---
title: "HIPAA Compliance for Small Businesses | Bytes Unlimited"
description: "HIPAA (Health Insurance Portability and Accountability Act) governs the privacy and security of protected health information. Learn what covered entities and business associates need for IT compliance."
canonical: https://www.bytesunlimited.com/glossary/hipaa/
---

 GLOSSARY · Compliance 

#  Health Insurance Portability and Accountability Act HIPAA 

 U.S. federal law that sets privacy and security rules for protected health information (PHI). Applies to healthcare providers, health plans, clearinghouses, and any vendor handling their data. 

## Detailed definition

**HIPAA** is the U.S. federal law that governs how protected health information (PHI) is handled by healthcare providers, health plans, clearinghouses, and any vendor that processes PHI on their behalf. The Privacy Rule sets what can be done with the data; the Security Rule sets the technical and administrative safeguards required to protect it.

## Who has to comply

* **Covered entities** — healthcare providers (doctors, dentists, therapists, clinics, hospitals), health plans (insurers), and healthcare clearinghouses
* **Business associates** — any vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity. MSPs serving healthcare clients are usually business associates.
* **Subcontractors** of business associates inherit the same obligations

If you handle PHI, you’re in scope. There is no small-business carve-out.

## The Security Rule — what IT actually has to deliver

The Security Rule has three categories of safeguards:

**Technical safeguards**

* Access controls — unique user identification, MFA for remote access
* Audit logs — capture and review access to PHI
* Integrity controls — protect PHI from improper alteration or destruction
* Transmission security — encryption in transit (TLS) and at rest

**Administrative safeguards**

* Security risk analysis (documented, periodically updated)
* Workforce training on security policies
* Incident response procedures
* Backup and disaster recovery plans

**Physical safeguards**

* Facility access controls
* Workstation use policies
* Device and media disposal procedures

## The BAA — Business Associate Agreement

If you contract a vendor that will handle PHI, you must have a [Business Associate Agreement](/glossary/baa/) in place before they touch the data. The BAA binds the vendor to the same security obligations and creates legal liability if they breach them.

For MSP clients with HIPAA scope, our managed-IT contracts include a BAA, the security controls map to the Security Rule’s required safeguards, and we maintain documentation that supports our client’s HIPAA risk analyses. See the [Security & Compliance service page](/services/security/) for the full pattern.

## Common HIPAA mistakes we see in SMB healthcare

* **No BAA with cloud vendors** — using consumer Google Drive or personal Dropbox for patient files is a HIPAA violation
* **Unencrypted laptops** — a lost device with PHI is a reportable breach unless full-disk encryption was in place
* **Shared accounts** — every user accessing PHI needs a unique identifier with audit trail
* **No documented risk analysis** — HHS audits expect to see written analysis, not just “we use good security”
* **Backup chains without verification** — backups exist but have never been test-restored

The penalty regime is real — six- and seven-figure settlements are common after breaches. The fix isn’t expensive, but it does require deliberate work that small practices often defer.

HOW WE HELP

## Related Bytes Unlimited services

* [ Security & Compliance PCI DSS, HIPAA, and general security posture work. Endpoint protection, MFA, awareness training, audit-ready documentation.](/services/security/)

RELATED TERMS

## See also

* [ BAA ](/glossary/baa/)
* [ PHI ](/glossary/phi/)

AUTHORITATIVE SOURCES

## External references

* [ HHS — HIPAA for Professionals  (opens in new tab) ](https://www.hhs.gov/hipaa/for-professionals/index.html)

##  Need help applying HIPAA to your business? 

 We've done this kind of work across New York. First conversation is free. 

[ Get In Touch ](/contact/) [ Back to Glossary ](/glossary/)

## Sitemap

- [Site map](https://www.bytesunlimited.com/sitemap.md)
- [llms.txt](https://www.bytesunlimited.com/llms.txt)
- [Canonical URL list](https://www.bytesunlimited.com/sitemap.xml)
