April 29, 2026

What Your HIPAA Software Cannot Do: 7 Gaps Every Practice Owner Should Audit

Every HIPAA compliance software vendor markets the same promise. Sign up, complete the modules, generate the documents, and your practice is "HIPAA compliant." OCR enforcement actions in 2025 and 2026 tell a different story. Eighteen separate HHS resolution agreements have been published since January 2025, with settlement amounts ranging from $5,000 to $3 million. Many of those practices had compliance software in place when the violations occurred.

The pattern is consistent. Software produces artifacts. OCR audits demand judgment, documentation of the why behind decisions, and evidence that the rule was actually applied to your practice rather than to a generic template. The seven requirements below are the ones where software almost always falls short. Each one cites the specific HIPAA regulation that defines it.

1. Site-Specific Written Risk Analysis

Regulation: 45 CFR 164.308(a)(1)(ii)(A). The Security Rule requires you to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate."

What software does: generates a checklist or auto-populated template with generic risk categories.

What the rule actually requires: a written analysis of YOUR specific environment. Your specific systems, your specific vendors, your specific data flows, your specific physical layout. A template populated with vendor names is not an analysis. It is a list.

OCR enforcement reference: Vision Upright MRI settled with HHS on May 15, 2025 for $5,000. The headline finding was failure to conduct an accurate and thorough Risk Analysis. The settlement amount is small. The lesson is that the foundational requirement is the one OCR enforces most consistently, regardless of practice size.

2. Workforce Sanction Policy and Enforcement

Regulation: 45 CFR 164.308(a)(1)(ii)(C). The Security Rule requires you to "apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate."

What software does: delivers training modules, tracks completion, generates a sanction policy document.

What the rule actually requires: evidence that you applied sanctions when an employee actually violated policy. That is a human accountability decision. When an employee snoops on a celebrity patient's chart, software can surface the audit log entry. The decision to sanction, the documentation of that decision, and the contemporaneous record of what was discussed and what consequence was imposed all require a human in the chain.

3. Business Associate Agreement Review and Negotiation

Regulation: 45 CFR 164.502(e) and 45 CFR 164.314(a). The Privacy Rule prohibits sharing PHI with a business associate unless a written contract is in place. The Security Rule defines what that contract must cover.

What software does: flags vendors that need a BAA. Provides a template BAA you can send.

What the rule actually requires: a contract that meets the regulatory requirements AND is reciprocally enforceable. When a vendor sends back their preferred BAA, someone has to read it. Vendor-favorable BAAs frequently water down indemnification, limit liability to refund of fees paid, exclude subcontractor obligations, or carve out the vendor's right to use de-identified data however it pleases. Software does not negotiate.

OCR enforcement reference: BST & Co. CPAs, LLP settled with HHS on August 18, 2025. The CPA firm acted as a business associate to a covered entity, and OCR's investigation of a ransomware attack on the firm identified HIPAA Security Rule failures. Many small practices use their CPA, IT vendor, or marketing agency without ever reviewing whether those firms are equipped to be HIPAA business associates.

4. Notice of Privacy Practices Customization and Posting

Regulation: 45 CFR 164.520. The Privacy Rule requires every covered entity to provide a Notice of Privacy Practices that describes the entity's actual privacy practices.

What software does: generates a template NPP with standard categories.

What the rule actually requires: the NPP must reflect what your practice actually does. If your practice sends appointment reminders by text, that goes in the NPP. If you participate in a Health Information Exchange, that goes in the NPP. The NPP must also be posted in a clear and prominent location at every service delivery site, available on request, and posted on the practice's website if you have one. A template that does not match your operations is not a Notice of Privacy Practices. It is a formality.

5. Breach Risk Assessment Four-Factor Analysis

Regulation: 45 CFR 164.402. When PHI is impermissibly used or disclosed, the rule presumes a breach occurred unless you can demonstrate a low probability that the PHI was compromised, based on a four-factor risk assessment: (1) the nature and extent of the PHI involved, (2) the unauthorized person who used the PHI or to whom the disclosure was made, (3) whether the PHI was actually acquired or viewed, and (4) the extent to which the risk has been mitigated.

What software does: provides a breach reporting form.

What the rule actually requires: a documented analysis of those four factors, applied to the specific incident, with a defensible conclusion about whether breach notification is triggered. The analysis is judgment work. Get it wrong and you either over-report (notifying patients about an incident that did not legally rise to a breach, damaging trust unnecessarily) or under-report (failing to notify when notification was required, which is what OCR investigates after the fact).

6. Vendor Due Diligence Beyond BAA Collection

Regulation: 45 CFR 164.308(b). The Security Rule requires that satisfactory assurances be obtained from business associates that they will appropriately safeguard the information.

What software does: collects signed BAAs into a folder.

What the rule actually requires: some level of verification that the vendor's actual practices match what they claim. With cloud vendors specifically, this means confirming you are using HIPAA-eligible services, not just any service the cloud provider offers. AWS calls these "HIPAA Eligible Services." Microsoft calls them "in-scope services." Google Cloud has its own list. A BAA does not extend to services outside that list, regardless of what your account contract says, and eligibility is necessary rather than sufficient: an eligible service still has to be configured the way the provider's BAA and guidance require. A signed BAA in your files is not the same as an audited vendor relationship.
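The "is it on the list" check above can be done against activity logs rather than memory. The following is an added example, not code from the original post or from any cloud provider: it reads CloudTrail-style records, inventories which AWS services were actually called and by whom, and reports the ones that are not on an eligibility list. The eligible set is a placeholder assumption (replace it with the provider's current published list), the records are constructed for the example, and "exampleanalytics" is a made-up service name so the check has something to flag.

```python
"""Flag cloud services in use that fall outside a HIPAA-eligible list.

Added example. The eligible set is an ASSUMPTION (placeholder subset);
pull the real list from the provider's HIPAA eligibility page.
"""
import json
from collections import defaultdict

# ASSUMPTION: placeholder subset of AWS HIPAA Eligible Services, present only
# so the example runs offline. Not the provider's published list.
HIPAA_ELIGIBLE = {"s3", "ec2", "rds", "lambda", "kms", "cloudtrail"}

# Constructed CloudTrail-style records (not real logs). Only the fields this
# check reads are included. "exampleanalytics" is a fictional service name.
SAMPLE_EVENTS = [
    {"eventTime": "2026-04-06T14:02:11Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ehr-export"}},
    {"eventTime": "2026-04-06T14:03:40Z", "eventSource": "rds.amazonaws.com",
     "eventName": "DescribeDBInstances", "readOnly": True,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops"}},
    {"eventTime": "2026-04-06T14:05:02Z",
     "eventSource": "exampleanalytics.amazonaws.com",
     "eventName": "StartJob", "readOnly": False,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ehr-export"}},
    {"eventTime": "2026-04-06T14:05:09Z",
     "eventSource": "exampleanalytics.amazonaws.com",
     "eventName": "ListJobs", "readOnly": True,
     "userIdentity": {"arn": "arn:aws:iam::111122223333:role/ops"}},
]
SAMPLE_TRAIL = json.dumps({"Records": SAMPLE_EVENTS})


def service_name(event_source):
    """'s3.amazonaws.com' -> 's3'.

    CloudTrail eventSource values are API endpoint names, which do not always
    match the product name on the eligibility page (for example
    'monitoring.amazonaws.com' is CloudWatch), so map them before comparing.
    """
    return event_source.split(".", 1)[0].lower()


def inventory(trail_json):
    """Map each service seen in the trail to call count, write count and
    the set of principals (IAM ARNs) that called it."""
    records = json.loads(trail_json)["Records"]
    seen = defaultdict(lambda: {"calls": 0, "writes": 0, "principals": set()})
    for rec in records:
        entry = seen[service_name(rec["eventSource"])]
        entry["calls"] += 1
        entry["principals"].add(rec.get("userIdentity", {}).get("arn", "unknown"))
        # A missing readOnly flag is treated as a write, the conservative choice:
        # writes are the calls most likely to have moved data into the service.
        if not rec.get("readOnly", False):
            entry["writes"] += 1
    return dict(seen)


def out_of_scope(trail_json, eligible=HIPAA_ELIGIBLE):
    """Services in use that are not on `eligible`, write-capable ones first."""
    inv = inventory(trail_json)
    findings = [(svc, info) for svc, info in inv.items() if svc not in eligible]
    findings.sort(key=lambda kv: (-kv[1]["writes"], kv[0]))
    return [{"service": svc, "calls": info["calls"], "writes": info["writes"],
             "principals": sorted(info["principals"])} for svc, info in findings]


if __name__ == "__main__":
    for finding in out_of_scope(SAMPLE_TRAIL):
        print(f"{finding['service']}: {finding['calls']} calls, "
              f"{finding['writes']} writes, by {', '.join(finding['principals'])}")
```

Run it against an exported trail for the account (or the JSON output of an equivalent activity-log export from another provider, after adjusting the field names) and treat every finding with a non-zero write count as a question for the vendor due-diligence file: what data went there, under which BAA, and who decided it was acceptable. The eventSource-to-product-name mapping is the part that most often needs a human, since the log names a service by its API endpoint while the BAA names it by its marketing name.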

7. OCR-Audit-Grade Documentation

Regulation: 45 CFR 164.316. The Security Rule requires you to "maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form" and to "maintain a written (which may be electronic) record of the action, activity, or assessment required by this subpart."

What software does: generates artifacts. Policies. Procedures. Training records. Audit logs.

What the rule actually requires: evidence of the action, activity, or assessment. When OCR opens an investigation, the request letter does not stop at your policy documents. It asks for evidence that the policy was followed. Decision logs. Meeting notes. Email threads documenting why a particular vendor was chosen, why a particular access decision was made, why a particular incident was or was not classified as a breach. Software produces the artifact. The contemporaneous record of human judgment is what survives an audit.

The Gap Between Software Output and OCR Demand

Compliance software has a place. It standardizes training. It centralizes policy documents. It tracks deadlines. None of those tasks are unimportant. The question for a small practice owner is not whether to use software. The question is whether you understand what software is not doing on your behalf.

Across the OCR settlements published in 2025 and 2026, the recurring failure modes are the seven described above. Risk Analysis was missing or inadequate. Sanctions were not enforced or not documented. BAAs were generic templates from a vendor. NPPs did not match operations. Breach assessments were not performed. Vendor relationships were unaudited. Documentation could not survive a request letter.

If you are running a small healthcare practice, the audit you should conduct this week is not a software product comparison. It is an honest assessment of which of the seven gaps above are present in your current program, and what evidence you would produce if OCR sent a request letter on Monday morning.

If that exercise is uncomfortable, that is the value of doing it. Book a consultation to walk through your current program with a CIPP/US certified privacy advisor and identify which of the seven gaps need attention first.

RELATED RESOURCES

HIPAA compliance for healthcare practices →

Dental, medical, mental health, and specialty practices: see how we close the HIPAA gaps your software does not cover.

HIPAA Risk Analysis service →

Written, OCR-defensible Risk Analysis required by 45 CFR 164.308(a)(1)(ii)(A). Starting at $3,500.

Free HIPAA Penalty Calculator →

Estimate the OCR fine range for a HIPAA violation. Verified against the 2026 Federal Register adjustment.
