Since 2015, SecurityMetrics has received over 3,000 survey responses from individuals responsible for HIPAA compliance, gathering information specific to HIPAA’s Security, Breach Notification, and Privacy Rules.
In 2023, we received over 300 responses from 1 survey; in 2022, over 300 responses from 4 surveys; in 2021, over 600 responses from 4 surveys; in 2020, over 750 responses from 5 surveys; in 2019, over 450 responses from 4 surveys; in 2018, over 250 responses from 5 surveys; in 2017, over 300 responses from 4 surveys; in 2016, over 150 responses from 3 surveys; and in 2015, over 300 responses from 1 survey.
These professionals primarily belong to organizations with fewer than 500 employees, but these statistics are important for organizations of any size because most (if not all) healthcare organizations share patient data with smaller organizations (e.g., hospitals send patient data to specialty clinics). Whenever patient information is shared, the security of one organization could impact the security of the other, regardless of size.
Executive Summary

The following statistics detail the overall highlights from the 2023 surveys, with arrows showing how each result compares to the 2022 survey results (↗ higher than in 2022, ↘ lower than in 2022).

COMPLIANCE MANDATES
- 72% ↘ comply with PCI DSS
- 8% ↘ comply with HITRUST requirements
- 7% ↗ comply with GDPR

RISK MANAGEMENT
- 55% ↗ conduct a risk analysis at least annually
- 64% ↗ review their risk management plan at least annually

PATIENT DATA SECURITY
- 63% ↗ encrypt patient data
- 84% ↗ delete or destroy sensitive data
- 59% ↗ use multi-factor authentication
- 68% ↗ have automatic timeouts/logouts enabled on all workstations

EMAIL SECURITY
- 62% ↘ don’t send emails containing patient data
- 20% ↗ have employees who email patient data to doctors outside of their network
- 12% ↗ email patient data to business associates
- 6% ↗ email patient data to themselves
- 36% ↘ of those that email patient data send it through encrypted email services
- 31% ↗ send patient data through patient portals
- 9% ↘ send patient data through unencrypted email services

MOBILE DEVICE SECURITY
- 91% ↗ don’t allow organization-owned mobile devices to be used for non-office related activities
- 30% ↗ have a mobile device policy (e.g., BYOD policy)
- 18% ↗ use mobile encryption

FIREWALL BEST PRACTICES
- 18% ↘ don’t know what firewall(s) their organization uses
- 4% ↗ don’t use firewall(s)
- 58% ↗ use software firewall(s)
- 50% ↗ use hardware firewall(s)
- 30% ↘ use web application firewall(s)
- 47% ↘ use a security professional or third party to manage their network’s firewall(s)
- 17% ↘ review their firewall rules at least quarterly

SYSTEM MONITORING
- 43% ↗ store system logs
- 17% ↗ review their data breach prevention tool logs at least monthly
- 48% ↘ review access control systems at least annually

VULNERABILITY SCANNING
- 48% ↗ conduct vulnerability scans
- 23% ↗ conduct scans at least quarterly

PENETRATION TESTING
- 22% ↗ perform penetration tests
- 18% ↗ perform penetration tests at least annually

DOCUMENTATION
- 69% ↗ review their business associate agreement documentation at least annually
- 51% ↘ update their notice of privacy practices (NPP) documentation at least annually
- 72% ↘ review their HIPAA compliance documentation at least annually
- 70% ↘ update their HIPAA compliance documentation at least annually

INCIDENT RESPONSE
- 13% ↘ don’t have any response plan policies in place (e.g., incident response plan, disaster recovery plan, business continuity plan)
- 60% ↗ review their response plan policies at least annually
- 22% ↗ test their incident response plan

HIPAA TRAINING
- 58% ↗ train employees at least annually
- 73% ↗ provide HIPAA Security Rule training
- 55% ↗ provide HIPAA Breach Notification Rule training
- 81% ↗ provide HIPAA Privacy Rule training
- 43% ↗ don’t test employees on their HIPAA training
- 49% ↗ test employees on their HIPAA training at least annually

