HIPAA

When a practice reports a breach, the first document the Office for Civil Rights asks for is the security risk analysis. Not the firewall invoice, not the antivirus license, not the binder of policies someone bought in 2019. The risk analysis, and the records showing the practice actually acted on what it found. Most of the HIPAA trouble we see starts right there: the analysis is years stale, or it was a questionnaire a vendor filled out in an afternoon, or it exists but nothing in the live environment matches it.

That gap between the paperwork and the systems is the whole problem, and it’s the problem we’re built to close. We run the IT for medical and dental practices across Wichita and Southcentral Kansas, and we run HIPAA as part of the same engagement: the risk analysis, the safeguards it calls for, and the documentation that proves both, owned by one team so they can’t drift apart.

Who carries the obligation

HIPAA reaches further than most owners assume. Covered entities are the obvious ones: medical practices, dental practices, behavioral health providers, anyone who transmits health information electronically in connection with claims. But the rule also reaches business associates, the vendors and contractors who touch protected health information on a covered entity’s behalf. Billing companies, IT providers, transcription services, cloud platforms. If your practice hands PHI to a vendor without a business associate agreement in place, that’s a violation before anything has even gone wrong.

Size buys no exemption. OCR enforcement in the last two years has reached single-location providers, a treatment center, small specialty clinics. The agency’s Risk Analysis Initiative exists specifically to enforce the foundational requirement, and its settlement list is not a list of hospital systems.

That matters here, because Wichita’s healthcare market is built out of exactly the organizations that list describes: independent dental groups running two or three locations, physician-owned specialty clinics, behavioral health providers, practices that added a second office in Andover or Augusta without ever revisiting a security program sized for one. Every added location, associate dentist, and remote billing arrangement widens the environment, and the risk analysis is supposed to widen with it. In practice it usually doesn’t.

What the Security Rule actually requires

The Security Rule organizes its safeguards into three families, and all three land on IT in practice.

Administrative safeguards are the operating discipline: the risk analysis required by 45 CFR 164.308(a)(1)(ii)(A), a risk management process that acts on the findings, workforce training, access management, and a contingency plan that gets tested rather than filed. This is where most practices fail, because these safeguards have to be maintained, not installed.

Physical safeguards cover the rooms and the machines: facility access, workstation placement and security, and device and media controls, which include what happens to the hard drive inside a retired workstation or the copier that stored every scan it ever made.

Technical safeguards are the controls inside the systems: unique user identification, access controls matched to role, audit logging that can actually answer who looked at what, integrity controls, and encryption of electronic PHI in transit and at rest. Encryption currently sits in the rule as an addressable specification, which too many practices have read as optional. It was never optional in practice: an unencrypted lost laptop is a reportable breach, an encrypted one generally is not. That single distinction has decided the outcome of more incidents than any other control.

What enforcement looks like right now

OCR’s enforcement posture has shifted from education to volume. The Risk Analysis Initiative, launched in late 2024, had completed its 13th investigation by spring 2026, and the agency settled four separate ransomware investigations in April 2026 alone, more than a million dollars in penalties across organizations whose breaches together affected over 427,000 people. The pattern in nearly every resolution agreement is the same finding: the organization could not produce an accurate, thorough, current risk analysis covering everywhere ePHI lived.

The settlements that should worry a practice owner are not the headline ones. An Illinois treatment center settled for $103,000 with a two-year corrective action plan. Numbers like that don’t bankrupt a practice, but the corrective action plan that comes with them puts the organization under OCR monitoring for years, and the breach notification that preceded it already did the reputational damage with every patient on the mailing list.

OCR also isn’t the first examiner most practices meet anymore. Cyber insurance carriers now ask Security Rule questions at every renewal: whether multifactor authentication is on, when the risk analysis was last done, whether the backup has ever been restored as a test. Many practices first discover a compliance gap when an insurance application asks questions nobody in the office can confidently answer, and the premium, or the declination, prices that gap years before a regulator would.

The Security Rule update in motion

A major rewrite of the Security Rule has been proposed but not finalized. The January 2025 proposal would make encryption and multifactor authentication mandatory rather than addressable, require a documented asset inventory and network map, and add regular penetration testing and tighter incident response expectations. As of mid-2026 the final rule has not issued and the timeline keeps moving, so confirm the current status before treating any of it as binding.

