
HIPAA and Cybersecurity — What Medical Practices Need to Know

Compliance · March 1, 2026 · 7 min read

Why HIPAA and cybersecurity are inseparable

HIPAA — the Health Insurance Portability and Accountability Act — is often thought of as a privacy regulation. And it is. But embedded within HIPAA is a set of specific cybersecurity requirements that apply to every organization that handles protected health information (PHI). These requirements are codified in the HIPAA Security Rule, and they are not optional.

The Security Rule applies to covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates (any vendor that handles PHI on their behalf). If you are a medical practice of any size — from a solo practitioner to a multi-location clinic — the Security Rule applies to you.

The challenge for small practices is that the Security Rule was written broadly enough to apply to organizations of all sizes, which means the specific technical requirements are not spelled out in a step-by-step checklist. Instead, the rule describes categories of safeguards and expects each organization to implement them in a way that is appropriate for their size, complexity, and risk profile.

This article translates those requirements into practical terms.

The three categories of safeguards

The HIPAA Security Rule organizes its requirements into three categories: administrative, physical, and technical. Every standard in all three categories is mandatory. The implementation specifications beneath those standards are labeled either "required" or "addressable"; an addressable specification is not optional, but you may meet it with a documented equivalent alternative, or document why it does not apply to your environment. Most small practices have some administrative and physical safeguards in place but are significantly behind on technical safeguards.

Administrative safeguards

Administrative safeguards are the policies, procedures, and management processes that govern how your practice handles security.

Security management process. You must have a formal process for identifying risks to PHI and implementing measures to reduce those risks. This starts with a risk analysis (discussed in detail below) and includes ongoing risk management activities.

Assigned security responsibility. Someone in your organization must be formally designated as responsible for HIPAA security compliance. In a small practice, this is often the practice manager or owner. The person does not need a cybersecurity background, but they need to own the responsibility and have the authority to make changes.

Workforce training. All employees who handle PHI must receive training on your security policies and procedures. This training must be documented — who was trained, when, and on what topics. Annual refresher training is the standard practice, though the rule does not specify a frequency.

Incident response procedures. You must have documented procedures for responding to security incidents: what constitutes an incident, who to notify, how to contain it, and how to document what happened. The plan should also cover the Breach Notification Rule, which requires notifying affected individuals without unreasonable delay and no later than 60 days after a breach of unsecured PHI is discovered, with HHS and, for larger breaches, the media notified as well. If you do not have an incident response plan and a breach occurs, the regulatory consequences will be significantly worse.

Contingency planning. You must have plans for continuing operations if a system fails or data is lost. This includes data backup procedures, disaster recovery plans, and emergency mode operation plans.

Physical safeguards

Physical safeguards control physical access to the systems and facilities where PHI is stored or processed.

Facility access controls. Limit physical access to areas where PHI is accessible. Server rooms, workstations displaying patient records, and areas where paper records are stored should be restricted to authorized personnel.

Workstation security. Workstations that access PHI should be positioned so screens are not visible to unauthorized individuals — including patients in waiting areas. Screens should lock automatically after a period of inactivity.

Device and media controls. When hardware or electronic media that contained PHI is disposed of or reused, the data must be securely erased or the media physically destroyed, and the disposal should be recorded. This applies to old computers, hard drives, USB drives, and even copiers and printers that store data internally. Deleting files or running a factory reset on a laptop is not sufficient; use a wipe tool that follows NIST SP 800-88 media sanitization guidance, or destroy the drive.

Technical safeguards

Technical safeguards are the technology-based protections for PHI. This is where most small practices have the largest gaps.

Access controls. Every user who accesses systems containing PHI must have a unique user ID. Unique user identification is a required implementation specification, so shared logins are a HIPAA violation. You must also implement procedures for granting and revoking access, an emergency access procedure for retrieving PHI when normal access fails, and automatic logoff after inactivity.

Audit controls. You must implement mechanisms to record and examine activity in systems that contain PHI. This means logging who accessed what records and when. Most modern EHR systems have built-in audit logging, but you need to verify it is enabled and review the logs periodically.

Integrity controls. You must implement measures to ensure that PHI is not improperly altered or destroyed. This includes both technical controls (checksums, version tracking) and procedural controls (who is authorized to modify records).

Transmission security. PHI transmitted over a network must be protected against interception. Encryption in transit is technically an addressable specification, but if you do not encrypt you must document why and what equivalent protection you use, and in practice regulators expect encryption. This applies to email, file transfers, and connections to cloud-based systems. If your practice sends patient information via unencrypted email, expect that to be treated as a violation; the one recognized exception is a patient who has been warned of the risk and still asks to receive their own information by unencrypted email.
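A practical check for the transmission security point above: server-to-server email TLS is negotiated hop by hop, and the only record of whether it actually happened is the chain of Received: headers in the delivered message. The script below, an added example that is not code from this article's authors or any mail provider, parses those headers from a constructed message and reports which hops used TLS. It relies on the RFC 3848 transport keywords (ESMTPS and ESMTPSA mean TLS; ESMTP and SMTP mean cleartext); the hostnames, addresses and headers are all made up for the example.

```python
"""Verify, hop by hop, that a message carrying PHI travelled over TLS.

Added example for this article, not code from its authors or any mail
provider. The message below is constructed; in practice you paste the raw
source ("show original" / "view message source") of a message your practice
sent or received. Each Received: header records the transport keyword from
RFC 3848: ESMTPS / ESMTPSA mean the hop used TLS, ESMTP / SMTP mean it did not.
"""
import re

# Constructed raw message: three hops, the middle one in cleartext.
RAW_MESSAGE = """\
Received: from mx.insurer.example (mx.insurer.example [198.51.100.7])
\tby mail.clinic.example (Postfix) with ESMTPS id 4Fv1x2
\t(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384);
\tTue, 3 Feb 2026 09:12:44 -0500
Received: from billing.insurer.example (billing.insurer.example [198.51.100.9])
\tby mx.insurer.example with ESMTP id 7Gh9k1;
\tTue, 3 Feb 2026 09:12:40 -0500
Received: from [10.0.0.12] (unknown [10.0.0.12])
\tby billing.insurer.example (Postfix) with ESMTPSA id 2Bc3d4
\t(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384);
\tTue, 3 Feb 2026 09:12:35 -0500
From: claims@insurer.example
To: billing@clinic.example
Subject: Claim status for patient account

Body text.
"""

TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+([A-Za-z0-9]+)", re.S)
VERSION_RE = re.compile(r"version=(TLS[^\s;)]*)")


def received_headers(raw):
    """Unfold the header block and return each Received: value, newest first."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    unfolded = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()  # continuation of a folded header
        else:
            unfolded.append(line)
    return [h.split(":", 1)[1].strip() for h in unfolded if h.lower().startswith("received:")]


def classify_hop(value):
    """Pull source, destination and transport keyword out of one Received: value."""
    m = HOP_RE.search(value)
    if not m:
        return None
    src, dst, with_kw = m.groups()
    ver = VERSION_RE.search(value)
    return {
        "from": src,
        "by": dst,
        "with": with_kw,
        "tls": with_kw.upper() in TLS_KEYWORDS,
        "tls_version": ver.group(1) if ver else None,
    }


def analyze(raw):
    """Hops in sending order (Received: headers are prepended, so reverse them)."""
    hops = [classify_hop(v) for v in received_headers(raw)]
    return [h for h in reversed(hops) if h is not None]


def cleartext_hops(raw):
    """Readable list of hops that did not use TLS; empty means every hop was encrypted."""
    return [f"{h['from']} -> {h['by']} ({h['with']})" for h in analyze(raw) if not h["tls"]]


if __name__ == "__main__":
    for hop in analyze(RAW_MESSAGE):
        status = "TLS " + hop["tls_version"] if hop["tls"] else "CLEARTEXT"
        print(f"{hop['from']:>28} -> {hop['by']:<24} {hop['with']:<8} {status}")
    print("cleartext hops:", cleartext_hops(RAW_MESSAGE))
```

Two caveats when reading the output. Only the Received: header added by your own mail server is trustworthy; every earlier header was written by someone else's server and could be forged or simply wrong. And a TLS keyword proves the hop was encrypted, not that the receiving server was the right one: opportunistic TLS accepts any certificate, so authenticating the peer takes MTA-STS or DANE on the receiving domain. For PHI, this check is a way to audit what your provider actually does, not a substitute for the portal or end-to-end encryption the article recommends.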

What a risk analysis actually involves

The risk analysis is the foundation of HIPAA security compliance. It is explicitly required by the Security Rule, and it is the first thing auditors and investigators ask for. A large share of HIPAA enforcement actions cite the lack of an accurate and thorough risk analysis as a contributing factor.

A risk analysis is not a one-time checklist. It is a documented process that must be reviewed and updated periodically. The rule does not set a frequency, but annual review is the accepted standard, and you should also update it whenever there is a significant change to your systems or operations, such as a new EHR, a move to cloud hosting, or a merger with another practice.

What the risk analysis must cover

Identify where PHI lives. Document every system, device, and location where PHI is created, received, maintained, or transmitted. This includes your EHR system, email, billing software, paper records, fax machines, backup drives, laptops, smartphones, and any cloud services that store patient data.

Identify threats and vulnerabilities. For each system that handles PHI, identify what could go wrong. Threats include hacking, ransomware, employee error, theft of devices, natural disasters, and vendor breaches. Vulnerabilities are the weaknesses that could be exploited — unpatched software, weak passwords, lack of encryption, no backup.

Assess the likelihood and impact. For each threat-vulnerability pair, estimate how likely it is to occur and how severe the impact would be if it did. This does not need to be a mathematical exercise — qualitative assessments (high, medium, low) are acceptable.

Document your findings. The risk analysis must be documented. "We thought about security" is not sufficient. You need a written record of what risks were identified, how they were assessed, and what actions were taken in response.

Implement measures to reduce risks. Based on the risk analysis, implement safeguards to reduce identified risks to a reasonable and appropriate level. Document what you implemented and why.

Common HIPAA violations that result in fines

Understanding what triggers enforcement actions helps clarify what regulators actually care about.

No risk analysis. The single most cited violation in HIPAA enforcement actions. Fines for this finding alone have ranged from $100,000 to over $1 million depending on the size of the organization and the scope of the breach.

No encryption on portable devices. Laptops, USB drives, and smartphones containing PHI that are lost or stolen without encryption trigger breach notification requirements and frequently result in enforcement actions. If the device was encrypted in line with HHS guidance and the key or password was not lost along with it, the PHI is not considered "unsecured" and the loss does not have to be reported as a breach. Full-disk encryption therefore turns a reportable breach into a lost-hardware problem.

No business associate agreements. If a vendor handles PHI on your behalf and you do not have a signed Business Associate Agreement (BAA) in place, both you and the vendor are in violation. This applies to cloud storage providers, IT support companies, billing services, shredding companies, and any other vendor that touches patient data.

Insufficient access controls. Shared logins, failure to revoke access for former employees, and lack of role-based access restrictions are common findings.

Lack of training documentation. Even if you train your staff, if you cannot produce documentation proving that training occurred, auditors will treat it as if it did not happen.

What a Business Associate Agreement is

A Business Associate Agreement (BAA) is a contract between a covered entity (your practice) and any vendor that creates, receives, maintains, or transmits PHI on your behalf. The BAA defines what the vendor is allowed to do with PHI, requires them to implement appropriate safeguards, and obligates them to report any breaches.

You need a BAA with every vendor that handles PHI, including the ones small practices most often overlook: cloud storage and email providers, IT support companies, billing services, and shredding companies.

Note that not every vendor will sign a BAA. If a vendor will not sign a BAA and they would have access to PHI through the service they provide, you cannot use that vendor for PHI-related work.

Minimum technical controls every practice needs

Based on the Security Rule requirements and common enforcement action findings, here are the minimum technical controls every medical practice should have in place.

Multi-factor authentication on all accounts that access PHI — EHR systems, email, cloud storage, remote access tools.

Full-disk encryption on every laptop, workstation, and mobile device that stores or accesses PHI. BitLocker on Windows, FileVault on macOS, and the built-in device encryption on iOS and Android. Escrow the recovery keys somewhere other than the device itself, and keep a record of which devices are encrypted; that record is what you will need to show if a device goes missing.

Email encryption for any messages containing PHI. At minimum, use a provider that supports TLS encryption in transit, and be aware that ordinary server-to-server TLS is opportunistic: if the receiving server does not offer it, most senders fall back to cleartext without warning. For messages containing sensitive patient information, use a portal-based or end-to-end encryption solution rather than relying on transport TLS alone.

Automatic session timeouts on all workstations and applications that display PHI. Fifteen minutes is a common standard.

Unique user accounts for every person who accesses systems containing PHI. No shared logins, no generic accounts.

Audit logging enabled on all systems that store PHI, with logs reviewed at least monthly.

Firewall and antivirus on all devices. Endpoint protection with behavioral detection is strongly recommended over signature-only antivirus.

Encrypted, tested backups following the 3-2-1 rule. At least one backup must be offsite or in an immutable cloud storage tier. Backups must be tested quarterly.

Patch management with critical security updates applied within 30 days of release. Shorter timelines are better.

Network segmentation separating clinical systems from guest Wi-Fi and general internet access.
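The audit logging and unique-account controls above only pay off if someone actually reads the logs. The script below is an added example, not tooling from this article or any EHR vendor, showing what a monthly review can look like when automated: it reads a constructed audit-log export, compares it against a constructed staff roster, and reports the findings that recur in enforcement actions (activity from an account that should have been revoked, shared or generic logins, after-hours use, and one login touching an unusual number of patients in a day). The log format, roster, business hours and thresholds are all assumptions; adapt parse_line() to your vendor's export.

```python
"""Review an EHR audit-log export against the staff roster.

Added example for this article; it is not code from the article's authors
or any EHR vendor. The log format, the roster, the thresholds and every
record below are constructed for illustration. Real exports differ, so
adapt parse_line() to your vendor's schema and tune the thresholds.
"""
from collections import Counter, defaultdict
from datetime import datetime, time

# Constructed roster: login -> (role, termination date or None).
ROSTER = {
    "jsmith": ("physician", None),
    "alee": ("front_desk", None),
    "rgarcia": ("billing", datetime(2026, 1, 15)),  # left the practice
}

# Constructed audit-log export: timestamp, login, action, patient id.
AUDIT_LOG = """\
2026-02-03T09:12:44 jsmith VIEW P1001
2026-02-03T09:15:02 jsmith NOTE P1001
2026-02-03T10:40:19 alee SCHEDULE P1002
2026-02-03T23:05:10 alee VIEW P1003
2026-02-03T23:05:41 alee VIEW P1004
2026-02-03T23:06:12 alee VIEW P1005
2026-02-03T23:06:50 alee VIEW P1006
2026-02-03T23:07:33 alee VIEW P1007
2026-02-04T08:02:00 rgarcia VIEW P1020
2026-02-04T12:30:00 frontdesk VIEW P1021
2026-02-04T12:31:00 jsmith VIEW P1021
"""

BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed clinic hours
GENERIC_LOGINS = {"admin", "frontdesk", "nurse", "reception", "shared"}
BULK_THRESHOLD = 5  # distinct patients per login per day before flagging


def parse_line(line):
    """One record: ISO timestamp, login, action, patient id (constructed format)."""
    ts, login, action, patient = line.split()
    return datetime.fromisoformat(ts), login, action, patient


def review(log_text, roster, bulk_threshold=BULK_THRESHOLD):
    """Return (kind, login, when, detail) tuples for each finding."""
    findings = []
    patients_per_day = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, login, action, patient = parse_line(line)
        entry = roster.get(login)
        if entry is None:
            # Not on the roster at all: either a known generic login or something unexplained.
            kind = "generic_account" if login in GENERIC_LOGINS else "unknown_account"
            findings.append((kind, login, ts.isoformat(), patient))
        elif entry[1] is not None and ts >= entry[1]:
            # Activity on or after the termination date means access was never revoked.
            findings.append(("terminated_user_activity", login, ts.isoformat(), patient))
        if not BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]:
            findings.append(("after_hours", login, ts.isoformat(), patient))
        patients_per_day[(login, ts.date())].add(patient)
    for (login, day), patients in sorted(patients_per_day.items()):
        if len(patients) >= bulk_threshold:
            findings.append(("bulk_access", login, day.isoformat(),
                             f"{len(patients)} patients"))
    return findings


def summarize(findings):
    """Count findings by kind; this is the line that goes into the review record."""
    return dict(Counter(kind for kind, *_ in findings))


if __name__ == "__main__":
    results = review(AUDIT_LOG, ROSTER)
    for finding in results:
        print(*finding)
    print(summarize(results))
```

Keep the output of each run, with the reviewer's name and date and what was done about each finding; that file is the evidence that the audit-control standard is being met, and it is what an investigator will ask for. The after-hours and bulk thresholds will need tuning for an urgent-care clinic or a practice with on-call staff; what matters is that the thresholds are written down and the exceptions are explained.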

How to document compliance

Documentation is not a nice-to-have under HIPAA. It is a requirement. The Security Rule mandates that policies, procedures, risk analyses, training records, and the other required documentation be retained for six years from the date of creation or the date it was last in effect, whichever is later.

What to document

The risk analysis and the risk management plan that came out of it, with dates and the changes made since the last review.

Security policies and procedures, including the incident response plan and the contingency (backup and disaster recovery) plan.

Training records: who was trained, when, and on what topics.

Business Associate Agreements for every vendor that handles PHI.

Evidence that controls actually operate: audit log reviews, backup restore tests, and access changes when staff join or leave.

Keep it simple

Documentation does not need to be elaborate. A clear, organized set of documents that covers the required areas is sufficient. What matters is that the documentation exists, is current, and is accessible when needed.

Many small practices get stuck trying to create perfect documentation and end up with nothing. A simple policy document that covers the essentials is infinitely better than a comprehensive framework that never gets written.

The cost of non-compliance

HIPAA civil penalties are tiered by level of culpability, from violations the practice did not know about and could not reasonably have known about, through violations with reasonable cause, to willful neglect that was corrected and, at the top tier, willful neglect that was not corrected.

The statutory annual maximum per violation category is $1.5 million, and HHS adjusts the figures upward for inflation each year. For a small practice, even a lowest-tier finding with multiple violations can result in a fine that threatens the viability of the practice.

Beyond federal enforcement, most states have their own health data privacy laws with additional penalties. And the reputational damage of a publicized breach in a medical practice — where patients trust you with their most sensitive information — can be more damaging than the fines themselves.

Start with the risk analysis

If your practice has not completed a HIPAA risk analysis, that is where to start. Everything else flows from it. The risk analysis identifies your gaps, and the risk management plan prioritizes what to fix first.

You do not need to hire a consultant to begin. The HHS Office for Civil Rights and ONC provide a free Security Risk Assessment (SRA) tool designed for small and medium practices, and there are numerous HIPAA-specific risk analysis frameworks designed for small practices.

What you cannot do is nothing. The regulatory environment is getting stricter, enforcement is increasing, and the threat landscape is not getting any simpler.



© 2026 Kaspera Shield. A product of Kaspera.
