Most Providers Think They’re HIPAA Compliant. 98% of Them Are Wrong.

March 30, 2026

A recent report found that, among small care providers who believe they're HIPAA compliant, 98% are not.

The same report highlights a consistent pattern:

  • Most organizations are confident in their compliance posture
  • Many rely on default configurations in platforms like Microsoft 365
  • Critical safeguards—like audit trails and monitoring—are often missing or incomplete

Where the Disconnect Comes From

The challenge is that compliance in Microsoft 365 operates on a shared responsibility model.

Microsoft provides the platform, infrastructure, and available controls.
Care providers are responsible for how those controls are configured, enforced, and monitored.

That includes decisions like:

  • Who has access to sensitive data
  • How data is shared externally
  • Whether activity is logged and reviewed
  • How incidents are detected and handled

The platform enables compliance…but it does not guarantee it.

That’s on you, as the provider.

And for most organizations, the "how" isn't always clear, especially without a deep familiarity with how Microsoft 365 works.

What Actually Separates the 2%

The small percentage of organizations that would hold up under scrutiny tend to have four things in common:

They Don’t Rely on Default Assumptions

They don’t assume:

  • That email is always encrypted
  • That access is inherently secure
  • That the platform is “handling it”

They understand that default configurations are a starting point, not a finished state.

They Enforce Controls (Not Just Support Them)

There’s a meaningful difference between:

  • A system that can enforce encryption
  • And a system that always does

The same applies to:

  • Access controls
  • Sharing restrictions
  • Data protection policies

In the environments that get this right, safeguards are not optional or situational—they are consistently enforced.

They Can Produce Evidence

If something goes wrong, they don’t rely on assumptions.

They can show:

  • Audit logs of activity
  • Records of how data was handled
  • Evidence that safeguards were applied

This is what regulators look for—not intent, not capability, but proof.

They’ve Actually Performed Risk Assessments

Not informally. Not once, years ago.

They’ve completed and documented risk assessments that:

  • Identify where exposure exists
  • Evaluate how data is handled
  • Define what needs to be addressed

This step alone eliminates a large portion of the uncertainty most organizations operate under.

What Needs to Be Confirmed in Microsoft 365

If you’re using Microsoft 365, compliance ultimately comes down to whether specific conditions are true in your environment.

At a high level, that means being able to confirm five areas:

Identity and Access Is Controlled

  • Multi-factor authentication is enforced for all users, not just offered to them
  • Administrative access is limited to a small, known set of accounts and is monitored
  • Legacy authentication (basic-auth protocols such as IMAP, POP and SMTP AUTH, which cannot satisfy an MFA requirement) is disabled
  • External and guest access is governed

Sensitive Data Has Defined Boundaries

  • ePHI is stored only in approved locations
  • External sharing is restricted
  • Anonymous (“Anyone”) sharing links are disabled
  • Automatic email forwarding to addresses outside the organization is blocked or controlled
  • Data protection policies are active

Activity Is Logged and Detectable

  • Audit logging is enabled
  • Logs can be searched and used
  • Alerts are configured for suspicious activity
  • Logs and alerts are reviewed regularly

Devices Are Governed

  • Devices accessing data are managed or restricted
  • Encryption is enforced
  • Non-compliant devices are blocked or limited
  • Organizational data can be removed from lost devices
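The identity, data, logging and device items above are all things an administrator can read directly from the tenant rather than take on faith. The script below is an added example, not code from the original post or from ThreeWill: a read-only posture check that records a PASS or FAIL for each item and writes the results to a dated CSV so the answer can be produced as evidence later. It uses the Microsoft Graph, Exchange Online and SharePoint Online PowerShell modules; the tenant name `contoso` and the Global Administrator threshold of four are assumptions to replace with your own values.

```powershell
# Added example (not from the original post): read-only posture check for the
# Microsoft 365 items listed above. Requires the Microsoft.Graph,
# ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules
# and an account with read rights on tenant policy. Nothing is changed.
$TenantName      = 'contoso'   # assumption: replace with your tenant short name
$MaxGlobalAdmins = 4           # assumption: threshold chosen for this check

Connect-MgGraph -Scopes 'Policy.Read.All','Directory.Read.All','DeviceManagementConfiguration.Read.All' -NoWelcome
Connect-ExchangeOnline -ShowBanner:$false
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Area, [string]$Check, [bool]$Pass, [string]$Detail) {
    $findings.Add([pscustomobject]@{
        Area   = $Area
        Check  = $Check
        Result = $(if ($Pass) { 'PASS' } else { 'FAIL' })
        Detail = $Detail
    })
}

# --- Identity and access ----------------------------------------------------
$ca = Get-MgIdentityConditionalAccessPolicy -All | Where-Object State -eq 'enabled'

# MFA for everyone: an enabled policy scoped to "All" users that grants only with
# MFA (or an authentication strength, which is MFA with a required method set).
$mfaAll = @($ca | Where-Object {
    $_.Conditions.Users.IncludeUsers -contains 'All' -and (
        $_.GrantControls.BuiltInControls -contains 'mfa' -or
        $null -ne $_.GrantControls.AuthenticationStrength.Id)
})
Add-Finding 'Identity' 'MFA required for all users' ($mfaAll.Count -gt 0) ($mfaAll.DisplayName -join '; ')

# Legacy auth: a block policy aimed at the legacy client app types.
$legacy = @($ca | Where-Object {
    $_.GrantControls.BuiltInControls -contains 'block' -and (
        $_.Conditions.ClientAppTypes -contains 'exchangeActiveSync' -or
        $_.Conditions.ClientAppTypes -contains 'other')
})
Add-Finding 'Identity' 'Legacy authentication blocked' ($legacy.Count -gt 0) ($legacy.DisplayName -join '; ')

# Security defaults enforce both of the above tenant-wide when no CA policies exist.
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Add-Finding 'Identity' 'Security defaults enabled (alternative to CA)' ([bool]$sd.IsEnabled) "IsEnabled=$($sd.IsEnabled)"

# Global Administrators: a short, known list.
$gaRole = Get-MgDirectoryRole -Filter "displayName eq 'Global Administrator'"
$ga = @(if ($gaRole) { Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All })
Add-Finding 'Identity' "Global Administrators <= $MaxGlobalAdmins" ($ga.Count -le $MaxGlobalAdmins) "Count=$($ga.Count)"

# --- Sensitive data boundaries ---------------------------------------------
$spo = Get-SPOTenant
# ExternalUserAndGuestSharing is the only tenant level that permits "Anyone" links.
Add-Finding 'Data' 'Anonymous sharing links disabled' ($spo.SharingCapability -ne 'ExternalUserAndGuestSharing') "SharingCapability=$($spo.SharingCapability)"

# Auto-forwarding to external addresses is governed by the default remote domain
# and by the outbound spam policy; both must say no. ('Automatic' currently means off.)
$remote = Get-RemoteDomain Default
$fwdOn  = @(Get-HostedOutboundSpamFilterPolicy | Where-Object AutoForwardingMode -eq 'On')
Add-Finding 'Data' 'External auto-forwarding blocked' ((-not $remote.AutoForwardEnabled) -and $fwdOn.Count -eq 0) `
    "RemoteDomain AutoForwardEnabled=$($remote.AutoForwardEnabled); outbound spam policies with AutoForwardingMode=On: $($fwdOn.Count)"

# --- Logging ----------------------------------------------------------------
$audit = Get-AdminAuditLogConfig
Add-Finding 'Logging' 'Unified audit log ingestion enabled' ([bool]$audit.UnifiedAuditLogIngestionEnabled) "UnifiedAuditLogIngestionEnabled=$($audit.UnifiedAuditLogIngestionEnabled)"

# --- Devices ----------------------------------------------------------------
$compliance = @(Get-MgDeviceManagementDeviceCompliancePolicy -All)
Add-Finding 'Devices' 'At least one Intune compliance policy defined' ($compliance.Count -gt 0) "Policies=$($compliance.Count)"
$requireCompliant = @($ca | Where-Object { $_.GrantControls.BuiltInControls -contains 'compliantDevice' })
Add-Finding 'Devices' 'CA policy requires a compliant device' ($requireCompliant.Count -gt 0) ($requireCompliant.DisplayName -join '; ')

# --- Evidence ---------------------------------------------------------------
$findings | Format-Table Area, Check, Result, Detail -AutoSize
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$findings | Export-Csv -Path ".\m365-hipaa-posture-$stamp.csv" -NoTypeInformation   # dated record of the check
```

A FAIL here is a configuration fact, not a judgement: a tenant may block legacy authentication through a different policy shape than the one matched above, so treat each line as a prompt to confirm, and keep the exported CSV with the date so the next assessment can show what changed.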

Governance Is in Place

  • A Business Associate Agreement (BAA) exists
  • A recent risk analysis has been completed
  • Responsibility for compliance is assigned
  • Incident response procedures are defined

A Simple Reality Check

If you were asked today:

  • Can you show which emails were protected last week?
  • Can you verify who accessed sensitive data and from where?
  • Can you demonstrate that safeguards are consistently enforced?

If those answers aren’t immediately available, you’re not dealing with confirmed compliance—you’re operating on assumption.
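The second question above, who accessed sensitive data and from where, has a concrete answer in the unified audit log once logging is on. As an added example (not code from the original post or from ThreeWill), the script below pulls the last seven days of SharePoint and OneDrive file and sharing events through Exchange Online PowerShell, keeps only events on the sites you designate as holding ePHI, and summarises them per user and source IP address. The site URL `https://contoso.sharepoint.com/sites/PatientRecords` is an assumption to replace with your approved locations.

```powershell
# Added example (not from the original post): answer "who accessed sensitive
# data, and from where?" for the past week from the unified audit log.
# Requires ExchangeOnlineManagement and an account with audit log read rights.
Connect-ExchangeOnline -ShowBanner:$false

# Assumption: the SharePoint sites that hold ePHI. Replace with your approved locations.
$EphiSites = @('https://contoso.sharepoint.com/sites/PatientRecords')

$end   = Get-Date
$start = $end.AddDays(-7)
# File access plus the sharing operations that move data outward.
$ops   = 'FileAccessed','FileDownloaded','FileSyncDownloadedFull','SharingSet','AnonymousLinkCreated'

# Page through results in one session; a single page is capped at 5000 records.
$sessionId = "ephi-review-$($end.ToString('yyyyMMddHHmmss'))"
$raw = @()
do {
    $page = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000)
    $raw += $page
} while ($page.Count -gt 0)

# AuditData is a JSON blob; ClientIP, SiteUrl and ObjectId live inside it.
$events = foreach ($r in $raw) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $r.CreationDate
        User      = $r.UserIds
        Operation = $r.Operations
        ClientIP  = $d.ClientIP
        Site      = "$($d.SiteUrl)".TrimEnd('/')
        Item      = $d.ObjectId
    }
}
$ephiEvents = @($events | Where-Object { $EphiSites -contains $_.Site })

# Per user and source address: how much, when, and whether anything was shared out.
$summary = $ephiEvents | Group-Object User, ClientIP | ForEach-Object {
    $sorted = $_.Group | Sort-Object Time
    [pscustomobject]@{
        User      = $_.Group[0].User
        ClientIP  = $_.Group[0].ClientIP
        Events    = $_.Count
        FirstSeen = ($sorted | Select-Object -First 1).Time
        LastSeen  = ($sorted | Select-Object -Last 1).Time
        Sharing   = @($_.Group | Where-Object { $_.Operation -in 'SharingSet','AnonymousLinkCreated' }).Count
    }
} | Sort-Object Events -Descending

$summary | Format-Table -AutoSize
$ephiEvents | Export-Csv -Path ".\ephi-access-$($end.ToString('yyyyMMdd')).csv" -NoTypeInformation   # the evidence, dated
```

Rows with an unfamiliar ClientIP, an off-hours FirstSeen, or a non-zero Sharing count are the ones to follow up; the exported CSV is the record that the review happened and what it found.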

And that’s the gap the 98% represents.

Get Clarity on Where You Actually Stand

If you’re not completely certain how your Microsoft 365 environment supports HIPAA requirements, that’s the gap most organizations are operating in.

A HIPAA Readiness Assessment gives you a clear view of:

  1. What’s actually configured in your environment
  2. Where risks and gaps exist
  3. What needs to be addressed next

No assumptions. Just a structured review of how your system is actually operating.

About ThreeWill

ThreeWill is on a mission to help 100,000 employees thrive by improving their digital collaboration, communication, and automation in the Microsoft Cloud.
