In 2023, OCR reported that hacking and IT incidents accounted for 79% of all large healthcare data breaches — a staggering figure that would have been unimaginable two decades ago. For every efficiency gained through electronic health records, telehealth platforms, and cloud-based systems, healthcare organizations face an expanding attack surface. The negative impact of technology in healthcare is not a theoretical concern. It is a daily compliance reality that your covered entity must address head-on.
The Negative Impact of Technology in Healthcare: A HIPAA Perspective
Technology has transformed how protected health information moves through your organization. PHI now travels across EHR systems, patient portals, mobile devices, messaging apps, and cloud storage — often simultaneously. Each transmission point is a potential vulnerability under the HIPAA Security Rule (45 CFR Part 164, Subparts A and C).
In my work with covered entities and business associates, I consistently see organizations adopt new digital tools faster than they update their risk analysis. The result is a widening gap between the technology in use and the administrative, physical, and technical safeguards required to protect it.
OCR has made clear through its enforcement actions that ignorance of a technology's risks is not a defense. When Premera Blue Cross agreed to a $6.85 million settlement in 2020, the root cause was a failure to conduct a sufficient risk analysis — one that should have identified vulnerabilities in systems the organization had already deployed.
Five Technology Risks That Create HIPAA Violations
1. Unsanctioned Communication Tools
Your workforce is texting PHI on personal devices. They are using consumer-grade messaging apps that lack encryption, audit controls, or BAAs. Every unsanctioned message containing a patient name, diagnosis, or treatment detail is a potential HIPAA violation under both the Privacy Rule and Security Rule.
2. Cloud Storage Without Business Associate Agreements
Cloud platforms like Google Drive, Dropbox, and OneDrive are not inherently HIPAA-compliant. Without a signed business associate agreement and proper configuration, storing PHI in these environments violates 45 CFR § 164.502(e). Yet healthcare organizations routinely let staff upload files to personal cloud accounts without oversight.
3. Telehealth Platforms and Expanded Attack Surfaces
The telehealth explosion post-2020 introduced dozens of new platforms into clinical workflows. Many organizations that adopted telehealth under OCR's temporary enforcement discretion during the public health emergency never transitioned to compliant solutions after those flexibilities ended in May 2023. These platforms may lack end-to-end encryption, access controls, or proper audit logging.
4. Internet of Things (IoT) Medical Devices
Connected infusion pumps, wearable monitors, and smart diagnostic equipment transmit PHI across networks that are often poorly segmented. A 2022 FBI alert specifically warned healthcare organizations about vulnerabilities in unpatched medical devices. Under the Security Rule, these devices must be included in your risk analysis — yet they rarely are.
5. AI and Automated Decision Tools
Artificial intelligence tools that process patient data introduce questions about the minimum necessary standard and data use limitations. When an AI model ingests PHI for training or analysis, your organization must ensure that access is limited to the minimum necessary information and that any third-party AI vendor has a valid BAA in place.
Why Risk Analysis Fails to Keep Pace with Technology
The HIPAA Security Rule requires covered entities to conduct an accurate and thorough assessment of potential risks and vulnerabilities to ePHI. This is not a one-time exercise. It must be updated whenever your organization adopts new technology, changes workflows, or identifies new threats.
Healthcare organizations consistently struggle with this requirement because technology adoption happens in real time — a clinician downloads an app, a department head signs up for a SaaS tool, IT deploys a patch that changes system configurations. Meanwhile, the risk analysis sits in a binder from two years ago.
OCR's enforcement record confirms this pattern. In its 2023 settlements, inadequate risk analysis was cited more frequently than any other deficiency. Your organization cannot manage what it has not assessed.
The Workforce Training Gap That Amplifies Technology Risks
Technology does not create HIPAA violations on its own. People do. The negative impact of technology in healthcare is magnified exponentially when your workforce lacks proper training on how to use digital tools in a compliant manner.
Under 45 CFR § 164.530(b), covered entities must train all workforce members on policies and procedures related to PHI. Under § 164.308(a)(5), security awareness training is a required administrative safeguard. Despite these clear mandates, many organizations treat training as a checkbox exercise — a single annual slide deck that never addresses the specific technologies staff actually use.
Effective HIPAA training and certification programs address real-world technology scenarios: how to verify a telehealth platform's compliance, why personal devices require mobile device management, and what to do when a business associate's system is breached. Generic training does not reduce risk. Targeted, role-based training does.
Mitigating Technology's HIPAA Risks: Actionable Steps
- Update your risk analysis quarterly — or whenever a new technology, vendor, or workflow is introduced. Document every update.
- Inventory every system that touches PHI. This includes shadow IT, personal devices, IoT medical devices, and third-party integrations.
- Require BAAs before onboarding any technology vendor. No exceptions, no verbal agreements, no assumptions that a platform is "HIPAA-compliant" because it says so on its website.
- Enforce the minimum necessary standard across all digital systems. Role-based access controls should limit PHI exposure to what each workforce member actually needs.
- Implement ongoing, scenario-based workforce training that addresses the specific technologies your organization uses. Programs like those offered through HIPAA Certify's workforce compliance platform are designed to close exactly this gap.
- Monitor and audit. Deploy audit logging on all systems that store or transmit ePHI. Review logs regularly — not just after an incident.
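The last two steps, minimum-necessary access control and regular audit-log review, can be combined into a routine check. The script below is an added example, not code from the original article or from any platform it mentions: it parses constructed ePHI access-log lines, compares each read against an assumed role-to-record-type policy, and flags out-of-role reads, after-hours access, and bulk patient lookups. The role names, record types, thresholds, field names, and log lines are all constructed assumptions.

```python
"""Added example: routine review of ePHI access audit logs against a
role-based minimum-necessary policy. Every role, record type, threshold
and log line here is constructed for illustration only."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed minimum-necessary policy: which record types each role may read.
ROLE_PERMISSIONS = {
    "nurse": {"vitals", "medication", "allergies"},
    "billing": {"demographics", "insurance"},
    "physician": {"vitals", "medication", "allergies", "notes", "labs"},
}

# Constructed review thresholds (tune to the organization's own workflows).
BULK_WINDOW = timedelta(minutes=10)   # sliding window for bulk-lookup detection
BULK_PATIENT_THRESHOLD = 20           # distinct patients in one window
BUSINESS_HOURS = (7, 19)              # 07:00 up to (not including) 19:00

# Constructed audit-log lines; one JSON object per line, as an EHR might emit.
SAMPLE_LOG = [
    json.dumps({"ts": "2024-03-04T09:15:00", "user": "nurse.jane", "role": "nurse",
                "patient_id": "P1001", "record_type": "vitals"}),
    json.dumps({"ts": "2024-03-04T09:16:00", "user": "bill.bob", "role": "billing",
                "patient_id": "P1001", "record_type": "notes"}),      # outside billing scope
    json.dumps({"ts": "2024-03-04T02:30:00", "user": "dr.lee", "role": "physician",
                "patient_id": "P1002", "record_type": "labs"}),       # 02:30 read
]
# Constructed burst: one billing clerk reading 25 patients' demographics in 25 seconds.
SAMPLE_LOG += [
    json.dumps({"ts": f"2024-03-04T14:00:{i:02d}", "user": "clerk.sam", "role": "billing",
                "patient_id": f"P2{i:03d}", "record_type": "demographics"})
    for i in range(25)
]


def parse_entry(line):
    """Parse one JSON audit-log line; convert the ISO timestamp to a datetime."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def review(lines):
    """Return a list of (rule, user, detail) findings for a batch of log lines."""
    findings = []
    per_user = defaultdict(list)  # user -> [(timestamp, patient_id)]
    for line in lines:
        e = parse_entry(line)
        # Rule 1: record type not permitted for the user's role (minimum necessary).
        allowed = ROLE_PERMISSIONS.get(e["role"], set())
        if e["record_type"] not in allowed:
            findings.append(("out_of_role_access", e["user"],
                             f"{e['role']} read {e['record_type']} for {e['patient_id']}"))
        # Rule 2: access outside the assumed business-hours window.
        if not (BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]):
            findings.append(("after_hours_access", e["user"], e["ts"].isoformat()))
        per_user[e["user"]].append((e["ts"], e["patient_id"]))

    # Rule 3: bulk lookup, many distinct patients inside one sliding window.
    for user, events in per_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            window = {pid for ts, pid in events[i:] if ts - start <= BULK_WINDOW}
            if len(window) >= BULK_PATIENT_THRESHOLD:
                findings.append(("bulk_access", user,
                                 f"{len(window)} distinct patients within {BULK_WINDOW}"))
                break  # one finding per user is enough for the review queue
    return findings


if __name__ == "__main__":
    for rule, user, detail in review(SAMPLE_LOG):
        print(f"{rule:20s} {user:12s} {detail}")
```

Each finding is a starting point for a documented review, not a verdict: the billing read of clinical notes may be a misconfigured role, the 02:30 physician read may be legitimate on-call work, and the 25-patient burst may be a scheduled task. The point is that the check runs on a schedule and produces a record, so the log review the Security Rule expects actually happens rather than waiting for an incident.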
Technology Is Not the Enemy — Unmanaged Technology Is
The negative impact of technology in healthcare is not an argument against digital transformation. It is an argument for disciplined, compliance-driven adoption. Every EHR, every telehealth tool, every connected device has the potential to improve patient care — but only if your organization has the safeguards, the training, and the oversight to deploy it responsibly.
OCR does not penalize organizations for using technology. It penalizes them for using technology without understanding and mitigating its risks. Your Notice of Privacy Practices, your security policies, your BAAs, and your workforce training must all evolve as fast as your technology stack does.
The organizations that treat compliance as a living process — not an annual task — are the ones that harness technology's benefits without becoming its next cautionary tale.