HIPAA Support Surveys: SURVEY RESULTS
Organizations that conduct a formal Risk Analysis

Organizations need to conduct a formal risk analysis to protect against cyber attacks.
| Year | No | Don’t know | Yes |
| :--- | :----: | :----: | :---: |
| 2024 | 26% | 16% | 58% |
| 2023 | 19% | 16% | 65% |
| 2022 | 23% | 26% | 51% |
| 2021 | 21% | 38% | 41% |
| 2020 | 22% | 38% | 40% |
| 2019 | 28% | 14% | 58% |
| 2018 | 46% | 25% | 29% |
| 2017 | 26% | 29% | 45% |
How often organizations conduct a Risk Analysis

HIPAA requires organizations to regularly conduct a risk analysis (e.g., annually).
| Year | Never | Don't know | Every other year | Annually | Semiannually |
| :--- | :----: | :----: | :----: | :----: | :---: |
| 2024 | 26% | 12% | 4% | 43% | 15% |
| 2023 | 22% | 16% | 7% | 45% | 10% |
| 2022 | 27% | 25% | 0% | 43% | 5% |
| 2021 | 27% | 23% | 4% | 40% | 6% |
| 2020 | 29% | 25% | 5% | 32% | 9% |
| 2019 | 28% | 14% | 1% | 52% | 5% |
| 2018 | 49% | 24% | 9% | 17% | 1% |
| 2017 | 19% | 30% | 3% | 39% | 9% |
Organizations with a formal Risk Management Plan

Organizations need to create a risk management plan annually.
| Year | No | Don’t know | Yes |
| :--- | :----: | :----: | :---: |
| 2024 | 26% | 16% | 58% |
| 2023 | 19% | 16% | 65% |
| 2022 | 23% | 26% | 51% |
| 2021 | 21% | 38% | 41% |
| 2020 | 22% | 38% | 40% |
| 2019 | 28% | 14% | 58% |
| 2018 | 46% | 25% | 29% |
| 2017 | 26% | 29% | 45% |
How often organizations review their Risk Management Plan

Organizations need to regularly review their risk management plan (e.g., monthly).
| Year | Never | Don't know | Annually | Semiannually | Quarterly | Monthly | Weekly |
| :--- | :----: | :----: | :----: | :----: | :----: | :----: | :---: |
| 2024 | 28% | 8% | 46% | 8% | 6% | 3% |1% |
| 2023 | 24% | 16% | 47% | 5% | 8% | 3% | 1% |
| 2022 | 34% | 25% | 32% | 8% | 5% | 0% | 0% |
| 2021 | 29% | 23% | 34% | 4% | 9% | 6% | 1% |
| 2020 | 34% | 25% | 31% | 6% | 8% | 6% | 0% |
| 2019 | 38% | 14% | 48% | 7% | 0% | 5% | 0% |
| 2018 | 58% | 24% | 10% | 0% | 0% | 1% | 0% |
| 2017 | 14% | 30% | 34% | 14% | 0% | 7% | 0% |
Organizations that destroy sensitive data

Organizations need to make sure to destroy sensitive data properly (e.g., shredding, degaussing, overwriting).
| Year | No | Don’t know | Yes |
| :--- | :----: | :----: | :---: |
| 2024 | 10% | 9% | 81% |
| 2023 | 10% | 6% | 84% |
| 2022 | 11% | 8% | 81% |
| 2021 | 8% | 9% | 83% |
| 2020 | 6% | 8% | 86% |
| 2019 | 13% | 9% | 78% |
| 2018 | 27% | 15% | 58% |
Organizations that encrypt stored electronic protected health information

Organizations need to properly encrypt stored ePHI (e.g., using AES-256 encryption).
| Year | No | Don’t know | Yes |
| :--- | :----: | :----: | :---: |
| 2024 | 17% | 11% | 71% |
| 2023 | 20% | 17% | 63% |
| 2022 | 36% | 24% | 40% |
| 2021 | 50% | 19% | 31% |
| 2020 | 52% | 12% | 36% |
| 2019 | 28% | 16% | 56% |
| 2018 | 20% | 26% | 54% |
| 2017 | 20% | 2% | 78% |
| 2016 | 12% | 38% | 50% |
Organizations that send emails containing patient data

