HIPAA Compliance
How to Dabble in Electronic Compliance — HIPAA Style
A practical introduction to electronic HIPAA compliance. Start with the basics: email, devices, cloud storage, and the technical safeguards that matter most.

Start here. Five areas where electronic compliance actually matters.
The HIPAA Security Rule covers technical safeguards, and for many independent practices, that phrase alone is enough to trigger avoidance. Technical compliance sounds like something that requires an IT department, a cybersecurity consultant, and a budget that does not exist.
It does not. Most electronic compliance failures are not the result of sophisticated threats or complex technology gaps. They are basic configuration issues — email settings left at defaults, devices without encryption, cloud storage set up by whoever set up the Wi-Fi. These are fixable. Today. Without an IT degree.
Here are five areas where independent healthcare practices most commonly have gaps, what the HIPAA Security Rule actually requires, and what you can do about each one right now.
1. Email: the compliance gap hiding in plain sight
This is the area where the most practices are noncompliant without knowing it.
What the rule requires: The HIPAA Security Rule mandates transmission security — technical measures to guard against unauthorized access to ePHI during electronic transmission (Section 164.312(e)(1)). In practical terms, this means email containing PHI must be encrypted in transit, and the practice must have policies governing what can be sent via email and to whom.
What most practices get wrong: Conventional email — Gmail, Yahoo, Outlook.com personal accounts, and even many business email setups — does not meet HIPAA requirements for transmitting PHI by default. The messages may use TLS encryption in transit (most modern email providers do), but that TLS is opportunistic: the sending server encrypts only if the recipient's server also supports TLS, and the practice has no control over that. If the recipient's server does not support it, the message is transmitted in plaintext.
Beyond encryption, standard email lacks access controls (anyone with the password can read any message), audit logging (no record of who accessed what), and message recall capabilities (once sent, PHI cannot be retrieved).
What to do now:
- Never send PHI in the body of a standard email unless you have verified end-to-end encryption
- Use a HIPAA-compliant email service or encrypted email add-on that enforces TLS and provides a secure portal for recipients
- Implement policies that specify what types of information can be emailed and require encryption for any message containing identifiable patient data
- Train staff on what constitutes PHI in email — it is not just medical records; a patient's name combined with an appointment date is PHI
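The difference between opportunistic and enforced TLS delivery, as an added example that is not part of the original article: it models a sending server's decision with and without a published MTA-STS policy (RFC 8461), an enforcement mechanism the article does not name. The domain names, policy text and MX capabilities are constructed sample data.

```python
# Added example, not from the original article. Enforcement is modelled with an
# MTA-STS policy (RFC 8461); domain names and policy text are constructed samples.
# A receiving domain publishes this at https://mta-sts.<domain>/.well-known/mta-sts.txt
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mail1.clinic-example.test
mx: *.backup-mx.test
max_age: 604800
"""

def parse_mta_sts(text: str) -> dict:
    """Parse the key: value policy file; 'mx' may repeat, so collect it as a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value)
        else:
            policy[key] = value
    return policy

def mx_matches(pattern: str, host: str) -> bool:
    """An mx entry is an exact hostname or a single leading '*.' wildcard label."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return pattern == host

def delivery_decision(mx_host: str, offers_starttls: bool, policy: dict = None) -> str:
    """Opportunistic TLS (no policy): encrypt if the MX offers STARTTLS, else fall
    back to plaintext. Enforced (policy mode 'enforce'): the MX must be listed and
    offer STARTTLS; otherwise delivery is refused and queued, never downgraded."""
    if policy is None or policy.get("mode") != "enforce":
        return "tls" if offers_starttls else "plaintext"
    if not any(mx_matches(p, mx_host) for p in policy["mx"]):
        return "refused: MX not listed in policy"
    return "tls" if offers_starttls else "refused: STARTTLS unavailable"

if __name__ == "__main__":
    pol = parse_mta_sts(SAMPLE_POLICY)
    for host, tls in (("mail1.clinic-example.test", False), ("mx2.backup-mx.test", True)):
        print(host, "opportunistic:", delivery_decision(host, tls),
              "| enforced:", delivery_decision(host, tls, pol))
```

A HIPAA-compliant email service that "enforces TLS" behaves like the enforced branch: a recipient server that cannot negotiate TLS gets no plaintext message, which is exactly the downgrade conventional email permits.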
2. Cloud storage: compliant by configuration, not by default
What the rule requires: ePHI stored electronically must be protected by access controls (Section 164.312(a)), encryption (Section 164.312(a)(2)(iv) — addressable, but proposed to become required under the 2025 amendments), and audit controls (Section 164.312(b)).
What most practices get wrong: Cloud storage services like Google Drive, Dropbox, OneDrive, and iCloud are not inherently HIPAA-compliant. They can be made compliant — but only with specific configuration and a signed BAA.
The most common failures:
- Using a personal Google Drive or Dropbox account (no BAA available on free or consumer plans)
- Sharing folders with "anyone with the link" — this effectively publishes PHI to the internet
- Storing PHI without enabling the encryption-at-rest settings available in the platform
- No folder-level access controls — every staff member can access every document
What to do now:
- Upgrade to a business or enterprise plan that offers a BAA (Google Workspace, Microsoft 365 Business, Dropbox Business all offer BAAs)
- Sign the BAA — having it available is not the same as executing it; you must actively sign and store it
- Enable encryption at rest if it is not on by default
- Set folder permissions so access is limited to staff who need specific documents
- Disable "share by link" for any folder containing PHI
3. Mobile devices: the BYOD risk no one tracks
What the rule requires: The Security Rule requires device and media controls (Section 164.310(d)), workstation security (Section 164.310(c)), and access controls that extend to any device accessing ePHI.
What most practices get wrong: Staff use personal phones and tablets to access EHRs, check practice email, view schedules, and communicate about patients. This is Bring Your Own Device (BYOD), and in most practices, it happens with zero security controls.
A personal phone with access to the practice's EHR or email that is lost or stolen is a reportable breach, and in the typical case nothing mitigates it. The phone is unencrypted. There is no remote wipe capability. The practice has no inventory of which personal devices have access. The phone's lock screen might be a four-digit PIN — or nothing at all.
What to do now:
- Create a written BYOD policy that specifies which personal devices can access practice systems and under what conditions
- Require device encryption (enabled by default on modern iPhones; must be manually verified on Android devices)
- Require screen lock with biometric or six-digit PIN minimum
- Enable remote wipe capability on any device that accesses practice email or EHR
- Maintain an inventory of all personal devices with access to practice systems
- When a staff member leaves, revoke access on the same day — not the next billing cycle
4. Passwords and authentication: the front door
What the rule requires: Unique user identification (Section 164.312(a)(2)(i)) — every user must have a unique login. Emergency access procedures (Section 164.312(a)(2)(ii)). Automatic logoff (Section 164.312(a)(2)(iii)). The proposed 2025 amendments would add mandatory MFA.
What most practices get wrong: Shared logins are endemic in independent healthcare. "The front desk password" is a phrase that should not exist but does in thousands of practices. When everyone logs in as the same user, there is no audit trail, no accountability, and no way to identify who accessed a specific record.
Beyond shared credentials, password policies are frequently nonexistent. Staff choose simple passwords, reuse them across personal and professional accounts, and never change them. When a staff member leaves, their credentials often remain active for weeks or months.
What to do now:
- Eliminate all shared logins. Every staff member gets a unique username and password for every system. No exceptions.
- Require passwords of at least 12 characters. Length matters more than complexity.
- Enable MFA on every system that supports it. Your EHR, email, cloud storage, and practice management software almost certainly offer MFA. Turn it on.
- Enable automatic logoff after a defined period of inactivity — 10 to 15 minutes for clinical workstations, shorter for publicly accessible terminals
- Create a termination checklist that includes immediate credential revocation for departing staff
- Use a password manager — the practice should provide one so staff do not resort to sticky notes. The principle is the same as with a secure messaging tool such as Signal: give staff tools that make the secure path easier than the insecure one.
5. Backups and disaster recovery: the safeguard everyone skips
What the rule requires: Contingency planning (Section 164.308(a)(7)) including a data backup plan, disaster recovery plan, and emergency mode operation plan. This is a required — not addressable — specification.
What most practices get wrong: Many practices assume their EHR vendor handles backups. Some do. Some do not. And even when backups exist, practices rarely test them. A backup that has never been restored is not a backup — it is a hope.
Beyond EHR data, practices often have no backup strategy for email, documents, images (radiographs, clinical photos), or practice management data. When ransomware encrypts everything, recovery depends entirely on the quality and recency of backups.
What to do now:
- Confirm in writing with your EHR vendor that they perform regular encrypted backups and can restore data within a defined timeframe
- Implement the 3-2-1 backup rule: three copies of data, on two different types of media, with one copy stored offsite or in the cloud
- Test a restore at least once per year. Actually recover files from the backup and verify they are complete and usable.
- Document your disaster recovery plan: who does what, in what order, using what systems, if the primary systems are unavailable
- Include your backup strategy in your risk assessment — it is one of the most commonly overlooked items
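One way to make the annual restore test verifiable rather than a visual spot-check, as an added example that is not from the original article: record a SHA-256 manifest of the data at backup time and compare the restored tree against it, so a missing or silently altered file is reported. File names and contents are constructed sample data written to a temporary directory.

```python
# Added example, not from the original article: a verifiable restore test.
# Sample files, paths and contents are constructed in a temporary directory.
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 of every file under root, recorded at backup time."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest. All three lists empty means
    the restore is complete and byte-for-byte identical to what was backed up."""
    found = build_manifest(restored)
    return {
        "missing": sorted(set(manifest) - set(found)),
        "altered": sorted(p for p in manifest if p in found and found[p] != manifest[p]),
        "extra": sorted(set(found) - set(manifest)),
    }

def run_restore_test() -> tuple:
    """Backup -> restore -> verify, then damage the restored copy and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src, backup, restored = (Path(tmp) / n for n in ("source", "backup", "restored"))
        (src / "charts").mkdir(parents=True)
        (src / "charts" / "visit-notes.txt").write_text("constructed sample record\n")
        (src / "schedule.csv").write_text("date,room\n2024-01-02,A\n")
        manifest = build_manifest(src)          # keep this alongside the backup
        shutil.copytree(src, backup)            # the backup copy
        shutil.copytree(backup, restored)       # the restore exercise
        clean = verify_restore(manifest, restored)
        # Simulate a silently corrupted or incomplete restore; the check must flag it
        (restored / "schedule.csv").write_text("date,room\n")
        (restored / "charts" / "visit-notes.txt").unlink()
        broken = verify_restore(manifest, restored)
    return clean, broken

if __name__ == "__main__":
    clean, broken = run_restore_test()
    print("clean restore:", clean, "\ndamaged restore:", broken)
```

Store the manifest with the offsite copy from the 3-2-1 rule; a restore that passes this check is the evidence to attach to the risk assessment.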
Where to go from here
Electronic compliance is not a single project with a finish line. It is a set of ongoing operational practices that become part of how the office runs. Start with the area where you know you have the biggest gap — for most practices, that is email or shared logins — and work through the rest over the next 30 to 60 days.
The HIPAA compliance checklist provides a structured roadmap that covers these technical safeguards and more. The ePHI data flow mapper helps you identify exactly where electronic PHI lives in your practice and how it moves between systems — which is the foundation for everything else.
Healthcare breaches cost an average of $9.8 million per incident (IBM, 2024). Attacks on independent providers have risen 6x since 2021. The technical safeguards are not optional, and the enforcement environment is only getting stricter. But the good news is that most of what needs to be done is within reach — no IT department required.
