HIPAA Compliance for Non-Technical Practice Managers

What you actually need to know — without the IT jargon.

HIPAA can feel overwhelming if you're a practice manager, not an IT person. But OCR doesn't accept "I didn't understand the technology" as a defence. Here's what matters, in plain language.

What HIPAA actually requires of you

HIPAA's Security Rule requires three categories of safeguards: administrative (policies and training), physical (facility access), and technical (systems and data protection). As a practice manager, you're responsible for the administrative side — and for making sure your IT provider handles the technical side correctly.

The five things OCR auditors look for first

  1. Risk assessment documentation. You need a written assessment of where patient data lives, who accesses it, and what could go wrong. This must be updated annually — a document from three years ago won't pass.
  2. Business Associate Agreements (BAAs). Every vendor that touches patient data — your EHR provider, cloud backup service, billing company, IT provider — needs a signed BAA. No BAA means you're liable for their mistakes.
  3. Access controls. Staff should only access patient records they need for their job. When someone leaves, their access must be revoked the same day — not "when IT gets to it."
  4. Encryption. Patient data must be encrypted in transit (email, remote access) and at rest (stored on servers and devices). If a laptop with unencrypted patient records is stolen, that's a reportable breach.
  5. Staff training records. HIPAA requires annual security awareness training for all staff, with documented completion. "We told everyone in a meeting" isn't sufficient — you need records.

Common mistakes practice managers make

  1. Assuming your EHR vendor handles all compliance. Your EHR may be HIPAA-compliant, but how you configure it, who you give access to, and how you handle data outside the EHR is your responsibility.
  2. Using personal email for patient communication. Gmail and personal email accounts don't meet HIPAA requirements unless specifically configured with a BAA — which consumer accounts don't have.
  3. No incident response plan. If a breach happens, OCR wants to see that you had a plan and followed it. A one-page document covering who to call and what to do is better than nothing.
  4. Treating compliance as a one-time project. HIPAA compliance isn't a checkbox — it's ongoing. Staff turnover, new software, and changing threats all require updates to your policies and controls.

What to ask your IT provider

If you're working with an MSP or IT company, ask them directly:

  1. Will you sign a Business Associate Agreement?
  2. Can you provide documentation for our HIPAA risk assessment?
  3. How do you handle access revocation when staff leave?
  4. Are our backups encrypted and tested regularly?
  5. Do you provide security awareness training for our staff?

If they can't answer these clearly, they're not a HIPAA-ready partner. Security-first MSPs — like teams with actual cybersecurity backgrounds — will have documented answers for all of the above.

Want a professional assessment?

We'll review your environment and give you an honest picture of where you stand — no sales pressure.