If you send emails containing patient data, make sure that you have adequate security in place (e.g., email encryption, patient portal).
| Year | No | Don’t know | Yes |
| :--- | :----: | :----: | :---: |
| 2024 | 55% | 6% | 39% |
| 2023 | 62% | 4% | 34% |
| 2022 | 73% | 9% | 18% |
| 2021 | 86% | 3% | 11% |
| 2020 | 81% | 3% | 16% |
| 2019 | 59% | 5% | 36% |
| 2018 | 36% | 5% | 59% |
| 2017 | 48% | 11% | 41% |
| 2016 | 45% | 0% | 55% |
Organizations that email patient data to the following individuals

Only send patient data to those who need this information.
| Year | Patients | Out-of-network doctors | Out-of-network covered entities | Out-of-network business associates | Themselves | Don't email patient data |
| :--- | :----: | :----: | :---: | :---: | :---: | :---: |
| 2024 | 25% | 12% | 10% | 6% | 7% | 55% |
| 2023 | 26% | 20% | 12% | 12% | 6% | 62% |
| 2022 | 3% | 5% | 5% | 5% | 3% | 73% |
| 2021 | 0% | 3% | 0% | 2% | 2% | 2% |
| 2020 | 8% | 8% | 4% | 5% | 4% | 4% |
| 2019 | 26% | 21% | 14% | 17% | 7% | 5% |
Organizations that email patient data use the following technologies

Organizations should use either a secure email service or patient portal to email patient information. (Column headings reconstructed from the 2023 figures in the executive summary: 9% unencrypted email, 36% encrypted email service, 31% patient portal.)
| Year | Unencrypted email | Encrypted email service | Patient portal |
| :--- | :----: | :----: | :---: |
| 2024 | 7% | 60% | 47% |
| 2023 | 9% | 36% | 31% |
| 2022 | 18% | 45% | 36% |
| 2021 | 33% | 50% | 17% |
| 2020 | 8% | 50% | 67% |
| 2019 | 18% | 55% | 23% |
Employees that use organization-owned mobile devices for non-office related activities

If mobile devices are used to access, create, receive, transmit, or maintain PHI, they should not be used for other non-office related activities.
| Year | No | Don’t know | Yes |
| :--- | :----: | :----: | :---: |
| 2024 | 78% | 3% | 19% |
| 2023 | 91% | 2% | 7% |
| 2022 | 36% | 24% | 40% |
| 2021 | 50% | 19% | 31% |
| 2020 | 52% | 12% | 36% |
| 2019 | 28% | 16% | 56% |
| 2018 | 20% | 26% | 54% |
| 2017 | 20% | 2% | 78% |
| 2016 | 12% | 38% | 50% |
Organizations with a Mobile Device Policy

Organizations that use mobile devices need to have a mobile device policy (e.g., BYOD policy, policy for work tablets).
| Year | No | Don’t know | Yes |
| :--- | :----: | :----: | :---: |
| 2024 | 47% | 10% | 43% |
| 2023 | 60% | 10% | 30% |
| 2022 | 62% | 10% | 28% |
| 2021 | 66% | 15% | 19% |
| 2020 | 75% | 7% | 18% |
| 2019 | 65% | 2% | 33% |
| 2018 | 48% | 15% | 37% |
| 2017 | 62% | 13% | 25% |
| 2016 | 39% | 6% | 55% |
Organizations that Use Mobile Encryption

Mobile devices require the same restrictions and encryption processes as other work devices like desktop or laptop computers.
| Year | Not applicable | No | Don’t know | Yes |
| :--- | :----: | :----: | :----: | :---: |
| 2024 | 47% | 9% | 4% | 40% |
| 2023 | 66% | 11% | 5% | 18% |
| 2022 | 52% | 34% | 6% | 8% |
| 2021 | 56% | 31% | 6% | 7% |
| 2020 | 49% | 34% | 6% | 11% |
| 2019 | 42% | 32% | 14% | 12% |
| 2018 | 27% | 23% | 17% | 33% |
| 2017 | 62% | 16% | 9% | 13% |
Organizations that have automatic timeouts/logouts on workstations

