TL;DR: Healthcare practices face record-breaking breach activity and a proposed HIPAA Security Rule update that eliminates flexible “addressable” safeguards. Encryption, MFA, and documented risk assessments are becoming non-negotiable. This post breaks down what HIPAA-compliant IT actually requires, where most practices fall short, what the 2026 rule changes mean for your security posture, and how a healthcare-focused managed IT partner can close the gap before an audit or breach finds it first.
HIPAA-compliant IT means your technology, vendors, and processes meet the administrative, physical, and technical safeguards required to protect electronic protected health information (ePHI). For healthcare practices, that includes encryption, access controls, risk assessments, business associate agreements, and documented incident response.
What Does HIPAA-Compliant IT Actually Mean?
HIPAA-compliant IT is the combination of physical systems, networks, cloud services, and security controls designed to protect ePHI in accordance with the HIPAA Security Rule. It requires administrative, physical, and technical safeguards working together, not a single product or certification badge.
That definition sounds clean on paper. In practice, it’s where most healthcare practices start running into problems.
Here’s what I see over and over again after 20 years of supporting medical offices. A practice manager points to their EHR system and says, “We’re compliant. Our software vendor told us so.” But your EHR vendor is responsible for the compliance capabilities of their platform. They’re not responsible for how your staff accesses it, whether your Wi-Fi is segmented, whether your front desk is using a shared login, or whether you’ve documented a single risk assessment in the last 3 years.
HIPAA compliance isn’t something your software does for you. It’s something your entire IT environment has to support, from the firewall on your network to the permissions on your billing system to the BAA you may or may not have signed with your cloud backup provider.
The HIPAA Security Rule breaks this into 3 categories. Administrative safeguards cover your policies, procedures, workforce training, and risk management processes. Physical safeguards govern facility access, workstation security, and device controls. Technical safeguards include encryption, access controls, audit logging, and transmission security. All 3 have to be addressed. Most practices we assess have gaps in at least 2 of them. If you want a plain-language starting point, our HIPAA compliance checklist walks through what each category asks of a small practice.
Why Healthcare Practices Are the #1 Target for Cyberattacks

Healthcare isn’t just a frequent target. It’s the most expensive industry to breach, and it has held that position for 14 consecutive years.
In 2025, 772 large healthcare data breaches were reported to the HHS Office for Civil Rights, affecting more than 139 million individuals, making it the worst year on record. The average cost of a single breach reached $7.42 million, according to the IBM Cost of a Data Breach Report 2025. And the average time to identify and contain a breach stretched to 279 days. That’s more than 9 months of exposure before the damage is even understood.
What makes healthcare so attractive to attackers? Medical records contain names, Social Security numbers, insurance details, billing data, and clinical information. Unlike a stolen credit card number that can be cancelled and reissued, a medical record never expires. That permanence makes it far more valuable on dark markets than financial data.
And the assumption that only large health systems get targeted is dangerously wrong. Small and mid-size healthcare organizations account for a large share of the incidents posted to the HHS OCR breach portal each year. Private practices, outpatient clinics, dental groups, and long-term care facilities are hit precisely because attackers know their defenses are thinner.
What Happens After a Breach at a Small Practice
The financial hit from a breach goes far beyond the ransom demand or the cost of forensic investigation. OCR opens an investigation for every breach affecting 500 or more individuals. If they find compliance deficiencies during that investigation, and they almost always do, your practice faces a corrective action plan that can include years of external monitoring, mandatory documentation overhauls, and financial penalties.
Risk analysis failures sit at the center of that enforcement. In December 2024, OCR imposed a $1.19 million civil monetary penalty on Gulf Coast Pain Consultants for Security Rule violations that included the failure to conduct an accurate and thorough risk analysis. The pattern has only intensified. In April 2026, OCR announced 4 ransomware settlements totaling $1,165,000, and every one of them cited a risk analysis failure.
Beyond the regulatory consequences, patient trust erodes quickly when a breach becomes public. And with breach notification requirements, it will become public.
