
The 6 security protections HIPAA requires — and how to tell if you actually have them

The HIPAA Security Rule never hands you a shopping list. It describes outcomes and leaves the "how" to you and your IT provider. Here's that list in plain English — and the questions that reveal whether your practice truly has each one.

Jaccob OQuinn
Founder, Front Range Health IT · Updated June 2026

If you have ever read the actual text of the HIPAA Security Rule, you know the frustration: it tells you to ensure the "confidentiality, integrity, and availability" of protected health information, but it almost never tells you which product, setting, or checkbox gets you there. That ambiguity is deliberate — a solo dental office and a 40-provider group can't reasonably run the same systems — but it leaves most practices unsure whether what their IT company set up is actually enough.

So here is the rule translated into six protections you can picture, each with a simple test. You don't need to be technical to ask these questions. If your current IT provider can't answer them clearly, that itself is the answer.

1. Access control — who can open what

Every person on your team should be able to reach exactly the information their job requires, and nothing more. The front desk doesn't need the same access as a hygienist, and a departed employee should need none. In practice this means individual logins (never a shared "frontdesk" account), permissions grouped by role, and a reliable routine for switching off access the day someone leaves.

How to tell if you have it
Ask: "If I fire someone this afternoon, how fast is their access to our practice software, email, and files gone — and who confirms it?" A good answer is measured in minutes and is written down.

2. Audit logging — a record of who did what

If a patient record is opened, changed, or exported, something should quietly write down who did it and when. You hope to never need these logs — but the day a patient alleges their record was viewed improperly, or you have to prove a breach didn't happen, the log is the only thing that can answer. Logging that nobody ever reviews is only half the protection; someone has to actually look.

How to tell if you have it
Ask: "Can we see a record of who accessed a specific patient's chart last month?" If the answer is "I don't think we can pull that," the protection isn't really there.
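
The question above only has a good answer if the log records who, what, which chart and when, and if someone can actually pull that out. The script below is an added example, not part of the article and not any practice-management product's export; it assumes a simple line-per-event log format, and the sample lines, the chart id and the 7:00 to 19:00 business-hours window are all constructed for illustration.

```python
"""List every access to one patient's chart in a given month, then summarise
what a reviewer would look at first: who, how often, exports, and odd hours."""
from collections import Counter
from datetime import datetime

# Constructed sample audit log. Real systems have their own formats; what
# matters is that each event records the user, the action, the chart and a time.
SAMPLE_LOG = """\
2026-05-03T09:12:44 user=ahernandez action=view chart=P-10442
2026-05-03T09:15:02 user=ahernandez action=update chart=P-10442
2026-05-17T14:02:10 user=frontdesk action=view chart=P-10442
2026-05-21T21:45:33 user=jlee action=export chart=P-10442
2026-05-22T08:01:19 user=jlee action=view chart=P-20931
2026-06-01T10:30:00 user=ahernandez action=view chart=P-10442
this line is not a log record
"""

# Assumed business hours for the after-hours check (7:00 up to 19:00).
BUSINESS_HOURS = range(7, 19)


def parse_line(line):
    """Turn one log line into a dict, or return None for lines that don't fit."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        when = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not {"user", "action", "chart"}.issubset(fields):
        return None
    return {"time": when, **fields}


def chart_accesses(log_text, chart_id, year, month):
    """Every event that touched chart_id during the given month, oldest first."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["chart"] != chart_id:
            continue
        if (rec["time"].year, rec["time"].month) == (year, month):
            events.append(rec)
    return sorted(events, key=lambda r: r["time"])


def review_summary(events):
    """The three things a monthly reviewer checks before reading line by line."""
    return {
        "by_user": dict(Counter(r["user"] for r in events)),
        "exports": [r["user"] for r in events if r["action"] == "export"],
        "after_hours": [r["user"] for r in events if r["time"].hour not in BUSINESS_HOURS],
    }


if __name__ == "__main__":
    may = chart_accesses(SAMPLE_LOG, "P-10442", 2026, 5)
    for r in may:
        print(r["time"].isoformat(), r["user"], r["action"])
    print(review_summary(may))
```

Run it and the May 2026 view of chart P-10442 comes back as four events, with one export made at 21:45 by a billing login, which is exactly the kind of line that should prompt a question. The logging is only half the protection, as the section says; the summary is what turns a pile of records into something a person will actually look at each month.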

3. Integrity — data can't be silently altered or lost

Patient information has to be trustworthy: what was entered is what stays there, unless someone with permission deliberately changes it. This is partly about preventing tampering and partly about surviving accidents and attacks — which is why tamper-proof backups belong here. Backups an attacker (or a disgruntled insider) can quietly delete don't protect integrity; backups that cannot be altered after they're written do.

How to tell if you have it
Ask: "If someone with admin access tried to delete our backups, could they?" The reassuring answer is no — they're immutable for a set retention period.
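
Immutability is a property of where the backup is stored, but the other half of integrity, knowing that what you restore is what you wrote, can be checked with a plain hash manifest. The script below is an added example rather than anything from the article or a backup vendor: it records a SHA-256 digest of every file at backup time and later reports anything altered, missing or added. The folder layout and file contents are constructed; the manifest itself is assumed to be kept somewhere the backup administrator cannot quietly rewrite, since a manifest stored next to the files it describes proves nothing.

```python
"""Write a digest manifest for a backup folder and verify it later."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large archives don't fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def write_manifest(backup_dir, manifest_path):
    """Record the digest of every file under backup_dir at backup time."""
    backup_dir = Path(backup_dir)
    entries = {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*")) if p.is_file()
    }
    Path(manifest_path).write_text(json.dumps(entries, indent=2, sort_keys=True))
    return entries


def verify_backup(backup_dir, manifest_path):
    """Compare the backup to its manifest; anything listed here needs a human."""
    backup_dir = Path(backup_dir)
    expected = json.loads(Path(manifest_path).read_text())
    present = {p.relative_to(backup_dir).as_posix() for p in backup_dir.rglob("*") if p.is_file()}
    problems = {"altered": [], "missing": [], "unexpected": sorted(present - set(expected))}
    for rel, digest in sorted(expected.items()):
        path = backup_dir / rel
        if not path.is_file():
            problems["missing"].append(rel)
        elif sha256_file(path) != digest:
            problems["altered"].append(rel)
    return problems


def demo():
    """Constructed scenario: take a backup, verify it, tamper with it, verify again."""
    root = Path(tempfile.mkdtemp())
    backup = root / "backup"
    backup.mkdir()
    (backup / "patients.db").write_bytes(b"constructed sample data")
    (backup / "schedule.csv").write_bytes(b"date,patient\n")
    manifest = root / "manifest.json"  # kept outside the backup folder on purpose
    write_manifest(backup, manifest)
    clean = verify_backup(backup, manifest)
    # Simulate silent alteration of one file and loss of another.
    (backup / "patients.db").write_bytes(b"constructed sample data, altered")
    (backup / "schedule.csv").unlink()
    tampered = verify_backup(backup, manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("fresh backup:", before)
    print("after tampering:", after)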

4. Authentication — proving people are who they say

A password alone is a single point of failure: it gets reused, phished, or guessed. Two-step verification — a code or prompt on top of the password — is the single highest-impact protection most practices can add, and it has to be on every account, not just the owners'. Attackers look for the one inbox without it. A partial rollout is an unlocked back door on an otherwise secure building.

How to tell if you have it
Ask: "Is two-step login required on every staff account, with no exceptions?" "Most of them" means the protection has a hole in it.
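
The access-control question in section 1 (does a departed employee's access actually go away?) and the two-step login question above are both answered from the same place: an account list from whatever identity system the practice uses. The script below is an added example, not from the article and not tied to any particular product; it assumes an export with one row per account giving the owner, role, enabled state, whether two-step login is enforced, and a termination date if the owner has left. The column names, the name hints for shared logins and the sample rows are all constructed.

```python
"""Audit an account export for shared logins, departed staff who still have
access, and enabled accounts without two-step login."""
import csv
import io
from datetime import date

# Constructed sample export. A real one comes from the practice's identity
# system (mail provider, practice software, file server) in its own format.
SAMPLE_EXPORT = """\
username,owner,role,enabled,mfa_enforced,terminated_on
ahernandez,Ana Hernandez,hygienist,yes,yes,
jlee,Jordan Lee,billing,yes,no,
frontdesk,,front_desk,yes,no,
mpatel,Maya Patel,dentist,yes,yes,
rkim,Riley Kim,front_desk,yes,yes,2026-05-30
tnguyen,Tam Nguyen,assistant,no,no,2026-04-12
"""

# Usernames that usually mean "several people know this password". Heuristic
# only; the missing owner field is the stronger signal.
SHARED_NAME_HINTS = ("frontdesk", "reception", "office", "shared")


def load_accounts(text):
    """Parse the export into dicts with real booleans and dates."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["enabled"] = r["enabled"].strip().lower() == "yes"
        r["mfa_enforced"] = r["mfa_enforced"].strip().lower() == "yes"
        ended = r["terminated_on"].strip()
        r["terminated_on"] = date.fromisoformat(ended) if ended else None
    return rows


def audit_accounts(accounts, today_iso):
    """Return the three findings the two questions are really asking about."""
    today = date.fromisoformat(today_iso)
    findings = {"shared_accounts": [], "terminated_still_enabled": [], "missing_mfa": []}
    for a in accounts:
        name = a["username"]
        unowned = not a["owner"].strip()
        if unowned or any(hint in name.lower() for hint in SHARED_NAME_HINTS):
            findings["shared_accounts"].append(name)
        if a["terminated_on"] and a["enabled"]:
            days_open = (today - a["terminated_on"]).days
            findings["terminated_still_enabled"].append((name, days_open))
        if a["enabled"] and not a["mfa_enforced"]:
            findings["missing_mfa"].append(name)
    return findings


if __name__ == "__main__":
    report = audit_accounts(load_accounts(SAMPLE_EXPORT), "2026-06-15")
    for finding, items in report.items():
        print(f"{finding}: {items or 'none'}")
```

On the constructed export this flags the shared front-desk login, a front-desk account still enabled sixteen days after its owner left, and two enabled accounts with no two-step login. Run monthly against a fresh export, the "terminated_still_enabled" list is the written, minutes-not-weeks answer the first question asks for, and an empty "missing_mfa" list is what "no exceptions" looks like in practice.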

5. Transmission security — data is protected in transit

Patient information rarely stays in one place — it moves to a lab, a specialist, a billing service, an imaging center. Every one of those handoffs is a moment of exposure. The information needs to travel over protected channels, and email carrying anything sensitive needs encryption or a secure portal rather than a plain message that anyone along the way could read.

How to tell if you have it
Ask: "When we email a patient's information to a specialist, what makes that message secure?" There should be a concrete answer — encryption or a portal — not a shrug.

6. Encryption — data is unreadable if it's stolen

Encryption is the protection that turns a disaster into a non-event. A laptop left in a car or a stolen office computer is frightening only if the data on it can be read. When the drive is encrypted, the thief gets an expensive paperweight and you avoid a reportable breach — HIPAA treats properly encrypted data that's lost as far lower risk. It belongs on every laptop, desktop, and phone that touches patient information.

How to tell if you have it
Ask: "If a work laptop were stolen tonight, would we have to report a breach?" If encryption is on, the honest answer is usually no.

The pattern behind all six

Notice that none of these six are products you buy once and forget. They're conditions you maintain — access that's kept current, logs that get reviewed, backups that are tested, two-step login that covers everyone, every month. That's the real gap we see when we take over for a generalist IT company: the tools were often installed, but no one owned keeping them true over time. HIPAA calls this ongoing work; an auditor calls it evidence.

If you read these six and weren't sure about two or three of them, you're in good company — and it's exactly the kind of thing a short assessment can settle quickly.

Want to know which of the six you're missing?

We'll walk your practice through all six in a free, no-pressure assessment — and tell you plainly where you stand.

Book a Free Assessment