Sequentur Blog
HIPAA Cybersecurity Requirements: What Small Healthcare Businesses Must Do
If your business touches patient health information, you are subject to HIPAA whether you are a hospital with thousands of employees or a three-person physical therapy practice. The law does not scale its requirements based on how small you are. It scales them based on how much risk you carry, and a small healthcare business that stores patient records on an unencrypted laptop carries more risk than most people realize. Here is what HIPAA actually requires from a cybersecurity perspective, explained without the legalese that makes most compliance guides useless for business owners.
Who HIPAA Applies To
HIPAA applies to two categories of organizations: covered entities and business associates.
Covered entities are healthcare providers who transmit health information electronically (which is essentially all of them today), health plans, and healthcare clearinghouses. If you are a medical practice, dental office, mental health provider, physical therapy clinic, pharmacy, optometrist, chiropractor, or any other provider that bills electronically or stores patient records digitally, you are a covered entity.
Business associates are organizations that handle protected health information (PHI) on behalf of a covered entity. This includes IT providers, billing companies, cloud storage providers, EHR vendors, shredding services, accountants who access patient billing data, and attorneys who handle cases involving patient information. If your company processes, stores, or transmits PHI for a healthcare client, you are a business associate and HIPAA applies to you directly.
The distinction matters because business associates are independently liable for HIPAA compliance. A small IT company that manages a medical practice’s network and suffers a breach can be fined directly by the Office for Civil Rights (OCR), not just through the covered entity. Many small businesses do not realize they are business associates until something goes wrong.
The HIPAA Security Rule: What It Actually Requires
The HIPAA Security Rule is the section that defines cybersecurity requirements. It applies specifically to electronic protected health information (ePHI), which is any patient health information stored or transmitted electronically. The Security Rule is organized into three categories of safeguards: administrative, physical, and technical.
Administrative Safeguards
Administrative safeguards are the policies, procedures, and management processes that govern how your organization handles ePHI. They are the largest category and the one most small healthcare businesses neglect because they feel like paperwork rather than security.
Risk assessment is the foundation of everything. HIPAA requires that you conduct a thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI in your environment. This is not optional and it is not a one-time exercise. OCR expects regular risk assessments, and failing to have a current one is the single most common finding in HIPAA enforcement actions. A risk assessment documents what ePHI you have, where it is stored, how it flows through your organization, what threats exist, and what controls are in place to mitigate those threats.
Risk management follows the assessment. Once you know what your risks are, you need a plan to address them. This means implementing security measures to reduce risks to a reasonable and appropriate level. “Reasonable and appropriate” is HIPAA’s way of acknowledging that a two-person dental office does not need the same controls as a hospital system, but it does need controls that match its specific risk profile.
Workforce training requires that all employees who handle ePHI receive security awareness training. This includes training on your security policies, how to identify phishing and social engineering, proper handling of patient information, and what to do if they suspect a breach. Training must be documented and provided to new employees as part of onboarding.
Assigned security responsibility means someone in your organization must be designated as responsible for HIPAA security. In a small practice, this is often the office manager or the physician owner. The person does not need to be a security expert, but they need to be accountable for ensuring that security policies exist and are followed.
Contingency planning requires that you have plans for responding to emergencies that could affect ePHI. This includes a data backup plan, a disaster recovery plan, and an emergency mode operation plan. At minimum, your backup strategy should follow the 3-2-1 backup rule – three copies, two media types, one offsite – to ensure patient data survives any single point of failure. If your EHR system goes down, how do you continue providing care? If ransomware encrypts your patient records, how do you recover? These questions need documented answers in a disaster recovery plan before the emergency happens.
Physical Safeguards
Physical safeguards control physical access to the systems and facilities where ePHI is stored.
Facility access controls mean that only authorized individuals can access areas where ePHI is stored or processed. For a small practice, this could be as simple as keeping server rooms locked, ensuring that workstations displaying patient information are not visible to patients in the waiting area, and having a visitor policy for areas where ePHI is accessible.
Workstation security requires that workstations used to access ePHI are physically protected from unauthorized access. Screens should lock automatically after a short period of inactivity. Workstations in shared areas should be positioned so that screens are not visible to unauthorized individuals. Portable devices like laptops and tablets that contain ePHI need encryption and physical security controls.
Device and media controls address what happens to hardware and electronic media that contain ePHI when they are moved, reused, or disposed of. You cannot throw an old computer in the dumpster if its hard drive contains patient records. Drives must be securely wiped or destroyed, and the disposal must be documented.
Technical Safeguards
Technical safeguards are the technology controls that protect ePHI in your systems.
Access controls require that only authorized users can access ePHI, and only the minimum necessary for their role. This means unique user IDs for every employee (no shared logins), role-based access so that the front desk cannot see clinical notes they do not need, and procedures for granting and revoking access when employees join or leave.
Audit controls require that you implement mechanisms to record and examine activity in systems that contain ePHI. This means logging who accessed what patient records, when, and from where. If a breach occurs, you need to be able to trace exactly what happened. Most EHR systems have built-in audit logging, but it needs to be enabled, reviewed, and retained.
Integrity controls require mechanisms to ensure that ePHI is not improperly altered or destroyed. This includes protections against both malicious modification (an attacker changing records) and accidental modification (a software bug corrupting data).
Transmission security requires that ePHI transmitted over electronic networks is protected from unauthorized access. In practical terms, this means encryption. Email containing patient information should be encrypted. Data transmitted between systems should use TLS or equivalent encryption. Remote access to systems containing ePHI should go through an encrypted VPN or similarly secured connection.
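The access and audit controls described above are only useful if someone actually reviews the logs. As an added example (not code from the original post or from Sequentur), this small reviewer walks a constructed sample of EHR access audit lines and flags the three things the section calls out: shared logins that cannot be attributed to one person, access beyond the minimum necessary for a role, and after-hours access from outside the office network that deserves a second look. The log line format, the role names, the record types and the network range are all assumptions.

```python
"""Review EHR access audit lines for the HIPAA technical safeguard gaps
described above. Added example; log format and roles are assumptions."""
from dataclasses import dataclass
from datetime import datetime

# Assumed line format: "timestamp|user|role|patient_id|record_type|source_ip".
# Constructed sample, not real patient data.
SAMPLE_LOG = """\
2024-03-04T09:12:00|jsmith|front_desk|P1001|demographics|10.0.0.21
2024-03-04T09:15:30|frontdesk|front_desk|P1002|clinical_notes|10.0.0.21
2024-03-04T10:02:11|drlee|clinician|P1001|clinical_notes|10.0.0.45
2024-03-04T23:41:07|drlee|clinician|P1003|clinical_notes|203.0.113.9
"""

# Minimum-necessary map: record types each role may open (assumed roles).
ROLE_ALLOWED = {
    "front_desk": {"demographics", "scheduling", "billing"},
    "clinician": {"demographics", "scheduling", "clinical_notes"},
    "billing": {"demographics", "billing"},
}
# Generic account names that cannot be tied to one person.
SHARED_ACCOUNT_NAMES = {"frontdesk", "nurse1", "reception", "admin"}
INTERNAL_PREFIX = "10.0."       # assumed office network range
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time, assumed

@dataclass
class Finding:
    line_no: int
    user: str
    reason: str

def review_audit_log(text: str) -> list[Finding]:
    """Return one Finding per gap; an empty list means nothing to escalate."""
    findings: list[Finding] = []
    for n, line in enumerate(text.strip().splitlines(), start=1):
        ts, user, role, patient, record, ip = line.split("|")
        when = datetime.fromisoformat(ts)
        if user.lower() in SHARED_ACCOUNT_NAMES:
            findings.append(Finding(n, user, "shared login: access not attributable"))
        if record not in ROLE_ALLOWED.get(role, set()):
            findings.append(Finding(n, user, f"{role} opened {record} for {patient}: exceeds minimum necessary"))
        if when.hour not in BUSINESS_HOURS and not ip.startswith(INTERNAL_PREFIX):
            findings.append(Finding(n, user, f"after-hours access from external {ip}: review"))
    return findings

if __name__ == "__main__":
    for f in review_audit_log(SAMPLE_LOG):
        print(f"line {f.line_no} ({f.user}): {f.reason}")
```

Against the sample, line 2 produces two findings (a shared account opening clinical notes the front desk role has no need for) and line 4 one (a clinician reading notes at 23:41 from an external address), which is exactly the kind of trace the audit control is meant to support.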
Required vs Addressable: What That Actually Means
HIPAA specifications are labeled either “required” or “addressable.” This terminology causes more confusion than almost anything else in HIPAA compliance. Addressable does not mean optional.
A required specification must be implemented. Period. There is no alternative.
An addressable specification must be assessed in the context of your organization’s risk analysis. If the specification is reasonable and appropriate for your environment, you implement it. If you determine that it is not reasonable and appropriate, you must document why and implement an equivalent alternative measure that achieves the same protection. If there is no reasonable alternative, you must document why and accept the risk. The key point is that you cannot simply skip addressable specifications. You must evaluate them, make a documented decision, and either implement them, implement an alternative, or formally accept the risk with documentation.
Encryption is the most commonly misunderstood addressable specification. Many small healthcare businesses assume that because encryption is “addressable,” they do not need to encrypt their systems. That interpretation has led to some of the most expensive HIPAA settlements on record. If you store ePHI on laptops, portable drives, or any device that could be lost or stolen, there is no reasonable argument for not encrypting it. The cost of encryption is minimal. The cost of a breach involving unencrypted devices is not.
What a Breach Means Under HIPAA
A breach under HIPAA is any unauthorized acquisition, access, use, or disclosure of PHI that compromises its security or privacy. HIPAA presumes that any unauthorized access to PHI is a breach unless the covered entity can demonstrate a low probability that the information was actually compromised.
The notification requirements are specific and non-negotiable. If a breach affects 500 or more individuals, you must notify the affected individuals within 60 days, notify the Secretary of Health and Human Services (HHS) within 60 days, and notify prominent media outlets serving the state or jurisdiction. Breaches affecting 500 or more individuals are posted on the OCR “Wall of Shame,” a public database that anyone can search.
For breaches affecting fewer than 500 individuals, you must still notify the affected individuals within 60 days and report to HHS, though the HHS notification can be submitted annually rather than immediately.
The financial cost of a breach for a healthcare organization includes all of the standard costs (forensics, legal fees, notification, downtime) but adds HIPAA-specific penalties on top. OCR penalties range from $100 to $50,000 per violated record depending on the level of negligence, with annual maximums reaching $1.5 million per violation category. For a small practice that loses a laptop containing 2,000 patient records, the penalty exposure alone can be hundreds of thousands of dollars before you add investigation and notification costs.
State attorneys general can also bring HIPAA enforcement actions, and several have done so. Some states have their own health privacy laws with additional requirements and penalties that stack on top of HIPAA.
Common Compliance Gaps in Small Healthcare Businesses
After years of OCR enforcement actions, the most common gaps are well documented:
No current risk assessment. This is finding number one in almost every OCR investigation. If you do not have a documented risk assessment that was completed or updated within the last year, you are out of compliance. Free tools like the HHS Security Risk Assessment Tool can help smaller organizations get started.
No encryption on portable devices. Laptops, USB drives, and tablets that contain ePHI must be encrypted. Full disk encryption is built into Windows (BitLocker) and macOS (FileVault) at no additional cost. There is no justifiable reason for a portable device containing patient data to be unencrypted.
No business associate agreements (BAAs). Every business associate that handles your ePHI must have a signed BAA before they access any patient data. This includes your IT provider, your cloud storage provider, your EHR vendor, and anyone else who touches ePHI. Without a BAA, you are out of compliance regardless of how good their security is.
Shared login credentials. Every user who accesses systems containing ePHI needs a unique login. Shared credentials like “frontdesk” or “nurse1” make it impossible to track who accessed what, which violates both access control and audit requirements.
No documented policies. HIPAA requires written policies and procedures. If your security practices exist only in people’s heads, they do not exist for compliance purposes. Policies do not need to be elaborate. They need to be written, accessible to staff, and reviewed regularly. Our guide on building a cybersecurity policy covers what to include and how to keep it practical. A small but growing compliance gap in healthcare: staff using consumer AI tools (ChatGPT, Gemini, Copilot consumer) on ePHI without a BAA in place – this is an immediate HIPAA violation. The companion AI acceptable use policy is the artifact that names approved AI tools for PHI handling and locks out the consumer alternatives; the “What data are you feeding into AI tools” breakdown lists which AI vendors and which tiers currently offer BAAs; and the dedicated “AI and HIPAA: what healthcare businesses need to know” article walks through clinical vs administrative AI use cases and how to document AI use for a HIPAA audit.
No contingency or incident response plan. If you cannot describe, in writing, what your organization would do if patient data were compromised tomorrow, you have a compliance gap. The plan does not need to be perfect. It needs to exist and be tested.
How a Managed Security Provider Helps with HIPAA
HIPAA compliance is not a one-time project. It is an ongoing obligation that requires continuous monitoring, regular assessments, workforce training, and documented evidence that controls are in place and working. For a small healthcare business with limited IT resources, maintaining this on your own is difficult.
A managed security provider that understands HIPAA can handle the technical controls, including encryption management, access control configuration, audit logging, backup and recovery architecture, and continuous monitoring, while also providing the documentation that proves those controls are active. When OCR comes calling, having a managed provider with detailed logs and reports is significantly better than trying to reconstruct what your security looked like from memory. (For the broader decision of whether to pick a vertical healthcare MSP or a strong generalist with HIPAA practice, see the specialization comparison.)
Sequentur works with small healthcare businesses to implement and maintain the technical safeguards HIPAA requires, integrated with broader security monitoring and incident response. If you are a covered entity or business associate and you are not sure whether your current setup meets HIPAA requirements, we can walk through your environment and identify the gaps. Reach out through our contact page to start that conversation.