HIPAA Compliance - BrightWorks IT

HIPAA Compliance Services for Healthcare Organizations

Average Response Time: < 15 Min
Client Satisfaction: 98%
Offices Nationwide: 6
Support Available: 24/7/365

What Is HIPAA and Who Must Comply?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law enacted in 1996 that establishes national standards for protecting sensitive patient health information. HIPAA applies to covered entities — healthcare providers, health plans, and healthcare clearinghouses — as well as their business associates who handle protected health information (PHI) on their behalf.

HIPAA compliance is enforced by the U.S. Department of Health and Human Services Office for Civil Rights (OCR). The law comprises several rules that work together to safeguard PHI:

  • The Privacy Rule — Governs how PHI can be used, disclosed, and shared. Establishes patient rights including the right to access their records and request corrections.
  • The Security Rule — Requires administrative, physical, and technical safeguards specifically for electronic PHI (ePHI). This is where IT compliance requirements live.
  • The Breach Notification Rule — Requires notification to affected individuals, HHS, and sometimes the media when unsecured PHI is breached.
  • The Omnibus Rule — Extended HIPAA requirements directly to business associates, strengthened enforcement, and increased penalty amounts.

Who Must Be HIPAA Compliant?

Covered Entities

Hospitals, medical practices, dental offices, behavioral health providers, pharmacies, and any other healthcare provider that transmits health information electronically in connection with a HIPAA standard transaction (claims, eligibility checks, and the like), plus health plans and healthcare clearinghouses.

Business Associates

IT service providers, billing companies, cloud hosting providers, EHR vendors, shredding companies, attorneys, accountants, and any third party that creates, receives, maintains, or transmits PHI on behalf of a covered entity.

Subcontractors

Since the Omnibus Rule, subcontractors of business associates must also comply with HIPAA requirements and execute their own BAAs.

HIPAA Compliance Is Not Optional — and It's Getting Harder

The OCR is increasing enforcement, breach notification requirements are strict, and patients are more aware of their data rights than ever. Partial compliance is not compliance.

Fines Range from $100 per Violation to More Than $1.9 Million Per Violation Category Per Year

HIPAA civil penalties are structured in four tiers based on culpability, from violations the entity did not know about and could not reasonably have known about (a base of $100 to $50,000 per violation) to willful neglect that is not corrected (a base of $50,000 per violation). Each tier carries an annual cap for identical violations; the top-tier cap was set at $1.5 million by the HITECH Act and, after the yearly inflation adjustments HHS is required to apply, now exceeds $1.9 million. Every breach affecting 500 or more individuals is investigated by OCR and posted on the public HHS breach portal, commonly called the "Wall of Shame." IBM's Cost of a Data Breach report put the average cost of a healthcare breach at $10.93 million in 2023, the 13th consecutive year in which healthcare was the most expensive industry for breaches.

Business Associates Share Full Liability

If you're a business associate handling PHI on behalf of healthcare providers, HIPAA applies to you directly — not just through your contractual BAA. The OCR has pursued enforcement actions directly against business associates, including IT service providers, for security failures. Your covered entity clients increasingly require proof of compliance, signed BAAs, and documented security programs before renewing contracts.

Healthcare Is the #1 Target for Ransomware

In industry tallies for 2024 and 2025, healthcare ranked among the sectors hit hardest by ransomware. Patient data commands premium prices on criminal markets, and healthcare systems often run legacy software with known vulnerabilities. OCR's ransomware guidance treats an attack that encrypts ePHI as a presumed breach unless the four-factor risk assessment in 45 CFR §164.402(2) documents a low probability that the PHI was compromised, and few organizations hit by ransomware can make that showing.

Risk Assessments Are Required — Not Suggested

The HIPAA Security Rule requires a documented risk analysis under §164.308(a)(1)(ii)(A), together with risk management measures under §164.308(a)(1)(ii)(B). Yet the most common citation in OCR enforcement actions is failure to conduct a comprehensive, organization-wide risk analysis. If you cannot produce a current one during an investigation, you are already non-compliant, regardless of how strong your technical controls may be.

HIPAA Security Rule: Technical Safeguards Explained

The Security Rule's technical safeguards are the IT-specific requirements that protect ePHI. Here's what they require and how we implement them.

Access Controls (§164.312(a))

Every user who accesses systems containing ePHI must have a unique user ID, and an emergency access procedure must exist for situations requiring immediate access to ePHI; both are required specifications. Automatic logoff and encryption/decryption are addressable specifications under the same standard. Access rights must be limited to what each role actually needs, consistent with the access authorization procedures in §164.308(a)(4).

How we implement it: Role-based access control (RBAC) across Active Directory and cloud applications, multi-factor authentication on all ePHI systems (the Security Rule does not name MFA, but it is how we satisfy the person or entity authentication standard in §164.312(d)), automatic session timeouts, privileged access management, and documented emergency access procedures with audit trails.

Audit Controls (§164.312(b))

Organizations must implement hardware, software, and procedural mechanisms to record and examine activity in systems containing ePHI. Audit logs must capture who accessed what information, when, and what actions they performed.

How we implement it: Centralized log management with SIEM integration, automated alerting on suspicious access patterns, regular audit log reviews, and tamper-evident logging (write-once storage or hash-chained records) so that an intruder cannot quietly erase their tracks. We retain logs for six or more years; the Security Rule sets no explicit log retention period, so that figure mirrors the six-year documentation retention requirement in §164.316(b)(2).
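The "suspicious access patterns" an audit-log review looks for are concrete enough to show in code. The following is an added example written for this page, not BrightWorks IT's tooling: it parses a constructed EHR audit log and runs two detections, a volume rule (one user opening more than N distinct patient charts inside a short window, the classic snooping or bulk-export pattern) and an after-hours rule (a non-clinical role touching ePHI at night). The log format, the thresholds, the business hours and the role list are assumptions.

```python
"""Audit-log review for ePHI access: two detections run over a constructed sample.

The CSV format (timestamp,user,role,patient_id,action), the thresholds and the
role list are assumptions for this example, not a real EHR's audit schema.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample log, not real data.
SAMPLE_LOG = """\
2024-03-04T09:02:11,jdoe,nurse,P1001,view
2024-03-04T09:05:40,jdoe,nurse,P1002,view
2024-03-04T09:06:02,jdoe,nurse,P1003,view
2024-03-04T09:06:30,jdoe,nurse,P1004,view
2024-03-04T09:06:55,jdoe,nurse,P1005,view
2024-03-04T09:07:20,jdoe,nurse,P1006,view
2024-03-04T09:07:48,jdoe,nurse,P1007,view
2024-03-04T09:08:05,jdoe,nurse,P1008,view
2024-03-04T09:08:31,jdoe,nurse,P1009,view
2024-03-04T09:08:59,jdoe,nurse,P1010,view
2024-03-04T09:09:21,jdoe,nurse,P1011,view
2024-03-04T10:15:00,asmith,physician,P2001,view
2024-03-04T10:20:00,asmith,physician,P2001,update
2024-03-04T23:41:12,bclerk,billing,P3007,export
2024-03-05T02:03:44,bclerk,billing,P3008,export
"""

MAX_DISTINCT_PATIENTS = 10                 # assumed threshold per user per window
WINDOW = timedelta(minutes=10)             # assumed sliding window
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed
NON_CLINICAL_ROLES = {"billing", "admin"}   # roles with no patient-care reason to work nights


def parse_log(text):
    """Parse CSV lines into event dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, patient, action = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return sorted(events, key=lambda e: e["ts"])


def detect_volume(events, limit=MAX_DISTINCT_PATIENTS, window=WINDOW):
    """Flag a user once if any sliding window holds more than `limit` distinct patients."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)        # input is time-ordered, so each list is too
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1                  # slide the window forward
            distinct = {e["patient"] for e in evs[start:end + 1]}
            if len(distinct) > limit:
                alerts.append({"rule": "volume", "user": user,
                               "detail": f"{len(distinct)} distinct patients between "
                                         f"{evs[start]['ts'].time()} and {evs[end]['ts'].time()}"})
                break                       # one alert per user is enough for triage
    return alerts


def detect_after_hours(events, hours=BUSINESS_HOURS, roles=NON_CLINICAL_ROLES):
    """Flag every ePHI touch by a non-clinical role outside business hours."""
    return [{"rule": "after_hours", "user": e["user"],
             "detail": f"{e['role']} {e['action']} {e['patient']} at {e['ts'].isoformat()}"}
            for e in events
            if e["role"] in roles and not (hours[0] <= e["ts"].time() < hours[1])]


def run_detection(text):
    """Run both rules over a raw log and return the combined alert list."""
    events = parse_log(text)
    return detect_volume(events) + detect_after_hours(events)


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_LOG):
        print(alert["rule"], alert["user"], alert["detail"])
```

On the sample, the nurse trips the volume rule (11 charts in about seven minutes) and the billing clerk trips the after-hours rule twice; the physician's two events on one chart are normal. Real deployments tune the threshold per role, since an emergency-department physician legitimately opens far more charts per hour than a billing clerk.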

Integrity Controls (§164.312(c))

Policies and procedures must protect ePHI from improper alteration or destruction. Electronic mechanisms must confirm that ePHI has not been altered or destroyed in an unauthorized manner.

How we implement it: File integrity monitoring (FIM), database checksums, backup verification with integrity checks, version control on clinical documents, and data loss prevention (DLP) policies that prevent unauthorized modification of ePHI.
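To make the file integrity monitoring point concrete, here is an added example (not BrightWorks IT's tooling) that baselines a directory of clinical documents with SHA-256, reports added, removed and modified files on the next scan, and protects the stored baseline with an HMAC so an intruder who alters a record cannot simply rewrite the matching hash. The sample files, the directory layout and the demo key are constructed for the example; in production the key lives in a secret store, not in the script.

```python
"""File-integrity monitoring for a directory of clinical documents.

The sample records, the layout and the demo key are constructed for this example.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, streamed so large scans or images never load fully into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Map each file's relative path (forward slashes) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_baseline(baseline, key):
    """Wrap the baseline with an HMAC-SHA256 tag over its canonical JSON form."""
    payload = json.dumps(baseline, sort_keys=True).encode()
    return {"baseline": baseline,
            "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def baseline_is_authentic(signed, key):
    """True only if the stored baseline still matches its HMAC tag."""
    payload = json.dumps(signed["baseline"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["mac"])


def diff_baseline(old, new):
    """Classify every difference between two baselines."""
    return {"added": sorted(set(new) - set(old)),
            "removed": sorted(set(old) - set(new)),
            "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p])}


def demo():
    """Build a baseline, alter a record, add a file, then tamper with the baseline itself."""
    key = b"constructed-demo-key"           # assumption: real key comes from a secret store
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes").mkdir()
        (root / "notes" / "P1001.txt").write_text("BP 120/80, no known allergies\n")
        (root / "notes" / "P1002.txt").write_text("Metformin 500 mg BID\n")
        signed = sign_baseline(build_baseline(root), key)

        # Unauthorized changes: a dose is altered and an unexpected file appears.
        (root / "notes" / "P1002.txt").write_text("Metformin 5000 mg BID\n")
        (root / "notes" / "P1003.txt").write_text("unexpected new record\n")
        assert baseline_is_authentic(signed, key)
        changes = diff_baseline(signed["baseline"], build_baseline(root))

        # The intruder rewrites the stored hash for the altered file; the HMAC catches it.
        tampered = {"baseline": dict(signed["baseline"]), "mac": signed["mac"]}
        tampered["baseline"]["notes/P1002.txt"] = hash_file(root / "notes" / "P1002.txt")
        return changes, baseline_is_authentic(tampered, key)


if __name__ == "__main__":
    changes, tampered_accepted = demo()
    print(changes)
    print("tampered baseline accepted:", tampered_accepted)
```

The scan itself is cheap; the part practitioners get wrong is where the baseline lives. If it sits on the same host with the same permissions as the monitored data, the attacker who changes a chart can update the hash too, which is why the example signs it and why production FIM ships baselines to a separate log or SIEM.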

Transmission Security (§164.312(e))

Technical security measures must guard against unauthorized access to ePHI being transmitted over electronic networks. This applies to email, file transfers, remote access, API connections, and any other electronic transmission of PHI.

How we implement it: TLS 1.2+ encryption on all data in transit, encrypted email (Microsoft 365 message encryption or third-party solutions), VPN tunnels for remote access to clinical systems, encrypted SFTP for file transfers, and network segmentation to isolate ePHI traffic.

Encryption at Rest

Encryption of ePHI at rest (§164.312(a)(2)(iv)) is an "addressable" specification under the Security Rule, which does not mean optional: under §164.306(d), an organization that decides encryption is not reasonable and appropriate must document why and implement an equivalent alternative measure. In modern IT environments there is no defensible reason not to encrypt. Encryption also has a second benefit: PHI encrypted in line with HHS guidance counts as "secured," so a lost or stolen encrypted device does not trigger the Breach Notification Rule at all.

How we implement it: BitLocker on all Windows endpoints, FileVault on Macs, AES-256 encryption on servers and NAS devices, encrypted cloud storage (SharePoint/OneDrive with Microsoft 365 encryption), and encrypted backup repositories.

HIPAA Risk Assessment: Our Process

The risk assessment is the foundation of HIPAA compliance. OCR has made clear that you cannot adequately protect ePHI without first understanding the risks to it. Here is how we conduct risk assessments.

1. Scope and Inventory

We identify every system, application, and device that creates, receives, maintains, or transmits ePHI. This includes EHR systems, email, fax servers, mobile devices, cloud applications, medical devices, and paper processes that feed into electronic systems.

2. Threat and Vulnerability Identification

We identify reasonably anticipated threats and vulnerabilities for each ePHI asset — including external threats (hackers, ransomware, natural disasters), internal threats (unauthorized employee access, human error), and technical vulnerabilities (unpatched software, weak configurations).

3. Current Controls Assessment

We evaluate existing safeguards — technical controls, administrative policies, and physical protections — and assess their effectiveness at mitigating identified threats. This includes reviewing configurations, testing controls, and interviewing staff.

4. Risk Rating and Prioritization

Each risk is rated based on likelihood and impact. We use a standardized methodology consistent with NIST SP 800-30 to produce risk scores that determine remediation priority. Critical and high risks get immediate attention; medium and low risks are tracked and addressed on a defined schedule.

5. Remediation Plan

We create a detailed, prioritized remediation plan with specific action items, responsible parties, timelines, and resource requirements. This plan becomes your roadmap to compliance and serves as evidence of your good-faith effort to address identified risks.

6. Documentation and Risk Register

The complete risk assessment is documented in a formal report and maintained in a risk register that tracks each identified risk, its current status, and remediation progress. This documentation is what OCR asks for during an investigation — and what we'll have ready for them.
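Steps 4 through 6 above (rating, prioritization, and the register) can be expressed as a small program, which is a useful way to see how a likelihood rating and an impact rating turn into a remediation priority. The following is an added example, not BrightWorks IT's assessment tooling: it rates constructed findings on the five-level qualitative scale NIST SP 800-30 Rev. 1 uses, combines them with a table modeled on that publication's Table I-2, and emits a register sorted by severity with due dates. The findings, their ratings and the SLA figures are assumptions.

```python
"""Qualitative risk rating and register generation in the style of NIST SP 800-30 Rev. 1.

The combination table is modeled on the publication's Table I-2. The findings,
the ratings given to them and the remediation SLAs are assumptions for this example.
"""
from datetime import date, timedelta

LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Rows are likelihood; columns are impact, in LEVELS order.
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}

# Assumed remediation SLA in days per risk level; None means tracked with no fixed deadline.
SLA_DAYS = {"Very High": 30, "High": 30, "Moderate": 90, "Low": 365, "Very Low": None}

# Constructed findings, not from any real assessment.
SAMPLE_FINDINGS = [
    {"asset": "EHR database server", "threat": "ransomware via unpatched remote code execution",
     "likelihood": "High", "impact": "Very High"},
    {"asset": "Front-desk laptop", "threat": "theft of unencrypted device holding ePHI exports",
     "likelihood": "Moderate", "impact": "High"},
    {"asset": "Nurse station workstation", "threat": "shared login defeats user accountability",
     "likelihood": "High", "impact": "Moderate"},
    {"asset": "Offsite backup set", "threat": "restore never tested; recovery may fail",
     "likelihood": "Low", "impact": "Very High"},
    {"asset": "Legacy fax server", "threat": "default admin password on management port",
     "likelihood": "Low", "impact": "Moderate"},
]
ASSESSED_ON = date(2024, 3, 4)   # assumed assessment date


def rate_risk(likelihood, impact):
    """Combine a likelihood rating and an impact rating into a risk level."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


def build_register(findings, assessed_on):
    """Rate each finding, assign due dates and IDs, and order the register by severity."""
    register = []
    for finding in findings:
        level = rate_risk(finding["likelihood"], finding["impact"])
        sla = SLA_DAYS[level]
        register.append({**finding, "risk": level, "status": "open",
                         "due": assessed_on + timedelta(days=sla) if sla else None})
    # Highest risk first; ties broken by impact so worst-case outcomes lead the list.
    register.sort(key=lambda r: (LEVELS.index(r["risk"]), LEVELS.index(r["impact"])),
                  reverse=True)
    for n, row in enumerate(register, start=1):
        row["id"] = f"R-{n:03d}"
    return register


def demo_register():
    """Build the register for the constructed findings."""
    return build_register(SAMPLE_FINDINGS, ASSESSED_ON)


if __name__ == "__main__":
    for row in demo_register():
        print(f"{row['id']}  {row['risk']:<9}  due {row['due']}  {row['asset']}: {row['threat']}")
```

Two things the output makes visible that a prose description does not: a low-likelihood finding with catastrophic impact (the untested backups) outranks a high-likelihood finding with moderate impact (the shared login), and the register carries a due date and status per row, which is exactly what an OCR investigator asks to see evidence of being worked.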

Business Associate Agreement Management

HIPAA requires covered entities to execute Business Associate Agreements (BAAs) with every business associate, meaning every vendor that creates, receives, maintains, or transmits PHI on their behalf (mere conduits such as the postal service and internet carriers are excepted). Many organizations have dozens of business associates, from their IT provider to their shredding company, and managing these agreements is a compliance requirement that's often neglected.

We help you identify all business associate relationships, ensure BAAs are executed and current, and verify that your business associates are maintaining their own compliance programs. Key elements we track include:

  • Complete inventory of all business associate relationships
  • BAA execution status and renewal dates
  • Required provisions per the HIPAA Omnibus Rule
  • Subcontractor BAA chain verification
  • Annual review and compliance attestation requests

Breach Notification Requirements

When a breach of unsecured PHI occurs, HIPAA imposes strict notification requirements with specific timelines. Failure to comply with breach notification rules results in additional penalties on top of the underlying security violations.

Individual Notice — 60 Days

Written notification to each affected individual without unreasonable delay and no later than 60 calendar days after discovery of the breach. The notice must describe what happened, the types of PHI involved, steps individuals should take to protect themselves, what you are doing to investigate, mitigate, and prevent recurrence, and contact information.

HHS Notification

Breaches affecting 500 or more individuals must be reported to HHS without unreasonable delay and within 60 days of discovery via the OCR breach reporting portal. Breaches affecting fewer than 500 individuals must be logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.

Media Notice

If a breach affects more than 500 residents of a single state or jurisdiction, you must also notify prominent media outlets serving that area, without unreasonable delay and within 60 days of discovery.

OCR Enforcement Trends You Need to Know

The Office for Civil Rights has significantly increased HIPAA enforcement activity. Understanding these trends helps you prioritize your compliance efforts.

Right of Access Initiative

OCR has pursued dozens of enforcement actions under its Right of Access Initiative against organizations that failed to provide patients with timely copies of their records. Settlements for access violations alone have ranged from a few thousand dollars to $240,000.

Risk Assessment Failures

The absence of a comprehensive risk assessment appears in nearly every major HIPAA settlement. OCR views risk assessments as the foundational requirement — without one, you cannot claim to have a reasonable compliance program.

Small Practice Enforcement

OCR has made clear that small practices are not exempt from enforcement. Solo practitioners and small group practices have received six-figure fines. Size is not a mitigating factor when safeguards are absent.

State AG Enforcement

State attorneys general have had authority to enforce HIPAA since the HITECH Act of 2009, and several have pursued actions independently of OCR. This creates a second enforcement channel that organizations must consider, especially for multi-state operations.

Our HIPAA Compliance Services

We address every pillar of HIPAA — the Security Rule, Privacy Rule, and Breach Notification Rule — with technical controls, policies, training, and ongoing monitoring.

HIPAA Risk Assessments

Comprehensive assessment of administrative, technical, and physical safeguards against the full HIPAA Security Rule. We identify gaps, document findings, and create a prioritized remediation plan that satisfies OCR requirements and follows NIST SP 800-30 methodology.

Technical Safeguards

Encryption, access controls, audit logging, MFA, network segmentation, and data loss prevention configured across your entire environment. Every technical safeguard maps directly to specific HIPAA Security Rule requirements.

Policy & Procedure Development

Complete HIPAA policy library — including access management, incident response, workforce training, data retention, breach notification, sanctions, and media communication procedures. Written for your organization, not generic templates.

Workforce Training

Annual HIPAA awareness training for all workforce members, plus role-specific training for staff who handle PHI directly. Simulated phishing campaigns, completion tracking, and certificates for your compliance records.

Ongoing Compliance Monitoring

Continuous monitoring of technical controls, access logs, and security events. We ensure your safeguards remain effective between risk assessments and alert you immediately to any compliance drift.

Breach Response Support

If a breach occurs, we handle the technical investigation, scope the impact, and support the full breach notification process — including OCR reporting, individual notifications, state AG notifications, and media notice when required.

A Complete HIPAA Compliance Program

HIPAA compliance is not a one-time project — it is an ongoing program that requires continuous attention to technical controls, policy updates, workforce training, and documentation. We provide everything you need to maintain compliance year after year.

Our comprehensive program covers all three HIPAA rules and addresses both the required and addressable specifications of the Security Rule. Whether you're a small medical practice or a multi-location healthcare organization, we scale our services to match your needs.

Annual HIPAA Security Risk Assessment with documented findings
Prioritized remediation plan with timeline and resource requirements
Complete HIPAA policy and procedure library (40+ policies)
AES-256 encryption on all devices, storage, and email containing PHI
Role-based access controls with audit logging on all ePHI systems
Multi-factor authentication on all systems accessing ePHI
Annual workforce HIPAA training with completion tracking
Quarterly simulated phishing campaigns
Business Associate Agreement inventory and management
Incident response and breach notification procedures
Continuous technical safeguard monitoring via SIEM
Complete documentation package ready for OCR investigation
Annual reassessment and policy review
Audit support — we work directly with your auditor or OCR investigator

Why BrightWorks IT for HIPAA Compliance

Healthcare Is Our Largest Vertical

We manage IT and compliance for medical practices, dental offices, behavioral health providers, ambulatory surgery centers, and healthcare business associates across multiple states. We understand EHR workflows, HL7/FHIR interfaces, and the specific technical requirements of healthcare IT environments.

100% Audit Pass Rate for Healthcare Clients

Every BrightWorks IT healthcare client who has faced an OCR investigation or third-party HIPAA audit has passed with our documentation and controls in place. We build compliance programs that hold up under real scrutiny — not just on paper.

Technology + Compliance Under One Roof

Unlike compliance-only consultants who write policies but don't implement technology, we do both. There's no gap between what the policy says and what the technology does — because we own both sides. This eliminates the coordination failures that lead to compliance gaps.

Ready to Make IT Your Competitive Advantage?

Schedule a free, no-obligation IT assessment with our team. We'll show you exactly where your technology stands — and where it should be.