Every EHR vendor, cloud storage provider, and billing platform says it. "HIPAA Compliant." It's on their homepage, in their marketing, probably in the contract you signed. And it gives a lot of practice managers a false sense of security — one that can cost them dearly when something goes wrong.
The phrase has become so ubiquitous that it's essentially lost meaning. But the consequences of misunderstanding it are very real: OCR fines, corrective action plans, and the particularly uncomfortable experience of explaining to your patients that their health records were exposed.
What "HIPAA Compliant Software" Actually Means
When a vendor says their software is "HIPAA compliant," what they're really saying is that their software was built with features that can support HIPAA compliance. Think encryption at rest and in transit, role-based access controls, audit logging, automatic session timeouts, and breach notification capabilities.
These are necessary ingredients. They are not the meal.
- A vendor's HIPAA compliance means their infrastructure meets HIPAA's technical safeguard requirements
- It does NOT mean you are using those features correctly — or at all
- It does NOT mean your workflows, staff behaviors, or internal policies are compliant
- It does NOT mean the other systems in your environment are covered
- HIPAA compliance applies to your entire organization — not any single tool
Think of it this way: a hospital-grade lock on a door is an excellent security control. But it means nothing if you prop the door open. The vendor gave you the lock. Whether you use it is entirely on you.
The Covered Entity vs. Business Associate Distinction
HIPAA draws a clear line between two types of organizations. Understanding this line is the foundation of understanding why "HIPAA compliant software" doesn't make your practice compliant.
You are the Covered Entity. As a healthcare practice, you create, receive, maintain, and transmit protected health information (PHI). That makes you the party primarily responsible under HIPAA. The legal and financial risk sits with you first.
Your EHR vendor is a Business Associate. They process PHI on your behalf — storing records, transmitting data, generating reports. They have significant obligations under HIPAA, but they are operating in service of your practice's activities.
A Business Associate Agreement (BAA) is the contract that defines the vendor's obligations. If you don't have a signed BAA with every vendor that creates, receives, maintains, or transmits PHI on your behalf, you are already out of compliance, regardless of how secure their software is. (The one narrow exception is a pure conduit such as an ISP or the postal service, which only transports data without accessing it. Your EHR, billing, telehealth, and cloud storage vendors do not qualify.)
But here's the part practice managers often miss: the BAA doesn't transfer your liability. It shares it. The vendor is responsible for their piece. You remain responsible for yours. A security failure in your office is yours to own, not theirs.
// What the vendor is responsible for
- Maintaining the security of the software itself — patches, encryption, underlying infrastructure
- Providing audit logging capabilities so you can track who accessed what
- Notifying you of breaches that originate within their systems
- Following the specific security practices they agreed to in the BAA
- Implementing technical safeguards on their end of the data chain
// What you're still responsible for
- Access controls: deciding who in your practice can access which records — and actually configuring those controls in the software
- Staff training: ensuring your team uses the system correctly, doesn't share logins, understands the minimum necessary standard
- Password policies: requiring strong, unique passwords and enabling MFA on every account that touches PHI
- Audit log review: the vendor provides the logs — someone at your practice actually needs to read them periodically
- Minimum necessary: restricting staff access to only the records they need for their specific role
- Incident response: knowing what to do when something goes wrong, and having a documented plan
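The audit log review item above is the one most practices skip because nobody knows what "reading the logs" should actually involve. As an added example (not code from the original article or from any EHR vendor), here is a small review pass over a constructed EHR audit export. The CSV layout (timestamp, user, action, patient_id), the business hours, and the volume threshold are assumptions; real exports differ, so map their columns onto these. It flags four things a reviewer would care about: events from an account HR says has left, access outside business hours, one login touching far more charts in a day than its job needs, and a weekday with no events at all, which is often the first visible sign that logging was switched off.

```python
import csv
import io
from datetime import datetime, timedelta

# ---- Constructed sample export (not real data) ----
# Columns assumed: timestamp (ISO 8601), user, action, patient_id.
_ROWS = [
    "2024-03-04T08:15:00,jsmith,VIEW,P1001",
    "2024-03-04T09:02:00,jsmith,UPDATE,P1001",
    "2024-03-04T10:30:00,mchen,VIEW,P1002",
    "2024-03-04T23:40:00,mchen,VIEW,P1003",   # 11:40 pm on a Monday
    "2024-03-05T09:00:00,kpatel,VIEW,P1004",  # kpatel left the practice
]
# A billing login paging through 45 different charts in 45 minutes.
_ROWS += [f"2024-03-05T09:{i:02d}:00,tbrown,VIEW,P{2000 + i}" for i in range(45)]
# Nothing at all on Wed 03-06 or Thu 03-07, then activity resumes Friday.
_ROWS.append("2024-03-08T08:00:00,jsmith,VIEW,P1005")
SAMPLE_LOG = "timestamp,user,action,patient_id\n" + "\n".join(_ROWS) + "\n"

BUSINESS_HOURS = (7, 19)          # 07:00 <= event hour < 19:00 is normal (assumed)
MAX_PATIENTS_PER_USER_DAY = 40    # tune to the practice's real daily volume (assumed)
KINDS = ("terminated_account", "after_hours", "high_volume", "silent_weekday")


def parse_log(text):
    """Parse the CSV export into dicts carrying a real datetime, oldest first."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    rows.sort(key=lambda r: r["ts"])
    return rows


def review(text, terminated=frozenset()):
    """Return {kind: [(who, detail), ...]} for every rule that fired.

    terminated: usernames from HR's departure list. Any event from one of
    them means the account was never deactivated.
    """
    rows = parse_log(text)
    findings = {k: [] for k in KINDS}
    per_user_day = {}
    days_seen = set()

    for r in rows:
        ts, user = r["ts"], r["user"]
        days_seen.add(ts.date())
        if user in terminated:
            findings["terminated_account"].append((user, ts.isoformat()))
        outside_hours = not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])
        if outside_hours or ts.weekday() >= 5:
            findings["after_hours"].append((user, ts.isoformat()))
        per_user_day.setdefault((user, ts.date()), set()).add(r["patient_id"])

    # Volume: one login touching far more charts than its role needs.
    for (user, day), patients in per_user_day.items():
        if len(patients) > MAX_PATIENTS_PER_USER_DAY:
            findings["high_volume"].append((user, f"{day}: {len(patients)} charts"))

    # Silence: a weekday with zero events is more likely logging being
    # switched off than an empty clinic. Holidays will show up here too, so
    # reconcile against the practice calendar before escalating.
    if rows:
        day = rows[0]["ts"].date()
        while day <= rows[-1]["ts"].date():
            if day.weekday() < 5 and day not in days_seen:
                findings["silent_weekday"].append(("-", day.isoformat()))
            day += timedelta(days=1)
    return findings


if __name__ == "__main__":
    for kind, hits in review(SAMPLE_LOG, terminated={"kpatel"}).items():
        for who, detail in hits:
            print(f"{kind:20} {who:8} {detail}")
```

The thresholds are deliberately simple: the point is that someone runs this (or the equivalent report in the EHR) every month, writes down what was found and what was done about it, and keeps that record. A review that leaves no evidence of having happened is, to an OCR investigator, one that did not happen.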
The Misconfiguration Problem
Most HIPAA violations involving EHR systems don't happen because the EHR itself was insecure. They happen because the practice misconfigured it, ignored the controls it shipped with, or traded them away for convenience.
Here are patterns that show up repeatedly in OCR investigation summaries:
- Every staff member — from the front desk to the billing coordinator — has full admin access, because "it's easier"
- Audit logging was disabled by an IT contractor to "improve system performance," and no one noticed for two years
- Patient portal notifications (messages, appointment requests, reminder bounces) are routed to a legacy mailbox that the employee who set it up no longer monitors
- Former employees' accounts were never deactivated after they left the practice
- Session timeout is set to never, because clinicians found it annoying to log back in
In 2022, a multi-site orthopedic practice received a $1.5M OCR fine after an investigation found that their EHR's audit logging had been disabled by an IT contractor for over 18 months. The EHR vendor had no liability — the software was functioning exactly as configured. The practice bore the full cost.
The vendor's software was doing its job. The practice wasn't doing theirs.
The Platforms You're Probably Missing
Most practices focus on their EHR when thinking about HIPAA compliance. But PHI flows through a much wider ecosystem than that — and every platform that touches it needs to be covered.
- Google Workspace / Microsoft 365: Do you have a BAA with Google or Microsoft that covers the accounts and services your staff actually use? Google Workspace offers a BAA, but an administrator has to accept it in the admin console; it is not active by default, and consumer Gmail accounts cannot be covered at all. Microsoft includes its BAA in the commercial terms for business and enterprise Microsoft 365 subscriptions, but personal and family plans are not covered. Many practices assume they're covered because "we use Google" or "we use Office"; check the subscription tier and the BAA acceptance, not the brand name.
- Cloud storage (Dropbox, Google Drive consumer): Consumer-tier cloud storage explicitly excludes HIPAA coverage. No amount of "but it's encrypted" changes that. If PHI lives in a personal Dropbox folder, you have a compliance gap.
- Telehealth platforms: Zoom's healthcare tier (Zoom for Healthcare) offers a BAA and is HIPAA-appropriate. Consumer Zoom does not have a BAA available and should never be used for telehealth visits involving PHI. These are not the same product.
- Appointment reminder and patient intake tools: Text reminder services, online intake forms, scheduling platforms — all of these can touch PHI. All of them require BAAs.
- Billing and clearinghouse platforms: Your billing software and any clearinghouses you use for claims submission are Business Associates and require BAAs.
A useful exercise: list every software platform your practice uses, then ask — does PHI ever flow through this? For each "yes," confirm there's a signed BAA on file. Most practices discover at least one gap in this process.
What to Actually Verify
Compliance isn't a checkbox you check once. But there are concrete things you can do this week to close the most common gaps:
- Build a complete inventory of every vendor and platform that touches PHI in your practice
- Confirm a signed BAA is on file for each — not just assumed, actually verified
- Open your EHR's user management settings and audit who has admin access — remove it from anyone who doesn't need it
- Verify that audit logging is enabled and review who is responsible for checking it
- Confirm MFA is turned on for every account with access to PHI, especially your EHR and email
- Check that former employees' accounts have been deactivated
- Review your session timeout settings — convenience is not a HIPAA defense
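Several of the items above (admin access, MFA, former employees, and the BAA inventory) come down to comparing an export from the EHR against lists the practice already has: the approved administrators, HR's departure list, and the vendor inventory. As an added example (not code from the original article or from any EHR product), here is that comparison over constructed user and vendor exports. The column names, the 90-day dormancy window, and the review date are assumptions; adapt them to the real export. The session timeout is a single system setting rather than a per-user row, so it is not covered here and still needs a manual look.

```python
import csv
import io
from datetime import date, timedelta

# ---- Constructed sample exports (not real data) ----
# Assumed EHR user export columns: username, role, is_admin, mfa_enabled,
# active, last_login (ISO date).
USERS_CSV = """username,role,is_admin,mfa_enabled,active,last_login
drjones,physician,no,yes,yes,2024-03-07
jsmith,front_desk,yes,no,yes,2024-03-08
mchen,billing,yes,yes,yes,2024-03-08
kpatel,ma,no,yes,yes,2024-01-10
itadmin,it,yes,yes,yes,2024-03-01
oldvendor,support,yes,yes,yes,2023-09-15
rlopez,nurse,no,yes,no,2023-12-01
"""

# Comes from HR, not from the EHR: who has left and when (assumed data).
DEPARTED = {"kpatel": date(2024, 1, 12), "rlopez": date(2023, 11, 30)}
# The short list of people who are supposed to hold admin rights (assumed).
APPROVED_ADMINS = {"itadmin"}

# Assumed vendor inventory columns: vendor, purpose, handles_phi, baa_on_file.
VENDORS_CSV = """vendor,purpose,handles_phi,baa_on_file
EHR Co,charting,yes,yes
TextRemind,appointment reminders,yes,no
Dropbox (personal),file sharing,yes,no
Payroll Inc,payroll,no,no
"""

REVIEW_DATE = date(2024, 3, 8)      # assumed date the review is run
DORMANT_AFTER = timedelta(days=90)  # assumed policy: disable after 90 idle days


def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def review_users(text, today=REVIEW_DATE):
    """Return [(kind, username, detail), ...] for every account needing action."""
    findings = []
    for u in csv.DictReader(io.StringIO(text)):
        name = u["username"]
        active = _yes(u["active"])
        last_login = date.fromisoformat(u["last_login"])
        # A departed employee whose account is still enabled is the finding
        # OCR writes up most often; check it before anything else.
        if name in DEPARTED and active:
            findings.append(("departed_still_active", name, f"left {DEPARTED[name]}"))
        if not active:
            continue  # already disabled: nothing more to check
        if _yes(u["is_admin"]) and name not in APPROVED_ADMINS:
            findings.append(("unapproved_admin", name, u["role"]))
        if not _yes(u["mfa_enabled"]):
            findings.append(("no_mfa", name, u["role"]))
        if today - last_login > DORMANT_AFTER:
            findings.append(("dormant", name, f"last login {last_login}"))
    return findings


def review_vendors(text):
    """Return [(vendor, purpose), ...] for vendors that touch PHI without a BAA on file."""
    return [
        (v["vendor"], v["purpose"])
        for v in csv.DictReader(io.StringIO(text))
        if _yes(v["handles_phi"]) and not _yes(v["baa_on_file"])
    ]


if __name__ == "__main__":
    for kind, name, detail in review_users(USERS_CSV):
        print(f"{kind:22} {name:10} {detail}")
    for vendor, purpose in review_vendors(VENDORS_CSV):
        print(f"{'missing_baa':22} {vendor:20} {purpose}")
```

On the sample data this surfaces a front-desk login with admin rights and no MFA, a billing login with admin rights, a vendor support account that is both admin and idle for months, a departed medical assistant whose account was never disabled, and two PHI-handling vendors with no BAA on file. Each of those is a finding the practice, not the EHR vendor, owns.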
"HIPAA compliant" on a vendor's homepage is a feature description, not a compliance certification. There is no official HIPAA certification: HHS does not certify products or organizations, and OCR does not endorse the private "certifications" vendors sometimes display. No vendor can certify your practice compliant; only your practices, policies, training, and configurations can do that.
The good news: a proper security risk assessment maps all of this out systematically. It tells you exactly where your gaps are and gives you a documented remediation plan, and both the risk analysis and the risk management plan that follows from it are themselves required by the Security Rule. Knowing where you stand is always better than assuming you're fine.