HIPAA & HITECH, operationalized.
The Health Insurance Portability and Accountability Act, paired with the HITECH Act, governs how protected health information is handled by covered entities and their business associates. We build and run the technical safeguards underneath.
What HIPAA actually requires.
HIPAA is enforced as three overlapping rules: the Privacy Rule (how PHI may be used and disclosed), the Security Rule (administrative, physical, and technical safeguards for electronic PHI), and the Breach Notification Rule (what you do, who you tell, and when, if something goes wrong). HITECH bolted on stricter penalties, mandatory breach notification, and direct liability for business associates.
Most of the operational work an MSP touches lives in the Security Rule. The Privacy Rule is mostly policy work for your privacy officer and counsel. The Breach Notification Rule kicks in only after the other two have failed.
Who has to comply.
If you fall into either of the two buckets below, every form of protected health information you handle, electronic, paper, or spoken, is in scope:
- Covered entities: health plans, healthcare clearinghouses, and any healthcare provider that transmits health information electronically in connection with a standard transaction (claims, eligibility checks, referrals). Specialty practices, dental offices, behavioral health, urgent care, hospital outpatient clinics.
- Business associates: any vendor that creates, receives, maintains, or transmits PHI on a covered entity's behalf. Billing services, EHR vendors, transcription services, cloud storage providers, and increasingly, MSPs themselves.
What we implement.
The Security Rule's technical safeguards map directly to controls we deploy and run. The administrative and physical safeguards are a shared responsibility, covered below.
Access management
Role-based access aligned to job function, with a unique user ID for every workforce member (no shared logins). Quarterly access reviews documented. Privileged accounts isolated, audited, and time-bound. A documented break-glass procedure for emergency access, with every use of it alerted on.
Audit logging
Centralized log collection from the EHR, Microsoft 365, network gear, endpoints, and the identity provider. Retention sized to the six-year documentation-retention requirement (the Security Rule sets no explicit log-retention period, so six years is the conservative default). Alerting on unauthorized access patterns such as after-hours lookups, actions a role is not permitted to take, and one account touching an unusual number of patient records.
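As an added illustration of what alerting on unauthorized access patterns can look like (example code written for this page, not a product or client artifact), the block below runs three simple rules over a constructed EHR audit export: access outside a role's working hours, an action the role is not permitted to take, and one account touching many distinct patient records in a short window. The log format, the role policy, and the thresholds are assumptions; real EHR audit exports differ and the thresholds are placeholders to tune.

```python
"""Three alerting rules over constructed EHR audit records (illustrative)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines: timestamp, user, role, patient_id, action.
SAMPLE_LOG = """\
2024-03-04T09:12:00 jdoe nurse P1001 view
2024-03-04T09:13:00 jdoe nurse P1002 view
2024-03-04T23:40:00 jdoe nurse P1003 view
2024-03-04T10:00:00 billing1 billing P1001 view
2024-03-04T10:00:30 billing1 billing P1004 view
2024-03-04T10:01:00 billing1 billing P1005 view
2024-03-04T10:01:30 billing1 billing P1006 view
2024-03-04T10:02:00 billing1 billing P1007 view
2024-03-04T10:02:30 billing1 billing P1008 view
2024-03-04T10:03:00 billing1 billing P1009 view
2024-03-04T14:00:00 frontdesk front_desk P1001 export
"""

# Assumed role policy: permitted actions and permitted local hours [start, end).
ROLE_POLICY = {
    "nurse": {"actions": {"view", "update"}, "hours": (6, 22)},
    "billing": {"actions": {"view"}, "hours": (8, 18)},
    "front_desk": {"actions": {"view"}, "hours": (7, 19)},
}
BULK_THRESHOLD = 5               # distinct patients in one window (placeholder)
BULK_WINDOW = timedelta(minutes=5)


def parse(log_text):
    """Turn the whitespace-separated sample format into dicts (assumed format)."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "patient": patient, "action": action})
    return records


def detect(records):
    """Return (rule, user, timestamp) tuples for every rule that fires."""
    alerts = []
    # Rules 1 and 2: action not permitted for the role; access outside role hours.
    for r in records:
        policy = ROLE_POLICY.get(r["role"])
        if policy is None:
            alerts.append(("unknown_role", r["user"], r["ts"]))
            continue
        if r["action"] not in policy["actions"]:
            alerts.append(("action_not_permitted", r["user"], r["ts"]))
        start, end = policy["hours"]
        if not (start <= r["ts"].hour < end):
            alerts.append(("after_hours", r["user"], r["ts"]))
    # Rule 3: one user touching BULK_THRESHOLD or more distinct patients
    # within BULK_WINDOW. Fires once per user, at the start of the first window.
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda x: x["ts"]):
        by_user[r["user"]].append(r)
    for user, rs in by_user.items():
        for i, first in enumerate(rs):
            window = [x for x in rs[i:] if x["ts"] - first["ts"] <= BULK_WINDOW]
            if len({x["patient"] for x in window}) >= BULK_THRESHOLD:
                alerts.append(("bulk_access", user, first["ts"]))
                break
    return alerts


def run_sample():
    """Apply the rules to the constructed log; used by the demo below."""
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, user, ts in run_sample():
        print(f"{ts.isoformat()} {rule} {user}")
```

On the constructed log this raises three alerts: the nurse's 23:40 lookup, the front-desk export, and the billing account's run of seven patients in three minutes. The point is the shape, not the thresholds: each rule is tied to a role policy you already have to write down for the access-management control, so the alerts and the access reviews come from the same source of truth.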
Encryption
AES-256 at rest on every endpoint, server, and backup target. TLS 1.2 minimum in transit. Disk encryption posture reported per device, not assumed: PHI encrypted to the NIST guidance HHS references counts as secured, so a lost laptop whose encryption you can prove is not a reportable breach, and one you cannot prove is.
Secure backup
Immutable, geographically separate, verified by restore. Recovery time and recovery point objectives written down per system, not guessed at.
BAA-aligned stack
Every vendor that touches PHI has an executed Business Associate Agreement on file. We maintain a vendor inventory you can hand an auditor without redaction.
Incident response
Documented runbooks for ransomware, lost device, suspected breach, and accidental disclosure. Tested annually. Breach notification timelines baked in: the clock runs from discovery, and individual notices are due without unreasonable delay and no later than 60 calendar days after it.
Who owns what.
On us
- Technical safeguards (access control, audit controls, integrity, person or entity authentication, transmission security)
- Continuous monitoring of the systems holding PHI
- Evidence collection across the operating year
- Annual technical risk assessment input
- Incident response, technical containment, and forensics support
- BAA tracking for technology vendors
On you
- Privacy officer and security officer roles assigned in writing
- Workforce training plan and sanctions policy
- Risk analysis sign-off (we draft, you adopt)
- BAAs with non-technology vendors (couriers, shredding, etc.)
- Patient rights procedures (access, amendment, accounting)
- Notice of Privacy Practices distribution
Common pitfalls we see.
Email encryption that only works some of the time.
Conditional rules that fire on keywords miss everything else. We default to portal-based secure messaging or always-on transport encryption with attachment scanning, not user-triggered toggles. Transport encryption has to be enforced per recipient domain rather than opportunistic: opportunistic TLS quietly falls back to plaintext when the other side cannot negotiate it, so mail to a domain that fails the check goes through the portal instead.
Personal devices with cached PHI.
Clinicians using personal phones to check labs, owners using personal laptops on weekends. We move that work onto MDM-enrolled devices with remote-wipe capability before someone loses one.
Backups that have never actually been restored.
A backup that's never been tested is not a backup, it's a hope. Quarterly restore exercises with a written result are non-negotiable for us.
Vendor sprawl with no BAA inventory.
Free file-sharing tools, AI scribes, SaaS add-ons, every one of them is a business associate. We rebuild the vendor list from network traffic, not from memory.
Related frameworks.
If HIPAA applies to you, these usually do too.
Let's talk for 30 minutes.
No slides.
Bring your last risk analysis, your BAA list, or just the next audit you're worried about. We'll come back with a written gap analysis, and what it would cost to close it.
- 30-min discovery, no slide deck
- Free written assessment, yours to keep
- A clear proposal, no pressure
Or call us directly: 904-639-0003
Schedule a call →