You wouldn’t assume that a reimbursement check’s really in the mail, that a patient who says “I’ll call to reschedule” actually will, or that “training complete” always means “training passed.”
So why assume your practice is fully HIPAA compliant when the cost of being wrong could be $1.5 million in fines and your reputation?
Because compliance is complicated, too many practices assume IT has them completely covered (they don’t). Some overlook physical security (they shouldn’t). And others underestimate the critical role of administrative safeguards.
It’s a costly lesson learned by some practices: Covering compliance isn’t about checking boxes. It’s about fostering a culture of protection for patient data, your people, and your practice — all committed to continual improvement.
HIPAA 101: A reminder of what you need to know
Whether you’re new to HIPAA or need a refresher, here are some of its key terms and concepts.
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a U.S. federal law that sets standards for protecting patient information and defines who can access, share, or store it.
What is HIPAA compliance?
HIPAA compliance means meeting the legal and procedural requirements for safeguarding protected health information (PHI). Compliance applies not just to electronic data, but to every form of PHI — written, verbal, or digital.
What is the HIPAA Security Rule?
The Security Rule governs how providers must protect electronic PHI (ePHI) from breaches, loss, or unauthorized access. It requires every covered entity and business associate to maintain technical, physical, and administrative safeguards — and to document how those safeguards are managed and reviewed.
Who enforces HIPAA?
The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), enforces HIPAA compliance. When practices fall short, OCR can issue corrective actions or financial penalties.
How assumptions compromise compliance
Being unaware of a HIPAA gap doesn’t protect you from its consequences, so don’t get lulled into a false sense of security. Here are some of the most dangerous myths that put practices at risk:
| HIPAA Myth | HIPAA Reality |
|---|---|
| Once you’re compliant, you’re always compliant. | Compliance is a continuing obligation: monitor, reassess after any change to systems, vendors, or workflows, and document what you did and when. |
| Small practices aren’t audited. | Covered entities of every size must meet the same standards, and OCR investigates complaints and breach reports from practices of any size. |
| We’re good because all our data is encrypted and stored in the cloud. | Encryption is one technical safeguard. You still need a signed BAA with the cloud provider, access controls and audit logs on your side, and a risk assessment that covers the cloud service. |
| If a patient verbally authorizes another person to access their PHI, you’re covered. | A verbal OK is not enough. You need a signed Authorization to Release Protected Health Information on file before sharing a patient’s PHI with the person they named. |
| IT handles HIPAA. | IT typically covers only the technical safeguards. Physical and administrative safeguards (policies, training, BAAs, the risk assessment) remain the practice’s responsibility. |
| Our EMR says it’s HIPAA compliant. | No software is compliant on its own. A vendor’s claim covers at most its own technical controls; you still need a BAA with the vendor plus your own physical and administrative safeguards. |
The three HIPAA safeguards every practice must manage
The HIPAA Security Rule defines three safeguard categories that work together to protect patient information: technical, physical, and administrative.
1. Technical safeguards keep digital data secure
These are what most people think of when they hear “HIPAA compliance.” IT providers play a crucial role, but their work alone doesn’t equal full compliance.
Examples include:
- Encrypting email and any other transmission that carries PHI
- Strong, unique credentials and password management (no shared logins)
- Role-based access, so staff see only the ePHI their job requires
- Firewalls, antivirus and malware protection, and audit logs of who accessed ePHI and when
Technical safeguards are essential — but on their own, they’re not enough.
2. Physical safeguards protect your office and offline information
Often overlooked, physical safeguards matter just as much as technology. They ensure your practice’s environment supports compliance.
Examples include:
- Securing offices, paper files, and equipment
- Restricting access to back-office areas
- Privacy filters on screens, and locking workstations whenever they are unattended
- Device and media controls for laptops, phones, and USB drives, including secure disposal when they leave service
Many compliance gaps start here — not from hackers, but from unlocked doors or unattended screens.
3. Administrative safeguards frame the structure to support compliance
Administrative safeguards are the backbone of compliance. They define how your organization trains staff, documents policies, and maintains oversight across all other safeguards.
Examples include:
- Conducting a risk assessment and updating it at least annually and whenever systems, vendors, or workflows change
- Maintaining Business Associate Agreements (BAAs) with every vendor that handles PHI on your behalf
- Documenting policies and procedures, and retaining that documentation for the six years the Security Rule requires
- Training staff and building a culture of compliance
- Establishing incident response and contingency plans, including data backup, disaster recovery, and emergency operations
Without these processes, even the best security technology can’t ensure compliance.
Why the HIPAA risk assessment matters (and what to do about it)
If OCR audits or investigates your practice (after a breach report or a patient complaint, for example), one of the first questions the investigator will ask is:
“Do you have a current HIPAA risk assessment?”
This assessment is not optional. It is a required implementation specification of the Security Rule, and the lack of one is among the failures OCR cites most often in enforcement actions. Without it, you can’t show where you’re protected and where you’re not.
In one case, a healthcare organization paid $1.5 million after a subcontractor’s stolen laptop exposed PHI, not because of the theft itself, but because there was no signed BAA documenting the subcontractor’s responsibility for that data. One missing document led to a seven-figure penalty.
For a clear picture of your practice’s protection, you can use software like Rectangle Health’s 267-question assessment, which saves your responses from year to year so you can show how your posture has changed. If you’re not ready to fully commit, you can start with its fast, free practice self-assessment tool.
Building a complete compliance program
Effective compliance requires balance. The technical, physical, and administrative safeguards must all work together — supported by policies, staff awareness, and continuous monitoring.
Practices that approach compliance as an ongoing program, not a one-time project, are best equipped to protect patients and to avoid costly penalties when an audit or investigation does come.
That’s where the right technology can help.
A culture of compliance: Make sure your practice is audit ready
Compliance isn’t just about ticking checkboxes to meet regulations. It’s about building confidence that every safeguard, technical, physical, and administrative, is in place, documented, and working.
Learn more about how Practice Management Bridge gives thousands of practices and healthcare organizations the visibility and assurance to prove it when an auditor calls.