HIPAA Compliance for Physician Practices
Alice Gosfield, Episode 3: Understanding HIPAA Compliance for Medical Practices: Common Mistakes and How to Avoid Them
How Daniel Shay Entered the Field of Healthcare Law
Daniel Shay began his career in health law somewhat unexpectedly. After graduating law school during a tough job market, his mother, attorney Alice Gosfield, needed an associate for her firm. She offered to train him, and though health law wasn’t his original plan, he quickly developed a passion for it. Today, Daniel focuses on helping physicians navigate complex healthcare regulations, including HIPAA, billing, fraud and abuse laws, and emerging issues in electronic health records and artificial intelligence.
What HIPAA Actually Requires and Where Practices Go Wrong
HIPAA, which stands for the Health Insurance Portability and Accountability Act, governs the privacy and security of individually identifiable health information, including medical and billing records, known as Protected Health Information (PHI). Daniel Shay notes that physicians often land at one of two extremes:
Some fail to take HIPAA seriously enough, focusing only on basic privacy rules while neglecting deeper security and documentation requirements. Others become overly cautious, refusing to release information even when HIPAA allows it.
Both mistakes create compliance risks. The key is understanding what HIPAA actually permits and requires, and maintaining a balanced, informed compliance program.
How HIPAA Enforcement Works and What the Office for Civil Rights Looks For
The Office for Civil Rights (OCR) under the U.S. Department of Health and Human Services enforces HIPAA regulations. Anyone — not just a patient — can file a complaint, including staff members who believe their practice isn’t compliant.
OCR typically conducts a preliminary investigation first. If potential violations are found, a deeper review follows. One of the first things OCR examines is how promptly the practice responds to their inquiries. Ignoring an OCR notice or failing to respond quickly can lead to serious consequences.
Most practices cooperate when notified, but Daniel Shay warns that some offices ignore letters or delay responses — a mistake that almost always ends badly.
The Most Common HIPAA Mistakes Physicians Make
Two compliance failures appear more often than any others.
First, many practices have never conducted a Security Risk Assessment (SRA), the risk analysis the HIPAA Security Rule requires of any practice that creates, stores, or transmits electronic PHI, whether or not it runs a full electronic health record system. Others completed one years ago but never updated it after changing systems or vendors, so the assessment no longer describes the environment that actually holds the data.
Second, many practices create policies and procedures but never implement them. They collect dust on a shelf with no staff training, internal audits, or updates. When a breach occurs, the practice is unprepared.
Effective HIPAA compliance requires regular updates, documented reviews, and ongoing education — not just a binder of policies.
When IT Vendors Create Compliance Problems
Daniel Shay cautions against relying solely on IT vendors for HIPAA compliance. While many are skilled in technology, they may not fully understand regulatory requirements.
He recalls one client whose IT contractor misconfigured a network firewall, leading to a security breach and OCR investigation. Although the practice ultimately avoided penalties by taking quick corrective action and cooperating fully, the experience was costly and stressful.
Shay’s advice: IT vendors should assist with technical safeguards, but healthcare professionals remain responsible for compliance. Practices should ensure vendors understand HIPAA’s specific security standards — not just technology.
Why Withholding Patient Records Over Unpaid Bills Violates HIPAA
HIPAA does not allow practices to withhold medical records because of unpaid bills. Patients have a right to access their medical records upon request, regardless of payment status.
Daniel Shay points out that OCR has repeatedly fined practices for refusing to release records over outstanding balances. Patient access has been one of OCR’s top enforcement priorities in recent years.
While practices can charge a reasonable, cost-based fee for producing copies, they cannot use unpaid bills as a reason to deny or delay access; the request must still be honored within the timeframe HIPAA sets (generally 30 days, with one 30-day extension).
How Small Practices Can Strengthen HIPAA Compliance on a Budget
For smaller offices, hiring a full-time compliance officer may not be practical. Daniel Shay encourages physicians to rethink their mindset — compliance shouldn’t be viewed as a cost-cutting exercise but as preventive medicine for the business.
Every practice should designate at least one privacy officer and one security officer, even if those roles are filled by existing staff. These individuals should understand HIPAA requirements and basic technical safeguards.
If possible, separate the roles to improve accountability. Clinical or administrative team members with technology awareness can fill these positions effectively. The goal is to stay proactive, not reactive.
As Shay emphasizes, investing in compliance early saves far more than it costs — both in money and reputation.
Final Thoughts: HIPAA Compliance Is Preventive Protection
HIPAA compliance is not about checking boxes or cutting corners; it’s about building systems that prevent future problems. Practices that stay current with security risk assessments, document training, and maintain open communication with vendors are far better protected from violations and penalties.
For more information or guidance on healthcare compliance, visit gosfield.com.