TL;DR: HIPAA requires covered healthcare entities to implement administrative, physical, and technical safeguards to protect patient health information. Civil monetary penalties can reach into the millions per violation category annually, with amounts adjusted each year by OCR for inflation. This checklist covers the IT-specific requirements North Carolina healthcare practices must meet, from encryption and access controls to business associate agreements and annual risk assessments.
Is your North Carolina medical practice HIPAA-compliant? Preferred Data Corporation has provided HIPAA-compliant IT services to healthcare providers across North Carolina for over 37 years. Call (336) 886-3282 or contact us for a HIPAA IT assessment.
What Is HIPAA and Who Does It Apply To?
The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare organizations and their technology vendors to protect patient health information. The law applies to covered entities - healthcare providers, health plans, and healthcare clearinghouses - and their business associates, which include IT providers, cloud storage vendors, and software companies that handle protected health information (PHI).
For a small medical practice, dental office, physical therapy clinic, or mental health practice in North Carolina, HIPAA compliance is not optional. The Office for Civil Rights (OCR) within the Department of Health and Human Services enforces HIPAA and conducts both complaint-driven and random audits.
The HITECH Act, passed in 2009, significantly strengthened HIPAA enforcement by increasing penalties and requiring notification when PHI is breached. Most modern HIPAA IT requirements stem from the combined framework of HIPAA and HITECH.
What Are the Three Categories of HIPAA Safeguards?
HIPAA's Security Rule organizes required protections into three categories. IT requirements fall primarily under technical safeguards, though administrative and physical safeguards also have significant technology components.
Administrative Safeguards
Administrative safeguards are the policies, procedures, and training requirements that govern how your practice manages PHI. From an IT perspective, these include:
- Security Officer designation - Assign a specific person responsible for HIPAA IT compliance. In small practices, this is often the office manager or a designated staff member, sometimes supported by a managed IT provider.
- Security awareness training - All staff who access PHI must receive annual cybersecurity and HIPAA training covering phishing awareness, password security, and PHI handling procedures.
- Access management policies - Written policies defining who can access which systems and data, how access is provisioned and terminated, and how access logs are reviewed.
- Contingency planning - Documented procedures for responding to IT emergencies, data loss, or system outages that affect PHI availability.
- Business associate agreements (BAAs) - Written contracts with every vendor or IT provider that accesses, processes, or stores PHI on your behalf. No PHI should flow to any vendor without a signed BAA.
Physical Safeguards
Physical safeguards address the hardware and physical spaces where PHI is stored or accessed.
- Workstation security - Computers that display or process PHI must be positioned to prevent unauthorized viewing and must lock automatically after a period of inactivity (typically 5 to 15 minutes).
- Device encryption - All devices storing PHI - laptops, tablets, smartphones, and servers - must be encrypted so that stolen hardware does not result in a reportable breach.
- Media disposal - Hard drives and storage media must be securely wiped or physically destroyed before disposal. Simply deleting files is not sufficient.
- Facility access controls - Server rooms and areas with PHI must have access controls limiting entry to authorized personnel. Key cards, physical locks, or security cameras are common controls.
- Workstation use policies - Written policies defining what activities are permitted on PHI-capable workstations, including personal use restrictions.
Technical Safeguards
Technical safeguards are the IT controls that directly protect PHI in electronic systems. These are the requirements your IT provider implements and monitors on your behalf.
Access controls:
- Unique user identification - Every user must have their own login credentials. Shared accounts are a HIPAA violation.
- Automatic logoff - Systems must terminate sessions automatically after a defined period of inactivity.
- Encryption and decryption - PHI must be encrypted at rest (stored) and in transit (transmitted over networks).
- Emergency access procedures - Documented and tested procedures for accessing PHI during system outages.
Audit controls:
- Hardware and software activity logs for systems containing PHI
- Regular review of those logs for unauthorized access attempts
- Log retention for a minimum of six years
Integrity controls:
- Mechanisms to verify that PHI has not been altered or destroyed in an unauthorized manner
- File integrity monitoring on systems containing PHI
Transmission security:
- All PHI transmitted over the internet must be encrypted using TLS 1.2 or higher
- Email containing PHI must use encrypted email solutions
- Remote access to PHI must occur through encrypted VPN or zero trust access solutions
What Are the Most Common HIPAA IT Violations in Small Practices?
The most frequently cited HIPAA IT violations in OCR enforcement actions and audit findings include:
- No risk analysis - Failure to conduct and document an annual security risk assessment is the single most common HIPAA violation. This is a required implementation specification, not optional.
- Unencrypted PHI on portable devices - Unencrypted laptops, USB drives, and smartphones containing PHI are the leading cause of reportable breaches. Encrypting every device that stores PHI removes this breach category, because encrypted PHI that is lost or stolen is not unsecured PHI under the Safe Harbor provision.
- Missing or unsigned business associate agreements - Many small practices discover they lack BAAs with cloud storage vendors, software companies, or their IT provider.
- Shared or terminated user accounts - Shared login credentials and failure to disable accounts when employees leave are common violations found during audits.
- No security training documentation - Practices that provide verbal training but lack written documentation of when training occurred and who attended cannot demonstrate compliance.
- Unsecured PHI transmission - Sending PHI via standard (unencrypted) email, including attachments with patient information, is a technical safeguard violation.
- No patch management - Unpatched operating systems and software on PHI-containing systems represent unaddressed vulnerabilities that increase breach risk.
How Much Do HIPAA Violations Cost?
The Department of Health and Human Services enforces HIPAA using a four-tier civil monetary penalty structure based on the level of culpability. OCR adjusts these penalty amounts annually for inflation under the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015, so the actual amounts in effect today are higher than the original statutory figures. For the current adjusted amounts, consult HHS.gov OCR enforcement guidance.
The four tiers, ordered from least to most severe:
| Tier | Culpability Level | Per Violation (original statute) | Annual Cap (original statute) |
|---|---|---|---|
| 1 | Lack of knowledge - did not know of the violation | $100 to $50,000 | $25,000 |
| 2 | Reasonable cause - knew or should have known | $1,000 to $50,000 | $100,000 |
| 3 | Willful neglect, corrected within 30 days | $10,000 to $50,000 | $250,000 |
| 4 | Willful neglect, not corrected | $50,000 | $1.9 million |
Because OCR inflation-adjusts these caps each year, current maximums are higher than the statutory amounts shown above. OCR enforcement has resulted in settlements and penalties exceeding $1 million in numerous cases, with a single breach investigation capable of resulting in multi-million dollar resolution agreements.
Beyond OCR penalties, HIPAA breaches trigger breach notification requirements: affected patients must be notified within 60 days, HHS must be notified, and if more than 500 patients in a state are affected, media notification is required. Breach notifications damage patient trust and can affect a practice's reputation in ways that are difficult to quantify.
Cybersecurity insurance typically requires HIPAA compliance as a condition of coverage. A breach at a non-compliant practice may result in denied claims on top of regulatory penalties.
What Is a HIPAA Risk Assessment?
The HIPAA risk assessment (formally: security risk analysis) is a required annual activity that identifies threats and vulnerabilities to PHI in your practice. The assessment must:
- Identify where PHI is stored, received, maintained, and transmitted (including all systems, devices, and paper records)
- Identify potential threats to the confidentiality, integrity, and availability of PHI
- Assess the likelihood and impact of each identified threat
- Identify current security measures and evaluate their effectiveness
- Document risk levels and prioritize remediation
A proper HIPAA risk assessment is not a checklist - it is a documented analysis that demonstrates your practice understands its risk environment and has implemented appropriate controls.
PDC conducts HIPAA risk assessments for healthcare practices across North Carolina and provides a written report that satisfies OCR requirements. Contact us at (336) 886-3282 to schedule your assessment.
HIPAA IT Compliance Checklist for NC Healthcare Practices
Use this checklist to evaluate your current HIPAA IT posture. Every unchecked item represents a compliance gap that needs remediation.
Administrative:
- ☐ Designated HIPAA Security Officer with documented responsibility
- ☐ Annual security risk assessment conducted and documented
- ☐ HIPAA security training provided and documented for all staff annually
- ☐ Signed Business Associate Agreements with all vendors accessing PHI
- ☐ Written information security policies and procedures
- ☐ Documented contingency plan for PHI systems outage or breach
- ☐ Annual review and update of policies and procedures
Physical:
- ☐ All laptops and mobile devices storing PHI are encrypted
- ☐ Server room or equipment closet with restricted access controls
- ☐ Workstations auto-lock after 5 to 15 minutes of inactivity
- ☐ Secure destruction policy for hard drives and storage media
- ☐ Workstations with PHI positioned to prevent unauthorized viewing
Technical:
- ☐ Unique login credentials for every user - no shared accounts
- ☐ Multi-factor authentication for remote access to PHI systems
- ☐ All PHI encrypted at rest (AES-256 or equivalent)
- ☐ All PHI encrypted in transit (TLS 1.2 or higher)
- ☐ Encrypted email solution for sending PHI externally
- ☐ VPN or zero trust access for remote workers
- ☐ Active audit logging on all PHI-containing systems
- ☐ Quarterly review of access logs
- ☐ Automated patch management for all operating systems and software
- ☐ Endpoint Detection and Response (EDR) solution on all workstations
- ☐ Offsite encrypted backup with tested restoration procedures
- ☐ Terminated employee accounts disabled within 24 hours of departure
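As an added illustration of the audit-control and account-management items above (not part of the original checklist or of PDC's tooling), the following Python script reviews a constructed access log from a PHI system for three findings an OCR auditor asks about: accounts still signing in after an employee's separation date, one account used from two workstations in quick succession (a symptom of shared credentials), and bursts of failed logins. The log format, account names, workstation names and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log from a PHI system: (timestamp, account, workstation, result).
ACCESS_LOG = [
    ("2024-03-04 08:01", "jsmith", "WS-FRONT-01", "success"),
    ("2024-03-04 08:03", "jsmith", "WS-EXAM-03", "success"),   # same account, second workstation
    ("2024-03-04 08:10", "rlee", "WS-BILL-02", "success"),
    ("2024-03-04 09:15", "mgarcia", "WS-FRONT-01", "success"),  # left the practice on 2024-03-01
    ("2024-03-04 09:20", "tnguyen", "WS-BILL-02", "failure"),
    ("2024-03-04 09:21", "tnguyen", "WS-BILL-02", "failure"),
    ("2024-03-04 09:22", "tnguyen", "WS-BILL-02", "failure"),
]
TERMINATIONS = {"mgarcia": datetime(2024, 3, 1)}  # constructed HR record: account -> last day of employment

def _parse(log):
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), a, w, r) for ts, a, w, r in log]

def post_termination_use(log, terminations, grace=timedelta(hours=24)):
    """Successful sign-ins more than `grace` after separation (checklist: disable within 24 hours)."""
    return sorted({a for ts, a, _, r in _parse(log)
                   if r == "success" and a in terminations and ts > terminations[a] + grace})

def shared_account_use(log, window=timedelta(minutes=10)):
    """One account on two different workstations within `window`: a symptom of shared credentials."""
    by_account = defaultdict(list)
    for ts, a, w, r in _parse(log):
        if r == "success":
            by_account[a].append((ts, w))
    flagged = set()
    for a, events in by_account.items():
        events.sort()
        for (t1, w1), (t2, w2) in zip(events, events[1:]):
            if w1 != w2 and t2 - t1 <= window:
                flagged.add(a)
    return sorted(flagged)

def failed_login_bursts(log, threshold=3, window=timedelta(minutes=5)):
    """At least `threshold` failures inside `window`: the unauthorized access attempts log review must surface."""
    by_account = defaultdict(list)
    for ts, a, _, r in _parse(log):
        if r == "failure":
            by_account[a].append(ts)
    flagged = set()
    for a, times in by_account.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(a)
    return sorted(flagged)
```

Each function returns the list of accounts to investigate; in a real review the findings, the reviewer's name and the review date are recorded, since the documentation of the review is what demonstrates compliance.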
How Can a Managed IT Provider Help with HIPAA Compliance?
A HIPAA-compliant managed IT provider serves as a business associate under HIPAA and signs a BAA as part of the service agreement. PDC provides HIPAA-focused managed IT services for healthcare practices across North Carolina that include:
- Annual HIPAA security risk assessment with written report
- Deployment and management of required technical safeguards
- Encrypted backup with healthcare-specific retention policies
- Security awareness training for clinical and administrative staff
- 24/7 monitoring of systems containing PHI
- Incident response support for potential breaches
- Assistance with OCR audit preparation
Frequently Asked Questions
Does HIPAA apply to my small private practice?
Yes. Any healthcare provider that transmits PHI electronically - including for billing purposes - is a covered entity subject to HIPAA. The size of the practice does not exempt you from compliance requirements, though it may affect how controls are implemented.
What is a Business Associate Agreement?
A Business Associate Agreement (BAA) is a written contract between a covered entity (your practice) and any vendor that creates, receives, maintains, or transmits PHI on your behalf. This includes your EHR vendor, cloud storage provider, managed IT provider, billing service, and any other company with access to patient data. HIPAA requires BAAs with all business associates.
How long do I need to keep HIPAA-related records?
HIPAA requires covered entities to retain policies, procedures, and documentation of compliance activities for six years from the date of creation or the date the document was last in effect, whichever is later.
What triggers a HIPAA breach notification requirement?
Any unauthorized acquisition, access, use, or disclosure of unsecured PHI is presumed to be a breach unless the covered entity can demonstrate a low probability that PHI was compromised. Encrypting all PHI is the most reliable way to avoid breach notification requirements, because encrypted data that is lost or stolen is not considered unsecured PHI under HIPAA's Safe Harbor provision.
Can PDC help my practice get HIPAA-compliant?
Yes. Preferred Data Corporation provides HIPAA-compliant managed IT services for healthcare practices throughout North Carolina. We serve medical offices, dental practices, physical therapy clinics, behavioral health providers, and other healthcare organizations. Call (336) 886-3282 or contact us to schedule a HIPAA IT assessment.