The 5 Most Common HIPAA IT Failures We See in Healthcare Practices

After two decades of performing technology assessments for medical offices across Texas, certain patterns repeat themselves. These aren’t obscure technicalities. They’re the same gaps that show up in OCR investigations and settlement agreements year after year.
No Documented Security Risk Analysis
This is the single most common finding in HIPAA enforcement actions. A security risk analysis (SRA) is the foundation of your entire compliance program. It identifies where ePHI lives, how it moves through your systems, what threats exist, and what safeguards you have in place. Without it, everything else is guesswork.
The SRA isn’t a one-time project. It has to be updated at least annually, and again whenever your practice adds new technology, opens a new location, changes vendors, or experiences a security incident. Many practices either skip it entirely or rely on a cursory self-assessment that wouldn’t survive an OCR review. A structured compliance and regulatory assessment is usually the fastest way to find out which one you have.
Missing or Outdated Business Associate Agreements
Every vendor that creates, receives, stores, or transmits ePHI on your behalf needs a signed BAA. That includes your IT provider, your EHR vendor, your billing company, your cloud backup service, your shredding company, and your answering service. Missing even 1 BAA creates a compliance gap that can trigger penalties during an investigation.
Over-Permissioned User Access and Shared Logins
Does your front desk staff have access to clinical notes they don’t need for their job? Is anyone in your office using a shared Windows login because “it’s easier”? These aren’t just workflow shortcuts. They’re audit risks. HIPAA’s minimum necessary standard requires role-based access control (RBAC), where each person can only reach the systems and data their specific role requires. Shared logins also destroy your audit trail, which means if something goes wrong, you can’t prove who did what.
Unencrypted Devices and Data Transmissions
Lost or stolen unencrypted laptops remain one of the most common breach triggers for small practices. If a laptop containing ePHI is taken from a car or left at a coffee shop and the hard drive isn’t encrypted, that’s a reportable breach. The same applies to unencrypted email, unencrypted portable drives, and data transmissions that don’t use TLS or equivalent protocols.
No Formal Incident Response or Backup Testing
Having backups is not the same as having tested backups. If your practice can’t demonstrate that you’ve actually restored from backup within a defined recovery window, your disaster recovery plan is a theory, not a safeguard. Similarly, many practices lack a documented incident response plan with clear steps, assigned roles, and defined escalation paths for when a breach or outage occurs.
HIPAA IT Compliance Gaps vs. What OCR Actually Looks For
| Common Practice Gap | What OCR Expects to See |
|---|---|
| No risk analysis on file | Documented, comprehensive SRA updated annually |
| EHR vendor “handles compliance” | Practice-level policies, training records, and safeguards |
| Shared logins across staff | Unique credentials per user with role-based permissions |
| Antivirus only, no monitoring | Layered security with continuous monitoring and logging |
| Backups exist but never tested | Documented recovery testing with defined RTOs |
| No BAA with IT provider | Signed BAA with every vendor touching ePHI |
| Staff trained once at hire | Annual HIPAA training with documented completion |
What the Proposed 2026 HIPAA Security Rule Changes Mean for Your Practice

The proposed update to the HIPAA Security Rule, published as a Notice of Proposed Rulemaking on January 6, 2025, represents the most significant overhaul since the original rule was adopted. If finalized, it will fundamentally change what “compliant” looks like for every covered entity and business associate, regardless of size.
The biggest structural shift is the elimination of the “addressable” designation. Since the Security Rule was adopted in 2003, certain safeguards like encryption and multi-factor authentication have been classified as “addressable,” meaning organizations could implement an alternative or document why the safeguard wasn’t reasonable for their situation. In practice, “addressable” became “optional” for many small practices. The proposed rule removes that distinction entirely. HHS confirms every specification would become required, with narrow exceptions.
Here’s what that means in practical terms for your IT environment.
- Mandatory encryption of all ePHI at rest and in transit. No exceptions, no alternative documentation workarounds.
- Multi-factor authentication on every system that accesses ePHI. Shared credentials become a violation, not just a bad habit.
- Vulnerability scanning every 6 months and annual penetration testing, with findings documented and remediation tracked.
