HIPAA Compliance Tennessee.

/ 01The three HIPAA rules

"HIPAA" is shorthand for the Health Insurance Portability and Accountability Act of 1996 and its subsequent regulations. People say "HIPAA" but mean different parts depending on context. There are three rules you need to understand:

The Privacy Rule (45 CFR Part 164, Subpart E)

Governs who can access Protected Health Information (PHI) and under what circumstances. PHI is the actual medical information — diagnosis, treatment, payment data — in any form (paper, electronic, verbal). This rule is what your front-desk staff and clinical team operate under daily.

The Security Rule (45 CFR Part 164, Subpart C)

Governs how you protect electronic PHI (ePHI). This is the IT-relevant rule and the one this guide focuses on. It requires three categories of safeguards: administrative (policies, training, oversight), physical (facility security, workstation controls), and technical (encryption, access controls, audit logs).

The Breach Notification Rule (45 CFR Part 164, Subpart D)

Governs what you do when ePHI gets exposed inappropriately — who you notify, how fast, and in what format. The thresholds: notify affected individuals within 60 days. If the breach affects 500+ individuals, notify HHS and prominent media within 60 days. Smaller breaches get reported to HHS annually.

Enforcement is handled by OCR (Office for Civil Rights), an HHS sub-agency. Penalties range from $100 per violation (unknowingly violated) to $50,000 per violation (willful neglect, not corrected) with an annual cap of $1.5M per identical violation type. Multiple violation types stack.

/ 02Who HIPAA applies to

Two categories of entity must comply with HIPAA:

Covered Entities

Healthcare providers who transmit health information electronically in connection with covered transactions. In practice: any medical practice, dental practice, hospital, clinic, behavioral health provider, optometrist, physical therapist, or pharmacy that bills insurance or accepts electronic transactions. Practices that only accept cash and don't electronically bill anyone are technically not covered entities under HIPAA, though most state laws (including Tennessee) impose similar requirements separately.

Business Associates

Any vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity. This includes:

• IT companies and MSPs supporting medical practices
• Cloud storage providers, email providers, EHR vendors
• Billing companies, transcription services, accounts receivable
• Document shredding services that handle records
• Answering services that take patient messages
• Backup providers, cybersecurity vendors

Business associates have their own direct compliance obligations under the HIPAA Omnibus Rule (2013). If you're a covered entity, every business associate you use must sign a Business Associate Agreement (BAA) — see section 04 below.

/ 03The Security Rule walkthrough

The Security Rule's requirements are organized into three categories. Each requirement is either "required" (you must do it) or "addressable" (you must implement it OR document a reasonable alternative that achieves equivalent protection). Both types are technically mandatory — "addressable" doesn't mean optional.

Administrative Safeguards (§164.308)

Physical Safeguards (§164.310)

Technical Safeguards (§164.312)

/ 04Business Associate Agreements (BAAs)

A BAA is a contract between a covered entity and a business associate. It must include specific language required by §164.504. Every vendor that touches PHI on your behalf must sign one. Period.

Major vendors that will sign a BAA on request (you usually have to ask):

• Microsoft 365 Business Standard, Business Premium, E3, E5 (not free Outlook.com)
• Google Workspace Business Plus, Enterprise (not free Gmail)
• AWS, Azure, Google Cloud (paid tiers)
• Dropbox Business (not free), Box (Business tier+), OneDrive for Business
• Zoom Workplace (not free Zoom)
• Most reputable EHR vendors, billing companies, faxing services

Vendors that will not sign a BAA:

• Free Gmail, free Outlook.com, Yahoo Mail, AOL Mail
• Free Dropbox, free iCloud, free Google Drive (consumer)
• Free Zoom, free Slack, free Trello
• Most consumer messaging apps (SMS, iMessage, WhatsApp, Facebook Messenger)

If you've ever sent a patient's name plus a diagnosis through a personal email or text without a BAA, you've technically created a HIPAA violation. Practices accumulate these by the hundreds per month. OCR usually doesn't pursue individual instances; they pursue patterns of systemic failure.

