Your HIPAA setup has a problem

A simple framework to fix your compliance gaps

Your HIPAA stack might not be as compliant as you think, by HIPAA Vault

Healthcare providers love to assume their tech is “secure enough.” The problem? HIPAA doesn’t grade on vibes.

In a recent HIPAA Insider podcast, Gil Vidals breaks it down: compliance isn’t about stacking fancy tools—it’s about getting the basics right first.

Start with the non-negotiables

Your foundation should include secure email (with a signed BAA), properly configured collaboration tools, and HIPAA-compliant website hosting. Translation: if you’re using free Gmail or a generic web host, you’re already off track.

Then level up

Once the basics are locked in, practices can modernize with encrypted intake forms and SFTP for large file transfers—think MRIs and billing data that email just can’t handle safely.

Here’s the catch: Even the best tools fail without proper setup. Training, access controls, and internal policies matter just as much as the tech itself.

Want the full conversation behind this week’s feature? Tune in on YouTube and Spotify.

HIPAA compliance isn’t a one-time checklist—it’s an ongoing system. Build it right, then keep it tight.

Take action

Think you’re compliant? Double-check it—get a free 15-minute HIPAA risk assessment and uncover gaps before they become liabilities.

Quote of the Week
“HIPAA compliance is not really a one-and-done thing… it has to do with the culture within your practice.”
— Gil Vidals, HIPAA Insider

Industry News Roundup

A hospital breach took a year to disclose—and it’s bigger than first reported

If you think a small data breach stays small, think again.

Chicago’s Saint Anthony Hospital just revealed that a 2025 email system breach impacted 146,000+ individuals—a massive jump from the ~6,600 initially reported.

Here’s what happened: An unauthorized third party accessed unstructured data (read: emails and files) back in February 2025. While electronic medical records were spared, sensitive data like Social Security numbers, medical histories, and prescription info may have been exposed.

The timeline raises eyebrows

  • Breach occurred: February 2025

  • Investigation completed: February 2026

  • Notifications sent: March 2026

That’s over a year before patients were officially informed.

What’s more: Affected individuals weren’t offered credit monitoring or identity theft protection—just a recommendation to “stay vigilant.”

The bigger takeaway

This wasn’t a failure of core systems—it was a failure around email and unstructured data security.

Your biggest compliance risk might not be your EHR—it’s everything around it.

From 6,600 to 146,000 patients… here’s how it unfolded

Your inbox might be your biggest risk

Email is still the backbone of most healthcare practices—but as we covered, it’s also one of the easiest places for compliance to break down.

Because “we use Gmail” doesn’t mean “we’re HIPAA compliant.”

And it definitely doesn’t mean your team is protected.

Once patient information is shared by email, the stakes change fast. A signed BAA, admin controls, access restrictions, retention settings, encryption, and data loss prevention all become essential—not later, but from the start.

That’s where HIPAA Vault comes in. Powered by Google Workspace, it helps healthcare teams turn Gmail into a more secure, HIPAA-ready email environment without changing the way they work.

With HIPAA Vault, teams can:

  • use Gmail with a signed BAA in place

  • apply stricter access controls and Zero Trust security

  • protect sensitive data with DLP, retention, and audit controls

  • collaborate more safely without adding new software

  • support growth with a scalable email setup for healthcare