- Technology asset inventory and network map maintained and reviewed at least annually.
- Network segmentation so that your EHR systems don’t share network space with general office devices or IoT equipment.
- 72-hour recovery time objective for restoring access to ePHI after an incident.
- 24-hour breach notification from business associates to covered entities when an incident response plan is activated.
Where This Rule Stands Right Now
It’s important to be precise here. As of mid-2026, this rule remains proposed. OCR has not issued a final rule, and the requirements could still change, be delayed, or be withdrawn. HHS received thousands of public comments, and industry groups including CHIME and more than 100 hospital systems pushed back on the estimated $9 billion year-one compliance cost, particularly for small and rural providers.
That said, OCR has signaled willingness to credit good-faith, phased compliance plans, especially from critical access hospitals and smaller practices. The direction is clear even if the timeline isn’t. Practices that start implementing MFA, encryption, and documented risk management now will be ahead of the curve whether the final rule lands in late 2026 or early 2027. Practices that wait will be scrambling.
What a HIPAA-Compliant IT Environment Actually Looks Like
If you stripped away the regulatory language and just asked what your practice’s IT needs to do to keep patient data safe and survive an OCR audit, it comes down to 7 technical controls.
The 7 Technical Controls Every Healthcare Practice Needs for HIPAA Compliance
- Encryption on every endpoint, server, cloud platform, and data transmission touching ePHI
- Role-based access control with unique credentials for every user
- Multi-factor authentication on all systems accessing patient data
- Continuous network monitoring with centralized audit logging
- Tested backup and disaster recovery with a documented recovery time objective
- Endpoint detection and response (EDR) on all devices, not just signature-based antivirus
- Documented policies, annual training records, and current BAAs with every vendor
None of these are optional best practices. They’re either already required under the current Security Rule or explicitly mandated in the proposed update. The practices we work with that pass audits without corrective actions have all 7 in place. The ones that get flagged are usually missing 3 or more. Most of this lives inside a layered cybersecurity program rather than a single tool you buy once.
AI Tools in Healthcare and the HIPAA Compliance Gap Nobody Talks About

AI is entering healthcare workflows faster than the compliance frameworks can keep up. Practices are using AI-powered tools for clinical documentation, patient communication, scheduling optimization, and billing automation. Some of those tools are handling ePHI. And many practices haven’t stopped to ask whether that’s compliant.
Here’s the baseline. Consumer-grade AI tools like standard ChatGPT, Google Gemini, and Claude are not HIPAA-compliant in their default configurations. They don’t sign BAAs, and their standard terms don’t include the protections HIPAA requires for ePHI. Enterprise versions of some platforms may offer BAA-eligible tiers, but your practice has to verify that directly with each vendor and configure the tool accordingly.
Any AI system that touches patient data needs to meet the same standards as every other system in your environment. That means a signed BAA, access controls, audit logging, encryption, and PHI minimization so the tool only accesses the minimum data necessary for its function.
This is an area where we expect OCR enforcement to expand. Build your AI governance now, before it becomes the next risk analysis failure on an investigation report.
When to Bring in a Healthcare-Focused IT Partner

There’s a point where managing IT internally or relying on a general-purpose break/fix provider starts creating more risk than it resolves. If any of these sound familiar, your practice may have reached that point.
- Your last risk assessment was more than 12 months ago, or you’ve never completed one.
- You’re not sure whether all your vendors have signed BAAs.
- Staff members share logins or use personal devices to access patient data without formal policies.
- You don’t have 24/7 monitoring, and you’d have no idea if someone accessed your network at 2 AM.
- Your backup has never been tested through an actual restore.
A healthcare-focused managed IT provider fills these gaps differently than a general IT company. They understand the regulatory landscape, sign a BAA with your practice, support your SRA process, maintain compliance documentation, and build the technical controls your practice needs to meet both current and proposed HIPAA requirements.
What to Look for in a HIPAA-Compliant Managed IT Provider
Not every MSP is built for healthcare. Before signing with any provider, ask these questions.
- Do they have a portfolio of current healthcare clients?
- Have they signed a BAA with your practice?
