What HIPAA Compliant IT Services Must Cover for Medical Practices

Medical practices that rely on IT service providers to manage their technology infrastructure are making a decision that carries direct HIPAA compliance implications. The IT provider who manages your systems, stores your electronic protected health information, or has access to systems containing ePHI is a business associate under HIPAA. The services they provide must address the specific requirements of the HIPAA Security Rule, not just general IT best practices.

The gap between general IT services and HIPAA compliant IT services is not primarily a documentation gap. It is a substantive gap in what the services cover, how they are structured, and what the provider is contractually accountable for. Medical practices that do not understand this gap frequently assume their IT provider is covering HIPAA requirements when the provider is delivering competent general IT services that do not specifically address the Security Rule.

This article covers what HIPAA compliant IT services must substantively address for medical practices, how to evaluate whether your current IT provider is actually providing HIPAA compliant services, and what the consequences are when the gap exists.

The Business Associate Relationship and What It Requires

Any IT service provider who creates, receives, maintains, or transmits electronic protected health information on behalf of a covered entity is a business associate. For medical practices, this includes managed IT providers, cloud service providers who host systems containing ePHI, email service providers if email contains ePHI, and any other technology vendor with access to patient data.

The business associate relationship requires a signed Business Associate Agreement that specifies the permitted uses and disclosures of ePHI, the safeguards the business associate will implement, the reporting obligations when a breach occurs, and the return or destruction of ePHI upon termination. A BAA is a legal prerequisite for the relationship. It is not evidence that the relationship is HIPAA compliant. A BAA with an IT provider who does not actually implement the Security Rule requirements the agreement references does not protect the medical practice. It creates a contractual obligation that is not being fulfilled.

Verify that a signed BAA is in place with every IT vendor who accesses ePHI, that the BAA specifies actual safeguards rather than containing only generic language about compliance, that it includes breach notification provisions with the 60-day notification timeline, and that it addresses what happens to ePHI when the relationship terminates. The article “What HIPAA is and why it matters for healthcare” provides the foundational framework that medical practices need to evaluate whether their business associate relationships satisfy the law’s requirements.

The HIPAA Security Rule: What IT Services Must Address

The HIPAA Security Rule establishes administrative, physical, and technical safeguards for electronic protected health information. HIPAA compliant IT services must address all three categories. Services that address only technical controls while leaving administrative and physical safeguards unaddressed are not providing HIPAA compliant coverage regardless of how sophisticated the technical controls are.

Administrative Safeguards

Administrative safeguards are the policies, procedures, and processes that govern how ePHI is managed. IT service providers play a significant role in supporting administrative safeguard implementation even though administrative safeguards are primarily the covered entity’s responsibility.

The Security Rule requires a security management process including risk analysis and risk management. HIPAA compliant IT services must support this process by conducting or supporting a documented risk analysis that identifies the threats and vulnerabilities to ePHI in the practice’s specific environment. A risk analysis that was completed once and not reviewed since the technology environment changed is not current and does not satisfy the requirement. The services must also maintain documentation of security measures implemented to reduce identified risks, support sanctions for workforce members who violate security policies, and provide review of information system activity through audit logs and security monitoring.

IT services that are HIPAA compliant support the practice’s workforce training requirements by providing training on the specific systems and technologies that handle ePHI. Employees who use systems containing patient data without training on how those systems protect ePHI represent a compliance gap that IT services should support closing.

The Security Rule also requires contingency plans covering data backup, disaster recovery, emergency mode operation, testing and revision procedures, and applications and data criticality analysis. HIPAA compliant IT services must include a documented data backup plan that creates and maintains retrievable exact copies of ePHI with tested restoration, a disaster recovery plan that specifies how ePHI systems will be restored after a disaster with testing documentation, and an emergency mode operation plan that enables continuation of critical business processes while operating in emergency mode. Disaster recovery services built specifically for healthcare environments address the HIPAA contingency planning requirement with the backup isolation and tested restoration documentation that the standard requires.

Physical Safeguards

Physical safeguards protect physical access to systems containing ePHI. IT services must address both the physical security of systems the IT provider manages and the guidance they provide to the practice for physical security of in-office systems.

Policies and procedures must limit physical access to systems containing ePHI to authorized individuals. For practices using managed hosting or cloud services, the provider’s data center physical security controls must meet this requirement. For on-premises systems, the practice’s facility security procedures must be documented and the IT provider should be advising on their adequacy.

Every workstation that accesses ePHI must have documented policies governing its use and physical safeguards appropriate to its location. IT services that are HIPAA compliant include workstation configuration that enforces automatic screen locks, prevents unauthorized physical access, and implements appropriate session timeout policies.

The Security Rule requires policies for the movement and disposal of devices and media containing ePHI. HIPAA compliant IT services must cover media sanitization procedures that ensure ePHI is securely destroyed before hardware is disposed of, repurposed, or returned to vendors; mobile device management for smartphones, tablets, and laptops that access ePHI including remote wipe capability; and documentation of device inventories so that the practice knows what devices contain ePHI and where those devices are.

Technical Safeguards

Technical safeguards are the security mechanisms that protect ePHI and control access to it. This is the area where IT services most directly provide compliance value and where the quality difference between HIPAA compliant IT services and general IT services is most visible.

The Security Rule requires technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights. HIPAA compliant IT services must implement unique user identification so that every person accessing ePHI can be identified and their activity tracked, since shared credentials that cannot be attributed to a specific individual are not compliant. They must implement automatic logoff that terminates sessions after a defined period of inactivity, encryption and decryption capability for ePHI at rest and in transit, and emergency access procedures that allow authorized personnel to access ePHI in emergencies while maintaining appropriate logging.

Hardware, software, and procedural mechanisms must record and examine activity in information systems containing ePHI. IT services must include audit log generation on all systems that contain or access ePHI, log retention that meets the six-year document retention requirement for HIPAA records, regular review of audit logs since log generation without review provides no actual security value, and alert configuration that identifies suspicious activity for investigation.
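As an added example (not code from the article or from Mindcore), the following Python review runs over a few constructed EHR access log lines and surfaces the findings this section and the later discussion of shared credentials call for: activity under shared or generic accounts, access outside business hours, and one user touching an unusual number of patient charts in a day. It also computes the six-year retention cutoff for the log records themselves. The log format, the list of generic account names, the business-hours window and the bulk threshold are assumptions constructed for the example.

```python
"""Review of EHR access audit log lines (added example, not code from the
article or from Mindcore).  Flags activity under shared or generic accounts,
access outside business hours, and one user touching an unusually large
number of patient records in a day, and computes the six-year retention
cutoff for the log records.  Log format and policy values are constructed
assumptions:  timestamp|user|patient_id|action
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample: routine activity, a shared account, an after-hours
# lookup, and one user exporting 25 different charts in one afternoon.
SAMPLE_LOG = "\n".join([
    "2024-03-04T08:15:02|jsmith|P1001|view",
    "2024-03-04T08:17:45|jsmith|P1002|view",
    "2024-03-04T09:02:11|frontdesk|P1003|view",   # shared credential
    "2024-03-04T22:41:09|rlee|P1005|view",        # outside business hours
] + [f"2024-03-04T13:{i:02d}:00|mchen|P2{i:03d}|export" for i in range(25)])

# Assumed practice policy (constructed for this example, not from the article).
GENERIC_ACCOUNTS = {"admin", "frontdesk", "nurse", "reception", "shared"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # access outside this window is flagged
BULK_THRESHOLD = 20                          # distinct patients per user per day
RETENTION_YEARS = 6                          # HIPAA documentation retention period


def parse_log(text):
    """Parse pipe-delimited lines into dicts, skipping blank or malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        ts, user, patient, action = parts
        entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "patient": patient, "action": action})
    return entries


def review(entries):
    """Return the users behind each finding category, sorted for stable output."""
    findings = {"shared_accounts": set(), "after_hours": set(), "bulk_access": set()}
    per_user_day = defaultdict(set)           # (user, date) -> patient ids touched
    for e in entries:
        if e["user"].lower() in GENERIC_ACCOUNTS:
            findings["shared_accounts"].add(e["user"])
        if not BUSINESS_HOURS[0] <= e["ts"].time() < BUSINESS_HOURS[1]:
            findings["after_hours"].add(e["user"])
        per_user_day[(e["user"], e["ts"].date())].add(e["patient"])
    for (user, _day), patients in per_user_day.items():
        if len(patients) >= BULK_THRESHOLD:
            findings["bulk_access"].add(user)
    return {k: sorted(v) for k, v in findings.items()}


def retention_cutoff(as_of):
    """Oldest timestamp whose audit records must still be on hand as of `as_of`."""
    try:
        return as_of.replace(year=as_of.year - RETENTION_YEARS)
    except ValueError:                        # 29 Feb with no leap day six years back
        return as_of.replace(year=as_of.year - RETENTION_YEARS, day=28)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for category, users in review(entries).items():
        print(f"{category}: {users or 'none'}")
    print("retain audit records back to", retention_cutoff(entries[-1]["ts"]).date())
```

Each flagged user is a review item for a named person to investigate and document, which is the step the article says turns log generation into actual security value.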

Mechanisms must exist to corroborate that ePHI has not been altered or destroyed in an unauthorized manner. IT services should include file integrity monitoring for critical ePHI repositories, verification procedures that confirm data backup integrity, and protection against unauthorized modification through access controls and monitoring.

ePHI transmitted over electronic communications networks must be protected from unauthorized access. HIPAA compliant IT services must ensure encryption of ePHI in transit using current encryption standards, since unencrypted email containing ePHI is a consistent source of HIPAA violations. They must also provide secure remote access through encrypted VPN or equivalent technology for employees who access ePHI remotely, and email security controls that prevent ePHI from being transmitted without encryption to external parties.

What HIPAA Compliant IT Services Must Specifically Cover: A Practice-Level View

Translating the Security Rule requirements into what IT services must actually deliver for a medical practice produces a specific list of capabilities that go beyond what general IT services provide.

Risk Analysis Support

HIPAA compliant IT services include conducting or supporting an annual risk analysis of the practice’s ePHI environment. The risk analysis must be documented, must identify specific threats and vulnerabilities, must assess the likelihood and impact of each, and must produce prioritized remediation recommendations. A risk analysis conducted by an IT provider who manages the practice’s systems but is not specifically trained in HIPAA Security Rule interpretation produces incomplete findings. HIPAA compliant providers have the specific knowledge to identify HIPAA-relevant risks, not just general IT risks. A structured IT risk assessment that maps findings to specific Security Rule standards gives practices the documented evidence that OCR investigations and HIPAA audits require.

Encrypted Backup With Tested Restoration

Backup services for medical practices must encrypt ePHI at rest in backup storage and must be tested through actual restoration to confirm recoverability. The HIPAA requirement for retrievable exact copies of ePHI means that untested backups, backups without encryption, and backups stored in locations accessible through the same credentials that might be compromised in an attack do not satisfy the requirement. HIPAA compliant IT services include quarterly or more frequent backup restoration testing with documented results showing what was tested, the test date, and whether the restoration was successful.
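As an added example (not code from the article, Mindcore or any backup product), the following Python script exercises the tested-restoration requirement described here and in the contingency planning section: it backs up constructed sample files with a SHA-256 manifest, restores them into a separate directory, verifies every file, and returns a record of the test date, what was tested and the outcome, including the case where the archive itself is damaged. Encrypting the archive at rest is assumed to be the backup tool's job and is outside this check.

```python
"""Backup restoration test that yields a documented result (added example,
not code from the article, Mindcore or any backup tool).  Constructed sample
files are archived with a SHA-256 manifest, restored into a separate
directory and checked file by file.  Encryption of the archive at rest is
assumed to be handled by the backup tool; this only proves the copy is a
retrievable exact copy."""
import hashlib, os, tarfile, tempfile, zlib
from datetime import datetime, timezone


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path):
    """Archive src_dir; return {relative_path: sha256} as the restore manifest."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _dirs, files in os.walk(src_dir):
            for name in files:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    return manifest


def restore_and_verify(archive_path, manifest, restore_dir):
    """Restore the archive and compare every file to the manifest; the returned
    dict is the test record (what, when, outcome) to keep as evidence."""
    record = {"test_date": datetime.now(timezone.utc).isoformat(),
              "archive": os.path.basename(archive_path),
              "files_tested": len(manifest), "files_failed": [], "success": False}
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                tar.extractall(restore_dir, filter="data")  # safe-extraction filter
            except TypeError:                               # Python without filter arg
                tar.extractall(restore_dir)
    except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
        record["error"] = f"{type(exc).__name__}: {exc}"   # archive not recoverable
        return record
    for rel, digest in manifest.items():
        restored = os.path.join(restore_dir, rel)
        if not os.path.isfile(restored) or sha256_file(restored) != digest:
            record["files_failed"].append(rel)
    record["success"] = not record["files_failed"]
    return record


def run_restore_test(damage_archive=False):
    """End-to-end run on constructed data; damage_archive=True truncates the
    archive to show how a failed restoration is recorded."""
    with tempfile.TemporaryDirectory() as work:
        src, restore = os.path.join(work, "src"), os.path.join(work, "restore")
        os.makedirs(os.path.join(src, "charts"))
        with open(os.path.join(src, "charts", "P1001.txt"), "w") as f:
            f.write("constructed sample chart text, not real patient data\n" * 40)
        with open(os.path.join(src, "schedule.csv"), "w") as f:
            f.write("date,patient_id,visit\n2024-03-04,P1001,follow-up\n")
        archive = os.path.join(work, "ephi-backup.tar.gz")
        manifest = make_backup(src, archive)
        if damage_archive:
            with open(archive, "r+b") as f:
                f.truncate(os.path.getsize(archive) // 4)
        return restore_and_verify(archive, manifest, restore)
```

The returned record is the artifact to file for each quarterly test; a backup that only ever reports "job completed" never produces the failure case this run demonstrates.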

Multi-Factor Authentication

Multi-factor authentication is not explicitly named in the Security Rule text, which predates its widespread use. However, MFA is the access control mechanism that most directly addresses the unauthorized access threat that the access control standard requires protection against. HHS guidance and OCR enforcement patterns consistently reflect the expectation that medical practices implement MFA on systems containing ePHI. HIPAA compliant IT services implement MFA on practice management systems, EHR systems, email systems, remote access, and any other system that contains or accesses ePHI.

Secure Email and Communications

Email that contains ePHI must be encrypted in transit to external recipients who are not on the same email system as the practice. Practices that email unencrypted patient information to referring physicians, patients, or insurance companies are creating HIPAA violations with every such email regardless of whether a breach occurs. HIPAA compliant IT services include secure email solutions that encrypt messages containing ePHI automatically or through a simple user action, with recipient access that does not require the recipient to be on the same email platform.

Mobile Device Management

Mobile devices including smartphones and tablets that access ePHI through email, EHR apps, or other means must be managed through a mobile device management platform that enforces security policies and enables remote wipe if a device is lost or stolen. HIPAA compliant IT services include MDM enrollment and policy enforcement for all devices that access practice ePHI, including devices owned by physicians and staff who access practice systems from personal devices.

Endpoint Security With Healthcare-Relevant Configuration

Endpoint security for medical practices must account for the specific threat landscape facing healthcare organizations, which are consistently among the most targeted sectors for ransomware. HIPAA compliant IT services include endpoint detection and response tools with configuration specific to healthcare environments, not just general-purpose antivirus. Managed security services that include healthcare-specific EDR configuration and 24/7 monitoring address the continuous detection requirement that general endpoint protection does not provide.

Security Awareness Training

The Security Rule requires workforce training on security policies and procedures as a condition of employment and when there are material changes to the security program. HIPAA compliant IT services include or support annual security awareness training that covers the specific threats relevant to medical practices, including phishing, social engineering, and the proper handling of ePHI. Training that covers general cybersecurity topics without specific healthcare and HIPAA context does not fully satisfy the workforce training standard.

Incident Response With HIPAA-Specific Procedures

HIPAA compliant IT services include incident response capability with procedures specific to HIPAA breaches. This means the incident response procedures include the breach risk assessment using the four-factor analysis required by HIPAA, notification procedures within the 60-day timeline for individuals, HHS, and media where applicable, and documentation of the breach and response. General incident response capability without HIPAA-specific breach assessment and notification procedures does not satisfy the requirements that activate when a security incident involves ePHI. The article “What a complete cyber incident response plan must include” provides the framework that medical practices should verify their IT provider can execute when a security event involves patient data.

Patch Management

Security patches must be applied to systems containing ePHI within defined timeframes. Unpatched systems with known vulnerabilities represent a risk that OCR investigations consistently identify as a failure to implement reasonable and appropriate safeguards. HIPAA compliant IT services include documented patch management procedures with defined patch application timelines and evidence that patches are being applied as scheduled.

Common Gaps in IT Services That Are Not Actually HIPAA Compliant

Medical practices that believe their IT services are HIPAA compliant frequently have providers whose services cover most IT needs but miss specific HIPAA requirements.

No documented risk analysis is one of the most common gaps. IT providers who have never conducted or supported a formal HIPAA risk analysis for the practice are leaving one of the foundational Security Rule requirements unmet. A risk analysis is not optional and cannot be satisfied by a general security review that does not specifically address HIPAA threats and vulnerabilities.

Backup without encryption or testing is another frequent gap. Backup services that do not encrypt ePHI at rest or that have never been tested through actual restoration are not meeting the HIPAA contingency planning requirement even if backups are running correctly. No BAA in place with IT vendors who access ePHI means the relationship is operating outside the HIPAA framework regardless of how good the provider’s security practices are.

Shared credentials on practice management systems or EHR systems cannot satisfy the unique user identification requirement. Every person who accesses ePHI must have individual credentials. Audit logs that are generated but never reviewed provide no security value and no compliance value. And practices that email patient information without encryption to external recipients are creating HIPAA violations systematically, a gap that an IT provider who has not addressed secure email is leaving unresolved.

Meet Our CEO, Matt Rosenthal

With more than 30 years of experience in business and technology leadership, Matt Rosenthal has guided healthcare organizations through HIPAA Security Rule implementation and the selection and evaluation of IT service relationships that meet the specific requirements that healthcare creates. As President and CEO of Mindcore Technologies, Matt leads a team that provides HIPAA compliant managed IT services and cybersecurity compliance support for medical practices across the country.

Matt’s approach to HIPAA compliant IT services is grounded in the recognition that compliance is not a feature that IT services either have or do not have. It is a set of specific substantive requirements that must be verifiably met through documented implementation, regular assessment, and accountability structures that general IT service relationships frequently do not include.

Frequently Asked Questions

Does using an EHR system that is HIPAA compliant mean our IT services are HIPAA compliant?

No. A HIPAA compliant EHR system handles the ePHI within that specific application according to HIPAA requirements. It does not address the security of the network through which the EHR is accessed, the workstations that run the EHR application, the email system that staff use to communicate about patients, the backup systems that preserve ePHI, or the physical security of the devices that access the EHR. All of these are covered by the Security Rule and must be addressed by HIPAA compliant IT services independent of the EHR platform’s own compliance status.

How often should a HIPAA risk analysis be conducted?

The Security Rule requires a risk analysis when the security environment changes materially, which in practice means at minimum annually for most medical practices given the rate of change in technology environments and the threat landscape. Risk analyses should also be triggered by significant events including adoption of new technology systems, changes in practice location, workforce changes that affect ePHI access, and security incidents. An IT provider who conducted a risk analysis at the beginning of a client relationship but has not updated it since the practice adopted a new EHR or moved to cloud-based systems has not maintained current compliance support.

What happens if an IT provider causes a HIPAA breach?

When a business associate causes a breach of unsecured ePHI, the covered entity, the medical practice, has notification obligations to affected patients, HHS, and potentially media. The practice may also face OCR investigation and potential civil monetary penalties. OCR enforcement actions have included penalties against covered entities for inadequate oversight of business associates, meaning the practice cannot simply point to the IT provider as the responsible party. The practice bears regulatory accountability for ensuring its business associates comply with HIPAA. The article “Ransomware in healthcare and how to stay HIPAA compliant” covers the specific breach response and notification obligations that activate when ePHI is compromised through a security incident.

Does HIPAA require specific certifications for IT service providers working with medical practices?

HIPAA does not require IT service providers to hold specific certifications. It requires that covered entities enter into BAAs with their business associates and that those business associates implement appropriate safeguards. There is no government-issued HIPAA certification for IT providers. Providers who claim to be HIPAA certified are typically referring to internal assessments or third-party audits against HIPAA frameworks, not government certification. Evaluating a provider’s actual HIPAA compliance posture requires reviewing their specific practices, not their certification claims.

What are the financial consequences of HIPAA non-compliance for medical practices?

OCR can impose civil monetary penalties ranging from $100 to $50,000 per violation category per year, with a maximum of $1.9 million per violation category per year. The penalty tier depends on the level of culpability, from violations where the practice did not know and could not have known with reasonable diligence, up to violations resulting from willful neglect that is not corrected. State attorneys general can also impose penalties under state law. Beyond financial penalties, breaches trigger notification costs, legal fees, and reputational consequences that affect patient relationships and practice revenue. The article “The true cost of HIPAA non-compliance” details the full financial exposure that medical practices carry when Security Rule requirements are not met.

Verify Your IT Services Actually Cover What HIPAA Requires

Medical practices cannot assume that IT services marketed as HIPAA compliant actually address the full scope of Security Rule requirements. The verification requires asking specific questions about what is covered, reviewing documentation of what has been implemented, and confirming that ongoing activities like risk analysis, backup testing, and log review are actually occurring rather than just described in marketing materials.

Mindcore’s managed IT services and cybersecurity compliance services provide medical practices with IT support that specifically addresses the HIPAA Security Rule requirements that practice-facing healthcare IT must cover. If your practice wants to assess whether your current IT services are meeting HIPAA requirements or needs to build a compliant IT foundation, contact Mindcore to begin that assessment.
