Patient Protect

HIPAA compliance explained

What is HIPAA compliance?

The gap between what you think is protected and what actually is.

HIPAA compliance is a set of continuous administrative, physical, and technical safeguards that most independent practices have never fully implemented.

The three rules

HIPAA stands on three pillars. Most practices only address one.

The Privacy Rule

Who can access PHI and under what conditions

Establishes national standards for the protection of individually identifiable health information. Applies to covered entities and business associates.

Where practices fall short

Most practices have a privacy policy but have not operationalized it — staff do not know the minimum necessary standard, and there is no enforcement mechanism in the workflow.

The Security Rule

How ePHI must be protected across systems

Requires administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information.

Where practices fall short

This is where independent practices have the widest gap. Encryption, access controls, audit logging, and risk assessments are required — but most offices rely on their EHR vendor and hope for the best.

The Breach Notification Rule

What happens after a breach occurs

Requires notification to affected individuals within 60 days, notification to HHS, and for breaches affecting 500+ individuals, notification to local media.

Where practices fall short

If your practice cannot detect a breach within days, the 60-day notification clock becomes a compliance failure before you even begin responding.

What this means in practice

The gap between policy and operations is where breaches happen.

Compliance is a continuous operating state

HIPAA does not recognize a compliance 'completion date.' The regulation requires ongoing assessment, monitoring, and remediation. A practice that was compliant last year may not be compliant today.

Documentation without enforcement is a liability

Having policies on paper means nothing if staff do not follow them. OCR audits focus on operational evidence — who accessed what, when training was completed, how incidents were handled.

Your vendors are your responsibility

Every vendor that touches ePHI must have a Business Associate Agreement. If a vendor is breached and you do not have a signed BAA, the liability falls on your practice.

Small practices are not exempt

There is no size threshold for HIPAA compliance. A solo dental office has the same regulatory obligations as a hospital system — with a fraction of the resources.

FAQ

Common questions about HIPAA compliance.

Is HIPAA compliance a one-time requirement?

No. HIPAA requires continuous compliance — ongoing risk assessments, regular training, policy reviews, and active monitoring. A one-time assessment does not satisfy the regulation.

What happens if my practice is not HIPAA compliant?

Penalties range from $100 to $50,000 per violation (up to $1.5 million per year per category). Beyond fines, breaches cause patient lawsuits, reputational damage, and — for small practices — closure. 35-40% of small practices close within two years of a breach.

Do I need to hire a consultant to become compliant?

Not necessarily. Platforms like Patient Protect replace the consultant model with automated workflows, continuous monitoring, and built-in training — at a fraction of the cost.

Next step

Now you know what HIPAA requires. Find out where your practice actually stands.