All workstations need to have an automated timeout/logout (i.e., a password-protected screensaver enabled after a period of disuse).
| Year | No | Don’t know | Yes |
| :--- | :----: | :----: | :---: |
| 2024 | 22% | 6% | 72% |
| 2023 | 21% | 11% | 68% |
| 2022 | 16% | 20% | 64% |
| 2021 | 17% | 7% | 76% |
| 2020 | 22% | 12% | 66% |
| 2019 | 15% | 9% | 76% |
| 2018 | 20% | 3% | 77% |
| 2017 | 20% | 2% | 78% |
| 2016 | 7% | 3% | 90% |
How often organizations train their employees

Employees should receive regular training about HIPAA best practices (e.g., quarterly, monthly).
| Year | Never | Don't know | Only new-hires | Annually | Semiannually | Quarterly | Monthly |
| :--- | :----: | :----: | :---: | :---: | :---: | :---: | :---: |
| 2024 | 11% | 6% | 21% | 45% | 5% | 8% | 4% |
| 2023 | 9% | 7% | 20% | 49% | 7% | 4% | 4% |
| 2022 | 20% | 7% | 15% | 48% | 4% | 0% | 6% |
| 2021 | 12% | 21% | 13% | 40% | 7% | 3% | 4% |
| 2020 | 20% | 19% | 8% | 39% | 6% | 3% | 5% |
| 2019 | 8% | 2% | 8% | 65% | 7% | 3% | 7% |
| 2018 | 10% | 12% | 5% | 60% | 8% | 0% | 5% |
| 2017 | 7% | 7% | 11% | 53% | 16% | 2% | 4% |
| 2016 | 8% | 15% | 11% | 60% | 2% | 10% | 5% |
Types of Firewalls That Organizations Use

All networks (whether small or large) need both a hardware and software firewall, as well as a web-application firewall for all public-facing web applications.
| Year | Don’t use firewalls | Don’t know | Hardware firewall | Software firewall | Web application firewall |
| :--- | :----: | :----: | :---: | :---: | :---: |
| 2024 | 4% | 18% | 45% | 59% | 53% |
| 2023 | 4% | 18% | 50% | 58% | 30% |
| 2022 | 0% | 22% | 40% | 46% | 16% |
| 2021 | 17% | 24% | 27% | 40% | 20% |
| 2020 | 8% | 37% | 35% | 44% | 32% |
| 2019 | 5% | 25% | 41% | 31% | 15% |
| 2018 | 0% | 0% | 78% | 35% | 13% |
| 2017 | 0% | 31% | 51% | 49% | N/A |
| 2016 | 0% | 27% | 49% | 42% | N/A |
Network firewalls that are managed by a security professional or third party

Though not required, managed firewalls can help organizations with complex firewall rules and firewall management.
| Year | Don’t use firewalls | Don’t know | In-house security | Third-party vendor | Both |
| :--- | :----: | :----: | :---: | :---: | :---: |
| 2024 | 1% | 16% | 32% | 19% | 32% |
| 2023 | 8% | 19% | 21% | 26% | 28% |
| 2022 | 0% | 15% | 30% | 40% | 15% |
| 2021 | 1% | 29% | 25% | 28% | 17% |
| 2020 | 3% | 23% | 28% | 22% | 24% |
| 2019 | 5% | 18% | 21% | 44% | 12% |
| 2018 | 2% | 7% | 18% | 60% | 13% |
| 2017 | 0% | 16% | 10% | 74% | 0% |
| 2016 | 13% | 12% | 75% | 75% | 0% |
How often firewall rules are reviewed

