Cupertino has a dense concentration of medical and dental practices — pediatric offices, dental groups, optometry clinics, and specialist practices that handle protected health information (PHI) every day. Most of them run on a patchwork of systems: a cloud-based EHR, a Microsoft 365 or Google Workspace account, maybe a local server for imaging, and a front-desk computer that doubles as the check-in station.

Most of them are also not as HIPAA-compliant as they think.

This isn’t a criticism — it’s a structural problem. HIPAA compliance is a moving target that requires ongoing attention, and most small practices don’t have an IT person whose job is to track it. This post covers what the regulation actually requires from your IT environment, and the gaps we see most frequently.

What HIPAA Requires from IT — The Short Version

HIPAA’s Security Rule covers electronic PHI (ePHI) — any patient information stored or transmitted electronically. The requirements fall into three categories:

Administrative safeguards — written policies covering how your staff handles ePHI, who has access to what, and what happens when there’s a breach. This includes a workforce training program and a designated Security Officer.

Physical safeguards — controls over physical access to devices and workstations that hold ePHI. Workstations should auto-lock, screens should not be visible to waiting patients, and devices should be inventoried.

Technical safeguards — the IT controls. This is where most small practices have gaps.

The technical safeguards that matter most:

  • Access controls — unique login credentials for every user. No shared passwords. Role-based access so front desk staff can’t access clinical notes they don’t need.
  • Audit controls — logging who accessed what records and when. Your EHR probably handles this for clinical data. Your Microsoft 365 or Google Workspace audit logs, by contrast, are often never configured.
  • Transmission security — ePHI in transit must be encrypted. Email containing patient information must use encrypted transport or a secure messaging system.
  • Integrity controls — systems to detect unauthorized alteration of ePHI.
  • Automatic logoff — workstations must lock after a period of inactivity.

The Gaps We See Most Often in Cupertino Practices

Shared login credentials. Front desk staff sharing a single Windows login is the single most common HIPAA violation we find. Every person who touches ePHI needs their own account. This is non-negotiable, and it’s testable during an audit.

No Business Associate Agreements with IT vendors. If your IT provider has access to systems containing ePHI — and they do — they must sign a Business Associate Agreement (BAA). Most break-fix IT shops never offer one. If you don’t have a signed BAA with your IT provider, you have a compliance gap that could cost you significantly in the event of a breach investigation.

Microsoft 365 audit logging is off. M365’s unified audit log is disabled by default in older tenants. It needs to be manually enabled. Without it, you have no record of who accessed what in SharePoint, OneDrive, or Exchange — which is exactly what an auditor or breach investigator will ask for first.

Backup does not cover ePHI in Microsoft 365. M365 is not a backup. If a staff member accidentally deletes a folder containing patient documents, or ransomware encrypts your SharePoint, Microsoft’s recycle bin gives you a limited recovery window. You need a third-party backup solution that creates point-in-time snapshots of your M365 data — Veeam, Spanning, or Backupify are common choices.

No MFA on email. Email is the most common vector for both credential compromise and accidental PHI disclosure. Every account that can send or receive patient-related email needs multi-factor authentication. If a staff member clicks a phishing link and their email account gets compromised, every patient whose information was accessible through that account is potentially a reportable breach.

Imaging systems on the same network as internet-connected workstations. X-ray and imaging systems often run outdated operating systems (Windows 7 or earlier is common) because the imaging software vendor hasn’t updated their compatibility. These systems should be on an isolated network segment — not on the same flat network as internet-connected computers.

What a Properly Configured IT Environment Looks Like

For a typical Cupertino medical or dental practice with 5–20 staff:

  • Microsoft 365 Business Premium (includes Intune for device management, Defender for endpoint protection, and advanced compliance features)
  • MFA enforced on all accounts via Conditional Access
  • Unified audit logging enabled in the M365 compliance portal
  • Third-party M365 backup (Spanning or Veeam)
  • Separate network VLAN for imaging and clinical systems
  • Workstation auto-lock policies enforced via Intune (5-minute timeout)
  • Unique user accounts for every staff member, with role-based access
  • Signed BAA with your IT provider, your EHR vendor, and any other vendor accessing ePHI
  • Annual workforce security training with documented completion records
  • Written incident response plan — even a one-page version is better than none
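Three of the tenant-side items above (unified audit logging, MFA via Conditional Access, and an audit trail that actually answers "who accessed what") can be verified from PowerShell. The script below is an added example written for this post, not LineSight's tooling or Microsoft's; it assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed and that the operator holds the relevant admin roles.

```powershell
# Added example (not from the original post): read-mostly check of three tenant-side
# HIPAA technical safeguards in Microsoft 365. Assumes ExchangeOnlineManagement and
# Microsoft.Graph modules are installed and the operator has admin rights.
param(
    [switch]$EnableAuditLog   # opt in to turning the unified audit log on if it is off
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes "Policy.Read.All" -NoWelcome

# 1. Unified audit log: the record an auditor or breach investigator asks for first.
$auditCfg = Get-AdminAuditLogConfig
if (-not $auditCfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is OFF for this tenant."
    if ($EnableAuditLog) {
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
        Write-Output "Unified audit log enabled; events accrue from now on, not retroactively."
    }
} else {
    Write-Output "Unified audit log ingestion is ON."
}

# 2. MFA: look for an enabled Conditional Access policy whose grant control requires MFA.
$mfaPolicies = Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.State -eq "enabled" -and $_.GrantControls.BuiltInControls -contains "mfa" }
if ($mfaPolicies) {
    Write-Output ("MFA-requiring Conditional Access policies: " + ($mfaPolicies.DisplayName -join ", "))
} else {
    Write-Warning "No enabled Conditional Access policy requires MFA."
}

# 3. Prove the audit trail answers "who accessed what": sample the last 7 days of
#    SharePoint/OneDrive file-access events. No rows with logging ON is itself a finding.
$recent = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType SharePointFileOperation -Operations FileAccessed -ResultSize 50
foreach ($entry in $recent) {
    $data = $entry.AuditData | ConvertFrom-Json   # AuditData is a JSON string per event
    [pscustomobject]@{
        When   = $entry.CreationDate
        User   = $entry.UserIds
        File   = $data.ObjectId
        Client = $data.ClientIP
    }
}
```

An enabled MFA policy is only half the answer: open each policy it lists and confirm its user assignments cover every staff account and that the exclusion list is empty or limited to a documented break-glass account.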

Getting a BAA and Assessment

If you’re not sure where you stand, the right starting point is a written IT assessment — not a verbal conversation, but a documented review of your systems against the HIPAA Security Rule requirements.

LineSight Digital provides free IT assessments for Cupertino medical and dental practices, including a HIPAA Security Rule gap analysis. We sign BAAs and have experience with the specific compliance requirements for healthcare practices in Santa Clara County.

You can also use our AI IT Advisor to get immediate answers about your current setup, or call us directly at (408) 805-4799.

For more on the IT requirements for medical and dental offices, see our IT support page for medical and dental practices in the Bay Area.
