
98% of small medical practices wrongly claim HIPAA compliance: Survey
Nearly all small healthcare practices are exposing themselves to cyberattacks and federal compliance violations, according to a recent survey conducted by Paubox.
The technology company’s survey of 214 healthcare IT leaders and practice managers at organizations with fewer than 250 employees, released Aug. 19, found that 98% said they believe they are HIPAA compliant despite widespread security gaps. Nearly half of healthcare email breaches were tied to Microsoft 365, and nearly 99% of organizations had not implemented secure email transfer protocols.
Eighty-three percent of respondents said they believed patient consent eliminated the need for encryption, while 64% said they believed patient portals were required for HIPAA compliance. One in 5 organizations lacked email archiving or audit trails, and one-third reported lacking time or policies for compliance tasks. The survey also found that the average employee at a small practice had access to more than 5,500 sensitive files.
Phishing attacks, which accounted for more than 70% of healthcare breaches in 2024, remain the top threat. Forty-three percent of small organizations reported phishing or spoofing incidents in the past year, and about 50% lacked anti-phishing controls beyond default spam filters, according to the survey.
In 2025, healthcare breaches took an average of 224 days to detect and 84 more days to contain, according to an Aug. 19 news release from the company.
The post 98% of small medical practices wrongly claim HIPAA compliance: Survey appeared first on Becker’s Hospital Review | Healthcare News & Analysis.