HIPAA and IT: The Framework Overview
HIPAA's Security Rule requires covered entities and their business associates to implement administrative, physical, and technical safeguards to protect electronic Protected Health Information (ePHI). The rule is intentionally technology-neutral — it doesn't require specific software or hardware. What it requires are outcomes: confidentiality, integrity, and availability of ePHI.
The three categories of safeguards:
- Administrative safeguards (§164.308) — Policies, procedures, workforce training, risk assessments, contingency plans. These are the governance and process requirements.
- Physical safeguards (§164.310) — Facility access controls, workstation use policies, device and media controls. These govern physical access to ePHI.
- Technical safeguards (§164.312) — Access controls, audit controls, integrity controls, transmission security. These are the IT controls.
OCR (the HHS Office for Civil Rights) enforces HIPAA through audits, complaints, and breach investigations. Its enforcement focus has consistently prioritized risk analysis failures, access controls, encryption, and audit logging.
The HIPAA Risk Assessment: Foundation of Everything
Every HIPAA compliance program starts with a documented risk assessment (§164.308(a)(1)). This is the single most commonly cited deficiency in OCR enforcement actions. What it requires:
- Identify where ePHI exists in your environment — servers, workstations, laptops, mobile devices, cloud applications, fax machines, backup media
- Identify threats to each ePHI location — malware, ransomware, physical theft, unauthorized access, system failure
- Assess vulnerabilities that could allow those threats to materialize
- Assess the current controls in place and whether they adequately mitigate the risk
- Document the assessment and produce a risk management plan to address identified gaps
OCR enforcement pattern: The most common path to a multi-million dollar HIPAA settlement is: breach occurs → OCR investigates → discovers no documented risk assessment → settlement includes corrective action plan with monitoring. The breach itself is often far less expensive than the regulatory response to missing documentation.
Technical Safeguards: The IT Control Requirements
Access Controls (§164.312(a)(1))
Required: Unique user identification and an emergency access procedure. Addressable: Automatic logoff and encryption/decryption (implementation is required if reasonable and appropriate; if not implemented, the assessment and the alternative must be documented).
- Every user has a unique login — no shared credentials or shared service accounts for ePHI access
- Role-based access control — staff can only access the minimum ePHI necessary for their function
- Automatic screen lock and session timeout after inactivity (typically 15 minutes)
- Multi-factor authentication on all systems with ePHI access (required for most cyber insurance; best practice for HIPAA)
- Emergency access procedure documented for when normal access methods fail
Audit Controls (§164.312(b))
Required: Hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use ePHI.
- Audit logging enabled on all systems containing ePHI (EHR, file servers, email)
- Logs capture: who accessed what, when, from where, and what changes were made
- Logs retained for a minimum of 6 years (HIPAA documentation retention requirement)
- Log review procedure — logs must actually be reviewed, not just collected
- Log integrity protection — logs should be stored where they can't be modified by the accounts being audited
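The last two bullets (logs must be reviewed, and must be stored where the audited accounts cannot alter them) are illustrated by the following added example, which is not code from the original page or from any IT provider or product it describes. It chains each ePHI access record to its predecessor and seals it with an HMAC whose key is assumed to live only on the log collector, so an edit, deletion or reordering by an EHR administrator is detectable at review time. Field names, the seal key and the sample events are constructed for illustration.

```python
"""Tamper-evident ePHI access log with a reviewer summary.

Added example, not code from the original page. Field names, the seal key
and the sample events are constructed for illustration only.
"""
import hashlib
import hmac
import json

# Assumption: the seal key is held only by the log collector, never by the
# EHR hosts or the accounts whose activity is being audited, so those
# accounts cannot re-seal a record after changing it.
LOG_SEAL_KEY = b"constructed-example-key-replace-in-real-deployments"
GENESIS = "0" * 64


def seal_record(prev_seal: str, record: dict) -> str:
    """HMAC over the previous seal plus the canonical JSON of this record."""
    payload = prev_seal.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(LOG_SEAL_KEY, payload, hashlib.sha256).hexdigest()


def append_event(chain: list, record: dict) -> dict:
    """Append one access event; each entry is chained to its predecessor."""
    prev = chain[-1]["seal"] if chain else GENESIS
    entry = {"record": dict(record), "seal": seal_record(prev, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> tuple:
    """Return (True, None) if intact, else (False, index of first bad entry).

    An edited record, a deleted entry or a reordered entry breaks every seal
    from that point on, so the first failing index localises the tampering.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = seal_record(prev, entry["record"])
        if not hmac.compare_digest(expected, entry["seal"]):
            return False, i
        prev = entry["seal"]
    return True, None


def access_summary(chain: list) -> dict:
    """Who touched which patient records, and from where: the reviewer's view."""
    summary = {}
    for entry in chain:
        rec = entry["record"]
        user = summary.setdefault(
            rec["user"], {"events": 0, "patients": set(), "sources": set()}
        )
        user["events"] += 1
        user["patients"].add(rec["patient_id"])
        user["sources"].add(rec["src_ip"])
    # Sets become sorted lists so the summary is JSON-serialisable for the review file.
    return {
        u: {"events": d["events"], "patients": sorted(d["patients"]), "sources": sorted(d["sources"])}
        for u, d in summary.items()
    }


# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:02:11Z", "user": "alice", "action": "view", "patient_id": "P001", "src_ip": "10.0.1.20"},
    {"ts": "2024-03-01T08:05:40Z", "user": "alice", "action": "view", "patient_id": "P002", "src_ip": "10.0.1.20"},
    {"ts": "2024-03-01T09:17:03Z", "user": "bob", "action": "update", "patient_id": "P001", "src_ip": "10.0.2.7"},
]


def build_sample_chain() -> list:
    """Build a chain from the constructed events."""
    chain = []
    for ev in SAMPLE_EVENTS:
        append_event(chain, ev)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))
    print(json.dumps(access_summary(chain), indent=2))
    chain[1]["record"]["patient_id"] = "P999"  # simulate an after-the-fact edit
    print("after edit:", verify_chain(chain))
```

The chain only proves integrity relative to the collector's key, so the practical control is separation: the collector and its key sit on a host the EHR and file-server administrators cannot log into, and the seals are checked as part of the documented log review rather than only when a breach is suspected.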
Integrity Controls (§164.312(c)(1))
Required: Policies to protect ePHI from improper alteration or destruction. Addressable: Electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.
- File integrity monitoring on EHR and critical ePHI repositories
- Backup verification — regular restore tests confirming backup integrity
- Version control or change logging for ePHI records
Transmission Security (§164.312(e)(1))
Required: Technical security measures to guard against unauthorized access to ePHI transmitted over electronic communications networks. Addressable: Encryption of ePHI in transit (required if appropriate — which it is in virtually all cases).
- TLS 1.2 or higher for all web-based EHR and patient portal access
- Email encryption for any ePHI transmitted via email (S/MIME, secure patient messaging portal, or encrypted email service)
- VPN for any remote access to systems containing ePHI
- No ePHI transmitted via unencrypted personal email, text message, or consumer messaging apps (WhatsApp, iMessage used for business)
Physical Safeguards: What IT Covers
Physical safeguards overlap with IT in several areas:
- Workstation use (§164.310(b)) — Workstations with ePHI access must be positioned to prevent unauthorized viewing; screens must lock automatically
- Device and media controls (§164.310(d)(1)) — Formal policies for disposal of hardware containing ePHI; NIST SP 800-88 guidance for media sanitization
- Mobile device controls — Encryption and remote wipe required on all mobile devices with ePHI access; MDM enrollment is the standard implementation
Business Associate Agreements (BAAs): Every Vendor Matters
Any vendor that creates, receives, maintains, or transmits ePHI on your behalf is a Business Associate under HIPAA and must sign a BAA. Your IT provider is a Business Associate. Cloud vendors storing ePHI (even indirectly) are Business Associates.
Key BAA requirements:
- The BAA must specify how the BA will use and safeguard ePHI
- The BA must report breaches to you without unreasonable delay and within 60 days of discovery
- You must maintain a list of all BAs and their signed BAAs
- BAAs must be reviewed and updated when service agreements change
Vendors that commonly need BAAs that practices miss: Cloud backup services, email providers (if ePHI is ever in email), practice management software, billing services, IT managed service providers, phone system providers (if voicemails contain patient information), answering services, and cloud storage (Dropbox, Google Drive, OneDrive) if ePHI is stored there. Most major vendors have standard BAAs available — ask specifically for one.
Encryption Requirements: The Practical Standard
HIPAA technically classifies encryption as "addressable" rather than required — meaning covered entities must implement it if appropriate (and assess and document if they determine it's not). In practice, OCR has made clear that not encrypting ePHI is extremely difficult to justify, and virtually all enforcement guidance treats encryption as effectively required.
The encryption standards that satisfy HIPAA:
- Data at rest: AES-256 encryption on all devices and storage containing ePHI; BitLocker (Windows) or FileVault (Mac) for workstations and laptops
- Data in transit: TLS 1.2 or higher for network transmission; no ePHI over unencrypted protocols (plain HTTP, FTP, Telnet)
- Portable media: Encrypted USB drives only if ePHI must be transported on removable media; encrypted backup tapes
Backup and Disaster Recovery (Contingency Plan — §164.308(a)(7))
HIPAA requires a contingency plan with five components:
- Data backup plan — Documented procedures for creating and maintaining retrievable exact copies of ePHI
- Disaster recovery plan — Documented procedures to restore lost data
- Emergency mode operation plan — Procedures to enable continuation of critical business processes during a system emergency
- Testing and revision procedures — Procedures to periodically test and revise contingency plans
- Applications and data criticality analysis — Assessment of the relative criticality of specific applications and data to prioritize recovery
What this means in practice
A backup that runs every night is not the same as a HIPAA contingency plan. The plan must be documented, tested, and reviewed. Testing means actually restoring from backup and verifying the restore works — not just checking that the backup completed successfully. Most practices that have "backups" have never tested a restore from them.
Breach Response: The 72-Hour and 60-Day Rules
When a HIPAA breach occurs (or is suspected), the response timeline:
- Immediately upon discovery: Contain the incident, preserve evidence, begin forensic investigation
- Within 60 days: Notify affected individuals (written notice); notify HHS via the Breach Notification Portal; notify media if the breach affects 500+ residents in a state
- For Business Associates: Notify the covered entity without unreasonable delay and within 60 days of discovery
Smaller breaches (under 500 individuals) can be reported to HHS in an annual log submitted within 60 days of the end of the calendar year. Large breaches trigger immediate media notification requirements.
What Your IT Provider Must Do for HIPAA
- Sign a Business Associate Agreement (BAA) with your organization
- Implement and document all required technical safeguards (access controls, audit logging, encryption, transmission security)
- Conduct or support your annual HIPAA Security Risk Assessment
- Maintain documentation of all security controls for a minimum of 6 years
- Implement and test a documented backup and disaster recovery plan
- Provide 24/7 incident response coverage for suspected breaches
- Assist with breach notification process including forensic analysis to determine scope
- Maintain their own internal HIPAA compliance program (as a BA, they have the same obligations)
Frequently Asked Questions
What is the HIPAA Security Rule and who does it apply to?
The HIPAA Security Rule establishes standards for protecting electronic Protected Health Information (ePHI). It applies to covered entities (healthcare providers, health plans, clearinghouses) and their business associates — including IT providers who access systems with ePHI. Your IT provider must sign a BAA.
What is a HIPAA risk assessment and how often is it required?
A HIPAA risk assessment documents potential risks and vulnerabilities to ePHI confidentiality, integrity, and availability. No specific frequency is mandated, but OCR recommends conducting one whenever your environment changes significantly, and best practice is annually. It must be documented and drive your risk management plan.
What are the penalties for a HIPAA breach?
Civil penalties range from $100–$50,000 per violation with annual caps up to $1.9M. OCR settlements often reach $1–$5M. Beyond financial penalties, mandatory breach notification to individuals and HHS creates reputational and class action liability.