If you run a medical practice, you've probably heard of HIPAA. You likely have a Notice of Privacy Practices posted in your waiting room. You may have trained your staff on patient confidentiality. But there's a substantial gap between administrative HIPAA compliance and technical HIPAA compliance — and most small practices in Miami-Dade, Broward, and Palm Beach are falling short on the technical side.
This is not a minor issue. The Office for Civil Rights has levied fines against solo practitioners and small practices just as aggressively as against hospital systems. The law does not distinguish between a 500-bed hospital and a five-physician group practice.
What Is Technical HIPAA Compliance?
HIPAA has three main rules. The Privacy Rule covers how you use and disclose patient information. The Breach Notification Rule covers what you do when something goes wrong. The Security Rule covers your technology — and it's the one most IT companies handle poorly.
The Security Rule requires "covered entities" (that's you, if you're a healthcare provider) to implement administrative, physical, and technical safeguards to protect electronic Protected Health Information (ePHI). In plain English: the computers, phones, servers, and software that touch patient data must be secured in specific ways.
The Business Associate Agreement: The First Thing to Check
Before we get into technical specifics, there's a foundational requirement that many small practices miss entirely: every vendor with access to your patient data must sign a Business Associate Agreement (BAA).
This includes your IT company. If your IT provider has access to your systems — and any IT company worth hiring does — they must have a signed BAA on file. If they don't, you are already non-compliant. Ask your current IT provider today. If they don't know what a BAA is, you have your answer.
No BAA = automatic non-compliance. This is one of the most commonly cited violations in OCR investigations, and it requires no breach to trigger a penalty.
What Your IT Company Should Be Doing for HIPAA
Here is what technical HIPAA compliance actually requires from your IT environment:
1. Encrypted Storage
Any device that stores patient data must encrypt that data at rest. This means if a laptop is stolen, the thief cannot read the patient records on it. Full-disk encryption on every workstation, laptop, tablet, and server that touches ePHI is required. Most practices have not enabled it on any of their devices.
2. Encrypted Transmission
When patient data moves — from your EHR to a specialist, from your practice to a billing service, from a staff member working remotely — it must be encrypted in transit. Sending patient records as unencrypted email attachments is a HIPAA violation. Accessing your practice management system over an unsecured connection is a HIPAA violation.
3. Access Controls
Only the people who need access to patient data should have it. Your billing staff should not have access to clinical notes they don't need. Former employees should have their access revoked the day they leave. Every user should have a unique login — shared passwords are not compliant. Your IT company should be managing user accounts and access levels, not leaving it to chance.
4. Audit Logs
HIPAA requires you to maintain records of who accessed what patient data and when. These logs must be preserved for six years. If the OCR audits you and asks who accessed a specific patient record on a specific date, you need to be able to answer that question. Most small practices cannot.
5. Automatic Logoff
Workstations with access to patient data must automatically log out after a period of inactivity. The doctor who leaves a patient record open on their desk while seeing another patient is creating a HIPAA violation. This is a simple technical control that most IT companies fail to configure.
6. Backup and Disaster Recovery
You must have a documented procedure to restore patient data in the event of an emergency. This means tested, verified backups stored separately from your primary systems. "We back up to an external drive in the server room" does not qualify if the server room floods, burns, or gets ransomwared.
7. Risk Assessment
HIPAA requires an annual documented risk assessment — a systematic review of the risks to the confidentiality, integrity, and availability of ePHI. This is not a checkbox. It's a written document that identifies your current safeguards and any gaps, and it needs to be updated annually. Most small practices have never had one done.
8. Staff Training
All staff with access to patient data must receive HIPAA security training. This should be documented. "We told them during orientation" is not sufficient if the OCR asks for training records.
The majority of HIPAA breaches affecting small practices start with phishing emails. A staff member clicks a link, their credentials are stolen, and the attacker accesses your practice management system. Security awareness training is one of the highest-value investments a small practice can make.
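As an added example (not part of the original post): a small Python script over constructed EHR access-log lines that answers the audit question from item 4 (who accessed a given record on a given date) and flags the two access-control failures from item 3, shared logins and access after an employee's last day. The log format, account names and roster are assumptions for illustration, not any real EHR's format.

```python
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample lines in a hypothetical "timestamp|user|action|patient_id" format.
SAMPLE_LOG = """\
2024-03-04T09:12:05|jsmith|VIEW|MRN-10442
2024-03-04T09:40:31|frontdesk|VIEW|MRN-10442
2024-03-04T13:02:17|rlee|UPDATE|MRN-10442
2024-03-05T08:15:00|jsmith|VIEW|MRN-20913
2024-03-05T10:55:44|rlee|VIEW|MRN-10442
"""

# Constructed roster: last working day (None = still employed) and whether the login is shared.
ROSTER: Dict[str, dict] = {
    "jsmith": {"last_day": None, "shared": False},
    "rlee": {"last_day": "2024-03-04", "shared": False},
    "frontdesk": {"last_day": None, "shared": True},
}

def parse_log(text: str) -> List[dict]:
    """Turn pipe-delimited access records into dicts with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split("|")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "action": action, "patient": patient})
    return records

def who_accessed(records: List[dict], patient: str, day: str) -> List[Tuple[str, str, str]]:
    """The auditor's question: every (time, user, action) for one record on one ISO date."""
    return [(r["ts"].isoformat(), r["user"], r["action"])
            for r in records
            if r["patient"] == patient and r["ts"].date().isoformat() == day]

def access_control_findings(records: List[dict], roster: Dict[str, dict]) -> List[str]:
    """Flag shared logins and any access after a user's last day, both non-compliant."""
    findings = []
    for r in records:
        when, user = r["ts"].isoformat(), r["user"]
        info = roster.get(user)
        if info is None:
            findings.append(f"{when}: {user} is not on the roster")
            continue
        if info["shared"]:
            findings.append(f"{when}: shared login {user} used for {r['patient']}")
        if info["last_day"] and r["ts"].date().isoformat() > info["last_day"]:
            findings.append(f"{when}: {user} accessed {r['patient']} after last day {info['last_day']}")
    return findings
```

Run the same two functions against your real export and roster; if either question cannot be answered from what your systems retain, that is the gap an OCR audit will find.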
What Happens When There's a Breach
If patient data is exposed — through a ransomware attack, a stolen laptop, an unauthorized access, or an accidental disclosure — you have specific legal obligations. You must notify affected patients within 60 days. If more than 500 patients in a state are affected, you must notify the media. You must notify the Department of Health and Human Services.
The investigation that follows will examine whether you had the required safeguards in place. If you didn't — and most small practices don't — the penalties multiply.
A Note on EHR Systems and HIPAA
Using a cloud-based EHR system does not make you HIPAA compliant. Your EHR vendor is responsible for the security of their platform. You are responsible for everything else: how staff access it, what devices they use, how those devices are secured, what network they connect from, and who has credentials.
Having Epic or Athena or any other compliant EHR does not protect you if your staff is accessing it from an unencrypted laptop on a coffee shop WiFi network.
Is Your Practice Compliant?
The honest answer for most small practices is: probably not fully. This is not a moral failing — it's a knowledge gap. HIPAA's technical requirements are detailed, the penalties are severe, and most general IT companies don't specialize in healthcare compliance.
The good news is that most small practices can achieve full technical compliance without a massive investment. The gap is usually a combination of missing configuration, missing documentation, and missing processes — all of which are addressable.
Is Your Practice HIPAA Compliant?
We review your technical environment against HIPAA's Security Rule requirements and give you a plain-English gap analysis. No jargon. No scare tactics. Just an honest assessment of where you stand.