GLOSSARY · Compliance
Health Insurance Portability and Accountability Act HIPAA
U.S. federal law that sets privacy and security rules for protected health information (PHI). Applies to healthcare providers, health plans, clearinghouses, and any vendor handling their data.
Detailed definition
HIPAA is the U.S. federal law that governs how protected health information (PHI) is handled by healthcare providers, health plans, clearinghouses, and any vendor that processes PHI on their behalf. The Privacy Rule sets what can be done with the data; the Security Rule sets the technical and administrative safeguards required to protect it.
Who has to comply
- Covered entities — healthcare providers (doctors, dentists, therapists, clinics, hospitals), health plans (insurers), and healthcare clearinghouses
- Business associates — any vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity. MSPs serving healthcare clients are usually business associates.
- Subcontractors of business associates inherit the same obligations
If you handle PHI, you’re in scope. There is no small-business carve-out.
The Security Rule — what IT actually has to deliver
The Security Rule has three categories of safeguards:
Technical safeguards
- Access controls — unique user identification, MFA for remote access
- Audit logs — capture and review access to PHI
- Integrity controls — protect PHI from improper alteration or destruction
- Transmission security — encryption in transit (TLS) and at rest
Administrative safeguards
- Security risk analysis (documented, periodically updated)
- Workforce training on security policies
- Incident response procedures
- Backup and disaster recovery plans
Physical safeguards
- Facility access controls
- Workstation use policies
- Device and media disposal procedures
The BAA — Business Associate Agreement
If you contract a vendor that will handle PHI, you must have a Business Associate Agreement in place before they touch the data. The BAA binds the vendor to the same security obligations and creates legal liability if they breach them.
For MSP clients with HIPAA scope, our managed-IT contracts include a BAA, the security controls map to the Security Rule’s required safeguards, and we maintain documentation that supports our client’s HIPAA risk analyses. See the Security & Compliance service page for the full pattern.
Common HIPAA mistakes we see in SMB healthcare
- No BAA with cloud vendors — using consumer Google Drive or personal Dropbox for patient files is a HIPAA violation
- Unencrypted laptops — a lost device with PHI is a reportable breach unless full-disk encryption was in place
- Shared accounts — every user accessing PHI needs a unique identifier with audit trail
- No documented risk analysis — HHS audits expect to see written analysis, not just “we use good security”
- Backup chains without verification — backups exist but have never been test-restored
The penalty regime is real — six- and seven-figure settlements are common after breaches. The fix isn’t expensive, but it does require deliberate work that small practices often defer.
HOW WE HELP
Related Bytes Unlimited services
Need help applying HIPAA to your business?
We've done this kind of work across New York. First conversation is free.