How Xantrion Healthcare Clients Become HIPAA Audit-Ready

Healthcare organizations across the US face mounting pressure to demonstrate HIPAA compliance. As a harbinger of things to come, HHS has proposed significant updates to the HIPAA Security Rule. It would be the first major revision since 2013 and would require more rigorous security controls, including mandatory encryption, multi-factor authentication, and annual compliance audits.

At the same time, organizations are struggling with limited resources and competing priorities. Barnes & Thornburg’s 2025 Healthcare Compliance Outlook survey found that 53% of healthcare compliance and risk leaders face resource constraints in critical areas, including budget, staffing, and technology. 

And 56% anticipate even greater challenges ahead. It all adds up to only 31% of healthcare compliance and risk leaders feeling “very prepared” to meet future compliance and risk challenges. Fortunately, the compliance and audit-ready methodology practiced by Xantrion and its healthcare clients can help.

“The best knock on our door is when somebody is proactive, and they know that there’s a looming compliance mandate,” says Xantrion senior information security and compliance advisor John Christly. “The worst time is when they suffered a breach, and then they’re in reactive mode.”

This composite case study illustrates the stakes and how healthcare organizations of all sizes are addressing the pressure with the aid of Xantrion’s methodology.

The Universal Challenge: Fragmented Evidence, Compressed Timelines

From the smallest single-practitioner clinic to the largest regional hospital, healthcare organizations of all kinds confront similar compliance challenges that threaten both regulatory standing and patient care quality. Among their challenges:

  • Organizations often juggle multiple information security requirements and guidelines, such as HIPAA, PCI-DSS for credit card processing, and SOC 2 for security protocols. Without clear mapping between these frameworks, overlap and confusion can occur.
  • Limited staffing and resources cause compliance responsibilities to fall on part-time staff using inadequate tools such as sprawling spreadsheets.
  • Market pressure from payers and partners requires proof of mature security programs before contracts are signed.
  • Regulatory risks, with OCR penalties reaching up to $2.1 million per HIPAA violation, drive board-level concern about potential audits.

The Process-Centric Solution: A Six-Phase Methodology

Xantrion’s six-phase process for health organization compliance prioritizes governance and sustainable practices over technology purchases alone.

Phase 1: Governance First

Successful programs begin by establishing a risk and compliance steering committee with clear decision rights and reporting cadences. This executive-level accountability ensures top-down support before any tools or technical solutions are considered.

With this support, organizations write policies in simple language, avoiding complex terminology, and with staff input. Risk and compliance leaders listen for feedback about what direction resonates with their teams and what needs adjustment.

Phase 2: Unified Control Framework

Rather than maintaining separate documentation for each regulatory requirement, successful organizations create a single taxonomy that maps HIPAA Security Rule requirements alongside any other applicable frameworks. This “document once, comply many” approach dramatically reduces complexity and effort.

The key here is establishing what Christly terms a golden source of compliance: a single, authoritative repository for each control’s evidence. That means controls, such as password requirements and incident response protocols, stay together with the documentation (screenshots, testing results, etc.) that supports them.

Organizations with unified control frameworks use dedicated governance, risk, and compliance (GRC) platforms or, at minimum, relational databases that maintain one row per control. In other words, they use tools that avoid the fragile cross-referencing chains common in spreadsheet-based systems, where formulas can break and data can become inconsistent across multiple spreadsheets.

Phase 3: Structured Security Risk Analysis

The cornerstone of HIPAA compliance, the security risk assessment (SRA), becomes repeatable across business units through a structured approach. The process begins with simple but effective data flow mapping exercises that reveal overlooked systems and vulnerabilities.

But, “It’s not just about mapping,” Christly says. “It’s about understanding your program.” To that end, he recommends going back to basics, using whiteboards and even pencils to map data: where it resides, where it goes, and how users access it. Yes, pencils, because their erasers accommodate connections overlooked in the first pass. “People look at me like I’ve got three heads,” Christly says. “But this is how I start.”

Phase 4: 90-Day Remediation Sprints

Successful organizations prioritize findings by both risk level and business value, then tackle them in 30-, 60-, and 90-day cycles. This approach maintains momentum without overwhelming limited staff or budgets. Monthly steering committee reviews ensure continued progress and accountability.

Phase 5: Culture & Capability Building

Sustainable compliance requires embedding security awareness throughout the organization. Robust programs identify a compliance champion, often the director of Clinical Informatics or a practice manager. This individual bridges the gap between clinical and technical staff.

The culture challenge is real: clinical staff often distrust IT personnel when it comes to compliance matters. Quite simply, it’s natural for clinicians to question why someone without medical training should advise them on handling patient data. The compliance champion’s role addresses this trust gap.

Phase 6: Continuous Monitoring

Modern compliance programs integrate automated evidence collection from multiple sources, including electronic health record audit logs, medical device networks, and data from security tools. The shift from manual collection to automated monitoring transforms audits from fire drills into routine demonstrations of existing controls. 

Independent validation through third-party vulnerability scans and penetration tests helps verify compliance program effectiveness. A trusted third party like Xantrion can help with both monitoring and validation.

Results: Measurable Business Impact

Healthcare organizations implementing our six-phase methodology can achieve significant, measurable results, including:

  • Audit readiness with complete, enterprise-wide security risk assessments and no critical gaps.
  • Reductions in compliance preparation times thanks to automated evidence collection.
  • Cost savings through reduced cyber liability insurance premiums and fewer person-hours spent on compliance tasks.
  • Fewer high-risk vulnerabilities and potentially zero reportable incidents.

Common Pitfalls to Avoid

Over the years of working with healthcare organizations, we’ve seen several common missteps that interfere with compliance efforts, including the following.

“Set-and-forget” mentality

Many organizations treat compliance as a one-time project, forgetting that HIPAA compliance requires continuous program management to keep current with evolving technology, threats, and regulations.

Thinking that size provides protection

Small practices often believe they’re too insignificant to attract attackers. This dangerous assumption ignores reality: hackers and nation-state actors target data regardless of the organization’s size. Two-person clinics face the same threats as large hospital systems.

Evidence chaos

Organizations that save policies in email threads or multiple locations struggle during audits. The solution requires discipline around maintaining that single source of compliance truth.

IT-centric approach

Treating HIPAA as purely a technology project ignores the clinical workflow components that drive real-world compliance.

The Path Forward: From Reactive to Proactive

Just as regular check-ups and screenings can prevent serious health complications, proactive compliance measures act as organizational “finger pricks”—minor inconveniences that prevent major crises. Organizations that wait until after a breach to address vulnerabilities face the equivalent of major surgery, with all the associated costs, complications, and recovery time.

For healthcare compliance leaders experiencing resource constraints, the way forward is clear: start with process, not technology. Begin by understanding where your data lives, who touches it, and how it flows throughout your organization. Build from that foundation with consistent, repeatable processes, and you can turn compliance from a burden into a by-product of good operations.

As Christly says of his engagements with Xantrion clients, the work is about much more than installing and maintaining technology. “We can be your trusted ally,” he says. “We’re there to help you mature your program and stay out of trouble.”

Learn more about how Xantrion can help you implement a sustainable, process-driven compliance program at xantrion.com/managed-security.