HIPAA has governed ePHI protection since 1996. Yet after nearly three decades, small medical practices — those under 50 employees — remain the most chronically non-compliant segment of the healthcare sector. The reason isn't ignorance or bad faith. It's a structural mismatch that existing compliance frameworks have never adequately resolved.

This article summarizes key findings from original research published by Wlad Pierre-François, PhD: Compliance Under Pressure: A Risk-Based Organizational Framework for HIPAA Security Rule Adherence in Small Medical Practices in an Era of Regulatory Modernization. The full paper is available in the Publications section.

The compliance compression problem: Between 2018 and 2023, healthcare became the most frequently targeted sector for ransomware attacks in the U.S. Small practices are now a primary target — holding high-value ePHI with characteristically weaker security postures. At the same time, HHS proposed the most substantive HIPAA Security Rule revisions since 2003, converting many addressable safeguards to required status. The gap between minimum requirements and current small-practice capabilities is not narrowing; it is widening, as requirements rise while capacity stays flat.

Why Small Practices Keep Failing

Research consistently identifies a cluster of structural and organizational factors that explain the compliance gap. These are not excuses — they are diagnosable conditions that any effective compliance framework must account for:

  • Capital constraint: Information security investment competes directly with clinical operations for a limited budget
  • Expertise deficit: Most practices rely on a single IT generalist — or a physician managing IT on the side — with no formal security training
  • High staff turnover: Administrative staff, the primary social engineering targets, cycle through frequently without adequate training
  • Clinical priority displacement: Compliance functions are systematically subordinated to patient care demands
  • Misreading the rule: Many practices treat addressable HIPAA specifications as optional rather than contextually conditional — a misreading that has created systematic gaps in technical safeguards for decades

The 2024–2025 HHS proposed rulemaking forecloses the interpretive latitude small practices have long exploited. Converting addressable specifications to required status eliminates the ambiguity — but does nothing to address the underlying capacity asymmetry.

The Missing Variable: Organizational Behavior

The research draws on empirical findings from Doherty et al. (2022), which identified the organizational antecedents that most reliably predict HIPAA compliance outcomes. Three findings deserve particular attention for small practice operators:

1. Leadership commitment is the strongest single predictor of compliance. In small practices, "top management" is typically one physician-owner whose attention is saturated by clinical demands. The absence of a genuine compliance champion — not a nominal one, but an active one — reliably predicts compliance gaps even when other resources are in place.

2. Organizational culture operates independently of formal policy. Practices whose staff understand the purpose of ePHI protection, are trained to recognize threats, and feel safe reporting incidents consistently outperform those relying on policy documents alone. Culture shapes the informal daily choices through which compliance is either realized or undermined.

3. Perceived regulatory legitimacy predicts voluntary compliance effort. Practices whose leaders view HIPAA requirements as genuinely serving patient protection — rather than as bureaucratic impositions — invest more and sustain compliance better. This has direct implications for how compliance training should be framed.

⚠️ The paper-exercise problem: The HIPAA Security Rule mandates regular risk analysis as an operational intelligence process. In practice, many small practices treat it as a compliance artifact — a document produced once and filed, rather than a living decision-support mechanism updated as the technology environment changes. This is among the most cited violations in OCR enforcement actions.

The Integrated Risk-Behavioral Compliance Framework (IRBCF)

The research proposes a novel framework — the Integrated Risk-Behavioral Compliance Framework — that maps regulatory requirements to organizational capacity variables in a manner calibrated to small-practice realities. The IRBCF operates across four interconnected dimensions:

Dimension 1: Regulatory Mapping

Each HIPAA requirement is mapped to the organizational capacity it demands — clarifying not just what is required, but what kind of resource (financial, human, or cultural) is necessary to meet it.

Dimension 2: Risk Stratification

Requirements are prioritized based on actual risk exposure in the small-practice environment — directing limited investment toward the controls that address the highest-probability, highest-impact threats first.

Dimension 3: Behavioral Antecedents

Leadership commitment, cultural formation, and perceived legitimacy are treated as first-order compliance variables — not soft factors to be addressed after the technical controls are in place.

Dimension 4: Modernization Readiness

The framework anticipates the 2024–2025 HHS proposed rulemaking, building compliance pathways that address both current requirements and the emerging mandatory-control landscape.

What the 2024–2025 Modernization Means in Practice

The HHS Notice of Proposed Rulemaking represents the most significant revision to the HIPAA Security Rule since 2003. For small practices, the practical implications are substantial:

Key Proposed Changes — What Small Practices Must Prepare For

  • Multi-factor authentication as a baseline standard. No longer addressable — MFA on all systems containing ePHI will be required, including EHR remote access and email.
  • Asset inventory programs. Formal, documented inventories of all devices and systems containing or transmitting ePHI — a requirement many practices are not equipped to execute.
  • Vulnerability scanning mandates. Regular, documented vulnerability scanning with evidence of remediation — previously optional under an addressable framework.
  • Tighter breach notification timelines. Proposals would compress current 60-day notification windows, increasing the operational burden on practices with no dedicated incident response capability.
  • Subcontractor accountability. Expanded requirements for business associate agreement chains, including subcontractors of subcontractors who may touch ePHI.

A Scalable Compliance Pathway for Small Practices

The IRBCF offers three actionable priorities for practices seeking a practical starting point — sequenced by impact and feasibility in resource-constrained environments:

Priority 1: Conduct a genuine risk analysis — not a vendor-provided assessment. Your EHR vendor's "HIPAA assessment" does not satisfy the requirement. A valid risk analysis must cover your entire ePHI environment: email, cloud storage, workstations, mobile devices, backup systems, and any third-party tool your staff uses. Document it. Update it when anything changes.

Priority 2: Address the behavioral antecedents before expanding technical controls. No amount of tooling overcomes a physician-owner who models indifference to security, or a staff culture where reporting an incident feels professionally risky. Compliance investment should begin with training that connects ePHI protection to patient trust — not with purchasing the next endpoint security product.

Priority 3: Build toward mandatory controls now, before the rule is finalized. MFA, asset inventory, and documented vulnerability scanning will almost certainly be required. Practices that treat these as future problems will face acute implementation burdens under deadline pressure. Building toward these controls now — incrementally, as budget allows — is far less disruptive than crisis remediation.


This article is a practitioner summary of the research paper Compliance Under Pressure: A Risk-Based Organizational Framework for HIPAA Security Rule Adherence in Small Medical Practices in an Era of Regulatory Modernization by Wlad Pierre-François, PhD (2026). The full paper, including citations and methodology, is available on the Publications page.