're signing to avoid being able to say, 'I didn't know I was handling sensitive data.'"

The panel emphasized that cloud providers can help secure infrastructure, but organizations remain responsible for securing applications, access controls, and patient data. As Vidals put it:
"The public cloud has excellent tools. They work well—if you enable them."

AI, ransomware, and the shared responsibility challenge

The conversation also explored the growing role of AI in healthcare and the importance of understanding where protected health information (PHI) is being processed.

Compliance Manager Henri Alfonso urged organizations to carefully vet AI providers before sharing sensitive data:
"Treat the AI as a junior developer. Make sure you're always looking over their shoulder."

The panel also warned against assuming that smaller organizations fly under regulators' radar. According to Henri A.:
"As soon as a single patient complaint goes in, a ransomware report, or a lost phone gets reported, you will be audited."

Whether you're deploying AI, migrating to the cloud, or preparing for an OCR audit, compliance isn't something you can outsource completely. Understanding your responsibilities—and your vendors'—remains critical.

Watch the full discussion: The team dives deeper into BAAs, OCR audits, ransomware recovery, AI compliance, cloud security, and common HIPAA misconceptions in the full HIPAA Insider Show episode.

Ready to strengthen your compliance posture? Contact HIPAA Vault to learn how managed HIPAA-compliant hosting and security services can help reduce risk and simplify compliance.

HIPAA Compliance Tip of the Week

Backups Mean Nothing If You Never Test Them.

A backup that fails when you need it is as good as no backup at all. HIPAA requires regular testing of disaster recovery plans. Test your backups quarterly—restore a file and verify it.
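One way to carry out that quarterly check, as an added example that is not HIPAA Vault's code or any product's backup format: the script assumes a tar.gz backup with a SHA-256 manifest written at backup time, restores a single file into a scratch directory, and reports a failure when the file is missing, altered, or the archive is truncated. The sample data it builds is constructed.

```python
import hashlib, json, os, tarfile, tempfile

def make_backup(src_dir, archive_path, manifest_path):
    """Archive src_dir as tar.gz and write a JSON manifest {rel path: sha256} beside it."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(src_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                with open(full, "rb") as f:
                    manifest[rel] = hashlib.sha256(f.read()).hexdigest()
                tar.add(full, arcname=rel)
    with open(manifest_path, "w") as f:
        json.dump(manifest, f)
    return manifest

def restore_and_verify(archive_path, manifest, rel_path):
    """Restore one file to a scratch dir; return (ok, reason) against the manifest digest."""
    expected = manifest.get(rel_path)
    if expected is None:
        return False, "file not listed in manifest"
    with tempfile.TemporaryDirectory() as scratch:
        restored = os.path.join(scratch, os.path.basename(rel_path))
        try:
            with tarfile.open(archive_path, "r:gz") as tar, open(restored, "wb") as dst:
                dst.write(tar.extractfile(rel_path).read())  # the actual restore step
            with open(restored, "rb") as f:
                actual = hashlib.sha256(f.read()).hexdigest()
        except Exception as exc:  # any error reading the archive is a failed restore
            return False, "restore failed: %s" % exc
    if actual != expected:
        return False, "hash mismatch: restored file differs from what was backed up"
    return True, "restored and verified"

def demo():
    """Constructed sample run: a good backup, a stale manifest, a truncated archive."""
    with tempfile.TemporaryDirectory() as work:
        os.makedirs(src := os.path.join(work, "src"))
        with open(os.path.join(src, "export.csv"), "w") as f:
            f.write("id,visit_date\n1001,2024-05-01\n")  # constructed rows, not real PHI
        arc, man = os.path.join(work, "b.tgz"), os.path.join(work, "b.json")
        manifest = make_backup(src, arc, man)
        good = restore_and_verify(arc, manifest, "export.csv")[0]
        stale = restore_and_verify(arc, {"export.csv": "0" * 64}, "export.csv")[0]
        with open(arc, "r+b") as f:
            f.truncate(20)  # damaged archive: the restore must fail loudly
        corrupt = restore_and_verify(arc, manifest, "export.csv")[0]
    return good, stale, corrupt
```

Keep the manifest somewhere other than the backup itself, otherwise a corrupted archive can take its own checksums down with it.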

Industry News Roundup

Healthcare’s data breach problem just got a lot bigger

The healthcare industry managed to reduce the number of large data breaches in 2024—but somehow still shattered records for the amount of patient data exposed.

According to new reports from the Department of Health and Human Services’ Office for Civil Rights (OCR), 663 healthcare breaches affecting 500+ individuals occurred last year, down 9% from 2023. The catch? Those incidents exposed the protected health information of nearly 243 million people, more than double the previous record.

One breach changed everything

The eye-popping total was driven largely by the massive Change Healthcare cyberattack, which alone impacted an estimated 192 million individuals.

Meanwhile, hacking and IT incidents remained the industry's biggest headache, accounting for 81% of all breaches and more than 99% of affected individuals. OCR says many incidents could have been avoided with stronger security basics, including risk assessments, access controls, system monitoring, and multifactor authentication.

Healthcare organizations are reporting slightly fewer breaches—but the consequences of a single cybersecurity failure have never been larger.

Want the full story? Read the complete OCR report breakdown to see what drove the record number of affected patients—and why regulators say many of these breaches were preventable.

Another reminder: hackers love healthcare

Healthcare organizations continue to find themselves in cybercriminals’ crosshairs, with three newly disclosed breaches exposing sensitive patient information across providers in Connecticut, New York, and Georgia.

The largest incident hit Hartford HealthCare, where attackers used compromised employee credentials to access Connecticut’s Medicaid provider portal and download files containing data on roughly 22,500 patients. Exposed information included names, claim IDs, treatment details, billing records, and insurance information—but not Social Security numbers.

A familiar playbook

The other breaches followed a pattern cybersecurity teams know all too well: compromised email accounts.

A single employee email account at New York cosmetic surgery practice Ira L. Savetsky, MD may have been accessible to unauthorized parties for more than a year, potentially exposing patient records, health information, insurance details, and photographs. Meanwhile, rehabilitation products provider ERMI disclosed unauthorized access to employee email accounts that persisted for six months before being detected.

Whether through stolen credentials or compromised inboxes, attackers continue to exploit some of the most common—and preventable—security weaknesses in healthcare.

Want the full details? Read the complete breach breakdown, including what data was exposed, how the attacks unfolded, and what organizations are doing to protect affected patients.

Need help navigating HIPAA compliance?

Whether you're building a healthcare SaaS platform, managing a clinic, migrating to the cloud, or exploring AI tools, staying compliant requires more than just checking a few boxes. It takes the right infrastructure, security controls, documentation, and ongoing monitoring.

That's where HIPAA Vault comes in.

From HIPAA-compliant hosting and managed security services to risk assessments, audit support, backup and disaster recovery, AI compliance guidance, and Business Associate Agreements, HIPAA Vault helps healthcare organizations build secure, compliant environments without needing an enterprise-sized IT department.

Think of us as an extension of your compliance and security team—helping you stay audit-ready, reduce risk, and focus on what matters most: serving patients and growing your business.

✔ Learn more at HIPAAVault.com or contact our team for a complimentary consultation.