HIPAA comes up a lot in conversations with small business owners, usually in one of two ways. Either they know they need to comply and have no idea what that means on the IT side, or they assume HIPAA only applies to hospitals and doctor’s offices. Both groups are usually wrong in ways that cost them money.
This article covers the IT side of HIPAA. Not the administrative policies, not the training requirements, not the physical security of paper records. Specifically: what needs to happen on your computers, your network, and your cloud services, and which parts your IT provider should be handling for you.
We spent years auditing IT providers who served healthcare and health-adjacent businesses. The IT gaps we found weren’t exotic. They were basic things like unencrypted laptops, no audit logs, shared admin passwords, and backup systems that had never been tested. These aren’t obscure compliance requirements. They’re the minimum standard, and most small businesses we audited weren’t meeting it.
Which Businesses Need HIPAA Compliance
HIPAA applies to significantly more businesses than most small business owners realize. The obvious covered entities are medical and dental practices, mental health providers, pharmacies, and health insurance companies. But any company that handles protected health information on behalf of a covered entity is classified as a business associate under HIPAA and must comply with the same security requirements. This includes IT companies managing servers that store patient records, accounting firms processing medical billing, law firms representing healthcare clients whose documents contain patient information, document shredding companies destroying paper records from clinics, and cloud storage providers hosting electronic health data. The legal test is straightforward: does individually identifiable health information pass through your systems at any point, even temporarily during processing or transit? If the answer is yes, HIPAA requirements apply to how you store, transmit, and protect that data.
Protected health information is any individually identifiable health information. That includes names combined with dates of service, diagnoses, treatment records, insurance information, Social Security numbers, and more. If you can connect a person’s identity to their health information, it’s PHI and it’s protected under HIPAA.
The IT Side of HIPAA
HIPAA’s Security Rule is the part that deals with electronic protected health information, commonly called ePHI. It breaks down into three categories of safeguards: administrative, physical, and technical. The technical safeguards are where your IT provider comes in. Here are the major requirements and what they mean in plain English.
Encryption
HIPAA requires that ePHI be encrypted both at rest and in transit. At rest means on hard drives, USB drives, backup media, and cloud storage. In transit means when it’s being sent over a network, whether that’s email, file transfers, or accessing a cloud application.
For small businesses, this means every laptop and desktop that stores or accesses patient information needs full disk encryption enabled. Windows has BitLocker. Mac has FileVault. Both are built into the operating system and free to enable. Every email containing ePHI needs to be encrypted. Every connection to a cloud service storing ePHI needs to use HTTPS. And your backups need to be encrypted both during transfer and in storage.
The most common encryption failure we found during audits was laptops without disk encryption. A lost or stolen laptop with unencrypted ePHI is a reportable breach. With encryption enabled, a lost laptop is a hardware loss, not a data breach, because the data is unreadable without the decryption key. This distinction can mean the difference between a notification to HHS and a notification to every patient whose data was on that machine.
Access Controls
HIPAA requires that access to ePHI be limited to people who need it for their job. This is the “minimum necessary” standard. Your receptionist probably needs access to the scheduling system. They probably don’t need access to clinical notes. Your billing person needs access to insurance information. They probably don’t need access to treatment records.
On the IT side, access controls mean unique user accounts for every person (no shared logins), role-based permissions that limit what each account can see, automatic session timeouts that lock the screen after inactivity, and a process for disabling accounts immediately when someone leaves the organization. Multi-factor authentication on all accounts that access ePHI is not explicitly required by the current HIPAA Security Rule text, but it’s considered an expected safeguard by HHS enforcement and any auditor worth their billing rate will flag its absence.
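As an added example (not code from the article or from Mr. Fix IT Geeks), here is the kind of periodic account review that catches the gaps above: former employees still enabled, logins after a separation date, accounts without MFA, and dormant accounts. It assumes a CSV export from your directory or practice management system with the columns shown; the sample rows and the review date are constructed.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export (not real data): one row per account. A real
# export would come from Active Directory, Entra ID or the PM system.
SAMPLE_EXPORT = """username,enabled,mfa,last_login,separated_on
jsmith,true,true,2024-05-01,
mlopez,true,false,2024-03-12,2024-01-15
frontdesk,true,false,2024-05-02,
rjones,false,true,2023-11-30,2023-12-01
akim,true,true,2023-10-02,
"""

AS_OF = date(2024, 5, 3)          # constructed review date
DORMANT_AFTER = timedelta(days=90)

def parse_date(s):
    return date.fromisoformat(s) if s else None

def review_accounts(export_text, today):
    """Return (username, finding) pairs for the access-control gaps
    the audits described in the article keep turning up."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["username"]
        enabled = row["enabled"].lower() == "true"
        last_login = parse_date(row["last_login"])
        separated = parse_date(row["separated_on"])
        if not enabled:
            continue  # a disabled account is the desired end state
        if separated:
            findings.append((user, "former employee with active account"))
            if last_login and last_login > separated:
                findings.append((user, "login activity after separation date"))
        if row["mfa"].lower() != "true":
            findings.append((user, "MFA not enrolled on account with ePHI access"))
        if last_login is None or today - last_login > DORMANT_AFTER:
            findings.append((user, "dormant: no login in 90+ days"))
    return findings
```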
Audit Logs
HIPAA requires the ability to record and examine activity on systems that contain ePHI. In practice, this means your systems need to log who accessed what, when they accessed it, and what they did. If a patient files a complaint that their records were accessed inappropriately, you need to be able to pull up logs showing every access event for that record.
Audit logging is one of the most commonly missing controls at small businesses. Many small practice management systems have logging capabilities that are turned off by default. Nobody enables them. When an incident occurs, there’s no trail to investigate. Your IT provider should ensure logging is enabled on every system that stores or processes ePHI, the logs are stored securely and can’t be modified, and the logs are retained for at least six years (HIPAA’s documentation retention requirement).
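An added illustration, not the article's own tooling, of what "can't be modified" can look like in practice: each access event commits to the hash of the one before it, so editing or deleting a line breaks the chain, and the log can be pulled up per patient record. The event fields and sample entries are constructed; the latest hash would in practice be written somewhere the application itself cannot alter (a separate log server or write-once storage), since the chain only proves nothing changed after the last externally anchored entry.

```python
import hashlib
import json

GENESIS = "0" * 64

def _entry_hash(prev_hash, payload):
    # Canonical JSON so the same event always hashes the same way.
    data = prev_hash + json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(data.encode()).hexdigest()

def append_event(log, ts, user, record_id, action):
    """Append one access event; each entry commits to the entry before it."""
    prev = log[-1]["hash"] if log else GENESIS
    payload = {"ts": ts, "user": user, "record": record_id, "action": action}
    log.append({**payload, "prev": prev, "hash": _entry_hash(prev, payload)})
    return log

def verify_chain(log):
    """Return (True, None) if intact, else (False, index of first bad entry)."""
    prev = GENESIS
    for i, e in enumerate(log):
        payload = {k: e[k] for k in ("ts", "user", "record", "action")}
        if e["prev"] != prev or e["hash"] != _entry_hash(prev, payload):
            return False, i
        prev = e["hash"]
    return True, None

def accesses_for_record(log, record_id):
    """Every access event for one patient record, oldest first: this is
    what you need when a patient asks who looked at their chart."""
    return [(e["ts"], e["user"], e["action"]) for e in log if e["record"] == record_id]

def sample_log():
    # Constructed sample events (not real data).
    log = []
    append_event(log, "2024-05-01T09:02:00", "jsmith", "PT-1001", "view")
    append_event(log, "2024-05-01T09:05:30", "jsmith", "PT-1002", "view")
    append_event(log, "2024-05-01T11:40:12", "frontdesk", "PT-1001", "update")
    return log
```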
Integrity Controls
HIPAA requires mechanisms to protect ePHI from being altered or destroyed improperly. On the IT side, this means your backup system needs to produce reliable copies that can’t be tampered with, your systems need protection against malware that could modify or destroy data, and you need the ability to verify that ePHI hasn’t been altered outside of normal business processes.
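An added example (not the article's) of the verified restore this control calls for: a SHA-256 manifest recorded at backup time is compared against a test restore, flagging files that came back altered, never came back, or were not in the backup at all. File names and contents are constructed in temporary directories.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Relative path -> SHA-256 for every file under root. Store this
    with the backup and keep a copy somewhere the backup job can't write."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def verify_restore(manifest, restored_root):
    """Compare a test restore against the backup-time manifest."""
    current = build_manifest(restored_root)
    return {
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
        "ok": current == manifest,
    }

def write_files(root, files):
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(body)

def demo():
    """Constructed sample: back up three files, then check a restore in
    which one file was altered, one is missing and a stray file appeared."""
    original = {"charts/PT-1001.pdf": b"chart one", "charts/PT-1002.pdf": b"chart two",
                "billing/2024-04.csv": b"claim,amount\n"}
    restored = {"charts/PT-1001.pdf": b"chart one", "charts/PT-1002.pdf": b"chart TWO",
                "notes.txt": b"stray file"}
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        write_files(src, original)
        manifest = build_manifest(src)
        write_files(dst, restored)
        return verify_restore(manifest, dst)
```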
Transmission Security
When ePHI moves across a network, it needs to be protected. That means email encryption for messages containing patient information, HTTPS for web-based applications, VPN connections for remote access, and encrypted file transfer protocols for sharing data with business associates. Sending patient information in a plain-text email is a violation, and it happens constantly at small businesses that don’t have proper email security configured.
The Business Associate Agreement
A Business Associate Agreement, or BAA, is a contract between a covered entity and any vendor that handles ePHI on their behalf. If your IT provider has access to your systems and those systems contain ePHI, you need a BAA with that IT provider. This is not optional. It is a HIPAA requirement.
A BAA defines what the vendor is allowed to do with ePHI, how they must protect it, what happens in the event of a breach, and their obligation to comply with HIPAA’s Security Rule. If your IT provider manages your computers and those computers store patient records, and there’s no BAA in place, both you and the IT provider are in violation. During our audits, we found that roughly half of small healthcare practices either didn’t have a BAA with their IT provider or had one that was so outdated it didn’t reflect the current relationship. Getting a BAA in place is straightforward. Your IT provider should initiate this. If they haven’t, that tells you something about how seriously they take compliance.
What Your MSP Is Responsible For vs. What You Handle
HIPAA compliance is a shared responsibility between a business and its IT provider, and confusing who handles which part is one of the most common problems at small healthcare practices. Your IT provider should own the technical controls: enabling disk encryption on all devices that access patient data, configuring unique user accounts with role-based permissions, turning on audit logging for systems that process protected health information, managing encrypted backups with periodic verified restores, setting up email encryption for messages containing health data, applying security patches automatically, and deploying endpoint detection and response. The business owns the organizational side: conducting a formal risk assessment, writing HIPAA policies and procedures, training employees on requirements, designating a security officer, maintaining physical office security, executing Business Associate Agreements with every vendor who touches patient data, and retaining all compliance documentation for six years. No IT provider can make you fully HIPAA compliant with technology alone.
Your IT provider should handle:
- Enabling and managing disk encryption on all devices
- Configuring and monitoring access controls (unique accounts, role-based permissions)
- Enabling and maintaining audit logs on all systems that touch ePHI
- Setting up and verifying encrypted backups
- Configuring email encryption for messages containing ePHI
- Ensuring all remote access uses encrypted connections (VPN or equivalent)
- Applying security patches promptly to all systems
- Deploying and monitoring endpoint security (EDR)
- Running periodic vulnerability scans
- Providing documentation of all technical safeguards for your compliance records
- Signing a Business Associate Agreement with you
You are responsible for:
- Conducting a risk assessment (identifying where ePHI lives and what threats exist)
- Writing and maintaining HIPAA policies and procedures
- Training employees on HIPAA requirements and your specific policies
- Designating a HIPAA Security Officer (can be the practice owner)
- Managing physical security of your office (locked doors, restricted areas)
- Maintaining Business Associate Agreements with all vendors who touch ePHI
- Documenting your compliance efforts for the required six-year retention period
- Reporting breaches to HHS and affected individuals within required timeframes
Many small business owners assume their IT provider handles all of HIPAA. They don’t. And many IT providers are happy to let that assumption stand because correcting it means admitting the client has more work to do, which isn’t a fun conversation. A good IT provider will tell you exactly which parts they cover and which parts are yours. They’ll help you understand the gap.
Common Violations We Found During Audits
The most common HIPAA IT violations found during small business audits are surprisingly basic failures, not exotic security lapses. Laptops used by practitioners, office managers, and billing staff without full disk encryption enabled top the list. A lost or stolen unencrypted laptop containing any patient information triggers a reportable breach requiring notification to both HHS and every affected patient. Multiple employees sharing a single login account to access the practice management system makes audit logging completely useless because there is no way to determine which specific person accessed a patient record at a given time. Business Associate Agreements missing between covered entities and their IT providers, cloud storage vendors, or billing services constitute violations for both parties. Patient information sent via regular unencrypted email sits exposed on intermediate mail servers indefinitely. Audit logging turned off or never configured on electronic health record systems eliminates any evidence trail when access complaints arise.
Former employees with active accounts. People who left the practice months or years ago still had active login credentials. Their accounts had never been disabled. In one case, a former employee’s account showed login activity months after their departure because the credentials were shared with a family member who needed medical records access. That’s a breach.
Backup stored on local device with no offsite copy. The entire backup sitting on a USB drive plugged into the server. If the office floods, catches fire, or gets burglarized, the backup goes with it. And if ransomware hits, the USB drive gets encrypted along with the server.
What a HIPAA-Ready IT Setup Looks Like
For a small healthcare practice or business associate with 15 or fewer devices, a HIPAA-ready IT setup includes full disk encryption enabled on every device that accesses ePHI, unique user accounts with role-based access for every person, multi-factor authentication on all accounts, audit logging enabled on all systems that process ePHI with logs retained for six years, encrypted daily backups stored offsite with periodic verified restores, email encryption configured for any messages containing ePHI, endpoint detection and response on every workstation, automated patching for operating systems and third-party applications, a documented incident response procedure, and a signed Business Associate Agreement between you and your IT provider. None of this is exotic technology. It’s standard IT management with the dials turned to the right settings.
At Mr. Fix IT Geeks, our Professional and Complete tiers cover the technical side of this list. We handle encryption, access controls, patching, EDR, backup verification, and we sign a BAA with every healthcare client. We also provide documentation of all technical safeguards in your monthly report, which you’ll need for your HIPAA compliance files. We don’t claim to make you fully HIPAA compliant because the administrative and organizational requirements are yours. But we make sure the IT side is solid, and we give you the documentation to prove it.
Frequently Asked Questions
My business isn’t a medical practice. Do I still need HIPAA compliance?
If your business handles protected health information on behalf of a healthcare provider, you’re likely a business associate under HIPAA and yes, you need to comply. This includes IT companies, billing services, accounting firms, law firms, shredding companies, cloud storage providers, and anyone else who touches patient data. If you’re unsure, the test is simple: does individually identifiable health information pass through your systems? If yes, HIPAA applies.
What’s the penalty for a HIPAA violation?
Penalties range from $137 per violation for unknowing violations to over $2 million per violation category per year for willful neglect. The Office for Civil Rights at HHS has enforcement discretion and considers factors like the size of the organization, the severity of the violation, and whether the organization made good-faith efforts to comply. Small businesses aren’t exempt from enforcement. OCR has fined solo practitioners and small practices. Beyond fines, the reputational damage of a reported breach can cost a small practice patients and revenue for years.
Does my IT provider need to sign a Business Associate Agreement?
If your IT provider has access to systems that store or process ePHI, yes. This is required by HIPAA, not optional. The BAA defines their obligations for protecting the data they can access. If your provider refuses to sign a BAA or doesn’t know what one is, that’s a serious red flag. Find a provider who understands healthcare IT compliance.
Is cloud storage HIPAA-compliant?
Cloud storage can be HIPAA-compliant, but it’s not automatically so. The cloud provider needs to sign a BAA with you. The data needs to be encrypted in transit and at rest. Access controls need to be properly configured. Major providers like Microsoft (OneDrive, Azure), Google (Google Workspace with BAA), and Amazon (AWS) all offer HIPAA-eligible configurations, but the default settings are not sufficient. Your IT provider should configure the cloud storage to meet HIPAA requirements and document the configuration.
How often do I need a risk assessment?
HIPAA requires a risk assessment but doesn’t specify a frequency. The general standard is annually, or whenever there’s a significant change to your systems or operations. A risk assessment identifies where ePHI lives in your organization, what threats exist, what safeguards are in place, and where gaps remain. It’s the foundation of your compliance program. Many small businesses have never done one. If that’s you, start there. A risk assessment tells you exactly what needs to be fixed and gives you a prioritized list.