A security professional should regularly review your firewall rules (e.g., at least quarterly).
| Year | Never | Don’t know | Annually | Semiannually | Quarterly | Monthly | Weekly |
| :--- | :----: | :----: | :---: | :---: | :---: | :---: | :---: |
| 2024 | 16% | 23% | 28% | 12% | 14% | 5% | 2% |
| 2023 | 19% | 31% | 26% | 8% | 9% | 6% | 2% |
| 2022 | 6% | 32% | 32% | 8% | 12% | 4% | 6% |
| 2021 | 23% | 33% | 23% | 4% | 10% | 2% | 5% |
| 2020 | 11% | 24% | 25% | 3% | 14% | 14% | 9% |
| 2019 | 10% | 31% | 22% | 12% | 7% | 15% | 3% |
| 2018 | 10% | 50% | 18% | 7% | 8% | 5% | 2% |
| 2017 | 0% | 45% | 10% | 0% | 16% | 16% | 13% |
| 2016 | 7% | 41% | 13% | 0% | 17% | 13% | 9% |
How Often Organizations Review Their Access Control Systems

Organizations need to regularly review their access controls, especially whenever someone changes positions or leaves their organization.
| Year | Never | Don't know | Annually | Semi-annually | Quarterly | Monthly | Personnel fired | Position change |
| :--- | :----: | :----: | :---: | :---: | :---: | :---: | :---: | :---: |
| 2024 | 19% | 23% | 25% | 3% | 16% | 13% | 13% | 19% |
| 2023 | 18% | 23% | 28% | 3% | 9% | 8% | 11% | 15% |
| 2022 | 8% | 20% | 28% | 4% | 4% | 16% | 12% | 20% |
| 2021 | 19% | 20% | 21% | 9% | 9% | 13% | 0% | 9% |
| 2020 | 15% | 19% | 19% | 6% | 9% | 15% | 11% | 6% |
| 2019 | 24% | 12% | 15% | 5% | 7% | 3% | 27% | 44% |
| 2018 | 8% | 10% | 10% | 5% | 8% | 15% | 33% | 58% |
Organizations that require multi-factor authentication for remote access to patient data

If you use remote access, make sure to implement adequate security, such as multi-factor authentication.
| Year | No | Don't know | Yes |
| :--- | :----: | :----: | :---: |
| 2024 | 20% | 11% | 69% |
| 2023 | 24% | 17% | 59% |
| 2022 | 40% | 12% | 48% |
| 2021 | 29% | 21% | 50% |
| 2020 | 33% | 10% | 57% |
| 2019 | 60% | 14% | 26% |
| 2018 | 21% | 33% | 46% |
| 2017 | 40% | 34% | 26% |
| 2016 | 13% | 50% | 37% |
Organizations that Store System Logs

HIPAA requires that organizations enable logging and log alerting on critical systems (e.g., unauthorized connection attempts).
| Year | No | Don't know | Yes |
| :--- | :----: | :----: | :---: |
| 2024 | 27% | 15% | 58% |
| 2023 | 32% | 25% | 43% |
| 2022 | 58% | 25% | 17% |
| 2021 | 65% | 15% | 20% |
| 2020 | 70% | 14% | 16% |
| 2019 | 39% | 23% | 38% |
| 2018 | 18% | 25% | 57% |
| 2016 | 15% | 37% | 48% |
How Often Organizations Review Data Breach Prevention Tools

A security professional should regularly review your data breach prevention tool logs (e.g., daily).
| Year | Never | Don't know | Quarterly | Monthly | Weekly | Daily |
| :--- | :----: | :----: | :---: | :---: | :---: | :---: |
| 2024 | 31% | 26% | 20% | 11% | 4% | 8% |
| 2023 | 34% | 35% | 14% | 11% | 3% | 3% |
| 2022 | 35% | 31% | 22% | 4% | 0% | 8% |
| 2021 | 39% | 20% | 22% | 11% | 4% | 4% |
| 2020 | 34% | 35% | 26% | 13% | 0% | 9% |
| 2019 | 29% | 35% | 13% | 11% | 5% | 7% |
| 2018 | 20% | 60% | 8% | 5% | 2% | 5% |
Organizations that conduct vulnerability scanning

