Compliance Isn’t a Checkbox: Building Systems That Actually Reduce Risk
Let’s start with a moment of honesty: having a “compliant” label slapped on your software doesn’t automatically make your organization safe - or even compliant for that matter. Whether it’s HIPAA, your individual state requirements, insurance payer requirements or any other regulation your healthcare practice or educational institution has to meet, compliance isn't an app feature you can install. It’s not a service you can buy. It’s a living system built over time, and it’s only as good as the people who adopt and adhere to the culture of compliance.
You’ve probably heard or even said it before: "But my Google Workspace/practice management system/data collection software is HIPAA compliant." Sounds reassuring, right? But here’s the catch: compliance isn’t a setting you turn on. It’s a system you build and maintain. That software you’re relying on? It’s just one part of the picture. You need people, processes, and policies working together - consistently and intentionally. Too often, leaders lean on tools and hope for the best. That’s a recipe for trouble.
Think of a SaaS (Software-as-a-Service) like email/cloud storage, practice management software, or data collection solutions as a physical safe. The company behind it promises that the safe is fireproof, flood-resistant, and tamper-resistant. But what they can’t guarantee is how you use it. Leave the door wide open, write the combination on a sticky note, or use your birthday as the code? That’s on you. HIPAA-compliant software is commonly used in a non-compliant way.
We’re going to explore together why software “compliance” isn’t enough, what gets missed when leaders get lazy about compliance, and most importantly, how to build a proactive, resilient compliance system that can adapt with you. We’re breaking down the misconception that "HIPAA-compliant software" equals "HIPAA compliance."
Spoiler alert: it doesn’t.
The Problem: Mistaking Tools for Compliance
“Our software is HIPAA-compliant, so we’re good, right?”
Let’s say you signed up for Google Workspace and got a Business Associate Agreement (BAA). That BAA means Google has done its part: secured infrastructure, encrypted data, locked down access. But it doesn’t mean you’ve done your part.
Example: Google lets you turn on multi-factor authentication (MFA/2FA), a HIPAA best practice. But it doesn’t require you to. If you skip MFA, you’re the one out of compliance, not Google. Just like the safe manufacturer isn’t responsible if you leave the key on top of the safe, make the combination your birthday, or just leave the door to the safe unlocked/open.
Every software vendor operates under a shared risk/responsibility model: they secure their end, you secure yours. Relying solely on software to check your compliance boxes is like installing a top-notch security system and then leaving the front door wide open.
This mindset is dangerously common and dangerously false. Here’s where it breaks down:
Compliance isn’t a product - it’s a practice.
Your software may have safeguards, but those safeguards only work if the people using them understand what to do, when, and how.
Policies without follow-through are useless.
There are three parts to a policy: 1.) the written rules; 2.) the adoption and enforcement of the rules – the reality; 3.) the proof that reality matches the written rules. You can write all the policies you want, but if no one reads them, if they’re outdated, if no one follows them, or if you lack evidence that they’re being followed, the license on your software isn’t going to protect you.
Audits happen - not just once.
Compliance isn’t a one-off. When changes happen - staff turnover, new services, new software, mergers - you need to adapt and update your policies, make sure that reality matches what’s written, and keep proof that it does.
Human behavior is the weak link.
One misplaced document, one wrong data access, one overlooked training - software won’t catch that. Your Governance, Risk & Compliance (GRC) program must.
Treating compliance as “software plus wishful thinking” leads to gaps. And those gaps? They’re what hackers and auditors are looking for.
Real-World Impact: The Gaps That Cost You
Let’s get real with two examples:
Behavioral Health Clinic: They used HIPAA-compliant telehealth software but didn’t enforce MFA or role-based access. Staff shared logins and reused simple passwords. A breach occurred when an ex-employee accessed the system using old credentials. The clinic faced significant fines and patient trust issues even though the software itself was "compliant."
Private Therapy Practice: Their EHR platform came with built-in HIPAA compliance features, including access controls and audit logs. However, they failed to update user permissions after staff turnover. Former clinicians still had access to sensitive client notes. No breach occurred—but a surprise compliance audit flagged it, triggering remediation requirements and extra scrutiny.
In both cases, tech alone couldn’t prevent the exposure or the fallout. What was missing? A Governance, Risk & Compliance system: documentation, accountability, training, review cycles, clear ownership. Compliance isn’t about the tool - it’s about how you use it.
Solution: Build a Living GRC System
1. Think Habits, Not Features
Compliance is ongoing, not one-and-done. It’s daily habits, weekly check-ins, monthly policy refreshes, quarterly reviews, and annual third-party assessments – rather than just a checkbox in some compliance tool. Make it part of operations, not a separate task. Audit prep shouldn’t feel like scrambling when you find out your lucky number was drawn by the regulators. It should be baked into regular operations.
2. Document Everything.
Keep updated, clear, & accessible policies on access control, data handling, incident response. Tailor them to specific roles such as clinicians, admins, or consultants and review them regularly. Store them where your team can actually find and use them. Keep version history so that you know what changed, when and why. Here are 17 core policies you need for your healthcare practice:
Acceptable Use Policy
Access Control Policy
Password Policy
Data Confidentiality Policy
Mobile Device Policy
Bring Your Own Device (BYOD) Policy
Disaster Recovery Plan
Breach Incident Response Plan
Business Continuity Plan
Remote Access Policy
IT Asset Disposal Policy
Security Awareness Policy
3rd-Party Access Policy
Removable Media Policy
User Termination Policy
Clean Desk Policy
Work From Home Policy
3. Train Your Team Like You Mean It – Not Just Once, But Often.
New hire? Start with real-world onboarding training that’s engaging and context-specific. Existing staff? Schedule quarterly refreshers with not just slides, but real tabletop exercise scenarios like “What if a patient texts you a photo that shows PHI?” Use relevant scenarios, not just policy jargon. Include leadership in the training, because modeling behavior from the top sends a powerful message.
4. Define Accountability and Ownership.
Who’s your compliance lead? Who manages access controls? Who handles training? Assign clear roles and make compliance part of job descriptions. Don’t just leave it as a sideline task.
5. Review and Refine Regularly
Schedule quarterly or bi-annual policy and access reviews with the team. Monitor logs, access patterns, and user activity to find anything unusual. Conduct tabletop exercises to simulate audits or breaches. Use near-misses as learning opportunities (e.g. someone clicked a phishing link but didn’t enter credentials - what do you improve after that?).
6. Invest in Scalable Infrastructure
Use centralized compliance tools for access controls, documentation, and learning that are coherent rather than a patchwork of apps. Automate reminders for policy reviews and expiring training. Integrate onboarding/offboarding with access permissions.
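As an added illustration of the access reviews in step 5 and the offboarding integration in step 6 (example code written for this post, not a tool from the author or any vendor), the script below reconciles an HR roster against an export of active application accounts. It surfaces exactly the gaps from the two case studies above: logins that outlive a termination, accounts with no named owner, missing MFA, stale accounts, and permissions beyond a role. The roster, account export and role map are constructed sample data with assumed field names.

```python
from datetime import date

# Constructed sample data (not a real roster or export). Field names are
# assumptions for this example, not any vendor's schema.
HR_ROSTER = {
    "a.chen":  {"role": "clinician", "status": "active", "end": None},
    "b.ortiz": {"role": "admin", "status": "active", "end": None},
    "c.reyes": {"role": "clinician", "status": "terminated", "end": date(2024, 3, 1)},
}
ACTIVE_ACCOUNTS = [
    {"user": "a.chen", "mfa": True, "last_login": date(2024, 1, 15), "perms": {"notes:read", "notes:write"}},
    {"user": "b.ortiz", "mfa": False, "last_login": date(2024, 5, 3), "perms": {"users:manage", "notes:read"}},
    {"user": "c.reyes", "mfa": True, "last_login": date(2024, 4, 20), "perms": {"notes:read"}},
    {"user": "frontdesk", "mfa": False, "last_login": date(2024, 5, 3), "perms": {"notes:read"}},
]
# What each role is allowed to hold; anything beyond this is a finding.
ROLE_PERMISSIONS = {
    "clinician": {"notes:read", "notes:write"},
    "admin": {"users:manage"},
}

def review_access(roster, accounts, today, stale_days=90):
    """Reconcile active accounts against the HR roster and return
    (user, finding) pairs. The returned list doubles as review evidence."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        person = roster.get(user)
        if person is None:
            # No named owner: a shared or orphaned login.
            findings.append((user, "not tied to a named person in the HR roster"))
        else:
            if person["status"] == "terminated":
                findings.append((user, f"still active after termination on {person['end']}"))
                if acct["last_login"] > person["end"]:
                    findings.append((user, "logged in after termination date"))
            extra = acct["perms"] - ROLE_PERMISSIONS.get(person["role"], set())
            if extra:
                findings.append((user, f"permissions exceed role {person['role']}: {sorted(extra)}"))
        if not acct["mfa"]:
            findings.append((user, "MFA not enabled"))
        if (today - acct["last_login"]).days > stale_days:
            findings.append((user, f"no login in over {stale_days} days"))
    return findings

def sample_review():
    """Run the review over the constructed data as of a fixed review date."""
    return review_access(HR_ROSTER, ACTIVE_ACCOUNTS, date(2024, 5, 10))

if __name__ == "__main__":
    for user, finding in sample_review():
        print(f"{user}: {finding}")
```

Saving each run's output with its date gives the third part of a policy from the section above: proof that reality matched the written rules at review time.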
7. Understand Your Tools & Your Team
Know what your software can and can’t do. Just because a feature exists doesn’t mean it’s enabled. Don’t assume - verify. Run tabletop exercises that walk teams through a simulated breach or audit. Identify gaps, respond safely. Use real feedback to tweak training and documentation. Avoid blame - this is about building systems and resilience, not pointing fingers.
Putting It into Practice: A 6-Month Compliance Blueprint
Month 1–2: Map It Out
Conduct a compliance audit: map tools, policies, training, roles. Identify gaps.
Create or update policies: access, data handling, incident response. Store them centrally.
Month 3–4: Culture and Training
Launch tailored training: onboarding + refresh for all staff. Make it clear, real-world.
Assign compliance roles.
Month 5: Systems and Automation
Centralize documentation (e.g. shared folder, intranet).
Implement automations & reminders for training, policy updates.
Integrate access controls and onboarding/offboarding workflows.
Month 6: Test and Improve
Run a tabletop exercise (simulated audit or breach). Identify what worked, what didn’t.
Gather feedback from staff: was training clear? Were policies easy to follow?
Use the results to update policies, training, documentation, and workflows.
Beyond month 6, embed reviews into your calendar: quarterly or semi-annual check-ins that keep your system alive rather than dormant until audit season.
Final Thought: No Software is a Silver Bullet
BAAs are not get-out-of-jail-free cards. Software can support your compliance journey, but it can’t drive the car. That’s your job. So, the next time someone says, "But our software is HIPAA-compliant!" you can confidently respond: "Great. Now let’s make sure we are too."
Compliance isn’t a checkbox. It’s a culture, a system, and an ongoing commitment. Software tools are helpful, but they’re only one part of the story. Without policies that people understand, training that sticks, accountability that’s real, and reviews that matter, the tech won’t save you when it counts.
Let’s ditch the false sense of security and build something sustainable—together.
If you're ready to turn compliance into practice, connect with our trusted partner and explore how we can build systems that truly protect what matters most.
Blog contributed by Josh Nelson, CXO
WOM Technology Management Group