Most Skilled Nursing Facilities believe they are HIPAA compliant. Most are wrong. And the difference isn’t discovered until a surveyor is already walking your halls.

Let me say something your consultant, your corporate compliance officer, and your legal team probably haven’t said directly enough: if your facility has not completed a formal, documented HIPAA Security Risk Assessment within the last twelve months, you are not compliant. Not technically. Not legally. And not in the eyes of a state surveyor who arrives unannounced on a Tuesday morning with a clipboard, a camera, and the authority to make your next quarter a living nightmare.

This isn’t a hypothetical. It’s the single most cited, most prosecuted, and most avoidable vulnerability in the entire skilled nursing sector — and it compounds into something far worse than a fine. It compounds into a pattern. And patterns become Immediate Jeopardy.

The HIPAA Risk Assessment is not a compliance checkbox. It is your facility’s insurance policy, your survey defense, and your proof of good faith — all in one document.


Why Most SNFs Are Flying Blind on HIPAA Risk

Here’s a question every Administrator and Director of Nursing should be able to answer in under ten seconds: When was your last documented HIPAA Security Risk Assessment, who conducted it, what vulnerabilities were identified, and what is the status of your remediation plan?

If you hesitated — or if the answer is “we have something in a binder from 2021” — you are carrying significant, unquantified regulatory and financial risk right now. The Office for Civil Rights (OCR) has made the Security Risk Assessment the centerpiece of HIPAA enforcement. It is the first document requested in every investigation. It is the first question a surveyor will ask when a resident or family member files a privacy complaint.

And in a skilled nursing facility, the stakes are categorically different from a physician’s office or a billing department. You have residents with cognitive impairment. You have 24/7 staffing cycles and the highest turnover rate of any healthcare sector. You have multiple EHR systems, personal devices, shared workstations, and fax machines — yes, still fax machines — all handling Protected Health Information every single day. The attack surface is enormous. And the regulatory audience watching you is unforgiving.

Real Facilities. Real Fines. Real Consequences.

These aren’t cautionary tales from a training module. These are documented federal enforcement actions — and the through-line in every single one is a failure to properly assess, document, and remediate HIPAA risk.

OCR Enforcement Action: Catholic Health Care Services of the Archdiocese of Philadelphia (2016), $650,000 Settlement

A workforce member’s iPhone was stolen — a device containing the Protected Health Information of hundreds of nursing home residents across six facilities. The OCR investigation revealed no risk analysis had been conducted, no mobile device policy existed, and no encryption was in place. The settlement: $650,000 and a two-year corrective action plan under federal monitoring. The root cause: zero documented risk assessment. This is a direct SNF-sector enforcement action — and it started with one unencrypted phone.

OCR Enforcement Action: Presence Health, Illinois (2017), $475,000 Settlement

One of the largest health systems in Illinois — operating hospitals, long-term care, and SNF-affiliated facilities — failed to notify patients of a 2013 breach within the 60-day HIPAA requirement. The breach involved paper-based PHI records. OCR fined Presence Health $475,000. The lesson that gets buried: the delayed response was directly linked to not having a formal risk management process that would have triggered proper incident identification and notification timelines.

OCR Enforcement Action, “The Yelp Warning”: Complete P.T., Pool & Land Physical Therapy (2019), $25,000 Fine

A physical therapy practice responded to a patient’s negative Yelp review — and included the patient’s PHI in the public response. Fine: $25,000. This case is cited here specifically because it illustrates a risk that every SNF faces daily: disgruntled former family members, anonymous online reviews, and a workforce that doesn’t always understand where HIPAA applies. In an SNF with 80+ residents and constant family engagement, this risk is multiplied exponentially — and it only surfaces in a risk assessment.

These cases share a common origin: no current, documented, facility-specific risk assessment. Not a policy manual from corporate. Not a generic template downloaded from HHS.gov. A real, living risk analysis — specific to your building, your technology stack, your workflows, and your workforce.

The Compounding Damage Problem That Nobody Talks About

The Citation Cascade — How One Vulnerability Becomes a Pattern of Harm

In SNF surveying, HIPAA violations don’t stay in their lane. They cross-contaminate your entire survey profile.

Here is the mechanism that keeps Administrators and DONs awake at night — and that most compliance consultants dramatically understate. When a state surveyor identifies a HIPAA-related deficiency, it rarely stands alone. It triggers a deeper look at your privacy policies, your staff training records, your resident rights documentation, and your overall “culture of compliance.” What begins as a privacy complaint becomes a multi-tag survey event.

  • A privacy-related complaint triggers an unannounced focused survey.
  • Surveyors find no documented annual risk assessment — immediate F-tag for failure to protect resident rights (F-584, F-600 territory depending on context).
  • Absence of a risk assessment signals inadequate staff training — a second deficiency emerges around in-service education records.
  • Training gaps expose inconsistent PHI handling at the nurses’ station — a third deficiency, potentially escalating to Substandard Quality of Care.
  • Repeat deficiencies on the next standard survey now become a “pattern” — triggering enhanced CMP (Civil Monetary Penalty) calculations under CMS’s per-day penalty structure, which can reach $10,000 or more per day per citation.
  • Compounded CMPs + an OCR investigation triggered by the same root incident = a financial event that can exceed $500,000 — from one gap in documentation.

This is why the risk assessment is not a compliance task. It is a financial risk management tool. Every dollar you invest in conducting one is insuring against a cascade that can end careers, close facilities, and permanently damage your Five-Star Rating.

Surveyors Are Watching for Proactivity — and Rewarding It

What Experienced Surveyors Actually Want to See

State surveyors operate under an underappreciated reality: their job is not simply to find violations and levy fines. Their mandate is to ensure the safety and dignity of residents. When a facility demonstrates a genuine, proactive compliance culture — documented, dated, and followed — surveyors take notice. And it changes the tenor of every survey interaction.