Organizations should perform vulnerability scans (both internal and external) to confirm their network security.
| Year | No | Don't know | Yes |
| :--- | :----: | :----: | :---: |
| 2024 | 31% | 14% | 55% |
| 2023 | 34% | 18% | 48% |
| 2022 | 36% | 21% | 43% |
| 2021 | 35% | 25% | 40% |
| 2020 | 31% | 36% | 33% |
| 2019 | 20% | 27% | 53% |
| 2018 | 23% | 9% | 68% |
How often organizations conduct vulnerability scans

Organizations should regularly conduct vulnerability scans (e.g., quarterly).
| Year | Never | Don't know | After a major network change | Annually | Semiannually | Quarterly | Monthly |
| :--- | :----: | :----: | :---: | :---: | :---: | :---: | :---: |
| 2024 | 31% | 14% | 4% | 24% | 1% | 13% | 13% |
| 2023 | 36% | 18% | 1% | 18% | 4% | 13% | 10% |
| 2022 | 36% | 22% | 0% | 14% | 14% | 7% | 7% |
| 2021 | 35% | 19% | 2% | 15% | 3% | 13% | 13% |
| 2020 | 34% | 28% | 6% | 13% | 0% | 13% | 6% |
| 2019 | 20% | 26% | 7% | 8% | 2% | 39% | 7% |
| 2018 | 22% | 20% | 0% | 1% | 1% | 46% | 10% |
Organizations that perform penetration tests

To protect against cyber attacks, penetration testing is vital to a network’s security.
| Year | No | Don't know | Yes |
| :--- | :----: | :----: | :---: |
| 2024 | 44% | 34% | 22% |
| 2023 | 49% | 29% | 22% |
| 2022 | 29% | 50% | 21% |
| 2021 | 47% | 29% | 24% |
| 2020 | 42% | 43% | 15% |
| 2019 | 40% | 43% | 17% |
| 2018 | 31% | 45% | 24% |
| 2017 | 16% | 58% | 26% |
How often organizations perform penetration tests

Organizations should regularly perform penetration tests (e.g., annually and after major network changes).
| Year | Never | Don’t know | Every other year | Annually | After major network changes | Annually and after network changes |
| :--- | :----: | :----: | :---: | :---: | :---: | :---: |
| 2024 | 46% | 21% | 2% | 24% | 0% | 7% |
| 2023 | 51% | 28% | 21% | 12% | 2% | 6% |
| 2022 | 29% | 50% | 0% | 14% | 7% | 0% |
| 2021 | 52% | 42% | 0% | 17% | 3% | 5% |
| 2020 | 44% | 42% | 1% | 5% | 3% | 5% |
| 2019 | 44% | 42% | 2% | 8% | 2% | 2% |
| 2018 | 38% | 53% | 2% | 5% | 0% | 2% |
| 2017 | 8% | 78% | 2% | 6% | 2% | 4% |
How often organizations review incident response plan policies

Organizations should regularly review and update their incident response plan.
| Year | Never | When first created | Annually | Semi-annually | Quarterly | Monthly | Don't know |
| :--- | :----: | :----: | :---: | :---: | :---: | :---: | :---: |
| 2024 | 21% | 4% | 8% | 61% | 1% | 1% | 4% |
| 2023 | 24% | 8% | 16% | 45% | 3% | 3% | 1% |
| 2022 | 31% | 8% | 10% | 41% | 7% | 3% | 0% |
| 2021 | 21% | 16% | 9% | 31% | 9% | 7% | 7% |
| 2020 | 38% | 7% | 8% | 32% | 7% | 5% | 3% |
| 2019 | 33% | 0% | 6% | 45% | 12% | 2% | 2% |
| 2018 | 64% | 0% | 11% | 19% | 4% | 1% | 1% |
Organizations that test their incident response plan

To make sure your staff is prepared for a data breach, test your incident response plan (e.g., tabletop exercises).
| Year | No | Don't know | Yes |
| :--- | :----: | :----: | :---: |
| 2024 | 56% | 12% | 32% |
| 2023 | 58% | 20% | 22% |
| 2022 | 50% | 29% | 21% |
| 2021 | 51% | 24% | 25% |
| 2020 | 46% | 18% | 36% |
| 2019 | 48% | 10% | 42% |
| 2018 | 45% | 17% | 38% |
How Often Organizations Test Their Incident Response Plan

