Medical practice IT, HIPAA safeguards in 60 to 90 days
A practical 60 to 90 day plan for medical practices to bring HIPAA Security Rule safeguards to a defensible baseline, from risk analysis to access controls to incident response.
· Atticus Rowan
Medical practices occupy a specific regulatory position. As HIPAA Covered Entities, they are directly responsible for protecting electronic protected health information (ePHI) under the Security Rule. Unlike business associates, they have no upstream customer demanding specific controls — the obligation flows directly from federal regulation. The enforcement picture is real. The HHS Office for Civil Rights settlement history, HIPAA right-of-access enforcement and state attorneys-general data breach actions all target covered entities that cannot demonstrate they took the Security Rule seriously.
Most small to mid-size medical practices (3 to 50 providers) did not build their IT environment with HIPAA readiness in mind. The EHR is often cloud-hosted by a vendor that handles some compliance, but the practice’s own environment — workstations, mobile devices, network, backup, email, document management — is often running at general-small-business standards that do not meet Security Rule expectations on close review.
Here is a practical 60 to 90 day plan for bringing a medical practice to a defensible HIPAA Security Rule baseline. The plan is scoped to small-to-mid practices where an MSP is typically the hands-on partner. It focuses on the controls that have the highest likelihood of surviving OCR investigation and state audit scrutiny.
Day 1 to 15, assessment and documentation
Before remediation, establish the baseline. HIPAA specifically requires a documented risk analysis — without one, the practice cannot demonstrate compliance regardless of what controls exist.
Risk analysis
A formal assessment covering:
- Inventory of systems that create, receive, maintain or transmit ePHI
- Identification of threats and vulnerabilities to each system
- Assessment of current controls
- Determination of likelihood and impact per identified risk
- Documented findings with prioritization
Typical output: a 15 to 30 page document. Template-free, written specifically for the practice.
Policy inventory
The HIPAA Security Rule requires documented policies and procedures covering specific areas. Most small practices have partial coverage at best.
Required policy set (Administrative Safeguards):
- Security management process
- Assigned security responsibility
- Workforce security
- Information access management
- Security awareness and training
- Security incident procedures
- Contingency plan
- Evaluation
- Business associate contracts
Required policy set (Physical Safeguards):
- Facility access controls
- Workstation use
- Workstation security
- Device and media controls
Required policy set (Technical Safeguards):
- Access control
- Audit controls
- Integrity
- Person or entity authentication
- Transmission security
Deliverable: a documented policy library. For small practices, this can be 8 to 15 policies, each 2 to 5 pages. Short is fine — the goal is accurate reflection of operations, not volume.
Business associate inventory
Every vendor, cloud provider or contractor with access to ePHI requires a Business Associate Agreement. Inventory what exists:
- EHR vendor (universal)
- Patient portal vendor (often separate)
- Practice management system
- Billing and coding service if outsourced
- Transcription services if used
- IT/MSP partner
- Document management system
- Secure email platform
- Any SaaS that stores patient data
Confirm current BAAs for each. Most practices find 2 to 5 vendors without current BAAs, usually at the document-management and communication end of the inventory.
Day 15 to 45, technical safeguards
The core technical work. These controls directly implement Security Rule Technical Safeguards.
Access control and authentication
- Multi-factor authentication on the EHR, practice management system, email and any remote access. FIDO2 or authenticator-app factors — SMS is increasingly not acceptable.
- Role-based access to the EHR. Clinical users see clinical data. Billing users see billing data. Administrative users see scheduling. Minimum necessary access per role.
- Unique user identification. Every workforce member has their own account. Shared accounts for “the front desk” or “the billing team” are Security Rule violations.
- Automatic session timeout on clinical workstations. 15 to 30 minutes of inactivity locks the screen.
Audit controls
The HIPAA Security Rule requires audit controls that record access to ePHI. For most practices:
- EHR audit log enabled with sufficient detail
- Log retention minimum 6 years (HIPAA documentation retention requirement)
- Periodic review of EHR access logs, at minimum quarterly
- Documented review with findings addressed
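As an added example (not part of the original post, and not any EHR vendor's own tooling), here is how an MSP could turn the quarterly access-log review into a repeatable check that also exercises the access-control items above (unique user identification, role-based minimum-necessary access). The log field layout, account names, role map and business-hours window are constructed assumptions; a real EHR export will need its own parser.

```python
"""Quarterly EHR access-log review (added example; all data constructed)."""
from collections import Counter
from datetime import datetime

# Constructed sample of EHR audit events: timestamp, account, action, record type.
# Real EHR exports differ; this CSV layout is an assumption for the example.
AUDIT_LOG = """\
2024-04-02T09:14:03,jsmith,VIEW,clinical_note
2024-04-02T09:20:41,frontdesk,VIEW,schedule
2024-04-02T22:47:12,mlee,VIEW,clinical_note
2024-04-03T10:02:55,bjones,VIEW,clinical_note
2024-04-03T10:05:19,rgarcia,EXPORT,billing
2024-04-03T11:30:00,jsmith,VIEW,schedule
"""

# Constructed workforce access list: account -> role. An account missing here is
# either a shared/generic login or a terminated user; both are review findings.
WORKFORCE = {"jsmith": "clinical", "mlee": "clinical",
             "bjones": "billing", "rgarcia": "billing"}

# Minimum-necessary record types per role (constructed role map).
ROLE_ACCESS = {
    "clinical": {"clinical_note", "schedule"},
    "billing": {"billing", "schedule"},
    "admin": {"schedule"},
}
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59 treated as normal hours (assumed)

def review_access_log(log_text, workforce=WORKFORCE, role_access=ROLE_ACCESS):
    """Return (finding_type, account, detail) tuples for the documented review."""
    findings = []
    for line in log_text.strip().splitlines():
        ts, account, action, record = line.split(",")
        when = datetime.fromisoformat(ts)
        role = workforce.get(account)
        if role is None:
            # Unique user identification: no shared or unlisted accounts allowed.
            findings.append(("unknown_or_shared_account", account, line))
            continue
        if record not in role_access[role]:
            # Role-based access: this role should not see this record type.
            findings.append(("role_mismatch", account, f"{role} role accessed {record}"))
        if when.hour not in BUSINESS_HOURS:
            findings.append(("after_hours_access", account, ts))
        if action == "EXPORT":
            # Exports of ePHI warrant a look regardless of role (review heuristic).
            findings.append(("bulk_export", account, f"{record} at {ts}"))
    return findings

def summarize(findings):
    """Count findings by type; the counts go into the quarterly review record."""
    return dict(Counter(kind for kind, _, _ in findings))
```

Each finding should be closed out in the review record with either a correction (account removed, role adjusted) or a documented reason it is acceptable, which is what "findings addressed" means to an OCR reviewer.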
Transmission security
- Encrypted email for external communication containing ePHI
- Secure file sharing mechanism (not consumer Dropbox, Google Drive personal, or similar)
- HTTPS/TLS 1.2+ for all external system connections
- Encrypted messaging for clinical-to-clinical communication if in use
Device and endpoint security
- Full-disk encryption on every workstation and laptop (BitLocker, FileVault). Document the deployment.
- EDR with managed detection and response on every endpoint
- Mobile device management if providers use phones for clinical work. Remote wipe capability tested.
- Standard browser security baseline applied
Workstation security
- Workstations in clinical areas positioned to prevent shoulder-surfing
- Screens lock when clinical staff step away
- Visitor access policy documented
- Clean-desk expectations for paper records
Day 45 to 75, administrative safeguards
The human-side controls. These are often where small practices are weakest.
Workforce training
HIPAA-specific training at hire and annually thereafter for every workforce member. Required topics:
- HIPAA Privacy Rule basics
- HIPAA Security Rule and workforce responsibilities
- Practice-specific procedures (how this practice handles specific scenarios)
- Breach identification and reporting
- Phishing and social engineering awareness
Completion must be tracked. Training without documentation equals no training for OCR review purposes.
Security incident procedures
Documented plan covering:
- What qualifies as a security incident
- Who to notify internally and externally
- Breach risk assessment framework
- Notification timelines (HHS within 60 days for breaches affecting 500+ individuals, annually for smaller breaches)
- Patient notification procedures per HIPAA Breach Notification Rule
Contingency plan
Required by Security Rule. Components:
- Data backup plan (including ePHI backup, tested recovery)
- Disaster recovery plan (restoring ePHI access after loss)
- Emergency mode operation plan (procedures for operating when systems are down)
- Testing and revision procedures
- Applications and data criticality analysis
Small practices often have an informal backup but lack the documented contingency plan. Document what exists and improve where needed.
Business associate agreements
For each BA without a current agreement, execute one. Standard BAA templates are widely available. Review carefully for:
- Permitted uses of ePHI
- Safeguard obligations
- Breach notification timeline (default 60 days; increasingly common to require 24 to 72 hours)
- Subcontractor flow-down
- Right to audit
- Termination and data return
Day 75 to 90, evaluation and documentation finalization
The closing phase.
Self-evaluation
Review the controls implemented against the risk analysis findings. Confirm each significant risk has a documented mitigation or an accepted residual risk with rationale.
Documentation finalization
The Security Rule requires HIPAA documentation to be retained for 6 years from creation or last effective date. Assemble:
- Risk analysis
- Policy library
- Training records
- Access review records
- Incident log
- Contingency plan documents
- BAA library
- Workforce access lists
Store centrally with access controls.
Ongoing cadence
Establish recurring obligations:
- Annual risk analysis refresh
- Quarterly access reviews
- Annual training completion
- Annual contingency plan test
- Ongoing BAA maintenance
- Incident log review monthly
What the 60 to 90 day program doesn’t cover
Worth being honest about. The plan above establishes a defensible baseline but does not address:
- Ongoing clinical workflow integration. HIPAA obligations interact with daily clinical work in ways that take longer than 90 days to optimize.
- Advanced threat protection. EDR with MDR is included; SIEM, advanced vulnerability management and penetration testing are not baseline.
- Certification. HIPAA has no certification body. Some practices pursue HITRUST or SOC 2 for additional assurance, which is a substantially larger program.
- State-specific requirements. California CMIA, Texas CMSA, state breach notification laws layer on top of HIPAA. Practice location determines what else applies.
The cost
Typical investment for a 10 to 25-provider practice:
- Risk analysis and policy development: $10,000 to $25,000 (one-time)
- MFA, encryption, EDR deployment: $30,000 to $75,000 (one-time) + ongoing licensing
- Ongoing managed services and compliance support: $75,000 to $200,000 annually
The cost comparison is not against “nothing” but against the risk of OCR settlement, state breach notification, business disruption from an incident or practice-reputation damage. The settlement history suggests the investment pays back quickly against the avoided-incident scenarios.
Where we fit
Atticus Rowan supports small to mid-size medical practices as the IT and HIPAA-aligned cybersecurity partner. Our work model is identical to the business-associate-side engagement we describe elsewhere, with the covered-entity-specific scope — direct Security Rule obligation, direct OCR exposure, direct patient-facing privacy responsibility.
We do not issue HIPAA compliance attestations (no such body exists). We build the program the Security Rule actually requires, produce the documentation OCR would want to review and maintain the ongoing discipline that keeps the practice defensible over time.
If your practice has not had a documented HIPAA risk analysis within the past 12 months, or you suspect the current posture would not withstand OCR scrutiny, schedule a discovery call. We can walk through the current state and scope the 60 to 90 day path to defensible baseline.