35 articles on compliance operations for independent healthcare practices.
Chiropractic practices face specific HIPAA challenges most guides never address: personal injury records, open treatment environments, and high-volume billing vendor ecosystems. Here's the complete path to compliance.
Therapy practices handle the most sensitive category of protected health information. This guide covers psychotherapy notes, telehealth BAAs, 42 CFR Part 2, and the step-by-step path to full compliance.
There is a version of HIPAA compliance that looks right and works wrong. You complete the forms, generate the policies, train the staff. Then a breach happens anyway. This is the gap most compliance software was not built to close.
Free Gmail fails HIPAA requirements. Google Workspace paid plans with a BAA and the right configuration can work — here is the full breakdown.
Google Workspace supports HIPAA compliance on paid plans with a BAA — but the default settings leave gaps. Here is the full configuration guide.
Dropbox offers HIPAA-eligible plans for healthcare — but only on Business tiers with a BAA. Here is what to configure before storing patient data.
Slack can be HIPAA compliant — but only on Enterprise Grid with a signed BAA and specific admin settings. Most Slack plans do not qualify.
Vendors sell HIPAA certification. The government does not offer one. Understanding the difference protects your practice from false confidence.
Faxing gets a pass under HIPAA that email does not — but cloud fax, online fax services, and email-to-fax gateways create compliance obligations most practices overlook.
Every HIPAA-covered entity must designate a privacy officer and a security officer. For independent practices, that is often one person wearing both hats.
AWS provides HIPAA-eligible infrastructure — Patient Protect runs on it. But using AWS does not automatically make your practice compliant.
HIPAA does not prohibit voicemail. But voicemail messages containing PHI must follow minimum necessary rules, and voicemail systems must meet security requirements.
There is no government agency that issues a HIPAA compliant stamp. HIPAA compliance is a continuous obligation. This guide covers the ten steps to achieve it and the system to maintain it.
The Security Rule's technical safeguards are the controls that actually protect ePHI inside your systems. This is the complete reference — every standard, every implementation specification, and what each one means for your practice.
DocuSign supports HIPAA compliance — but only on Business Pro and Enterprise plans with a signed BAA and correct configuration. Lower-tier plans do not qualify.
HIPAA requires workforce training. Most practices know that much. What they don't know: exactly what topics must be covered, when training must happen, what documentation OCR expects, and what changes with the proposed 2026 Security Rule amendments.
Notion can be HIPAA compliant — but only on the Enterprise plan with a signed BAA and the right workspace settings. Most healthcare practices using Notion are on plans that do not qualify.
Intuit does not sign Business Associate Agreements for QuickBooks — not Online, Desktop, Self-Employed, or Payroll. If your billing data contains PHI, QuickBooks is a compliance gap.
Square will sign a BAA — but it covers payment processing only. Square Appointments, Messages, Invoices, and Marketing are not HIPAA compliant and should never handle PHI.
Business associate agreements are one of the most commonly violated HIPAA requirements. This checklist covers what a BAA must include, which vendors need one, and how to manage the entire lifecycle.
Apple does not sign Business Associate Agreements for any consumer service. iCloud, iMessage, FaceTime, and Apple Health are all off-limits for PHI.
Mailchimp cannot be used for healthcare email marketing involving PHI. Intuit refuses to sign a BAA for any Mailchimp plan — Free, Essentials, Standard, or Premium.
You don't need a law degree or an IT department to be HIPAA compliant. You need three things, one afternoon, and a plan that doesn't make your head spin.
HIPAA gives patients specific, enforceable rights over their health information. Most independent practices comply with some of them and overlook the rest.
Most practices think physical security means locking the server room. It actually means controlling every point where someone could see, touch, or walk away with patient data.
Every device that touches ePHI is a potential breach vector. This step covers encryption, mobile device management, BYOD, patching, and the endpoint controls that keep patient data off the dark market.
If everyone in your practice can access every patient record, you do not have access controls. You have a breach waiting for a trigger.
Before you can build a compliant practice, you need to know exactly what HIPAA requires of you — and that depends entirely on your entity classification.
A risk assessment is not a form you fill out once a year. It is a living map of every threat to the patient data your practice holds — and the foundation of every HIPAA safeguard you implement.
Policies without enforcement are just paper. This step covers how to designate HIPAA officers, build policies that reflect real operations, and train your workforce to follow them.
Most HIPAA checklists give you boxes to check. This one gives you a sequence to follow — from risk assessment through incident response — so your practice builds compliance that holds up under scrutiny.
If your marketing agency collects patient inquiries through web forms, they are handling PHI. Most practices have no BAA in place to cover this.
Having an EHR, a privacy policy, and annual training does not make you HIPAA compliant. Here is what OCR actually looks for — and why most practices fall short.
Not all HIPAA compliance tools are created equal. Some barely scratch the surface of legal compliance — others offer automation without the security backbone. Here is what to demand in 2026.
Patients are paying attention to how their data is handled. Practices that treat compliance as a trust-building tool — not just a legal requirement — outperform on retention, reputation, and referrals.