- Can they support your annual security risk assessment?
- Do they provide 24/7 monitoring and incident response?
- Will they maintain compliance documentation on your behalf?
- Can they demonstrate their own HIPAA compliance program?
If the answer to any of those is no, or if the provider hesitates to discuss them, that tells you what you need to know.
Bias disclosed, because I run a company that does this work. At Uprite, we built Uprite MED℠ specifically for healthcare organizations that need secure, compliant, and reliable IT without building a full internal team. Every tier is designed around the safeguards HIPAA requires, and our team has helped practices across Texas go from failed compliance reviews to clean audit results within 6 months. You can see how that works in practice on our managed IT for healthcare page, or in the way we support healthcare providers in Houston.
Start With the Gap That Would Fail You First
Three things to take from this. Your EHR vendor’s compliance is not your compliance. The proposed Security Rule turns the safeguards you were allowed to skip into safeguards you must document. And a risk analysis you have never written is the single fastest way to turn a breach into a penalty.
So pick the control on the list of 7 you are least sure about and close it this quarter. If you don’t know where to start, start with the security risk analysis, because every other decision depends on what it finds. HHS publishes a free Security Risk Assessment Tool that small practices can run themselves, and it beats doing nothing.
If you’d rather have someone map the whole environment, sign the BAA, and tell you honestly where you stand before OCR does, talk to our healthcare IT team. We’ll walk your practice through a HIPAA-focused technology assessment and give you a prioritized remediation plan, not a sales pitch.
Questions Healthcare Practices Ask About HIPAA-Compliant IT
How often does our practice need to complete a HIPAA security risk assessment?
At minimum, annually. But the SRA also needs to be updated whenever significant changes occur, such as adding new technology, opening a new location, switching EHR vendors, or experiencing a security incident. OCR doesn’t accept a one-time assessment as evidence of ongoing compliance. They want to see a living document that reflects your current environment and the risks you’ve identified and addressed over time.
Can our EHR vendor’s compliance cover our entire practice?
No. Your EHR vendor is responsible for the compliance capabilities of their platform, but your practice is responsible for how that platform is configured, who has access, how data is transmitted, and whether your broader IT environment meets HIPAA standards. If a breach occurs because of weak passwords, unencrypted devices, or a missing BAA with another vendor, the liability falls on your practice, not your EHR provider.
What’s the difference between HIPAA-compliant and HIPAA-certified?
There is no official HIPAA certification issued by HHS or OCR. Any vendor claiming to be “HIPAA-certified” is using a marketing term, not a regulatory designation. HIPAA compliance means an organization has implemented the required safeguards and can demonstrate its good-faith effort through documentation, risk assessments, and ongoing policy enforcement. Third-party compliance verification programs exist, but they are not government certifications.
Do we need a business associate agreement with our IT provider?
Yes, if your IT provider creates, receives, stores, or transmits ePHI on your behalf. That includes managing your servers, handling backups, supporting your EHR, monitoring your network, or providing cloud services. Without a signed BAA, your practice has a compliance gap that OCR will flag during any investigation. Your IT provider should offer a BAA proactively. If they don’t, that’s a red flag.
What should we do first if we’ve never had a formal HIPAA IT review?
Start with a security risk assessment. It’s the foundation of every other compliance activity and it’s the most commonly cited deficiency in enforcement actions. A proper SRA maps where ePHI lives in your environment, identifies threats and vulnerabilities, and produces a prioritized remediation plan. HHS provides a free SRA Tool through healthit.gov, but for a more comprehensive assessment, working with a qualified IT partner or compliance advisor will produce more actionable results.
Are telehealth platforms automatically HIPAA-compliant?
Not automatically. A telehealth platform is only HIPAA-compliant if it encrypts data in transit and at rest, provides access controls and audit logging, and the vendor signs a BAA with your practice. General-purpose video tools like standard Zoom or FaceTime do not meet these requirements without healthcare-specific configurations. The temporary enforcement discretion OCR applied during the pandemic for telehealth has expired, so using non-compliant platforms for patient visits now carries full regulatory risk.










