What is HIPAA?
The federal law that governs how your medical practice handles patient information — and what happens when it goes wrong.
The Short Version
HIPAA stands for the Health Insurance Portability and Accountability Act. In plain English: if your business creates, stores, or transmits patient health information, the US federal government requires you to protect it in specific ways. This includes your computers, your email, your cloud storage, your backups — everything.
If you don't comply and a breach occurs, the fines start at $100 per violation and can reach $1.9 million per violation category per year. Repeat violators face criminal charges.
Who Needs to Comply?
If you are any of the following, HIPAA applies to you:
- Medical practice of any size — solo practitioner to large group
- Dental office
- Mental health practice
- Physical therapy or chiropractic practice
- Pharmacy
- Any business that handles billing, coding, or scheduling for a healthcare provider
- Any IT company, cloud provider, or software vendor with access to patient data
The last point matters: your IT company is required to sign a Business Associate Agreement (BAA) with you. If yours hasn't, you're already non-compliant.
What Does HIPAA Require From Your IT?
The Security Rule — the part of HIPAA that covers technology — requires you to implement specific safeguards:
- Access controls: Only the right people can see patient records
- Audit logs: A record of who accessed what, and when
- Encryption: Patient data must be encrypted when stored and when transmitted
- Backup and recovery: You must be able to restore patient data after a disaster
- Device security: Laptops, tablets, and phones that hold patient data must be secured and remotely wipeable
- Email security: Patient information sent by email must be encrypted
- Risk assessments: You must regularly document your security risks and how you address them
- Employee training: Your staff must be trained on HIPAA requirements
What Happens When You Don't Comply?
The Office for Civil Rights (OCR) at the Department of Health and Human Services enforces HIPAA. Penalties are tiered:
- Tier 1 — Did not know: $100–$50,000 per violation
- Tier 2 — Reasonable cause: $1,000–$50,000 per violation
- Tier 3 — Willful neglect, corrected: $10,000–$50,000 per violation
- Tier 4 — Willful neglect, not corrected: $50,000 per violation, up to $1.9M per year
A "violation" is each individual record that was exposed. A breach affecting 500 patients is 500 violations.
How Digital Armor Helps
We implement and maintain all the technical safeguards HIPAA requires, including:
- Encrypted storage and email for patient data
- Access controls and user management
- Audit logging across all systems
- Secure backup and disaster recovery
- Device management and remote wipe capability
- Annual risk assessment documentation
- Business Associate Agreement on file
- Staff security awareness training
We don't just set it up — we maintain it and document it, so when an auditor asks, you have the paperwork to prove compliance.
Is Your Practice HIPAA Compliant?
Most small medical practices aren't — not because they're careless, but because nobody told them what was required from a technology perspective. We can tell you exactly where you stand.