Why HIPAA Compliance Still Trips Up Small Practices
Most small healthcare providers understand that HIPAA requires them to protect patient health information (PHI). But understanding the requirement and operationalizing it are very different things. In 2025, the Department of Health and Human Services Office for Civil Rights (OCR) issued more than $12 million in HIPAA penalties — and a significant share went to organizations with fewer than 50 employees.
The common thread: these practices knew the rules but lacked the technical safeguards to meet them. This checklist focuses specifically on the IT side of HIPAA compliance — the systems, configurations, and processes that auditors and investigators actually examine.
What Counts as PHI?
Protected Health Information includes any individually identifiable information relating to a patient's health condition, healthcare delivery, or payment for healthcare. PHI covers 18 identifiers defined by HIPAA, including names, dates of birth, Social Security numbers, phone numbers, email addresses, medical record numbers, health plan IDs, and IP addresses when tied to a healthcare record.
For IT purposes, assume that any data touching your electronic health record (EHR) system, billing platform, scheduling software, or patient email is ePHI (electronic PHI) and must be protected accordingly.
The Four HIPAA Rules That Drive IT Requirements
There are four primary HIPAA rules, but two directly shape your IT obligations:
- Security Rule: Requires administrative, physical, and technical safeguards for ePHI. This is where most IT work lives.
- Privacy Rule: Governs how PHI can be used and disclosed. Affects your workflows, access policies, and staff training.
- Breach Notification Rule: Requires you to notify patients and HHS within 60 days of discovering a breach affecting 500+ individuals (or annually for smaller breaches).
- Omnibus Rule: Extended many requirements to business associates — your IT vendors, cloud providers, and MSPs must sign a Business Associate Agreement (BAA).
The 10-Point HIPAA IT Checklist
Use this list as a starting point for your annual HIPAA risk assessment. Each item maps to a specific Security Rule requirement.
HIPAA IT Checklist — 2026
- All ePHI is encrypted at rest and in transit using AES-256 or TLS 1.2+ standards.
- Access to ePHI is role-based — staff can only access records needed for their job function.
- Multi-factor authentication (MFA) is enforced on all systems that touch ePHI, including email and EHR portals.
- Audit logs are enabled and retained for at least 6 years, capturing who accessed what data and when.
- All workstations and servers are patched within 30 days of critical security update release.
- Automatic screen lock is enforced after no more than 15 minutes of inactivity on all devices.
- Offsite, encrypted backups are tested quarterly and can restore within your defined recovery time objective.
- All vendors with access to ePHI have signed a Business Associate Agreement (BAA) with your practice.
- A documented Security Incident Response Plan exists, has been reviewed in the past 12 months, and staff know their roles.
- An annual HIPAA Security Risk Assessment has been completed and documented, with any identified gaps remediated or risk-accepted in writing.
Common Violations OCR Investigators Find
When OCR investigates a healthcare breach, these are the most frequent IT failures they document:
- No risk analysis: Failure to conduct a thorough, accurate, enterprise-wide security risk analysis is the single most common HIPAA violation cited. It's required at least annually and after significant operational changes.
- Unencrypted laptops and mobile devices: Devices containing ePHI that aren't encrypted create an automatic presumption of breach if lost or stolen.
- Weak or shared passwords: Sharing login credentials, using default passwords, or not enforcing password complexity requirements violates the unique user ID requirement.
- No workforce training: All workforce members who handle PHI must receive HIPAA training at hire and regularly thereafter. Failure to document training is a frequently cited gap.
- Missing or outdated BAAs: Sending PHI to a vendor without a signed BAA — even a cloud storage provider or email platform — is a violation regardless of whether a breach occurs.
How a HIPAA-Focused MSP Helps
Many small practices struggle with HIPAA compliance not because they don't care, but because IT management isn't their core business. A managed IT provider with demonstrated HIPAA expertise can take on the technical safeguards on your behalf — implementing encryption, configuring audit logging, managing patches, and providing the documentation your auditors will ask for.
At Teleon, we specialize in HIPAA-compliant IT environments for healthcare practices in Georgetown and Central Texas. We sign Business Associate Agreements with every healthcare client, conduct security risk assessments as part of onboarding, and maintain the audit trail your practice needs to demonstrate ongoing compliance.
If your practice has never had a formal HIPAA security risk assessment, or if you're not confident your current IT setup meets the technical safeguard requirements, a HIPAA compliance assessment is the right first step.