Everything small healthcare businesses need to know about HIPAA IT compliance — technical safeguards, required policies, breach notification rules, and what the OCR actually audits.
HIPAA violations cost small healthcare businesses an average of $1.19 million per incident in 2025 (HHS Office for Civil Rights data). Yet most small practices, dental offices, therapy clinics, and health tech startups operate with significant HIPAA gaps — not from negligence, but because the regulation's 115-page text is genuinely difficult to translate into a practical IT checklist.
This guide distills HIPAA's IT requirements into exactly what you need to implement, maintain, and document — written for business owners and office managers, not lawyers.
Who Needs to Comply With HIPAA?
HIPAA applies to two categories:
- Covered Entities: Healthcare providers, health plans, healthcare clearinghouses that transmit PHI electronically
- Business Associates: Any vendor or service provider that creates, receives, maintains, or transmits PHI on behalf of a covered entity — including cloud storage providers, billing companies, IT managed service providers, EHR vendors, and legal firms
If you're unsure whether you qualify, assume you do. The cost of over-compliance is far lower than the cost of an OCR audit finding.
The Three HIPAA Safeguard Categories
1. Administrative Safeguards (Policies & Procedures)
- ☐ Security Officer designated — One person responsible for HIPAA compliance (can be the owner in a small practice)
- ☐ Risk analysis completed — Written assessment identifying all PHI locations and threats. Required annually.
- ☐ Risk management plan — Written plan to address risks identified in the risk analysis
- ☐ Workforce training — All staff trained on HIPAA policies at hire and annually. Training records retained 6 years.
- ☐ Sanction policy — Written consequences for HIPAA violations by employees
- ☐ Access management procedure — Process for granting, modifying, and revoking PHI access
- ☐ Contingency plan — Data backup, disaster recovery, and emergency mode operations procedures
- ☐ Business Associate Agreements (BAAs) — Signed contracts with every vendor that touches PHI
2. Physical Safeguards
- ☐ Facility access controls — Locked doors, visitor logs, security cameras for areas containing PHI
- ☐ Workstation use policy — Screens positioned away from public view, auto-lock after 15 minutes
- ☐ Workstation security — Physical controls preventing unauthorised access to devices
- ☐ Device disposal procedure — Hard drives wiped (DoD 5220.22-M standard) or physically destroyed before disposal
- ☐ Mobile device policy — Rules for PHI on laptops, phones, tablets (encryption required)
3. Technical Safeguards (The IT Requirements)
Access Control:
- ☐ Unique user IDs — no shared logins, ever
- ☐ Automatic logoff after 15 minutes of inactivity on all systems containing PHI
- ☐ Emergency access procedure for critical systems
- ☐ Role-based access — staff can only access PHI required for their job function
Audit Controls:
- ☐ Activity logs on all systems accessing PHI — who accessed what, when, from where
- ☐ Log retention minimum 6 years
- ☐ Regular log review process (monthly minimum)
Integrity:
- ☐ Mechanism to detect unauthorised alteration of PHI (checksums, digital signatures)
- ☐ Transmission integrity verification (error-checking during data transfer)
Transmission Security:
- ☐ All PHI transmitted over networks encrypted (TLS 1.2+ minimum)
- ☐ No PHI sent via standard unencrypted email (use encrypted email or secure messaging)
- ☐ VPN required for remote access to systems containing PHI
- ☐ Wi-Fi networks carrying PHI use WPA3 encryption
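The "activity logs", "role-based access" and "regular log review" items above are easier to act on with a concrete review script. The following is an added example, not code from the original article or from any vendor named on this page; it runs over a few constructed access-log lines and raises findings for three things a monthly review should look for: a user viewing a record type outside their role, the same user ID appearing from two different addresses within minutes (a shared-login indicator), and one user touching an unusual number of distinct patients in a day (an insider-snooping indicator). The log column layout, the role-to-record-type map and the two thresholds are assumptions chosen for illustration, not values HIPAA prescribes.

```python
"""Monthly access-log review helper for systems holding PHI (added example).

Reads structured access-log lines with the columns
timestamp,user,role,action,record_type,patient_id,src_ip and returns findings
as (kind, user, detail) tuples. The role map and thresholds below are
assumptions for a small practice, not values from the HIPAA Security Rule.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed role -> record types that role may view (hypothetical policy).
ALLOWED = {
    "clinician": {"clinical", "demographics"},
    "billing": {"billing", "demographics"},
    "front_desk": {"demographics"},
}
SHARED_LOGIN_WINDOW = timedelta(minutes=5)  # same user, new IP, within 5 minutes
VOLUME_THRESHOLD = 3                        # distinct patients per user per day

# Constructed sample log lines; the users, patient IDs and addresses are invented.
SAMPLE_LOG = """\
timestamp,user,role,action,record_type,patient_id,src_ip
2025-03-03T08:02:11,jdoe,front_desk,view,demographics,P001,10.0.1.20
2025-03-03T08:03:40,jdoe,front_desk,view,clinical,P001,10.0.1.20
2025-03-03T08:04:05,jdoe,front_desk,view,demographics,P002,10.0.1.77
2025-03-03T09:15:00,asmith,clinician,view,clinical,P003,10.0.1.31
2025-03-03T09:16:10,asmith,clinician,view,clinical,P004,10.0.1.31
2025-03-03T09:17:30,asmith,clinician,view,clinical,P005,10.0.1.31
2025-03-03T09:18:45,asmith,clinician,view,clinical,P006,10.0.1.31
2025-03-03T14:00:00,bking,billing,view,billing,P003,10.0.1.40
"""


def parse_log(text):
    """Parse the CSV text into dicts, with timestamps as datetime, oldest first."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return sorted(rows, key=lambda r: r["timestamp"])


def review(rows):
    """Return a list of (kind, user, detail) findings for the reviewer."""
    findings = []
    last_seen = {}              # user -> (timestamp, src_ip) of the previous access
    per_day = defaultdict(set)  # (user, date) -> distinct patient IDs viewed
    for r in rows:
        # Role-based access: the record type must be permitted for the user's role.
        if r["record_type"] not in ALLOWED.get(r["role"], set()):
            findings.append(("role_violation", r["user"],
                             f"{r['role']} viewed {r['record_type']} for {r['patient_id']}"))
        # Shared-login indicator: same user ID from a different address within the window.
        prev = last_seen.get(r["user"])
        if prev and prev[1] != r["src_ip"] and r["timestamp"] - prev[0] <= SHARED_LOGIN_WINDOW:
            findings.append(("possible_shared_login", r["user"],
                             f"{prev[1]} then {r['src_ip']} within {SHARED_LOGIN_WINDOW}"))
        last_seen[r["user"]] = (r["timestamp"], r["src_ip"])
        per_day[(r["user"], r["timestamp"].date())].add(r["patient_id"])
    # Volume check runs after the pass so each (user, day) is reported once.
    for (user, day), patients in per_day.items():
        if len(patients) > VOLUME_THRESHOLD:
            findings.append(("unusual_volume", user,
                             f"{len(patients)} distinct patients on {day}"))
    return findings


if __name__ == "__main__":
    for kind, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{kind:22} {user:8} {detail}")
```

On the sample data the script reports one role violation and one possible shared login for jdoe, and an unusual-volume finding for asmith; the front-desk user viewing a clinical record is exactly the kind of event the role-based access item is meant to prevent, and the findings list is the artefact to keep as evidence that the monthly review happened. Real systems should export the log rather than paste it inline, and the thresholds should be tuned to the practice's normal workload.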
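The integrity items above (detecting unauthorised alteration of PHI, and verifying integrity of data in transit) are often left as an abstract checkbox. The following added example, which is not code from the article or from any product it names, shows one concrete mechanism: a keyed checksum (HMAC-SHA256) attached to each record when it is stored or sent, which only a holder of the key can produce and which fails to verify if any field is changed. It uses a MAC rather than a public-key digital signature so that it runs with the Python standard library alone; the key, record and tampering are constructed for illustration.

```python
"""Keyed integrity tags for PHI records (added example, standard library only).

An HMAC-SHA256 tag is a keyed checksum: anyone can recompute a plain hash
after altering a record, but only a holder of the key can produce a valid
tag. Records are serialised canonically so that harmless differences
(key order, whitespace) do not break verification. The key and sample
record below are constructed for illustration.
"""
import hashlib
import hmac
import json
import secrets


def canonical(record):
    """Serialise a record deterministically so the tag depends only on its content."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record, key):
    """Return the record together with its integrity tag."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed, key):
    """True only if the record is unchanged since it was sealed with this key."""
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    # compare_digest is constant-time, so the comparison leaks nothing about the tag.
    return hmac.compare_digest(expected, sealed["tag"])


def demo():
    """Walk through the four cases a reviewer would want to see; returns four booleans."""
    key = secrets.token_bytes(32)  # constructed here; in practice kept in a secrets store
    record = {"patient_id": "P001", "dob": "1980-01-02", "allergy": "penicillin"}
    sealed = seal(record, key)

    # 1. Intact record, including a round trip through JSON as if sent over a network.
    received = json.loads(json.dumps(sealed))
    intact = verify(received, key)

    # 2. A field altered after sealing (simulated unauthorised change) is detected.
    tampered = {"record": dict(sealed["record"], allergy="none"), "tag": sealed["tag"]}
    altered_detected = not verify(tampered, key)

    # 3. Reordered keys in transit are still the same record and still verify.
    reordered = {"record": dict(reversed(list(sealed["record"].items()))), "tag": sealed["tag"]}
    reorder_ok = verify(reordered, key)

    # 4. A tag computed without the key (a plain hash) does not verify.
    forged = {"record": sealed["record"],
              "tag": hashlib.sha256(canonical(sealed["record"])).hexdigest()}
    forgery_detected = not verify(forged, key)

    return intact, altered_detected, reorder_ok, forgery_detected


if __name__ == "__main__":
    print(demo())  # expect (True, True, True, True)
```

The same seal/verify pair covers both checklist items: compute the tag when a record is written and re-check it on read to detect alteration at rest, and send the tag with the record so the receiver can reject anything corrupted or modified in transit. Where non-repudiation is needed (proving which party produced the record), a public-key signature replaces the shared key, but the canonical serialisation and constant-time comparison carry over unchanged.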
Breach Notification Requirements
When a breach of unsecured PHI occurs, HIPAA mandates:
- Affected individuals: Notified within 60 days of breach discovery
- HHS Secretary: Notified within 60 days (or annually for breaches affecting fewer than 500 individuals)
- Media (if 500+ individuals in a state affected): Notification within 60 days
Notification must include: what happened, what PHI was involved, what you're doing about it, and steps individuals can take to protect themselves.
The 5 Most Common HIPAA IT Violations in 2025
- Lack of encryption on portable devices — Stolen/lost unencrypted laptops account for 35% of breaches
- Unauthorised PHI access by employees — Insider snooping, often discovered months later
- Missing or expired Business Associate Agreements — Your EHR vendor, billing service, and cloud backup provider all need signed BAAs
- Phishing leading to credential theft — One compromised email account can expose thousands of patient records
- Inadequate risk analysis — the OCR's most-cited violation; you must document your assessment annually
HIPAA-Compliant Technology Stack for Small Practices
| Category | Compliant Options |
|---|---|
| EHR | Epic, athenahealth, DrChrono (with BAA) |
| Cloud Storage | Microsoft 365 (with BAA), Google Workspace (with BAA) |
| Email | Paubox, Proofpoint, Mimecast (encrypted) |
| Video/Telehealth | Zoom for Healthcare (with BAA), Doxy.me |
| Backup | Veeam, Acronis (encrypted, with BAA) |
| Password Manager | 1Password Business, Bitwarden Teams |
| MFA | Microsoft Authenticator, Duo Security |
What Does an OCR Audit Actually Look Like?
The Office for Civil Rights (OCR) conducts two types of audits: desk audits (document review) and on-site audits. They request:
- Your most recent risk analysis and risk management plan
- HIPAA policies and procedures (with version history)
- Training records for all workforce members
- List of all Business Associate Agreements
- Incident/breach log for the past 3 years
- Sample of system access logs
If you can produce these documents within 10 business days, you're in good shape. If you can't, you're not — regardless of what your actual technical security looks like.
Our HIPAA compliance service includes a full technical gap assessment, policy documentation, staff training, BAA review, and ongoing monitoring to ensure you stay compliant as regulations evolve. Book a free HIPAA readiness assessment — we'll tell you exactly where your gaps are within 48 hours.