HIPAA compliance for IT teams sits in an awkward space — it's not as prescriptive as PCI DSS, not as detailed as NIST 800-171, and yet failure to comply carries some of the largest penalties any non-financial business will face. The Office for Civil Rights (OCR) has been steadily increasing enforcement, and the move toward HHS-recognized security practices (HSP) as a mitigating factor has made the IT controls conversation more concrete. Here's a practical guide to what HIPAA actually requires of IT operations and where most healthcare businesses still have gaps.
The HIPAA Security Rule, in Practical Terms
HIPAA's Security Rule organizes requirements into three categories: administrative safeguards (policies, training, designated security officer), physical safeguards (access controls, workstation security, device disposal), and technical safeguards (access control, audit logging, integrity controls, transmission security). For IT teams, the technical safeguards are where most of the day-to-day work happens, but the administrative side is where enforcement actions most often find deficiencies. An IT environment that is technically secure but has no written policy or no documented training program is still exposed to HIPAA violation findings, regardless of how strong its security posture is.
What OCR Looks For During an Audit
From the audits OCR has conducted and the resolution agreements it has published, a consistent pattern emerges of what auditors examine. The high-frequency findings include:
- Risk analysis — Is there a documented, current security risk analysis? Most failures involve either no analysis at all or an analysis so old it predates the current environment.
- Risk management plan — Does the risk analysis lead to a documented plan with actual mitigation steps in progress?
- Workforce training — Is everyone with PHI access trained, is completion documented, and is the training refreshed annually?
- Access controls — Are user access rights based on role, with quarterly access reviews, and access revoked promptly on termination?
- Audit logging — Are PHI access events logged, reviewed, and retained for required periods?
- Business Associate Agreements — Are BAAs in place with every vendor that touches PHI, including cloud providers, billing services, and IT contractors?
- Encryption — Is PHI encrypted in transit and at rest, with key management procedures documented?
- Incident response — Is there a documented breach response procedure, and has it been tested?
The Cloud Services Question
Cloud services can be used in a HIPAA-compliant way: Microsoft 365, Google Workspace, AWS, Azure, and the other major cloud platforms all offer HIPAA-eligible service tiers. What makes a deployment compliant is the Business Associate Agreement (BAA), the specific services in use (some features within these platforms aren't HIPAA-eligible even on the right tier), and the customer's own configuration choices. A common compliance gap: a business buys the HIPAA-eligible tier but doesn't sign the BAA, or signs the BAA but uses non-HIPAA-eligible features within the service. The configuration details matter.
HSP — The "Get Out of Penalty" Lever
Since 2021, OCR has been required to consider whether covered entities have implemented "recognized security practices" during the past 12 months when determining fines, audits, or remediation requirements. HSP can be NIST CSF, NIST 800-66 implementation, or HITRUST — and demonstrating adoption can substantially reduce penalty exposure even in cases where a breach occurred. For mid-market healthcare businesses, formally adopting one of these frameworks isn't just security hygiene; it's penalty mitigation that compounds over time.
Practical Next Steps
For healthcare IT teams shoring up HIPAA posture, the high-leverage moves are:
- Complete or refresh the security risk analysis (this is the single most-cited deficiency in OCR enforcement actions).
- Document the risk management plan with concrete mitigations in progress.
- Audit BAAs across the entire vendor inventory.
- Verify cloud service configurations against HIPAA-eligible requirements.
- Formalize an HSP framework and start implementing it.
- Run a tabletop exercise of the breach response plan within the next 90 days.
A HIPAA-focused conversation can help prioritize which of these is the next-most-important investment for your specific environment.
Leonidas is a managed IT services provider, cybersecurity consulting firm, and unified communications consultancy serving businesses across industries. We offer free 30-minute assessments. Contact us or call 850-614-9343.