Compliance · 9 min read

HIPAA for Utah Healthcare Businesses: What You Actually Need (Without the Lawyer Speak)

By Inevat Team · May 3, 2025

Let's be direct: HIPAA is not fun. It's not designed to be fun. It's a regulatory framework written by people who wanted to be thorough, not readable, and it's been amended and clarified enough times that keeping track of what actually applies to you requires either a lawyer on staff or someone who's spent significant time in the weeds of it.

We're not lawyers and this isn't legal advice. But we are the IT team for a number of Utah healthcare organizations, and we can tell you what the gaps look like in practice — the stuff that HHS auditors and your cyber insurance carrier will actually look for when things go wrong.

First: Are You Actually a Covered Entity?

HIPAA applies to "covered entities" and their "business associates." A covered entity is a healthcare provider that transmits health information electronically. If you're a dental office, a medical clinic, a physical therapy practice, or a specialty physician group — yes, you're a covered entity.

Business associates are organizations that handle Protected Health Information (PHI) on behalf of a covered entity. Medical billing companies, IT companies that have access to your systems (hi), transcription services, cloud storage providers you use for patient records — all business associates. HIPAA applies to them too, and you need Business Associate Agreements (BAAs) with all of them.

Missing BAAs are one of the most common compliance gaps we find. It's not exotic — it's just paperwork that nobody thought to do.

The HIPAA Requirements That Actually Matter in Practice

HIPAA has three main rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule. The Security Rule is where most of the IT work lives. Here are the requirements that come up most often in audits and that we see most commonly unaddressed:

1. Access Controls

Every user who accesses systems containing PHI should have their own unique login. Shared accounts — "we all just use the 'office' login" — are a HIPAA violation and also a forensic nightmare when something goes wrong. You need to be able to audit who accessed what and when.

Practically, this means:

  • Individual user accounts for every employee
  • Role-based access (the receptionist doesn't need access to clinical notes)
  • Automatic screen locks after inactivity
  • Multi-factor authentication, especially for any remote access

2. Audit Controls

You need to log access to systems that contain PHI and be able to retrieve those logs. This is one of the things auditors will specifically ask for. "Can you show us who accessed patient record X on this date?" If you can't answer that question, you have a gap.
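Added example, not code from the original post: the kind of query an auditor's question implies, run over a constructed access log. The CSV layout, the account names and the `SHARED_ACCOUNTS` list are assumptions for illustration; real EHR audit logs use their own fields, but the lookup is the same. It also flags events that can only be traced to a shared login, the situation section 1 warns about.

```python
# Added example: answer "who accessed patient record X on this date?" from an
# access log, and surface events that a shared login makes unattributable.
import csv
import io
from datetime import datetime

# Constructed sample audit log (columns and values are made up for this example).
SAMPLE_LOG = """\
timestamp,user,action,record_id,host
2025-04-14T08:02:11,jsmith,view,PT-10042,FRONTDESK-01
2025-04-14T08:05:47,office,view,PT-10042,FRONTDESK-01
2025-04-14T13:20:03,dr.lee,update,PT-10042,EXAM-02
2025-04-15T09:11:30,jsmith,view,PT-10042,FRONTDESK-01
2025-04-14T16:44:19,billing1,export,PT-20077,BILLING-01
"""

# Assumed list of generic logins that cannot be tied to one person.
SHARED_ACCOUNTS = {"office", "admin", "nurse", "frontdesk"}

def parse_log(text):
    """Parse CSV audit lines into dicts, converting the timestamp to a datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows

def who_accessed(rows, record_id, day):
    """Return (time, user, action, host) for one record on one YYYY-MM-DD day, in time order."""
    target = datetime.fromisoformat(day).date()
    return sorted(
        (r["timestamp"].isoformat(), r["user"], r["action"], r["host"])
        for r in rows
        if r["record_id"] == record_id and r["timestamp"].date() == target
    )

def shared_account_events(rows):
    """Events recorded under a shared login: you know a record was touched, not by whom."""
    return [(r["timestamp"].isoformat(), r["user"], r["record_id"])
            for r in rows if r["user"] in SHARED_ACCOUNTS]

if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for event in who_accessed(log, "PT-10042", "2025-04-14"):
        print(event)
    for event in shared_account_events(log):
        print("UNATTRIBUTABLE:", event)
```

If the answer to the auditor's question contains a row like the `office` one, the log exists but the access-control gap from section 1 still shows up in it.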

3. Encryption

HIPAA doesn't technically require encryption — it's an "addressable" specification — but any organization that doesn't encrypt and then has a breach is going to have a very hard time explaining to HHS why they didn't. In practice, treat encryption as required:

  • Laptops and workstations should use full-disk encryption (BitLocker on Windows, FileVault on Mac)
  • Email containing PHI should be encrypted in transit
  • Backup data should be encrypted at rest
  • Mobile devices that access PHI need to be enrolled in mobile device management (MDM) and have encryption enabled

4. Risk Analysis

This is the one that trips up small practices the most. HIPAA requires you to conduct a formal, documented risk analysis — an assessment of where PHI lives in your organization, what the risks to it are, and what you're doing to mitigate those risks. This isn't a checkbox; it's a living document that needs to be updated when your environment changes.

We see practices that have never done one. We also see practices that did one seven years ago and haven't looked at it since. Neither is compliant.

5. Workforce Training

Every employee who handles PHI needs HIPAA training. This needs to be documented. It needs to happen for new employees and on a recurring basis (annually is the typical standard). The training needs to cover what PHI is, how to handle it, how to recognize a breach, and what to do if one occurs.

A breach notification is not the same as a breach. A breach notification is what you're required to do after a breach. The goal is to never get there.

The Breach Notification Piece

If PHI is improperly accessed, used, or disclosed, you have notification obligations. The timeline is aggressive: affected individuals must be notified within 60 days of discovering a breach. If the breach affects 500 or more people in a state, you also have to notify HHS and prominent media outlets in that state. Yes, media outlets.

The incentive to have good logging and monitoring is partly that you can detect breaches early. If you find out about a breach 60 days in, you're already at your deadline. If you find out 30 days in — or the same day — you have time to respond properly.

What We Actually Do for Healthcare Clients

We use Compliance Manager Pro to manage compliance for our healthcare clients on an ongoing basis. That means:

  • A documented, current risk analysis
  • Tracked remediation tasks with owners and deadlines
  • Policy documentation that employees acknowledge
  • Evidence collection for audit readiness
  • Security controls aligned to the HIPAA Security Rule (encryption, access controls, logging, backup)
  • Annual training coordination

The goal is that when you get a request from HHS or your cyber insurance carrier asking about your compliance posture, you can answer with documentation — not with a panicked call to us asking what to do.

If you're not sure where your compliance gaps are, we'd be glad to take a look. We do initial assessments and give you an honest picture of what's there and what isn't.
