If you have ever read the actual text of the HIPAA Security Rule, you know the frustration: it tells you to ensure the "confidentiality, integrity, and availability" of protected health information, but it almost never tells you which product, setting, or checkbox gets you there. That ambiguity is deliberate — a solo dental office and a 40-provider group can't reasonably run the same systems — but it leaves most practices unsure whether what their IT company set up is actually enough.
So here is the rule translated into six protections you can picture, each with a simple test. You don't need to be technical to ask these questions. If your current IT provider can't answer them clearly, that itself is the answer.
Access control — who can open what
Every person on your team should be able to reach exactly the information their job requires, and nothing more. The front desk doesn't need the same access as a hygienist, and a departed employee should need none. In practice this means individual logins (never a shared "frontdesk" account), permissions grouped by role, and a reliable routine for switching off access the day someone leaves.
Audit logging — a record of who did what
If a patient record is opened, changed, or exported, something should quietly write down who did it and when. You hope to never need these logs — but the day a patient alleges their record was viewed improperly, or you have to prove a breach didn't happen, the log is the only thing that can answer. Logging that nobody ever reviews is only half the protection; someone has to actually look.
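To make the last two points concrete (individual logins tied to roles, access switched off when someone leaves, and logs that someone actually reviews), here is a small review script. It is an added example written for this article, not something the practice's EHR or any IT provider ships; the staff roster, role permissions, and audit log lines are constructed for illustration and the log format is an assumption. It reads each entry, checks the login against the roster and its role, and flags the things a monthly review should catch: a login that is not on the roster, a departed employee's account still in use, an action a role is not permitted to perform, and activity well outside business hours.

```python
from dataclasses import dataclass
from datetime import datetime, date

# Constructed roster (assumed shape): each login's role and, if applicable,
# the date the account should have been switched off.
ROSTER = {
    "jsmith":  {"role": "hygienist",  "deactivated": None},
    "mlopez":  {"role": "front_desk", "deactivated": None},
    "drpatel": {"role": "provider",   "deactivated": None},
    "tnguyen": {"role": "front_desk", "deactivated": date(2024, 3, 1)},  # left the practice
}

# Role-based permissions (assumed): what each role may do with a patient record.
ROLE_PERMISSIONS = {
    "front_desk": {"view_demographics", "schedule"},
    "hygienist":  {"view_demographics", "view_chart", "update_chart"},
    "provider":   {"view_demographics", "view_chart", "update_chart", "export_record"},
}

# Constructed audit log: "timestamp user action patient_id" per line.
SAMPLE_LOG = """\
2024-03-04T08:55:12 mlopez view_demographics P-1001
2024-03-04T09:10:43 jsmith view_chart P-1001
2024-03-04T09:12:07 jsmith update_chart P-1001
2024-03-04T12:30:00 tnguyen view_chart P-2002
2024-03-04T13:02:19 mlopez export_record P-3003
2024-03-04T23:45:51 drpatel export_record P-4004
2024-03-04T10:00:00 ghost view_chart P-5005
"""


@dataclass
class Finding:
    line: str    # the raw log entry that triggered the finding
    reason: str  # why a reviewer should look at it


def review_audit_log(log_text, roster=ROSTER, permissions=ROLE_PERMISSIONS,
                     business_hours=(7, 19)):
    """Return the log entries a monthly review should question, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, user, action, _patient = line.split()
        ts = datetime.fromisoformat(ts_text)

        entry = roster.get(user)
        if entry is None:
            # Every login must belong to a named person; shared or stray accounts fail here.
            findings.append(Finding(line, "unknown login not on roster"))
            continue

        if entry["deactivated"] is not None and ts.date() >= entry["deactivated"]:
            # The account should have been switched off the day the person left.
            findings.append(Finding(line, "access after deactivation date"))
            continue

        if action not in permissions.get(entry["role"], set()):
            # The role does not include this action, e.g. front desk exporting a record.
            findings.append(Finding(line, f"action not permitted for role {entry['role']}"))

        if not (business_hours[0] <= ts.hour < business_hours[1]):
            # Not necessarily wrong, but worth a question during review.
            findings.append(Finding(line, "activity outside business hours"))
    return findings


def summarize_by_user(log_text):
    """Count actions per login so the reviewer can see who is touching records, and how much."""
    counts = {}
    for line in log_text.splitlines():
        if line.strip():
            user = line.split()[1]
            counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_audit_log(SAMPLE_LOG):
        print(f"{f.reason:40s} | {f.line}")
    print(summarize_by_user(SAMPLE_LOG))
```

Run against the constructed log, the script flags four entries: the departed employee's login still viewing a chart, the front desk account exporting a record, a late-night export by a provider, and a login nobody on the roster recognizes. The point is less the script than the habit: the roster, the role list, and the log exist in every practice, and a review like this is what turns "we have logging" into something an auditor can accept.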
Integrity — data can't be silently altered or lost
Patient information has to be trustworthy: what was entered is what stays there, unless someone with permission deliberately changes it. This is partly about preventing tampering and partly about surviving accidents and attacks — which is why tamper-proof backups belong here. Backups an attacker (or a disgruntled insider) can quietly delete don't protect integrity; backups that cannot be altered after they're written do.
Authentication — proving people are who they say
A password alone is a single point of failure: it gets reused, phished, or guessed. Two-step verification — a code or prompt on top of the password — is the single highest-impact protection most practices can add, and it has to be on every account, not just the owners'. Attackers look for the one inbox without it. A partial rollout is an unlocked back door on an otherwise secure building.
Transmission security — data is protected in transit
Patient information rarely stays in one place — it moves to a lab, a specialist, a billing service, an imaging center. Every one of those handoffs is a moment of exposure. The information needs to travel over protected channels, and email carrying anything sensitive needs encryption or a secure portal rather than a plain message that anyone along the way could read.
Encryption — data is unreadable if it's stolen
Encryption is the protection that turns a disaster into a non-event. A laptop left in a car or a stolen office computer is frightening only if the data on it can be read. When the drive is encrypted, the thief gets an expensive paperweight and you avoid a reportable breach — HIPAA treats properly encrypted data that's lost as far lower risk. It belongs on every laptop, desktop, and phone that touches patient information.
The pattern behind all six
Notice that none of these six is a product you buy once and forget. They're conditions you maintain, month after month — access that's kept current, logs that get reviewed, backups that are tested, two-step login that covers everyone. That's the real gap we see when we take over for a generalist IT company: the tools were often installed, but no one owned keeping them true over time. HIPAA calls this ongoing work; an auditor calls it evidence.
If you read these six and weren't sure about two or three of them, you're in good company — and it's exactly the kind of thing a short assessment can settle quickly.