Day-to-day HIPAA compliance for practices that need the work done — risk analysis, BAAs, training, audits, policies, and the operational discipline behind each.
55 articles
Compliance Operations covers the recurring, evidence-producing work that keeps a practice in compliance year over year. It's the part of HIPAA that auditors actually examine — risk analyses with documented methodology, training records with completion timestamps, BAA inventories with current signatures, policy revisions tied to regulatory changes, and incident logs with response timelines. The articles below are written for the office manager, compliance officer, or solo practitioner who has to do the work, not just describe it.
COVID-era enforcement discretion ended May 2023. Every telehealth session since must comply with HIPAA in full. This guide covers platforms, home offices, recordings, multi-state practice, and the complete compliance path.
Optometry practices face structurally unique HIPAA challenges: the retail-clinical access boundary, optical lab BAA gaps, dual-billing insurance coordination, and vision-medical record crossover. Here's the complete guide.
A 24-point evaluation framework — eight criteria pulled directly from the 2026 Security Rule NPRM and OCR's expanded enforcement focus — for scoring any HIPAA compliance platform you are evaluating, including ours.
Physical therapy practices face specific HIPAA risks most guides never address: home visit ePHI, PRN staff access gaps, workers' comp records, and exercise app BAAs. Here's the complete compliance path.
Salesforce can be HIPAA compliant — but only on Health Cloud and specific paid editions with a signed BAA. Sales Cloud and Marketing Cloud are not covered, and the gap is where most practices create exposure.
Twilio can be HIPAA compliant on its HIPAA-eligible product set with a signed BAA. SMS, Voice, Video, and SendGrid Email are eligible when contracted correctly. Default accounts are not.
HubSpot can be HIPAA compliant on Enterprise tiers with a signed BAA. Lower plans are not HIPAA-eligible. Here is what is covered, what is not, and how to configure it.
ServiceNow can be HIPAA compliant on enterprise contracts with a BAA. The Healthcare and Life Sciences product line provides healthcare-specific data models. Standard tenants are not HIPAA-eligible by default.
OneDrive can be HIPAA compliant on Microsoft 365 commercial plans with a signed BAA. Personal OneDrive accounts and home subscriptions are not. The configuration after the BAA is where most practices create exposure.
Notion offers a BAA on Enterprise plans, but Notion AI features are explicitly excluded from that coverage. Using AI on a HIPAA workspace breaks the BAA. The boundary is narrow and easy to miss.
Ten cloud storage providers that will sign a BAA, ranked by fit for independent healthcare practices. What each is built for, where each falls short, and the configuration trap behind most cloud breaches.
Seven practice management platforms used by independent practices, ranked by fit. Each handles scheduling, billing, and patient flow differently — and each leaves a different slice of HIPAA work back to the practice.
Chiropractic practices face specific HIPAA challenges most guides never address: personal injury records, open treatment environments, and high-volume billing vendor ecosystems. Here's the complete path to compliance.
Therapy practices handle the most sensitive category of protected health information. This guide covers psychotherapy notes, telehealth BAAs, 42 CFR Part 2, and the step-by-step path to full compliance.
OCR's enforcement data is a public dataset of what actually goes wrong. These are the 10 most-frequently cited violation categories — and the operational gaps behind each one.
There is a version of HIPAA compliance that looks right and works wrong. You complete the forms, generate the policies, train the staff. Then a breach happens anyway. This is the gap most compliance software was not built to close.
Free Gmail fails HIPAA requirements. Google Workspace paid plans with a BAA and the right configuration can work — here is the full breakdown.
Google Workspace supports HIPAA compliance on paid plans with a BAA — but the default settings leave gaps. Here is the full configuration guide.
Dropbox offers HIPAA-eligible plans for healthcare — but only on Business tiers with a BAA. Here is what to configure before storing patient data.
Slack can be HIPAA compliant — but only on Enterprise Grid with a signed BAA and specific admin settings. Most Slack plans do not qualify.
Vendors sell HIPAA certification. The government does not offer one. Understanding the difference protects your practice from false confidence.
Faxing gets a pass under HIPAA that email does not — but cloud fax, online fax services, and email-to-fax gateways create compliance obligations most practices overlook.
Every HIPAA-covered entity must designate a privacy officer and a security officer. For independent practices, that is often one person wearing both hats.
AWS provides HIPAA-eligible infrastructure — Patient Protect runs on it. But using AWS does not automatically make your practice compliant.
HIPAA does not prohibit voicemail. But voicemail messages containing PHI must follow minimum necessary rules, and voicemail systems must meet security requirements.
