
HIPAA Security Rule for SMBs: Checklist, Risks & Automation

A patient can’t log in to your client’s health app. It starts with an innocuous customer support ticket. The issue is resolved in minutes, but later that day, a security analyst flags something unusual—an unauthorized IP accesses metadata tied to that same user. No clinical data was touched, and no ransom demands were made, just a blip.

You dig deeper. Your system logs aren’t encrypted. Your admin dashboard lacks multi-factor authentication. Your breach response plan? A dusty Google Doc from 2020. 

So now you’re scrambling because when you serve healthcare clients, even small gaps in your security posture can spiral fast. HIPAA doesn’t wait for real damage to step in. It penalizes inadequate safeguards. 

Earlier this year, the HHS OCR fined Warby Parker $1.5 million after nearly 200,000 customers’ ePHI was exposed in a cyberattack, which was linked to missing safeguards and a delayed risk assessment.

In this article, we’ll help you understand the HIPAA Security Rule, who needs to comply, and how Sprinto helps.

What is the HIPAA Security Rule?

The HIPAA Security Rule is a set of national standards established by the U.S. Department of Health and Human Services (HHS) to protect individuals’ electronic protected health information (ePHI). It is part of the broader Health Insurance Portability and Accountability Act (HIPAA) and requires organizations to implement administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of sensitive patient data.

It establishes national standards for the secure storage, access, and transmission of ePHI, protecting it from unauthorized access, alteration, deletion, or disclosure. 

The HIPAA Security Rule applies to:

  1. Any healthcare provider who shares health information electronically
  2. Health plans like insurers and HMOs
  3. Healthcare clearinghouses
  4. Business associates such as SaaS providers, cloud storage platforms, analytics tools, and billing services that handle ePHI

Unlike the Privacy Rule, which governs what can be disclosed and to whom, the Security Rule dictates how that information must be protected, using administrative, physical, and technical safeguards.

The Security Rule doesn’t just say ‘keep data safe’; it expects documented proof that your safeguards are active, regularly reviewed, and updated.

What is PHI?

PHI is any individually identifiable health information created, received, or used by a healthcare provider, health plan, or their business associates. It includes data such as medical records, diagnoses, and personal identifiers that are protected under the Health Insurance Portability and Accountability Act (HIPAA). 

There are three appropriate uses of PHI:

  • Treatment: A medical provider will need to share patient information with a nurse so that they can provide proper care.
  • Payment: Insurance companies require specific medical information to provide coverage.
  • Healthcare operations: PHI may also be used in specific administrative, financial, or legal contexts to support business operations.

What is the Purpose of the HIPAA Security Rule?

The HIPAA Security Rule protects ePHI by ensuring organizations maintain strong safeguards across confidentiality, integrity, and availability—the foundational triad of information security. These are not merely best practices; they are legal requirements for any covered entity or business associate handling healthcare data electronically.

1. Confidentiality

Confidentiality ensures that ePHI is accessed only by authorized personnel and only when appropriate for their role. This involves implementing identity and access management (IAM) controls, encryption, and physical safeguards. 

For example, imagine a SaaS billing platform that stores sensitive patient billing records. If engineers or third-party vendors can access that data without strict access policies or audit trails in place, it could lead to a confidentiality breach, even if no data is leaked.

2. Integrity

Integrity refers to the assurance that ePHI is accurate, complete, and has not been altered either accidentally or maliciously. This is particularly important in healthcare, where minor data discrepancies can have life-threatening consequences. 

Suppose your pharmacy management system changes a prescription dosage from 5.0 mg to 50 mg because of a flawed software update. This error not only endangers the patient’s life but also constitutes a major HIPAA violation, even though it was unintentional.

3. Availability

Availability ensures that ePHI is accessible to authorized users when and where needed, whether during routine check-ups or critical emergencies. Healthcare organizations must implement disaster recovery plans to ensure continuity of care.

