HIPAA Readiness Guide
A working reference for mid-market healthcare operators: what the Security Rule actually requires, what multi-site and medical-practice posture looks like and how to close a gap on a payer or inspector deadline.
Most mid-market healthcare operators arrive at HIPAA readiness through a deadline: a payer audit, a state inspection finding, an EHR migration or a customer security review. The Security Rule's three categories of safeguards (administrative, physical, technical) are well documented. What is less documented is how the work shapes itself differently for a multi-site senior-care operator, an independent medical practice and the vendor chain that extends HIPAA down through Business Associate Agreements. This guide answers 24 of the questions covered entities and business associates ask most often.
HIPAA scope and the Security Rule
HIPAA defines who has to comply, what data is in scope and what safeguards are required. Most mid-market healthcare operators are clear on the first two and unclear on the third. The Security Rule is where the operational work lives.
Who has to comply with HIPAA?
Two categories. Covered entities are health plans, healthcare clearinghouses and healthcare providers who transmit health information electronically (medical practices, hospitals, dentists, senior-care operators with skilled-nursing or home-health work). Business associates are vendors who handle protected health information (PHI) on behalf of a covered entity (MSPs, billing services, document destruction, cloud platforms). Both categories must comply with the Security Rule.
What is PHI and what makes it different from other regulated data?
Protected Health Information is any individually identifiable health information held or transmitted by a covered entity or business associate, in any form. The 18 HIPAA identifiers (name, dates, SSN, medical record numbers and others) define what is identifiable. Electronic PHI (ePHI) is the subset stored or transmitted electronically and is what the Security Rule governs. ePHI is what shows up in EHR systems, billing platforms, email and backup tapes.
What does the HIPAA Security Rule actually require?
Three categories of safeguards. Administrative safeguards (security management process, workforce training, risk analysis, contingency plan, evaluation). Physical safeguards (facility access, workstation security, device controls). Technical safeguards (access control, audit controls, integrity, transmission security, encryption). Within each, individual standards are required or addressable. Addressable does not mean optional. It means documented, justified and either implemented or replaced with an equivalent control.
What is a HIPAA risk analysis and why is it the anchor?
The risk analysis is the documented assessment of where ePHI lives, what threatens it and what controls mitigate those threats. It is the anchor of the Security Rule. Auditors and OCR investigators ask for it first. Most enforcement actions cite missing or inadequate risk analyses. A credible risk analysis is updated annually, includes all systems handling ePHI and links each identified risk to a specific mitigation or accepted residual risk.
What are the HIPAA breach reporting requirements?
Breaches affecting fewer than 500 individuals must be reported to OCR annually. Breaches affecting 500 or more individuals must be reported to OCR within 60 days, to affected individuals within 60 days and to prominent media in the affected geography. State attorneys general may have additional requirements. The 60-day clock starts on the date the breach is discovered, not the date it happened, so how the organization defines and documents discovery is an operational decision with a deadline attached.
Multi-site senior care operators
Multi-site senior care is a HIPAA environment with operational realities most general-MSP advice does not address. Distributed staff, mixed-use devices, state inspections and the rotating realities of skilled-nursing facilities shape what works.
What HIPAA scope applies to senior care operators?
Senior-care operators with skilled-nursing facilities, home-health agencies or hospice services are typically covered entities. Independent and assisted living without medical services may not be covered, but operators usually treat them as in-scope because shared platforms, shared staff and shared documentation make scope-line distinctions impractical. Most multi-site operators apply HIPAA Security Rule requirements to all sites and all systems by default.
What is different about IT in a multi-site senior-care environment?
Five operational realities diverge from typical mid-market IT. Devices follow workflows across multiple physical locations. Staff turnover is high, so identity provisioning and deprovisioning cadence matters more. Electronic health record systems are vendor-defined and rarely standardized across sites. State inspections audit cybersecurity controls alongside care quality. Network connectivity at remote sites is often unreliable and weather-dependent.
How do state inspections interact with HIPAA?
State health departments inspect senior-care facilities for care quality, life safety and increasingly cybersecurity. Inspectors review training records, access controls, physical safeguards and incident logs alongside resident care metrics. Findings on the cybersecurity side feed into care-quality determinations. The HIPAA Security Rule compliance program is the operational answer to most cybersecurity inspection findings.
What multi-site operational controls actually move the needle?
Identity provisioning that works at the speed of a high-turnover workforce. Phishing-resistant MFA on EHR access from any site or device. Mobile device management for tablets and shared workstations. Network segmentation that isolates resident systems and clinical equipment. Backup architecture that survives a single-site ransomware event without disrupting other sites. Monthly evidence collection produced for any inspection or carrier review.
How does a multi-site operator handle backup and recovery for HIPAA?
The 3-2-1-1-0 model applies, with a multi-site twist. The immutable copy must be isolated from any single site's compromise. Recovery time objectives are typically 4 to 24 hours for clinical systems, longer for non-clinical. Tabletop exercises should test single-site failure scenarios because that is the realistic ransomware case for a multi-site operator. We support a multi-site senior-care operator across multiple Ohio sites and the cross-site backup architecture is the most operationally important control.
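As an added example (not code from the original page or from Atticus Rowan), the check below scores a site's backup inventory against the 3-2-1-1-0 baseline with the multi-site twist described above: the immutable copy must live away from the protected site and must not be reachable with that site's credentials. The inventory, site names and the `reachable_from` attribute are constructed assumptions; the "weak" inventory has an object-locked cloud copy whose management credentials still sit on the site's own backup server, and the "corrected" inventory moves those credentials to a separate vault.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class BackupCopy:
    name: str
    site: str                       # site where the copy physically lives
    media: str                      # "disk", "tape", "object-storage", ...
    is_primary: bool                # production data counts as copy #1
    immutable: bool                 # locked against change/deletion for its retention
    reachable_from: FrozenSet[str]  # sites whose credentials or network can manage it
    last_restore_errors: Optional[int]  # errors in last restore test; None = never tested


def check_3_2_1_1_0(copies: List[BackupCopy], protected_site: str) -> dict:
    """Return {check_name: passed} for one site's view of 3-2-1-1-0.

    3 copies, 2 media, 1 offsite, 1 immutable (here: isolated from the
    protected site), 0 errors on the most recent restore test.
    """
    backups = [c for c in copies if not c.is_primary]
    isolated_immutable = [
        c for c in backups
        if c.immutable
        and c.site != protected_site
        and protected_site not in c.reachable_from
    ]
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len({c.media for c in copies}) >= 2,
        "one_offsite": any(c.site != protected_site for c in backups),
        "one_isolated_immutable": bool(isolated_immutable),
        # None (never tested) is a failure, not a pass.
        "zero_restore_errors": bool(backups)
        and all(c.last_restore_errors == 0 for c in backups),
    }


def failing_checks(copies: List[BackupCopy], protected_site: str) -> List[str]:
    """Sorted list of the checks that fail, empty when the baseline is met."""
    results = check_3_2_1_1_0(copies, protected_site)
    return sorted(name for name, ok in results.items() if not ok)


# Constructed inventory for a hypothetical clinical site "site-a".
PRIMARY = BackupCopy("ehr-db-primary", "site-a", "disk", True, False,
                     frozenset({"site-a"}), None)
LOCAL_NAS = BackupCopy("site-a-nas-nightly", "site-a", "disk", False, False,
                       frozenset({"site-a"}), 0)

# Weak: the cloud copy is object-locked, but the account and retention
# settings are managed from the site-a backup server, so a compromise of
# site-a can reach the copy that is supposed to survive it.
CLOUD_WEAK = BackupCopy("cloud-objectlock", "cloud-region-1", "object-storage",
                        False, True, frozenset({"site-a", "hq"}), 0)

# Corrected: only a separate HQ backup vault holds the management credentials.
CLOUD_GOOD = BackupCopy("cloud-objectlock", "cloud-region-1", "object-storage",
                        False, True, frozenset({"hq"}), 0)

WEAK_INVENTORY = [PRIMARY, LOCAL_NAS, CLOUD_WEAK]
GOOD_INVENTORY = [PRIMARY, LOCAL_NAS, CLOUD_GOOD]


if __name__ == "__main__":
    for label, inv in (("weak", WEAK_INVENTORY), ("corrected", GOOD_INVENTORY)):
        print(label, "fails:", failing_checks(inv, "site-a") or "none")
```

The weak inventory passes the offsite check (the copy is in another region) yet fails the isolation check, which is the distinction that matters for a single-site ransomware scenario; a copy that has never been restore-tested also fails the final "0" check rather than passing by default.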
Medical practice IT in 60 to 90 days
Independent medical practices typically arrive at HIPAA readiness in one of two ways: a payer audit, or a notice from a customer or insurer. Either path produces a 60 to 90 day window to close the gap. The work fits inside that window.
What does a 60-90 day medical practice HIPAA arc look like?
Days 1 to 30: documented risk analysis, ePHI inventory across EHR, billing, email and backup, gap assessment against the Security Rule. Days 31 to 60: technical remediation (MFA, EDR, encryption, audit logging, mobile device controls), policy library, workforce training rollout. Days 61 to 90: contingency plan with tested restore, BAAs with all vendors, evidence library and the documentation package an auditor or payer will request.
What technical controls do most practices already have, partially?
Most practices arrive with fragments: MFA on email but not on the EHR or VPN, encryption on workstations but not laptops, EDR on some endpoints but not all, antivirus rather than EDR, backup in place but not tested or not immutable, training records that exist for some staff and not others. The work is rarely starting from zero. The work is finishing the half-deployed posture and producing evidence for it.
How do EHR systems affect HIPAA compliance posture?
The EHR vendor's security posture defines a substantial part of the practice's compliance posture. Cloud EHRs typically handle storage encryption, access logging and backup, but the practice still owns access provisioning, MFA enforcement, training and the policies governing how staff use the system. On-premise EHRs require the practice to own all of it. Both models require a BAA with the vendor and require the practice to verify, not assume, the vendor's controls.
What about email and PHI?
Email containing PHI is one of the highest-risk surfaces in a medical practice. The Security Rule does not prohibit email of PHI, but it requires encryption in transit and reasonable safeguards. Practical controls: enforce TLS for all outbound mail, use encrypted-portal tools for any PHI sent to non-secure recipients, train staff on patient communication preferences (which the Privacy Rule allows patients to specify) and document the policy. Most practice breaches still trace back to email.
How do practices handle workforce training and access cadence?
Training is required at hire and periodically thereafter (annual is the typical cadence). Documentation matters as much as the content: training without documented completion is not training for compliance purposes. Access provisioning should be role-based, with quarterly review and termination procedures that revoke access on the day someone leaves. Most practices fail this control by leaving departed staff in the EHR for weeks. Every audit catches it.
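The departed-staff control above is easiest to evidence with a reconciliation between the HR roster and the EHR's user export. The following is an added example (not the page's or Atticus Rowan's code): it parses two constructed CSV exports, flags active EHR accounts whose owner has a termination date in the past, accounts with no HR record at all, and accounts whose EHR role is outside what the HR role permits. The column names, the `ROLE_MAP` and the sample rows are assumptions; a real EHR export will need its own column mapping.

```python
import csv
from datetime import date
from io import StringIO
from typing import List, Optional, Tuple

# Constructed HR roster export (not real staff). Empty termination_date = current.
HR_ROSTER_CSV = """employee_id,name,role,termination_date
E100,Ana Ruiz,nurse,
E101,Ben Okafor,front-desk,2024-05-03
E102,Cara Lin,billing,
E103,Dev Patel,nurse,2024-06-28
"""

# Constructed EHR user export. svc-import has no employee_id at all.
EHR_USERS_CSV = """username,employee_id,role,active,last_login
aruiz,E100,nurse,true,2024-07-01
bokafor,E101,front-desk,true,2024-05-02
clin,E102,admin,true,2024-07-01
dpatel,E103,nurse,false,2024-06-27
svc-import,,admin,true,2024-07-01
"""

# Assumed role-based map: which EHR roles each HR role may hold.
ROLE_MAP = {
    "nurse": {"nurse"},
    "front-desk": {"front-desk", "scheduler"},
    "billing": {"billing"},
}

Finding = Tuple[str, str, str]  # (username, finding_type, detail)


def parse_date(value: str) -> Optional[date]:
    return date.fromisoformat(value) if value else None


def reconcile_ehr_access(hr_csv: str, ehr_csv: str, as_of: date) -> List[Finding]:
    """Compare active EHR accounts against the HR roster as of a given date."""
    roster = {row["employee_id"]: row for row in csv.DictReader(StringIO(hr_csv))}
    findings: List[Finding] = []
    for user in csv.DictReader(StringIO(ehr_csv)):
        if user["active"].strip().lower() != "true":
            continue  # disabled accounts are not an access finding
        employee = roster.get(user["employee_id"])
        if employee is None:
            findings.append((user["username"], "orphan",
                             "active account with no matching HR record"))
            continue
        terminated = parse_date(employee["termination_date"])
        if terminated is not None and terminated <= as_of:
            days = (as_of - terminated).days
            findings.append((user["username"], "departed",
                             f"still active {days} days after termination"))
        if user["role"] not in ROLE_MAP.get(employee["role"], set()):
            findings.append((user["username"], "role_mismatch",
                             f"EHR role '{user['role']}' not permitted "
                             f"for HR role '{employee['role']}'"))
    return findings


if __name__ == "__main__":
    for username, kind, detail in reconcile_ehr_access(
            HR_ROSTER_CSV, EHR_USERS_CSV, date(2024, 7, 8)):
        print(f"{kind:14} {username:12} {detail}")
```

Run on a quarterly cadence and retained with the output, the same script doubles as the evidence that the access review happened; the "departed" finding with its day count is exactly what an auditor looks for when checking the termination procedure.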
Business Associate Agreements and vendor governance
BAAs are the contractual mechanism that extends HIPAA Security Rule requirements down the vendor chain. The agreement matters. The vendor inventory matters more. Most enforcement actions involve a vendor relationship that lacked a BAA or had a BAA that was never enforced.
What is a Business Associate Agreement and when is it required?
A BAA is a written contract between a covered entity (or upstream business associate) and a vendor that handles PHI on its behalf. Required content is defined in the HIPAA regulations: the vendor's permitted uses, required safeguards, breach notification obligations, subcontractor requirements and termination provisions. Required whenever a vendor creates, receives, maintains or transmits PHI on behalf of the covered entity. No BAA, no permitted disclosure.
Who is a business associate, in practice?
Common categories: MSPs, EHR vendors, billing and revenue cycle vendors, transcription services, document destruction, cloud storage, email security gateways, backup providers, dictation services and telehealth platforms. Anyone who can read, store or transmit PHI is in scope. Some categories appear non-obvious: courier services that handle paper PHI, answering services, fax-to-email gateways, marketing platforms used for patient outreach. Maintain an inventory.
What does the BAA actually obligate the business associate to do?
The BAA flows the Security Rule's safeguards down to the vendor. The vendor must implement administrative, physical and technical safeguards equivalent to the covered entity's. The vendor must report breaches within agreed timeframes. The vendor must require its own subcontractors to sign downstream BAAs. The vendor must return or destroy PHI on contract termination. Most BAA violations come from breach notification gaps, not control gaps.
How should covered entities verify business associate compliance?
Three practical layers. Initial due diligence at vendor selection (SOC 2 report if available, security questionnaire response, BAA review by counsel). Annual review (re-confirm BAA in force, request updated SOC 2 or self-attestation, review any breach notifications received). Ongoing monitoring (track which vendors have access to which PHI, review access on a quarterly cadence, terminate access immediately when contracts end). The vendor inventory is the foundational artifact.
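The annual-review and ongoing-monitoring layers above reduce to date checks over the vendor inventory. As an added example (not the page's or Atticus Rowan's code), the function below walks a constructed inventory and reports, per PHI-handling vendor, whether a BAA is in force, whether the last SOC 2 or self-attestation is within the annual window, whether access was reviewed within the last quarter, and whether access is still active past contract end. The vendor names and records are constructed; the 365-day and 90-day thresholds follow the annual and quarterly cadences stated above.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Vendor:
    name: str
    handles_phi: bool
    baa_in_force: bool
    last_attestation: Optional[date]    # SOC 2 report or self-attestation date
    last_access_review: Optional[date]  # last time its PHI access was reviewed
    contract_end: Optional[date]        # None = ongoing contract
    access_active: bool                 # vendor can still reach PHI today


def review_vendor(v: Vendor, as_of: date,
                  attestation_max_days: int = 365,
                  review_max_days: int = 90) -> List[str]:
    """Return the list of governance issues for one vendor (empty = clean)."""
    issues: List[str] = []
    if not v.handles_phi:
        return issues  # out of BAA scope; nothing to check
    if not v.baa_in_force:
        issues.append("no BAA in force")
    if v.last_attestation is None or (as_of - v.last_attestation).days > attestation_max_days:
        issues.append(f"attestation missing or older than {attestation_max_days} days")
    if v.last_access_review is None or (as_of - v.last_access_review).days > review_max_days:
        issues.append(f"access not reviewed in last {review_max_days} days")
    if v.contract_end is not None and v.contract_end < as_of and v.access_active:
        issues.append("access still active after contract end")
    return issues


def review_inventory(vendors: List[Vendor], as_of: date) -> Dict[str, List[str]]:
    """Map vendor name -> issues, including only vendors with at least one issue."""
    report = {}
    for v in vendors:
        issues = review_vendor(v, as_of)
        if issues:
            report[v.name] = issues
    return report


# Constructed inventory; none of these are real vendors.
VENDORS = [
    Vendor("CloudEHR Co", True, True, date(2024, 2, 1), date(2024, 6, 10), None, True),
    Vendor("Answering Service LLC", True, False, None, date(2024, 5, 1), None, True),
    Vendor("Old Billing Inc", True, True, date(2023, 1, 10), date(2024, 1, 5),
           date(2024, 3, 31), True),
    Vendor("Office Plants Ltd", False, False, None, None, None, False),
]


if __name__ == "__main__":
    for name, issues in review_inventory(VENDORS, date(2024, 7, 8)).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

The answering service is the "non-obvious" category the previous answer warns about: it handles PHI, has no BAA and has never produced an attestation, which is the combination most enforcement actions turn on. The billing vendor shows why access termination at contract end needs its own check rather than being assumed from the contract date.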
What does Atticus Rowan as a business associate look like?
We sign a BAA with every covered-entity client before any work involving PHI access begins. The BAA flows the Security Rule down to us, our subcontractors and our tools. We maintain administrative, physical and technical safeguards equivalent to the requirements we help clients meet, document them and produce evidence on request. We report any incident touching client PHI per the BAA's defined timeframe. We coordinate with the client's compliance lead, not around them.
Working with Atticus Rowan
Atticus Rowan operates the security program a HIPAA risk analysis describes. We are the MSP that produces evidence for OCR and state inspectors, not a HIPAA legal counsel and not a SOC 2 audit firm. The roles do not overlap.
When should covered entities engage Atticus Rowan?
Three common entry points: a payer or customer audit producing a deadline, a state inspection finding requiring remediation, or a planned EHR migration or multi-site expansion that opens the operational window. The earliest engagement compounds across all three. Engagements are scoped per organization with the 30-day assessment as the entry point. The assessment includes a HIPAA gap review and produces the work plan.
What does an Atticus Rowan HIPAA engagement include?
Documented risk analysis, ePHI inventory, gap assessment against the Security Rule, technical remediation across the administrative, physical and technical safeguards, policy library, workforce training rollout with documented completion, contingency plan with tested restore, BAA review and gap-close, vendor inventory, evidence library setup, breach response runbook and ongoing monthly evidence collection. We coordinate with the client's compliance officer or counsel, not around them.
Does Atticus Rowan handle the Privacy Rule too?
We focus on the Security Rule, the operational and technical side. Privacy Rule work (notice of privacy practices, patient access requests, accounting of disclosures, complaints handling) is typically handled by the client's compliance officer, practice administrator or HIPAA legal counsel. We coordinate with whoever owns the Privacy Rule workstream and ensure our Security Rule controls support what the Privacy Rule requires. We do not displace counsel or compliance leadership.
What outcomes do covered entities typically see?
Practical outcomes vary by starting posture. Typical engagements produce documented risk analysis updated annually, the Security Rule safeguards implemented and evidenced, BAAs in force with all vendors, workforce training documented, contingency plan tested and an evidence library that supports OCR investigations, payer audits, state inspections and customer security reviews. The engagement also establishes a quarterly cadence that maintains posture across compliance cycles. The library compounds.
Related cornerstone reading
- Medical practice IT, HIPAA safeguards in 60 to 90 days: step-by-step arc for an independent practice closing the gap on a payer or customer deadline.
- IT for senior-care operators, HIPAA, multi-site and the state inspection: multi-site operational realities and what state inspectors actually review.
- HIPAA for business associates, what's in a BAA and what's not: the contractual structure that flows the Security Rule down the vendor chain.
- How to build a cybersecurity program document your customers accept: the documentation deliverable that supports HIPAA risk analysis and customer review.
- 3-2-1-1-0: the new backup baseline: backup architecture that satisfies the HIPAA contingency plan requirement and survives ransomware.
Audit, inspection or migration coming up?
If your practice or facility is responding to a payer audit, a state inspection finding or a planned EHR migration in the next 6 months, schedule a conversation. We can walk through current posture, identify the Security Rule gaps that move audit findings or inspection ratings and scope what a credible 60 to 90 day arc looks like inside your deadline.
Schedule a Discovery Call