CT · NY · NJ · Stamford HQ

The HIPAA Security Rule sets national standards for protecting electronic protected health information (ePHI). It is not only for hospitals. Many clinics, billing companies, and vendors that handle ePHI must take it seriously—or face contractual and regulatory consequences.

This guide is educational for small and mid-size organizations in CT, NY, and NJ. It is not legal advice. Confirm obligations with qualified counsel for your entity type and agreements.

Impetra’s role: We help with practical security controls, readiness assessments, and operations. We do not replace your privacy officer, attorney, or formal legal determinations. See ImpetraInsights™ HIPAA Readiness.

Who HIPAA typically involves

  • Covered entities — health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with certain transactions
  • Business associates — vendors that create, receive, maintain, or transmit ePHI on behalf of a covered entity (and sometimes subcontractors)

If you are unsure which category you fall into, start with contracts and counsel—not a Google search alone. Article: Who must comply with HIPAA?

Security Rule in plain language

The Security Rule expects reasonable and appropriate safeguards across three families:

  • Administrative — policies, risk analysis, workforce training, vendor oversight
  • Physical — facility and device protections
  • Technical — access control, audit controls, integrity, authentication, transmission security

Many implementations are “addressable,” which means you must implement them if reasonable and appropriate—or document an equivalent alternative. Addressable does not mean optional without analysis.

Risk analysis is foundational

A security risk analysis is not a one-page checkbox. It identifies where ePHI lives, what threats and vulnerabilities matter, and what you will do about them.

  • Inventory systems and data flows (EHR, email, imaging, billing, backups, laptops)
  • Evaluate threats (ransomware, lost devices, mis-sent email, insider misuse)
  • Prioritize remediation
  • Revisit when technology or operations change

Article: HIPAA risk analysis basics.

Administrative safeguards (highlights)

  • Assigned security responsibility
  • Workforce security and training
  • Information access management
  • Security awareness
  • Security incident procedures
  • Contingency planning (backup, disaster recovery, emergency mode)
  • Business associate agreements and oversight

Physical safeguards (highlights)

  • Facility access controls appropriate to your size
  • Workstation security and device policies
  • Device and media controls (encryption, disposal, reuse)

Technical safeguards (highlights)

  • Unique user IDs and emergency access procedures
  • Automatic logoff where appropriate
  • Encryption and decryption as determined reasonable and appropriate
  • Audit controls and integrity protections
  • Person or entity authentication
  • Transmission security for ePHI in motion

In modern SMB environments this often means MFA, endpoint encryption, secure email/file sharing patterns, logging, and least privilege—not a 2005 VPN diagram alone.

Business associates and BAAs

If a vendor handles ePHI for you, you typically need a Business Associate Agreement (BAA) and some confidence they can protect data. Popular cloud tools are not automatically “HIPAA ready” for your use case until contracting and configuration match.

Article: Business associate agreements.

Incidents and breaches

Not every security event is a breach under the Breach Notification Rule—but you need a process to evaluate incidents, mitigate harm, and notify when required. Technical preparation includes logging, IR contacts, and counsel relationships before 2 a.m. ransomware.

Related: Incident response basics, Ransomware recovery.

Technical stack that supports HIPAA goals

Technology does not equal compliance, but weak technology makes compliance claims hollow:

  • Identity: MFA, Conditional Access, least privilege (Identity guide)
  • Endpoints: encryption, EDR, management (Intune guide)
  • Email and collaboration: careful sharing, DLP where appropriate
  • Backup and recovery with tested restores
  • Vendor access control and offboarding

Common mistakes

  1. Assuming “we use a certified EHR” covers email and laptops
  2. No current risk analysis
  3. Shared logins in clinical or billing workflows
  4. BAAs missing for real data processors
  5. Training once at hire, never again
  6. No tested backups for systems that hold ePHI

Where to start this quarter

  1. Confirm covered entity / business associate status with counsel
  2. Map where ePHI actually lives
  3. Enforce MFA and unique accounts on systems touching ePHI
  4. Encrypt portable devices; deploy EDR
  5. Review BAAs and high-risk vendors
  6. Document a lightweight risk analysis and remediation plan
  7. Consider a structured readiness snapshot: ImpetraInsights™ HIPAA

Want help applying this?

Book a free 15-minute review. For a structured baseline—including HIPAA-oriented paths—see ImpetraInsights™.