/ 05Common violations OCR actually fines

OCR publishes enforcement actions. The patterns are remarkably consistent. The top violation categories that produce six-figure-plus fines:

1. Lost or stolen unencrypted devices — a laptop or phone gets stolen, it had ePHI on it, it wasn't encrypted. This single failure produces more enforcement actions than any other. Fix: full-disk encryption on every device that touches ePHI (BitLocker on Windows, FileVault on Mac, mobile device encryption + MDM).
2. No risk analysis on file — OCR's first document request is your risk analysis. If you don't have one or it's three years old, you've already failed the audit. Risk analysis should be done annually and after any significant environment change.
3. Improper disposal of PHI — throwing records in regular trash, donating computers without wiping drives, leaving old patient files in the closet of a closed practice.
4. No BAA with a vendor that had PHI — usually discovered after that vendor has their own breach. OCR fines you for not having the BAA.
5. Inadequate access controls — shared logins, no termination procedure (people who left months ago still have access), no role-based access.
6. Insider snooping — employees viewing celebrity records, ex-partner's records, family members' records they have no business need to see. Detected via audit logs (which is why audit logging is required).
7. Failure to provide patient records on request — patients have a right to their own records. Refusing or unreasonably delaying produces fines under both the Privacy Rule and the 21st Century Cures Act.

/ 06What an audit looks like

OCR audits typically start with one of two triggers:

• A complaint — usually from a patient, sometimes from an ex-employee. OCR opens an investigation focused on that specific issue, but evidence found during the investigation can broaden into other areas.
• A reported breach — once you've reported a breach to HHS (mandatory for breaches affecting 500+ individuals), OCR may open a compliance review. For breaches affecting under 500, the report happens annually and OCR audits less aggressively but still does.

OCR audits are largely document-driven. They send a written request for documents within 10 business days. The standard initial request includes:

1. Most recent risk analysis
2. Risk management plan and implementation documentation
3. HIPAA policies and procedures (often 20-40 documents)
4. Workforce training records and curriculum
5. List of business associates and copies of BAAs
6. Security incident logs
7. Audit trail / access log samples
8. Encryption documentation
9. Contingency plan and most recent test results

If the documentation exists and is current, the audit typically wraps at this stage with no findings or minor recommendations. If documentation is missing, OCR escalates to interviews, site visits, and ultimately to a Corrective Action Plan (CAP) or civil monetary penalty (CMP).

/ 07Practical compliance checklist

Here's a realistic, practice-sized checklist. If you can answer "yes, and we have documentation" to all of these, you're in better shape than most Tennessee practices we audit:

• ☐ Annual risk analysis conducted (within the last 12 months), documented in writing
• ☐ Written HIPAA policies and procedures, reviewed annually
• ☐ Designated Security Officer (named individual)
• ☐ Workforce training conducted annually, with sign-off logs
• ☐ Written incident response plan with named responders
• ☐ BAAs signed with every vendor that touches PHI (M365 / Google Workspace, EHR, backup provider, IT/MSP, billing company, transcription, fax service)
• ☐ Full-disk encryption on every workstation, laptop, server, and mobile device
• ☐ MFA enforced on email, EHR, remote access, admin accounts
• ☐ Unique user accounts (no shared logins)
• ☐ Automatic logoff configured (typically 10-15 minutes)
• ☐ Audit logs enabled on all systems containing ePHI; reviewed periodically
• ☐ Backups running, monitored, and restoration tested at least quarterly
• ☐ Termination procedure for departing workforce (accounts disabled within 24 hours)
• ☐ Patch management current (no unsupported OS versions running PHI)
• ☐ Antivirus/EDR on every endpoint, monitored centrally
• ☐ Email security: BAA-signed provider, encryption available for outbound PHI
• ☐ Physical access controls: server/network gear in locked area; visitor logs
• ☐ Workstation positioning: screens not visible to non-authorized people
• ☐ Disposal procedures: certified shredding for paper, wiping or destruction for drives
• ☐ Six years of records retained: policies, training, risk analyses, BAAs, incident logs

Most practices that get fined have multiple "no" answers on this list. Most practices that pass audits have all "yes" answers and the documentation to prove it.

What to ask your IT provider

If you're using an MSP or internal IT person, they should be able to:

• Sign a BAA with you
• Produce documentation of encryption status on every device
• Demonstrate audit logging is active
• Provide quarterly compliance reports
• Participate in your annual risk analysis
• Help you respond to OCR document requests if needed

If your IT person says "what's a BAA?" you have a serious problem.