HIPAA compliance is the body of administrative, physical, and technical safeguards required when handling Protected Health Information (PHI). Tennessee healthcare practices, dental offices, behavioral health providers, billing companies, and any vendor touching patient data must comply.
Who HIPAA applies to
- Covered entities: Healthcare providers (any size), health plans, healthcare clearinghouses
- Business associates: Anyone handling PHI on behalf of a covered entity — MSPs, billing companies, transcription services, cloud providers, EHR vendors
- Subcontractors of business associates — the chain extends
The HIPAA Security Rule (technical requirements)
- Access controls: unique user IDs and an emergency access procedure are required; automatic logoff and encryption/decryption of stored PHI are "addressable", which means implement them or document why an alternative is reasonable, not that they are optional
- Audit controls: record activity in every system that stores or uses PHI, and review those logs on a schedule (the review itself is a separate, administrative standard)
- Integrity controls: prevent improper alteration or destruction of PHI, with a way to verify that it has not happened
- Person or entity authentication: verify that a user or system requesting access is who it claims to be (passwords at minimum, MFA in practice)
- Transmission security: encrypt PHI in transit (TLS for web and API traffic, encrypted email or a secure portal for messages containing PHI)
- Risk analysis: a documented assessment of risks to PHI, repeated periodically and after major changes; formally an administrative safeguard, but it is what justifies every technical choice above
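The audit-control and unique-user-ID points above are abstract until you see what a log review actually looks for. The following Python script is an added example written for this page, not code from any EHR vendor, regulator, or the author: it parses a constructed access-log export and flags shared logins, after-hours access, and one user opening an unusual number of distinct charts, then answers the "who looked at my record?" question a patient complaint triggers. The log format, account names, clinic hours, and threshold are all assumptions.

```python
"""Review an EHR access audit log for the Security Rule signals listed above.

Added example for this page. The log format (ISO timestamp, user, action,
medical record number), the account names and the thresholds are all
constructed assumptions; a real EHR exports its own schema, and the
thresholds should be tuned per role and site.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample export; 2024-03-04 is a Monday, 2024-03-09 a Saturday.
SAMPLE_LOG = """\
2024-03-04T08:12:31 jsmith VIEW MRN-1001
2024-03-04T08:15:02 jsmith UPDATE MRN-1001
2024-03-04T09:40:10 frontdesk VIEW MRN-1042
2024-03-04T09:41:55 frontdesk UPDATE MRN-1042
2024-03-04T13:05:00 rlee VIEW MRN-1001
2024-03-04T13:06:10 rlee VIEW MRN-1002
2024-03-04T13:07:20 rlee VIEW MRN-1003
2024-03-04T13:08:30 rlee VIEW MRN-1004
2024-03-04T13:09:40 rlee VIEW MRN-1005
2024-03-04T16:30:00 jsmith VIEW MRN-1042
2024-03-04T23:17:45 rlee VIEW MRN-1077
2024-03-09T10:02:00 jsmith VIEW MRN-1001
"""

# Generic logins defeat the unique-user-ID requirement: you cannot tell who acted.
GENERIC_ACCOUNTS = {"frontdesk", "admin", "nurse", "reception", "shared"}
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)   # assumed clinic hours
DISTINCT_RECORD_THRESHOLD = 5   # distinct charts per user per review window


def parse_log(text):
    """Turn the whitespace-separated export into event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, mrn = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "mrn": mrn})
    return events


def is_after_hours(ts):
    """Weekend, or outside the assumed clinic hours on a weekday."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def review(events):
    """Three checks a log reviewer would run each cycle; returns the findings."""
    findings = {"shared_accounts": set(), "after_hours": [], "high_volume": {}}
    records_by_user = defaultdict(set)
    for e in events:
        if e["user"] in GENERIC_ACCOUNTS:
            findings["shared_accounts"].add(e["user"])
        if is_after_hours(e["ts"]):
            findings["after_hours"].append((e["user"], e["ts"].isoformat(), e["mrn"]))
        records_by_user[e["user"]].add(e["mrn"])
    # One user touching many distinct charts in a window is the classic
    # snooping indicator; the threshold is role-dependent.
    for user, mrns in records_by_user.items():
        if len(mrns) >= DISTINCT_RECORD_THRESHOLD:
            findings["high_volume"][user] = len(mrns)
    return findings


def accesses_to_record(events, mrn):
    """Every (user, timestamp) that touched one chart, in log order; this is
    what you pull when a patient asks who looked at their record."""
    return [(e["user"], e["ts"].isoformat()) for e in events if e["mrn"] == mrn]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    f = review(evts)
    print("shared accounts in use:", sorted(f["shared_accounts"]))
    print("after-hours access:", f["after_hours"])
    print("high-volume users:", f["high_volume"])
    print("who touched MRN-1001:", accesses_to_record(evts, "MRN-1001"))
```

On the constructed sample this reports the shared "frontdesk" login, two after-hours events (one late evening, one on a Saturday), and "rlee" opening six distinct charts. None of those is proof of a violation; they are the items a documented log review should investigate and close out, which is the evidence an auditor asks for.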
What practices actually need to do
- Sign Business Associate Agreements (BAAs) with every vendor that handles PHI, including your MSP, cloud backup provider, EHR, and Microsoft 365 (Microsoft includes a BAA in its standard terms for HIPAA-eligible plans; a BAA does not by itself make a service compliant, your configuration of it does)
- Implement full-disk encryption on workstations, servers, and mobile devices (BitLocker, FileVault, or the mobile platform's device encryption) with recovery keys escrowed; under the Breach Notification Rule, PHI on a lost or stolen device that was encrypted per HHS guidance is not "unsecured", so the loss is not a reportable breach, while an unencrypted device is
- Configure email encryption (or a secure patient portal) for any PHI sent externally, and enforce it rather than relying on opportunistic TLS between mail servers
- Run annual security risk analyses with documented remediation
- Train staff on HIPAA requirements at hire and annually
- Maintain incident response and breach notification procedures: affected individuals must be notified without unreasonable delay and within 60 days of discovery; breaches affecting 500 or more people are also reported to HHS and prominent local media at that time, smaller ones to HHS in an annual log
Penalties
HIPAA civil penalties are tiered by culpability, from $100 per violation where the entity did not know and could not reasonably have known, to $50,000 per violation for willful neglect that is not corrected, with an annual cap of $1.5M per identical provision violated. Those are the statutory base amounts; HHS adjusts them for inflation each year, so current figures are higher. State attorneys general can also bring actions under HITECH. The reputational damage from a breach typically exceeds the fines.
Have a different question?
Talk to a real engineer — free 30-minute consultation, no pressure pitch.
Ask Maverick
615-274-9555