Eight EHR platforms that sign BAAs and serve independent practices, ranked by fit. The compliance gap most practices miss: an EHR's BAA is the floor, not the ceiling.
There is no government agency that issues a HIPAA compliant stamp. HIPAA compliance is a continuous obligation. This guide covers the ten steps to achieve it and the system to maintain it.
OCR investigators don't fish for sophisticated vulnerabilities. They look for predictable operational gaps. These are the ten signs they find most often — visible to the practice long before the audit notice arrives.
The Security Rule's technical safeguards are the controls that actually protect ePHI inside your systems. This is the complete reference — every standard, every implementation specification, and what each one means for your practice.
A signed BAA is HIPAA's required floor — but most BAAs that practices sign protect the vendor far more than the practice. These are the six clauses that separate a real contract from a checkbox.
DocuSign supports HIPAA compliance — but only on Business Pro and Enterprise plans with a signed BAA and correct configuration. Lower-tier plans do not qualify.
HIPAA requires workforce training. Most practices know that much. What they don't know: exactly what topics must be covered, when training must happen, what documentation OCR expects, and what changes with the proposed 2026 Security Rule amendments.
OCR investigations start somewhere. Knowing the triggers that begin the process — and the inputs the practice controls — is the difference between a managed program and a reactive one.
Notion can be HIPAA compliant — but only on the Enterprise plan with a signed BAA and the right workspace settings. Most healthcare practices using Notion are on plans that do not qualify.
Intuit does not sign Business Associate Agreements for QuickBooks — not Online, Desktop, Self-Employed, or Payroll. If your billing data contains PHI, QuickBooks is a compliance gap.
Square will sign a BAA — but it covers payment processing only. Square Appointments, Messages, Invoices, and Marketing are not HIPAA compliant and should never handle PHI.
Business associate agreements are one of the most commonly violated HIPAA requirements. This checklist covers what a BAA must include, which vendors need one, and how to manage the entire lifecycle.
The HIPAA risk analysis is the single most-cited gap in OCR enforcement. Most independent-practice risk analyses fail in one of seven predictable ways — all visible before any audit.
Apple does not sign Business Associate Agreements for any consumer service. iCloud, iMessage, FaceTime, and Apple Health are all off-limits for PHI.
Mailchimp cannot be used for healthcare email marketing involving PHI. Intuit refuses to sign a BAA for any Mailchimp plan — Free, Essentials, Standard, or Premium.
HIPAA compliance checklists run to hundreds of items. The eleven below are the ones independent practices most often skip — and the ones that surface most often in OCR enforcement actions.
OCR enforcement isn't random. Eight patterns recur across the public settlement record — and each one is a preview of the audit findings a similar practice can expect.
You don't need a law degree or an IT department to be HIPAA compliant. You need three things, one afternoon, and a plan that doesn't make your head spin.
HIPAA gives patients specific, enforceable rights over their health information. Most independent practices comply with some of them and overlook the rest.
Most practices think physical security means locking the server room. It actually means controlling every point where someone could see, touch, or walk away with patient data.
Every device that touches ePHI is a potential breach vector. This step covers encryption, mobile device management, BYOD, patching, and the endpoint controls that keep patient data off the dark market.
If everyone in your practice can access every patient record, you do not have access controls. You have a breach waiting for a trigger.
Before you can build a compliant practice, you need to know exactly what HIPAA requires of you — and that depends entirely on your entity classification.
A risk assessment is not a form you fill out once a year. It is a living map of every threat to the patient data your practice holds — and the foundation of every HIPAA safeguard you implement.
Policies without enforcement are just paper. This step covers how to designate HIPAA officers, build policies that reflect real operations, and train your workforce to follow them.
Most HIPAA checklists give you boxes to check. This one gives you a sequence to follow — from risk assessment through incident response — so your practice builds compliance that holds up under scrutiny.
If your marketing agency collects patient inquiries through web forms, they are handling PHI. Most practices have no BAA in place to cover this.
Having an EHR, a privacy policy, and annual training does not make you HIPAA compliant. Here is what OCR actually looks for — and why most practices fall short.
Not all HIPAA compliance tools are created equal. Some barely scratch the surface of legal compliance — others offer automation without the security backbone. Here is what to demand in 2026.
Patients are paying attention to how their data is handled. Practices that treat compliance as a trust-building tool — not just a legal requirement — outperform on retention, reputation, and referrals.
Related references
147+ provisions mapped to platform features
10-minute readiness scan, no login
How to compare HIPAA platforms
When HIPAA applies to direct primary care + 5-step compliance path
Telehealth-pharmacy stack, state consumer-health law overlay
