When it comes to protecting sensitive patient information, it’s rarely the big, headline-making hacks that get Spokane practices in trouble. The real danger is the smaller, overlooked healthcare IT habits—things done for convenience or out of routine.

HIPAA (the federal law safeguarding patient health data) doesn’t judge your intentions; it judges results.

Watch out for these subtle missteps that quietly put many health providers on the radar for audits, fines, and reputation damage.

Email and Fax: Overestimating Security

Email moves fast, but speed hides risk—especially when sharing patient details (legally, PHI: Protected Health Information). Even an innocent subject line can leak sensitive info. “Secure fax” is another misnomer; most cloud fax providers are just using the public internet, and they fall under the same HIPAA rules as email.

Require encryption for all outbound emails containing patient data, use secure portals for anything sensitive, and ensure your fax provider’s security is robust. 

Don’t just assume you’re covered—demand a current Business Associate Agreement (BAA) with every company handling PHI.

Missing or Outdated Risk Analysis

This one’s a classic blind spot. Too many practices treat risk analysis like a box to tick, not a real process. If your last review happened before a major EHR (Electronic Health Record) upgrade—or worse, before remote work and telehealth took over—it’s already out of date.

The only way to stay off the audit list is by running a proper risk analysis annually or whenever you make a significant change. That means knowing where PHI lives, how it flows, who touches it, and how you’re managing the threats. If you’re not actively updating your plan, you’re just hoping nothing goes wrong.

Vendor Oversight and Incomplete Contracts

Vendors can be your weakest link. Waste and recycling haulers, shredding services, even marketing agencies—anyone who touches PHI, directly or indirectly, brings risk. If you don’t have a signed, up-to-date BAA for each one, you’re wide open.

Maintain a living inventory of all vendors with access to patient data and regularly verify their security practices, focusing on encryption and breach notification. If a vendor’s standards slip, your compliance goes with them.

Shared Logins and Access Controls

Let’s be honest—shared logins happen because it’s quick and easy, especially at the front desk. But if everyone, or even just a few people, use the same username, you’ll never know who actually touched a patient record. That’s a liability waiting to happen. The gold standard is “least privilege”—give each person only the access they genuinely need, nothing extra. Accountability is the name of the game.

  • Make unique logins mandatory for all staff members.
  • Audit access regularly—whenever roles change, or someone leaves, clean up immediately.
  • Turn on Multi-Factor Authentication (MFA) for any remote access or email. It’s a small step that blocks a mountain of headaches.
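As an added illustration of the access audit described above (example code written for this article, not Cycrest’s tooling or any EHR vendor’s), the script below cross-checks three things a practice usually already has: the HR roster, the EHR’s user account export, and EHR login events. It flags enabled accounts whose owner has left or that nobody personally owns, accounts whose EHR role has drifted away from the person’s job role, and usernames that log in from different workstations within minutes of each other, which is what a shared front-desk login looks like in the logs. The field names, the log line format, and every record below are constructed sample data, not anything from a real system.

```python
"""Access-control audit over constructed sample data (field names are assumptions)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HR roster: employee id -> current job role. Anyone not listed has left.
ROSTER = {
    "asmith": "front_desk",
    "bjones": "nurse",
}

# Constructed EHR account export. 'owner' is the employee the account belongs to;
# None marks a generic account that nobody personally owns.
ACCOUNTS = [
    {"username": "asmith",    "owner": "asmith", "role": "front_desk", "enabled": True},
    {"username": "bjones",    "owner": "bjones", "role": "admin",      "enabled": True},
    {"username": "cdoe",      "owner": "cdoe",   "role": "billing",    "enabled": True},
    {"username": "frontdesk", "owner": None,     "role": "front_desk", "enabled": True},
    {"username": "old_temp",  "owner": "etemp",  "role": "billing",    "enabled": False},
]

# Constructed login events, one per line: "<ISO timestamp> <username> <workstation>".
LOG_LINES = """\
2024-03-04T08:01:00 frontdesk WS-RECEPTION-1
2024-03-04T08:03:00 frontdesk WS-RECEPTION-2
2024-03-04T08:10:00 asmith WS-RECEPTION-1
2024-03-04T13:00:00 bjones WS-NURSE-3
2024-03-04T16:45:00 bjones WS-NURSE-7
"""


def orphaned_accounts(accounts, roster):
    """Enabled accounts with no current owner on the HR roster.

    These are what gets left behind when someone leaves, or when a generic
    login is created that belongs to nobody in particular."""
    return sorted(a["username"] for a in accounts
                  if a["enabled"] and a["owner"] not in roster)


def role_drift(accounts, roster):
    """Enabled, owned accounts whose EHR role no longer matches the HR job role.

    A mismatch usually means rights accumulated past least privilege."""
    return sorted(a["username"] for a in accounts
                  if a["enabled"]
                  and a["owner"] in roster
                  and a["role"] != roster[a["owner"]])


def shared_login_suspects(log_text, window=timedelta(minutes=30)):
    """Usernames that log in from different workstations within `window`.

    One person rarely does that; several people sharing one login do.
    Returns {username: sorted list of workstations involved}."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, workstation = line.split()
        events[user].append((datetime.fromisoformat(ts), workstation))

    suspects = {}
    for user, evs in events.items():
        evs.sort()  # chronological order per user
        seen = set()
        for (t1, ws1), (t2, ws2) in zip(evs, evs[1:]):
            if ws1 != ws2 and t2 - t1 <= window:
                seen.update((ws1, ws2))
        if seen:
            suspects[user] = sorted(seen)
    return suspects


def run_audit():
    """Collect every finding in one place so it can be reviewed or ticketed."""
    return {
        "orphaned": orphaned_accounts(ACCOUNTS, ROSTER),
        "role_drift": role_drift(ACCOUNTS, ROSTER),
        "shared_logins": shared_login_suspects(LOG_LINES),
    }


if __name__ == "__main__":
    for finding, items in run_audit().items():
        print(f"{finding}: {items}")
```

Run it against real exports by replacing the three constructed inputs; the point of keeping each check as its own function is that the orphaned-account and role-drift checks can run on every roster change, while the shared-login check is a periodic log review.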

Unmanaged Devices in Healthcare IT

Lost or unencrypted laptops and personal phones are prime targets for data leaks. PHI often ends up in personal photo rolls or unsecured cloud backups if Mobile Device Management (MDM) is not in place.

The solution isn’t complicated: require full-disk encryption on every computer and laptop, manage all phones and tablets with MDM, enforce strong passcodes, and keep work data separate from personal info. No texting PHI, period—use secure messaging apps that keep you in control.

Reactive Incident Response

Here’s where many practices fall short. When something goes wrong—a lost device, a phishing attack—most scramble to respond, and precious time is wasted. 

That confusion turns minor problems into full-blown breaches.

Your best defense is a simple, clear incident response plan: know who to call, who decides, and what gets communicated if there’s an incident. Train your staff to escalate fast, not after the fact, and run practice drills so the first “real” test isn’t a fire drill.

In Summary

HIPAA compliance isn’t about chasing perfection—it’s about being intentional, consistent, and building habits that keep you out of the audit crosshairs. When Spokane healthcare providers focus on these areas, they spend less time fighting fires and more time on what matters: patient care and peace of mind. 

Minor improvements aren’t just box-ticking—they’re the difference between constant headaches and a practice that runs smoother, safer, and earns absolute trust. Every step forward is worth it.

If you’re looking for a risk review that provides actionable insights—not just more paperwork—Cycrest is ready to help. We’ll pinpoint your exposures and deliver a plan you can execute without stalling your operations.

Please call 509-747-9275 to speak with one of our team members, who will help answer any questions you may have.

Glossary:

PHI: Protected Health Information

HIPAA: Health Insurance Portability and Accountability Act

EHR: Electronic Health Record

BAA: Business Associate Agreement

MFA: Multi-Factor Authentication

MDM: Mobile Device Management