The operator’s read on that uncertainty: it changes nothing. Every control in the proposal is something a well-run practice should already have, and building them on your own schedule costs less than building them inside the roughly 240-day compliance window the proposal contemplates. Practices that build to the proposed baseline now are done either way.

The pattern we keep finding

When we assess a practice’s environment before taking it over, the gap is rarely a missing firewall. It’s the front-desk employee who forwards patient paperwork to a personal email account to finish from home, putting PHI outside every control the practice thought it had. It’s the imaging workstation that was replaced three years ago while the risk analysis still describes the retired one. It’s the business associate agreement nobody can locate for the billing vendor that’s had remote access for six years, and the contingency plan that has never restored a single file as a test. Each one is invisible until a breach, an audit, or an insurance application makes it very visible. The practice manager usually knows something is stale. What’s missing is a team whose job is to keep it current.

Why the documentation and the systems have to live together

HIPAA compliance is documentation about systems. Split them between a compliance consultant and an IT vendor and the two drift apart the month after the engagement ends: the consultant’s policies describe controls the IT vendor never implemented, and the IT vendor changes systems the policies never hear about. We don’t take on HIPAA work as a standalone project for the same reason we don’t do it for CMMC. The risk analysis, the safeguards, and the Managed IT Services engagement that operates them are one program with one owner. The security layer underneath it is described on our Cybersecurity page, the contingency planning side on our Business Continuity page, and how HIPAA sits alongside the other frameworks we run is on the Compliance Services hub.

Where to start

Book a 30-minute exploratory call. Bring what you have: the date of your last risk analysis if you know it, your EHR and billing vendors, and whatever your cyber insurance application asked that you weren’t sure how to answer. We’ll give you a straight read on where the practice stands, what OCR would ask for tomorrow, and what we’d address first. If your setup is in better shape than you feared, we’ll tell you that too.

Frequently asked questions

Does HIPAA really apply to a practice our size?

Yes. There is no small-practice exemption, and recent OCR enforcement includes single-location providers and small clinics. What changes with size is the scale of the program, not the existence of the obligation. A three-chair dental office needs a current risk analysis, signed business associate agreements, encryption, access controls, and tested backups, the same families of safeguards as a hospital, sized to the actual environment.

What is a security risk analysis, and how often do we need one?

It’s the documented assessment of where electronic PHI lives in your environment, what threatens it, and how likely and severe each risk is, required by 45 CFR 164.308(a)(1)(ii)(A). It is not a one-time document. It has to be reviewed and updated as the environment changes (a new EHR, a new location, a new vendor with access), and the risk management actions it triggers have to be documented too. It’s also the first document OCR requests after a breach, which is why an accurate, current one is the single highest-value piece of paper in your compliance program.

Our EHR vendor says they’re HIPAA compliant. Doesn’t that cover us?

No. A vendor’s compliance covers the vendor’s side of the relationship, and only if a business associate agreement is actually in place. Your practice still owns its own risk analysis, its own access controls, its own training, its own devices, and its own breach notification duties. The EHR is one system among many that touch PHI in a practice: email, the practice management system, the imaging workstation, the billing service, the backup platform. Vendor compliance is one input, not a transfer of responsibility.

What’s changing with the HIPAA Security Rule update?

A proposed rule published in January 2025 would make encryption and multifactor authentication mandatory, require an asset inventory and network map, and add regular penetration testing and tighter incident response expectations. As of mid-2026 it has not been finalized and the timeline is uncertain. Our advice doesn’t hinge on the outcome: every proposed control is current best practice, and building to it now costs less than building to it under a regulatory deadline later.

Can you handle our HIPAA compliance without taking over our IT?

We bundle HIPAA work with Managed IT Services, because the documentation and the live systems have to be owned by one team or they stop matching. If you have an internal IT person, Co-Managed IT covers that split with the responsibilities documented. What we don’t do is write policies for an environment another vendor operates, because that’s how a practice ends up with a binder that describes a network that doesn’t exist.
