Most small medical and dental offices think they’re HIPAA compliant because they signed a BAA with their EHR vendor and trained staff once a year. That’s not compliance. That’s paperwork.
The Office for Civil Rights (OCR), the HHS division that enforces HIPAA, has levied millions in fines against practices with fewer than 10 employees. The violations aren’t usually about someone snooping through records. They’re about misconfigured systems, missing controls, and IT setups that were never designed with PHI in mind.
Here’s what an actual HIPAA-compliant IT environment looks like for a small Bay Area medical or dental practice.
What HIPAA Actually Requires from Your IT
The regulation breaks down into three safeguard categories. Most practices obsess over the Administrative side (policies, training, risk assessments) and completely neglect the Technical and Physical safeguards, which is exactly where OCR auditors look first.
Technical Safeguards (45 CFR § 164.312) cover:
- Access controls: who can get to PHI, and how
- Audit controls: logging who accessed what and when
- Integrity controls: ensuring PHI isn’t altered or destroyed without authorization
- Transmission security: encrypting PHI in transit
Physical Safeguards cover workstation use, device controls, and facility access. A shared front-desk PC with no screen lock and a sticky note password is a HIPAA violation waiting to happen.
The Gaps I See Most Often in Small Practices
1. No encryption on workstations or laptops
If a laptop gets stolen and the drive isn’t encrypted, that’s a reportable breach, regardless of whether anyone actually accessed the data. Under HIPAA, unencrypted PHI on a lost or stolen device is a presumed breach. BitLocker on Windows, FileVault on Mac. No exceptions.
2. Microsoft 365 without a BAA or proper configuration
Microsoft will sign a Business Associate Agreement for Microsoft 365, but you have to request it, and the default M365 configuration is not HIPAA-ready out of the box. You need:
- A signed BAA with Microsoft (available through the admin portal)
- Audit logging enabled across Exchange, SharePoint, and Teams
- Data Loss Prevention policies scoped to PHI
- MFA enforced on every account, with no exceptions for the doctor or office manager
If you’re using the free or personal tier of any Microsoft product to handle patient data, stop. It’s not covered by a BAA.
3. Shared credentials
Front-desk staff sharing a single login to your practice management system is extremely common and completely noncompliant. HIPAA requires unique user identification so you can audit who accessed what. Shared accounts make that impossible.
4. No formal audit log review
Having logs isn’t enough: you’re required to regularly review them. Most practices have logging turned on and nobody ever looks at it. Implement at minimum a monthly review process, and document it.
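What a monthly review can actually look like, as an added example (not the post's own code): a PowerShell pass over constructed Microsoft 365 sign-in records that flags the shared-credential pattern from item 3, after-hours sign-ins, and repeated failures, then writes the dated findings file that documents the review. The column names follow the unified audit log's AuditData fields; every value in the sample is made up, and in production the here-string would be replaced by Search-UnifiedAuditLog output for the review period.

```powershell
# Added example, not from the original post: a monthly audit-log review pass over
# constructed Microsoft 365 sign-in records. Column names follow the unified audit
# log's AuditData fields (CreationTime, UserId, Operation, ClientIP, ResultStatus);
# every value below is made up. In production, feed it the output of
# Search-UnifiedAuditLog for the review period instead of this here-string.
$records = @'
CreationTime,UserId,Operation,ClientIP,ResultStatus
2024-03-04T09:02:11,frontdesk@practice.example,UserLoggedIn,203.0.113.10,Success
2024-03-04T09:05:40,frontdesk@practice.example,UserLoggedIn,203.0.113.11,Success
2024-03-04T09:07:02,frontdesk@practice.example,UserLoggedIn,203.0.113.12,Success
2024-03-04T13:15:09,dr.lee@practice.example,UserLoggedIn,203.0.113.20,Success
2024-03-05T02:41:55,dr.lee@practice.example,UserLoggedIn,198.51.100.7,Success
2024-03-05T08:59:30,billing@practice.example,UserLoginFailed,203.0.113.30,Failed
2024-03-05T09:00:05,billing@practice.example,UserLoginFailed,203.0.113.30,Failed
2024-03-05T09:00:41,billing@practice.example,UserLoginFailed,203.0.113.30,Failed
'@ | ConvertFrom-Csv

$OfficeHours  = 7..18   # sign-ins whose hour falls outside 07:00-18:59 get flagged
$MaxIPsPerDay = 2       # one account seen from more than this many IPs in a day
$MaxFailures  = 2       # more failed sign-ins than this per account per day
$findings = New-Object System.Collections.Generic.List[object]

$byUserDay = $records | Group-Object { "$($_.UserId)|$(([datetime]$_.CreationTime).ToString('yyyy-MM-dd'))" }
foreach ($g in $byUserDay) {
  $user, $day = $g.Name.Split('|')
  $logins   = @($g.Group | Where-Object Operation -eq 'UserLoggedIn')
  $failures = @($g.Group | Where-Object Operation -eq 'UserLoginFailed')

  # Shared-credential indicator: unique user identification is defeated when one
  # login is used from several desks in the same day
  $ips = @($logins.ClientIP | Sort-Object -Unique)
  if ($ips.Count -gt $MaxIPsPerDay) {
    $findings.Add([pscustomobject]@{ Check = 'PossibleSharedAccount'; User = $user; Day = $day
                                     Detail = "$($ips.Count) distinct client IPs: $($ips -join ', ')" })
  }
  # After-hours access to a system holding PHI is a question for the reviewer to ask
  foreach ($l in $logins | Where-Object { ([datetime]$_.CreationTime).Hour -notin $OfficeHours }) {
    $findings.Add([pscustomobject]@{ Check = 'AfterHoursSignIn'; User = $user; Day = $day
                                     Detail = "$($l.CreationTime) from $($l.ClientIP)" })
  }
  # Repeated failures against one account
  if ($failures.Count -gt $MaxFailures) {
    $findings.Add([pscustomobject]@{ Check = 'RepeatedSignInFailures'; User = $user; Day = $day
                                     Detail = "$($failures.Count) failures from $(@($failures.ClientIP | Sort-Object -Unique) -join ', ')" })
  }
}

# The review must be documented: the dated CSV is the evidence an auditor asks for
$findings | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path ".\audit-review-$(Get-Date -Format 'yyyy-MM').csv"
```

On the sample data each rule fires once: the front-desk account from three IPs on one day, the doctor's 02:41 sign-in, and three failed attempts against the billing account.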
5. Texting PHI
Standard SMS is not encrypted. If your staff is texting patient appointment details, diagnoses, or anything tied to a patient record using their personal phones or even a standard business number, that’s a violation. Secure messaging platforms like TigerConnect or Klara exist specifically for this.
6. No documented risk analysis
This is the single most common finding in OCR audits. HIPAA requires a formal, documented risk analysis: not a checklist you found online, but an actual assessment of where PHI lives in your environment, what the threats are, and what you’re doing to address them. It needs to be updated whenever your environment changes significantly.
What a Compliant IT Setup Looks Like
For a practice with 5–30 users, a solid HIPAA-compliant baseline includes:
- Endpoint encryption: BitLocker enabled and escrowed via Entra ID or Intune
- MFA on everything: M365, EHR/practice management software, remote access
- Unique user accounts: no shared credentials, ever
- Role-based access: front desk staff shouldn’t have access to clinical notes
- Audit logging: enabled in M365, your EHR, and your network
- Automatic screen lock: 5-minute timeout on all workstations
- Encrypted backups: stored off-site or in a HIPAA-eligible cloud service, tested regularly
- BAAs with all vendors who handle PHI: your EHR, your MSP, your cloud storage provider, your IT support company
- Documented risk analysis: reviewed annually or after major changes
- Incident response plan: a written process for what happens when something goes wrong
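Two of the workstation items above can be verified on the endpoint itself. As an added example (not the post's own code), this PowerShell check reads the OS drive's BitLocker state through the standard BitLocker cmdlets, confirms a recovery-password protector exists to be escrowed, and reads the machine inactivity limit policy value that drives the screen lock; it runs elevated, changes nothing, and exits non-zero so an RMM can flag the device.

```powershell
# Added example, not from the original post: a read-only check of two workstation
# controls from the baseline above on a Windows endpoint, meant to run from an RMM
# or an elevated PowerShell session. It reports and exits non-zero on failure.
$MaxLockSeconds = 300   # the 5-minute screen lock from the baseline
$results = New-Object System.Collections.Generic.List[object]

# 1. BitLocker on the OS drive: protection on and encryption finished
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
$results.Add([pscustomobject]@{
  Control = 'BitLocker protection on'
  Pass    = ($vol.ProtectionStatus -eq 'On' -and $vol.VolumeStatus -eq 'FullyEncrypted')
  Detail  = "Protection=$($vol.ProtectionStatus) Volume=$($vol.VolumeStatus) $($vol.EncryptionPercentage)%"
})

# 2. A recovery-password protector must exist; it is the object escrowed to Entra ID/Intune.
#    Whether escrow actually happened is confirmed in the Entra ID device record, not locally;
#    the local command that performs it is BackupToAAD-BitLockerKeyProtector.
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
$recoveryDetail = if ($recovery.Count) { "KeyProtectorId $($recovery[0].KeyProtectorId)" } else { 'no recovery password protector; nothing can be escrowed' }
$results.Add([pscustomobject]@{
  Control = 'Recovery password protector present'
  Pass    = ($recovery.Count -gt 0)
  Detail  = $recoveryDetail
})

# 3. Machine inactivity limit (the "Interactive logon: Machine inactivity limit" policy)
$polPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $polPath -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue
$timeout = if ($pol) { [int]$pol.InactivityTimeoutSecs } else { 0 }   # 0 means not configured
$timeoutDetail = if ($timeout) { "InactivityTimeoutSecs=$timeout" } else { 'InactivityTimeoutSecs not set' }
$results.Add([pscustomobject]@{
  Control = 'Screen lock within 5 minutes'
  Pass    = ($timeout -gt 0 -and $timeout -le $MaxLockSeconds)
  Detail  = $timeoutDetail
})

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }   # non-zero lets the RMM flag the device
```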
The BAA Question People Miss
Most practice owners know they need a BAA with their EHR vendor. What they miss is that any vendor who touches PHI needs a signed BAA, including your IT provider.
If your managed IT company has remote access to systems that contain patient data, they’re a Business Associate. No BAA means you’re exposed, regardless of how good their security is.
At LineSight Digital, we sign BAAs as a standard part of our agreements with medical and dental clients. It’s not optional, and any MSP working in healthcare should treat it the same way.
Backup and Disaster Recovery Under HIPAA
HIPAA’s Contingency Plan standard (§ 164.308(a)(7)) requires:
- A data backup plan
- A disaster recovery plan
- An emergency mode operation plan
- Testing and revision procedures
“We back up to an external drive in the office” doesn’t satisfy this. You need offsite or cloud backup, encryption at rest, and documented recovery procedures that have actually been tested. If your practice went down tomorrow (ransomware, fire, hardware failure), do you know exactly how long recovery would take and what the steps are?
If you don’t have a written answer to that question, you have a gap.
If OCR Shows Up
Audits are triggered by breach reports, patient complaints, or random selection. When OCR investigates, the first things they ask for are:
- Your most recent risk analysis
- Evidence of workforce training
- Audit logs
- Your policies and procedures
If any of those don’t exist or can’t be produced quickly, the conversation gets expensive fast. Fines start at $100 per violation and scale dramatically based on negligence level, up to $50,000 per violation category, per year.
The good news: documented effort matters. Practices that can show they identified gaps and were actively working to close them receive significantly more favorable treatment than those with no documentation at all.
Where to Start
If you’re not sure where your practice stands, start with a structured IT assessment focused on HIPAA technical safeguards. It doesn’t take weeks: a thorough review of your endpoints, M365 configuration, access controls, and backup posture can be done in a day and gives you a clear picture of what’s compliant, what isn’t, and what to fix first.
That’s exactly the kind of assessment LineSight Digital does for Bay Area medical and dental practices. If you want a no-fluff evaluation of your current setup, reach out and we’ll schedule time to walk through it.
LineSight Digital provides managed IT and HIPAA compliance support for medical and dental offices across the Bay Area. We sign BAAs, support EHR integrations, and handle the technical side so you can focus on patient care.