A current HIPAA Risk Assessment, produced on the first day of a survey, communicates three things to a surveyor immediately: this facility knows its vulnerabilities, this facility has a remediation plan, and this facility takes resident privacy seriously. That posture shifts the dynamic from adversarial to collaborative. It is not a guarantee of a deficiency-free survey. But it is the most powerful “good faith” document in your regulatory arsenal.

Compare that to the facility that cannot produce a risk assessment — or produces one dated three years ago. That signal tells the surveyor the opposite story. And the rest of the survey proceeds accordingly. Facilities that are proactive about compliance documentation consistently demonstrate better survey outcomes, fewer escalating deficiencies, and stronger positioning during the informal dispute resolution process when deficiencies do occur.

The Problem With “Doing It In-House”

Every compliance director in a skilled nursing facility is already stretched across infection control, staff education, policy updates, MDS coordination, grievance tracking, and survey readiness. Adding a HIPAA Security Risk Assessment to that list — the kind that actually satisfies OCR scrutiny — is not realistic without dedicated resources and specialized expertise.

The HHS-published Security Risk Assessment (SRA) Tool is freely available. And it is maddeningly inadequate for a complex SNF environment. It does not account for the intersection of your EHR, your medication management system, your eMAR, your building access controls, your vendor agreements, your wireless infrastructure, or your staffing agency relationships. A completed generic template does not constitute a defensible risk assessment. It constitutes a document that an OCR investigator will set aside in the first ten minutes of a review.

The standard is specific, documented, facility-level analysis — conducted by someone who understands both the technical requirements of the HIPAA Security Rule and the operational reality of a skilled nursing environment. That is an exceptionally narrow professional overlap.


Why Health Compliance Partners Is Built for This Specific Problem

I have known Don Waechter, the founding partner of Health Compliance Partners, since 2014. I worked with him for a few years and am on the board of Health Compliance Partners. Don has spent his career in a mix of accounting, healthcare operations, and regulatory compliance. His background spans direct work with medical practices navigating HIPAA enforcement actions, and the operational complexity of maintaining compliance under constant staffing pressure and regulatory change. Don understands what it means to get a surveyor call on a Friday afternoon — because he has helped healthcare practices navigate exactly those situations.

Health Compliance Partners was built on a specific insight: generic compliance consulting fails healthcare facilities because it treats HIPAA as an IT problem. It is not. It is a people problem, a process problem, and a documentation problem — all simultaneously. The annual risk assessment that Health Compliance Partners produces is tailored for your practice or facility. It is a facility-specific, workflow-integrated analysis that identifies your vulnerabilities — in your environment, with your technology, with your workforce profile — and produces a documented remediation roadmap that you can put in front of a surveyor, an OCR investigator, or a plaintiff’s attorney with confidence.

  • Facility-Specific Analysis: your building, your systems, your workflows — not generic.
  • Survey-Ready Documentation: formatted for OCR and state surveyor review from day one.
  • Remediation Roadmap: prioritized action plan aligned with your operational capacity.
  • Annual Review Cycle: keeps your compliance posture current as regulations evolve.

Whether you operate a single SNF or a multi-site post-acute network, whether you run a physician practice, a home health agency, an insurance operation, or a medical billing department — if you handle Protected Health Information, the HIPAA risk assessment obligation applies to you. Health Compliance Partners serves the full spectrum of HIPAA-covered entities because the underlying risk is universal, even if the operational context varies.

The Value Equation — What It Actually Costs to Do Nothing

Consider the math that Don Waechter puts in front of every new client: a single OCR investigation — triggered by one employee opening one wrong email, one unencrypted thumb drive found in the parking lot, one disgruntled family member filing one complaint — costs between $50,000 and $500,000 in legal fees, settlement negotiations, corrective action plan implementation, and staff retraining. Before a single penalty dollar is assessed.

Add the survey cascade described above. Add the CMP accrual if deficiencies repeat. Add the Star Rating impact — which directly affects your census, your managed care contracting, and your VBP (Value-Based Purchasing) scores. Add the administrative time your DON and LNHA will spend on investigation response instead of clinical operations.

The annual HIPAA Risk Assessment conducted by a qualified external partner is not an expense. It is the lowest-cost risk mitigation tool available to your organization — and it is the only one that simultaneously satisfies federal compliance requirements, builds survey defensibility, and demonstrates to your board, your ownership group, and your residents’ families that resident privacy is not an afterthought in your facility.

The Cost of Inaction

The question is never “can we afford a risk assessment?” The question is: “can we afford what happens when we don’t have one?”

Every week without a current risk assessment is a week during which an OCR complaint, a workforce privacy incident, or a state survey can convert a manageable gap into a documented pattern of non-compliance. Patterns attract scrutiny. Scrutiny compounds penalties. Compounded penalties don’t just hurt your bottom line — they threaten your license. The facility that documents proactive effort is always in a stronger position than the one that cannot produce evidence of any compliance activity. That is not a philosophical statement. That is the documented history of OCR enforcement and CMS survey outcomes across the post-acute sector.

Take the First Step — Zero Obligation

Your Annual HIPAA Risk Assessment Starts With One Conversation.

Don’t wait for a breach notification, a survey citation, or an OCR letter to find out where your vulnerabilities are. Contact Health Compliance Partners today for a confidential, no-obligation consultation with Don Waechter and his team. Find out exactly where your facility stands now — before a surveyor does.

Contact HealthCompliancePartners.com →

Serving SNFs · Physician Practices · Medical Billing · Insurance Organizations · Home Health Agencies · CPAs · Software Companies · Attorneys