Regularly test your incident response team’s and employees’ response to your incident response plan (e.g., at least annually).
| Year | Never | Don't know | When first created/purchased | Every other year | Annually | Semiannually | Quarterly |
| :--- | :----: | :----: | :---: | :---: | :---: | :---: | :---: |
| 2024 | 15% | 8% | 24% | 5% | 41% | 4% | 3% |
| 2023 | 10% | 11% | 21% | 7% | 44% | 5% | 2% |
| 2022 | 0% | 0% | 20% | 6% | 47% | 0% | 27% |
| 2021 | 5% | 16% | 6% | 2% | 51% | 2% | 18% |
| 2020 | 8% | 18% | 19% | 1% | 35% | 8% | 11% |
| 2019 | 10% | 14% | 28% | 2% | 38% | 2% | 6% |
| 2018 | 8% | 12% | 20% | 17% | 43% | 0% | 0% |
How often organizations update their NPP

If organizations haven’t updated their NPPs since before 2013, NPPs need to be updated to follow the Omnibus Rule.
| Year | Never | Don’t know | When BAA signed/created | Annually | Semiannually | Quarterly | Monthly |
| :--- | :----: | :----: | :---: | :---: | :---: | :---: | :---: |
| 2024 | 16% | 16% | 27% | 35% | 5% | 1% | 0% |
| 2023 | 15% | 15% | 32% | 33% | 3% | 2% | 0% |
| 2022 | 6% | 13% | 13% | 50% | 6% | 0% | 13% |
| 2021 | 5% | 22% | 16% | 41% | 0% | 10% | 6% |
| 2020 | 6% | 23% | 16% | 33% | 11% | 5% | 6% |
| 2019 | 12% | 10% | 27% | 45% | 0% | 4% | 2% |
| 2018 | 31% | 20% | 6% | 35% | 4% | 4% | 0% |
How often organizations review their business associate agreement

Both covered entities and business associates need to regularly review their BAA to make sure that each party is complying with the BAA’s terms and agreements.
| Year | Never | Don’t know | Every other year | Annually | Semiannually | Quarterly | Monthly | Weekly | Daily |
| :--- | :----: | :----: | :---: | :---: | :---: | :---: | :---: | :---: | :---: |
| 2024 | 11% | 17% | 0% | 53% | 8% | 8% | 2% | 1% | 0% |
| 2023 | 15% | 13% | 0% | 57% | 6% | 7% | 2% | 0% | 0% |
| 2022 | 5% | 15% | 0% | 50% | 5% | 5% | 15% | 5% | 0% |
| 2021 | 6% | 17% | 0% | 50% | 10% | 13% | 3% | 1% | 0% |
| 2020 | 3% | 15% | 0% | 57% | 6% | 13% | 5% | 1% | 0% |
| 2019 | 24% | 2% | 0% | 58% | 8% | 0% | 6% | 2% | 0% |
| 2018 | 15% | 20% | 5% | 50% | 2% | 3% | 0% | 0% | 5% |
How often organizations review their documentation

Throughout the year, organizations should review their HIPAA documentation.
| Year | Never | Don’t know | Every other year | Annually | Semiannually | Quarterly | Monthly | Weekly | Daily |
| :--- | :----: | :----: | :---: | :---: | :---: | :---: | :---: | :---: | :---: |
| 2024 | 14% | 19% | 0% | 50% | 4% | 10% | 3% | 0% | 0% |
| 2023 | 16% | 14% | 0% | 55% | 7% | 5% | 3% | 0% | 0% |
| 2022 | 6% | 17% | 0% | 59% | 6% | 0% | 6% | 6% | 0% |
| 2021 | 5% | 18% | 0% | 60% | 4% | 9% | 4% | 0% | 0% |
| 2020 | 7% | 18% | 0% | 59% | 8% | 5% | 2% | 1% | 0% |
| 2019 | 23% | 3% | 0% | 57% | 8% | 2% | 7% | 0% | 0% |
| 2018 | 13% | 20% | 5% | 52% | 5% | 0% | 0% | 0% | 5% |
How often organizations update their documentation

