10 Areas Where Senior Living Communities Can Fall Short on HIPAA Compliance

Senior living communities play a vital role in caring for aging populations—but with that responsibility comes the obligation to protect resident health information under the Health Insurance Portability and Accountability Act (HIPAA).

Unfortunately, many senior living facilities—especially those without dedicated IT and compliance support—are unknowingly falling short in key areas of HIPAA compliance, putting themselves at risk for data breaches, fines, and reputational damage.

Here are 10 areas where senior living communities often fall short, based on findings from industry audits, enforcement actions, and best-practice assessments.

1. Inadequate Access Controls

Many communities fail to implement proper role-based access, meaning employees may have access to more resident health information than they need. Worse, some settings still rely on shared logins, which make individual accountability impossible and should never be used.

Risk: Unauthorized access to PHI and lack of audit trails
Fix: Implement individual user accounts, strong password policies, and role-based permissions

2. No Regular Risk Assessments

HIPAA requires covered entities to regularly assess risks to their ePHI (electronic protected health information). Many communities don’t perform formal risk assessments or only do them sporadically.

Risk: Blind spots in security can go undetected
Fix: Schedule annual risk assessments with documentation and follow-up remediation plans

3. Lack of Device Security

Desktops, laptops, tablets, and even mobile phones are often used to access or store PHI—but they’re frequently unsecured, left unlocked, or not encrypted.

Risk: Lost or stolen devices can lead to major breaches
Fix: Use full-disk encryption, auto-lock policies, and remote wipe capabilities

4. Poor Email and Communication Practices

Using unsecured email or texting to discuss PHI is a common (and risky) shortcut. HIPAA requires communications involving PHI to be encrypted and secure.

Risk: Interception of sensitive resident data
Fix: Use secure messaging platforms or encrypted email services for all PHI

5. No Business Associate Agreements

Senior living communities often work with vendors—IT providers, billing companies, labs, etc.—who access PHI, yet don’t always have the signed Business Associate Agreements (BAAs) that HIPAA requires. This is a must.

Risk: No legal or security accountability from third parties, which leaves your community exposed to litigation
Fix: Review all vendors and ensure BAAs are in place and up to date

6. Improper Disposal of PHI

Shredding policies are often inconsistently followed, and digital records aren’t always properly wiped before disposing of old hardware.

Risk: Paper records or old devices could expose resident information
Fix: Train staff on secure shredding, and use certified data destruction services

7. Insufficient Staff Training

HIPAA requires ongoing training, but many communities only train new hires—or not at all. This leaves staff unaware of how to identify or report a potential HIPAA violation.

Risk: Accidental disclosures or failure to respond to threats
Fix: Provide HIPAA training at onboarding and at least annually for all staff

8. Incomplete or Outdated Policies and Procedures

Many facilities either don’t have written HIPAA policies or rely on boilerplate documents that haven’t been customized or updated in years.

Risk: Employees may not know how to properly handle PHI or respond to incidents
Fix: Develop clear, community-specific HIPAA policies and review them annually

9. Unsecured Physical Records and Workspaces

PHI stored in file cabinets, at nurse stations, or on desks is often left unattended or unlocked.

Risk: Visitors, staff, or unauthorized personnel can view sensitive information
Fix: Store files in locked cabinets, use privacy screens, and enforce a clean-desk policy

10. No Formal Incident Response Plan

When a potential HIPAA violation or breach occurs, many communities don’t have a documented plan for response, reporting, and remediation.

Risk: Delayed response can lead to regulatory penalties or worsening of the breach
Fix: Create and practice a formal incident response plan outlining steps and responsibilities

The Bottom Line

HIPAA compliance is not optional—and it’s not static. It requires an ongoing, organization-wide commitment to privacy, security, and training. As the digital footprint of senior living communities expands, so does the potential risk.

Fortunately, you don’t have to navigate this alone.

At Safe Harbor, we specialize in helping senior living communities secure their data, train their staff, and maintain HIPAA compliance through tailored IT support, risk assessments, policy development, and ongoing monitoring. Reach out to Safe Harbor today for a HIPAA readiness review or IT security consultation.
