
HIPAA for medical practices

HIPAA Compliance for Medical Practices

Independent medical practices carry the broadest ePHI surface in healthcare — lab integrations, e-prescribing, patient portals, and multi-provider scheduling. Whether you already work with a compliance vendor or are evaluating for the first time, Patient Protect adds a security-first layer that covers every requirement without enterprise pricing.

Active breach prevention · Starting at $39/mo · No contracts

HIPAA in practice

What HIPAA actually looks like for medical practices.

The regulatory framework, the enforcement patterns OCR has historically cited, the non-HIPAA standards that apply, the gaps audits routinely surface, and the record-retention overlay where state law stacks on HIPAA’s six-year minimum.

Regulatory framework

Medical practices operate under HIPAA as covered entities through the full set of standard electronic transactions — 837 claims submission, 270/271 eligibility verification, 278 referral certification, 835 remittance advice, 820 premium payment, 834 enrollment, NCPDP SCRIPT for e-prescribing. Medicare and Medicaid impose additional documentation requirements for reimbursement and quality reporting (MIPS, ACO programs, value-based-care frameworks). State medical practice acts govern record-keeping. The ONC HITECH meaningful-use legacy continues to shape EHR vendor compliance behavior even after the program transitioned to MIPS.

OCR enforcement patterns

OCR's enforcement record against medical practices is the most extensive of any healthcare segment, including lost or stolen unencrypted laptops and backup tapes, unauthorized employee access to patient records, business associate breaches that cascade to the covered entity, ransomware incidents, improper disposal of paper records, missing breach notification, accounting-of-disclosures failures, and right-of-access denials. The Optum/UnitedHealth Change Healthcare incident in 2024 is the largest healthcare breach on record and continues to reshape OCR's expectations for business associate oversight.

Specialty-specific standards beyond HIPAA

NCPDP SCRIPT for e-prescribing. HL7 v2 and FHIR R4 for clinical interfaces. Section 164.528 accounting-of-disclosures requirements (operationally complex; rarely fully implemented). MIPS quality-measure reporting. ONC certification for EHR vendors creates downstream compliance obligations for practices using certified products. State-specific telemedicine licensure compacts (IMLC for medical, PSYPACT for psychology) where the practice conducts cross-state telemedicine.

Common compliance gaps

The medical-practice compliance gap inventory is large and well-documented: lab partner BAAs missing across the long tail (Quest and LabCorp are signed but specialty labs are not), patient portal access controls and audit logs not integrated with the broader breach response, faxing patterns that produce chronic misdirected-fax exposure, accounting-of-disclosures rarely operationally implemented despite being a §164.528 requirement, business associate oversight that ends at BAA signing rather than continuing through the relationship, and inadequate workforce training on the disclosure scenarios staff actually encounter.

Retention overlay

State law stacked on HIPAA’s six-year floor.

HIPAA's six-year minimum; state medical practice acts typically require seven to ten years for adult patients post-last-encounter, with longer timelines for minors (until age of majority plus statute-of-limitations period). Medicare requires retention of certain document categories beyond the state minimum. Malpractice insurance carriers commonly impose retention requirements as a condition of coverage. Imaging records and pathology specimens are often subject to separate retention rules. Federal research contracts (NIH, AHRQ) may require longer retention for research-related records.

Reference summary, not legal advice. This page summarizes how HIPAA and adjacent regulatory frameworks apply to medical practices, based on Patient Protect’s reading of the relevant CFR provisions, OCR enforcement record, and state statutes. Operators with specific compliance questions should consult a qualified HIPAA attorney. Patient Protect is a HIPAA compliance platform; we are not a law firm and do not provide legal advice.

Where to start

The five-step path to compliant operation.

In order. Each step is the foundation the next one rests on. A medical practice that completes the five below has cleared the operational core of HIPAA compliance.

  1. Run a risk analysis covering EHR, lab interfaces, and care coordination systems

    Risk analysis under §164.308(a)(1)(ii)(A) covering EHR (Epic, athenaOne, eClinicalWorks, others), patient portal, electronic claims clearinghouse, lab interfaces (Quest, LabCorp, regional partners), e-prescribing service, telehealth platform, secure messaging tool, hospital and specialist coordination platforms.

  2. Sign current BAAs across the primary care vendor ecosystem

    EHR vendor, claims clearinghouse, every lab partner, e-prescribing service, telehealth platform, secure messaging tool, e-fax service, IT support, cloud backup. Each is a BA under §160.103. The lab-partner long tail is the most commonly missed.

  3. Establish accounting of disclosures procedures under §164.528

    Patients have the right under §164.528 to request an accounting of certain non-treatment disclosures of their PHI. The accounting must cover six years and include specific information about each disclosure. Most practices have no accounting-of-disclosures system; building one is a one-time policy and system-design effort that closes a routinely missed compliance gap.

  4. Document patient-portal access controls and audit logs

    Patient portals are PHI systems requiring full audit-logging, access controls, and breach response integration. The portal-specific compliance program should be documented separately from the EHR's general program even when they share infrastructure.

  5. Designate Privacy and Security Officials, train all staff

    Per §164.530(a) and §164.308(a)(2). Training under §164.530(b)(1) including the specific scenarios primary care staff encounter: family-member disclosure requests, insurance utilization review, attorney records requests, hospital discharge coordination.

The real risk

Where medical practices are most exposed.

01

Lab integrations create ePHI data flows you don't monitor

Lab orders, results, and specimen tracking data move between your EHR, reference labs, and patient portals. Each integration is a data flow that requires a BAA, encryption, and documented access controls. Most practices have never mapped these flows.

02

E-prescribing adds EPCS and DEA compliance layers

Electronic prescribing for controlled substances (EPCS) requires identity proofing, two-factor authentication, and specific audit trail capabilities. These requirements layer on top of standard HIPAA — make sure your compliance program explicitly addresses EPCS controls.

03

Patient portals expand your attack surface

Patient portals give patients access to lab results, appointment scheduling, and messaging — but they also create new entry points for attackers. Credential stuffing, session hijacking, and unauthorized access attempts target healthcare portals daily.

04

Multi-provider practices need per-provider access controls

When multiple physicians, NPs, and PAs share a practice, each provider needs role-appropriate access to patient records. Shared logins, over-permissioned accounts, and missing audit trails are the most common findings in OCR audits of medical practices.

What HIPAA requires

Regulatory requirements specific to medical practices.

Lab Integration Security

BAAs with all reference labs, pathology services, and lab information systems. Encrypted data transmission for all lab orders and results. Documented ePHI data flow mapping for laboratory workflows.

E-Prescribing Compliance

EPCS identity proofing and two-factor authentication for controlled substance prescriptions. Audit trails meeting DEA requirements. Documented security procedures for prescribing workflows.

Patient Portal Security

Strong authentication for patient portal access. Session management controls. Audit logging for all patient data access through the portal. BAA with portal vendor.

Multi-Provider Access Controls

Unique credentials per provider and staff member. Role-based access with least-privilege enforcement. Documented access review procedures. Audit trails per user.

Your state, your rules

State-specific HIPAA rules for medical practices.

HIPAA is federal — but your state layers additional breach notification deadlines, AG reporting requirements, and privacy laws on top. Select your state to see what applies to your practice.

How Patient Protect helps

Built for medical practices, not hospital systems.

Comprehensive ePHI data flow mapping

The risk assessment covers lab integrations, e-prescribing, patient portals, and every other system touching patient data. See your complete ePHI surface — not just what your EHR vendor tells you.

Multi-vendor BAA management

Track BAAs with labs, pharmacies, EHR vendors, billing services, patient portal providers, and every other business associate. Alerts before any agreement expires.

Secure clinical communication

BAA-gated messaging replaces unsecured email and personal texts between providers, staff, and referring practices. Referral tracking from send to acceptance.

Practice-wide compliance dashboard

See compliance standing across all providers and departments. Identify which workflows have the most exposure. Prioritize based on risk score, not guesswork.

Lab interface compliance for Quest, LabCorp, and regional partners

Most primary care practices order labs through one or more of Quest, LabCorp, regional reference labs, plus specialty labs for specific test categories. Each lab interface is a covered transaction surface; each lab is a BA. Patient Protect's BAA tracking pre-loads the standard lab ecosystem and surfaces the long-tail specialty labs that get missed.

Hospital coordination and referral compliance

Care coordination with hospitals, specialists, and external providers involves continuous PHI exchange — admission notifications, discharge summaries, specialist consult notes. The platform handles the coordination workflow under §164.506 (treatment-purpose exception) while maintaining audit trails for the §164.528 accounting-of-disclosures requirement.
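Step 3 above and the hospital-coordination passage here rest on the same split: every disclosure lands in the audit trail, but only non-TPO disclosures inside the six-year window appear in the patient's §164.528 accounting. The Python sketch below is an added illustration, not Patient Protect's code; the `Disclosure` fields, the hypothetical `DisclosureLedger` class, and the sample entries are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Purposes dropped from the patient-facing accounting: the §164.506 treatment exception plus payment/operations (§164.528(a)(1)(i) TPO).
EXCLUDED_PURPOSES = {"treatment", "payment", "operations"}

def six_years_before(d: date) -> date:
    """Start of the six-year accounting window that ends on d."""
    try:
        return d.replace(year=d.year - 6)
    except ValueError:  # d is Feb 29 and the target year has no Feb 29
        return d.replace(year=d.year - 6, day=28)

@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str    # who received the PHI
    description: str  # what was disclosed
    purpose: str      # why: treatment, payment, operations, legal, ...

class DisclosureLedger:
    """Append-only log of every PHI disclosure (hypothetical helper, not the product's code)."""

    def __init__(self) -> None:
        self._entries: list[Disclosure] = []

    def record(self, d: Disclosure) -> None:
        self._entries.append(d)

    def audit_trail(self, patient_id: str) -> list[Disclosure]:
        # Every disclosure, treatment-purpose ones included, for audit and breach review.
        return [d for d in self._entries if d.patient_id == patient_id]

    def accounting(self, patient_id: str, as_of: date) -> list[Disclosure]:
        # The §164.528 accounting: non-TPO disclosures within six years of the request date.
        cutoff = six_years_before(as_of)
        return [d for d in self._entries if d.patient_id == patient_id
                and d.purpose not in EXCLUDED_PURPOSES
                and cutoff <= d.disclosed_on <= as_of]

def demo_ledger() -> DisclosureLedger:
    """Constructed sample disclosures for one practice (not real records)."""
    ledger = DisclosureLedger()
    ledger.record(Disclosure("P-001", date(2017, 3, 10), "County court", "Records subpoena", "legal"))
    ledger.record(Disclosure("P-001", date(2021, 9, 14), "Patient's attorney", "Visit notes 2020-2021", "legal"))
    ledger.record(Disclosure("P-001", date(2024, 2, 2), "Memorial Hospital", "Discharge summary", "treatment"))
    ledger.record(Disclosure("P-002", date(2023, 5, 5), "State immunization registry", "Vaccination record", "public_health"))
    return ledger
```

Calling `demo_ledger().accounting("P-001", some_date)` returns only the attorney disclosure for a 2025 request: the subpoena falls outside the six-year window and the hospital discharge summary is a treatment disclosure, yet both remain in `audit_trail("P-001")`.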

How we compare

See exactly what you get that competitors don't offer.

Every major compliance platform covers risk assessments and policy templates. The difference is what happens after the paperwork is done.

What to ask

Patient Protect

01

Risk assessment that satisfies §164.308(a)(1)

A readiness quiz is not a risk analysis.

Full SRA wizard mapped to NIST CSF with live scoring

02

Auto-generated policies with workforce acknowledgment

HIPAA requires documented proof your staff reviewed them.

48 policies from your risk profile, versioned acknowledgment

03

Staff training with delivery tracking

§164.308(a)(5) — sending a PDF is not sufficient.

80+ modules, completion tracking, audit-ready records

04

Full BAA lifecycle management

Expired BAAs are a top enforcement target.

E-signature, renewal alerts, Vendor Risk Scanner

Yes on all 10. Now run the checklist on the rest.

From $39/mo · No long-term contracts.

Pricing

Enterprise-grade compliance. Independent-practice pricing.

No contracts · No setup fees · Cancel anytime

Core

$39/mo

Risk assessments, policies, BAA management, training, and compliance scoring.

Recommended

Pro

$99/mo

Everything in Core plus secure messaging, breach intelligence, live diagnostics, and AI compliance assistant.


FAQ

Common questions about HIPAA compliance for medical practices.

What HIPAA requirements apply to independent medical practices?

All of them. Independent medical practices are covered entities subject to the full HIPAA Security Rule, Privacy Rule, and Breach Notification Rule — the same 45+ requirements that apply to hospital systems. Practice size does not reduce obligations.

How does Patient Protect handle lab integration compliance?

Patient Protect's risk assessment maps ePHI data flows across lab integrations, identifying gaps in BAA coverage, encryption, and access controls. The platform tracks BAAs with all lab vendors and monitors compliance status continuously — not annually.

Do we need a HIPAA compliance officer?

HIPAA requires a designated Security Officer and Privacy Officer (one person can fill both roles). Patient Protect doesn't replace the designation, but it automates 90% of what that role requires — risk assessments, policy management, training, BAA tracking, and audit documentation.

What does HIPAA compliance cost for a medical practice?

Compliance consultants charge $5,000–$15,000 per year for medical practices, depending on size and complexity. Patient Protect starts at $39/month ($468/year) for Core and $99/month for Pro, with no contracts — covering every HIPAA requirement for independent practices.

Do primary care practices need patient authorization for hospital coordination?

No, generally. Section 164.506 permits PHI disclosure for treatment, payment, and healthcare operations without specific patient authorization. Hospital coordination, specialist referrals, and care-team communication fall under treatment purposes and are permitted disclosures. The practice must still provide the required Notice of Privacy Practices and maintain audit trails of disclosures under §164.528.

How does HIPAA apply to patient portals?

Patient portals are PHI-handling systems and require the full HIPAA compliance framework: BAA with the portal vendor (most EHR vendors include the portal under their EHR BAA), access controls, audit logs, encryption in transit and at rest, and integration with the practice's broader breach response. Portal-specific compliance is sometimes overlooked because operators treat the portal as 'patient-facing' rather than 'clinical.'

Is faxing PHI still HIPAA-compliant in 2026?

Traditional analog faxing is permitted but disfavored — risks include misdirected faxes, unattended fax machines, and call-tracing exposure. Electronic fax services (e-fax) are generally compliant when the vendor signs a BAA, but the practice remains responsible for confirming the recipient's number and using cover sheets that limit incidental disclosure. OCR has enforced against practices for chronic fax-misdirection patterns.

Patient Protect is intuitive, proactive, and affordable — exactly what small clinics like ours need to keep patient data safe and stay on the right side of HIPAA.
Dr. Thomas E. Murray, D.D.S., Patient Protect Member Since 2017

Next step

Your medical practice has the broadest ePHI exposure in healthcare.

See your compliance gaps today. Free risk assessment — no login required.