To keep documentation up to date, regularly update relevant HIPAA documentation.
| Year | Security Rule | Breach Notification | Privacy Rule |
| :--- | :----: | :----: | :---: |
| 2024 | 81% | 63% | 89% |
| 2023 | 73% | 55% | 81% |
| 2022 | 37% | 31% | 60% |
| 2021 | 54% | 53% | 60% |
| 2020 | 52% | 50% | 66% |
| 2019 | 69% | 67% | 75% |
| 2018 | 58% | 38% | 65% |
| 2017 | 70% | 34% | 77% |
| 2016 | 70% | 70% | 74% |
Organizations that Train Employees on the Following HIPAA Rules

Employees should be trained on all HIPAA standards (e.g., Security Rule, Breach Notification Rule, Privacy Rule).
| Year | Security Rule | Breach Notification | Privacy Rule |
| :--- | :----: | :----: | :---: |
| 2024 | 81% | 63% | 89% |
| 2023 | 73% | 55% | 81% |
| 2022 | 37% | 31% | 60% |
| 2021 | 54% | 53% | 60% |
| 2020 | 52% | 50% | 66% |
| 2019 | 69% | 67% | 75% |
| 2018 | 58% | 38% | 65% |
| 2017 | 70% | 34% | 77% |
| 2016 | 70% | 70% | 74% |
Organizations that test employees on HIPAA training

Testing employees on HIPAA-related training promotes security.
| Year | No | Don't know | Yes |
| :--- | :----: | :----: | :---: |
| 2024 | 36% | 14% | 51% |
| 2023 | 43% | 6% | 51% |
| 2022 | 33% | 15% | 52% |
| 2021 | 44% | 21% | 35% |
| 2020 | 39% | 17% | 44% |
| 2019 | 29% | 8% | 63% |
| 2018 | 39% | 14% | 47% |
| 2017 | 57% | 9% | 34% |
| 2016 | 51% | 10% | 39% |
How often organizations test employee knowledge
| Year | Never | Don’t know | Annually | Semiannually | Quarterly | Monthly |
| :--- | :----: | :----: | :---: | :---: | :---: | :---: |
| 2024 | 41% | 9% | 37% | 9% | 4% | 0% |
| 2023 | 44% | 7% | 34% | 7% | 4% | 4% |
Organizations that Conduct Internal Audits

To make sure your system is secure, regularly conduct internal audits with internal IT professionals and third-party security experts.
| Year | No | Don't know | Yes |
| :--- | :----: | :----: | :---: |
| 2024 | 35% | 3% | 62% |
| 2023 | 37% | 11% | 52% |
| 2022 | 36% | 20% | 44% |
| 2019 | 60% | 17% | 23% |
| 2018 | 45% | 23% | 32% |
How Often Organizations Conduct Internal Audits

Organizations should regularly conduct internal audits (e.g., annually and after major network changes).
| Year | Never | Don’t know | Every other year | Annually | Annually and after major network changes |
| :--- | :----: | :----: | :---: | :---: | :---: |
| 2024 | 35% | 7% | 2% | 45% | 11% |
| 2023 | 37% | 12% | 3% | 34% | 14% |
| 2019 | 37% | 12% | 4% | 34% | 13% |
| 2018 | 64% | 13% | 2% | 17% | 4% |
About SecurityMetrics

We secure peace of mind for organizations that handle sensitive data. We hold our tools, training, and support to a higher, more thorough standard of performance and service. Never have a false sense of security.™
We are a PCI certified Approved Scanning Vendor (ASV), Qualified Security Assessor (QSA), Certified Forensic Investigator (PFI), and Managed Security provider with over 20 years of data security experience. From local shops to some of the world’s largest brands, we help all businesses achieve data security through managed services and compliance mandates (PCI, HIPAA, GDPR, HITRUST). We have tested over 1 million systems for data security and compliance. We are privately held and are headquartered in Orem, Utah, where we maintain a Security Operations Center (SOC) and 24/7 multilingual technical support.