For example, if your cloud provider suffers an outage and doctors are unable to retrieve patient records for 48 hours, it can significantly disrupt care and trigger a HIPAA compliance violation, even in the absence of a breach.

Who Must Comply with the HIPAA Security Rule?

If your business creates, accesses, stores, or transmits electronic Protected Health Information (ePHI) – even if only indirectly – you are required to comply with the HIPAA Security Rule. Compliance isn’t limited to direct patient care; it extends across the entire ecosystem that touches ePHI in any way.

1. Covered Entities (CEs)

Covered Entities are the core group regulated by HIPAA. If your organization delivers healthcare, processes health-related financial transactions, or pays for medical services, you fall into this category.

Covered Entities include:

  • Hospitals, clinics, and urgent care centers
  • Physicians, dentists, chiropractors, and psychologists
  • Health insurance plans, HMOs, Medicare/Medicaid
  • Medical billing services and clearinghouses

Covered Entities must implement administrative, physical, and technical safeguards to protect ePHI. They must have a designated security officer and conduct regular risk assessments. Covered Entities are expected to be the first line of defense, building and maintaining a secure environment for patient data. 

If you’re a covered entity, you should develop and enforce policies for access control, training, and breach response while ensuring that all third-party vendors (Business Associates) you work with are also compliant.

2. Business Associates (BAs)

Business Associates are third parties that perform services on behalf of Covered Entities involving access to ePHI. Even if you’re not delivering healthcare yourself, if you interact with protected health data through a client relationship, you’re legally required to be HIPAA compliant.

Who are Business Associates (BAs)?

  • SaaS platform that helps clinics manage appointments or prescriptions
  • Cloud hosting provider storing patient files
  • Data analytics firms analyzing patient demographics
  • Billing automation tool processing insurance claims
  • Digital marketing agency running campaigns that analyze patient demographics

As a Business Associate, you should sign a Business Associate Agreement (BAA) with every Covered Entity. You should conduct security risk assessments, adopt security policies, encrypt ePHI during storage and transmission, and train staff on HIPAA compliance. Additionally, implement access controls. 

3. Subcontractors of Business Associates

Yes, HIPAA goes this deep. If you’re a Business Associate and you hire another vendor (e.g., for analytics, DevOps, QA testing), and that vendor can access ePHI, they become a subcontractor Business Associate.

Examples of Subcontractors:

  • DevOps firms managing infrastructure with access to cloud-hosted patient files
  • QA testers validating features on a HIPAA-compliant app
  • Analytics vendors processing sensitive usage data for healthcare platforms

Subcontractors should enter into a Business Associate Agreement (BAA) with both the Business Associate and the Covered Entity, and maintain the same level of safeguards required by HIPAA for Business Associates. You should also ensure that downstream vendors (if any) also maintain compliance. 

What are the HIPAA security rule requirements?

The HIPAA Security Rule outlines specific administrative, physical, and technical safeguards that covered entities and business associates must implement to ensure the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI). 

Here are the HIPAA Security Rule requirements:

1. Incident Response and Contingency Planning

Entities must maintain a documented Incident Response Plan (IRP) that includes event triage procedures, root cause analysis workflows, and data breach notification timelines, as required by OCR. The Contingency Plan must consist of automated backups, disaster recovery protocols, and redundancy across the infrastructure, all of which are validated through regular tabletop exercises and system failover tests.

2. Access Controls and Authentication

Entities must implement technical policies to ensure access to ePHI is restricted to authorized users based on job functions. This will include enforcing Role-Based Access Control (RBAC), assigning unique user identifiers, integrating Multi-Factor Authentication (MFA) for privileged and remote access, and configuring automatic session timeouts on endpoints and systems handling ePHI. Least privilege principles should be consistently applied across identity and access management (IAM) policies.

3. Audit Controls and Logging

HIPAA mandates the generation and review of detailed audit logs that capture user access events, authentication failures, permission changes, and data interactions with ePHI. Systems should maintain immutable logs, enable log correlation and anomaly detection, and retain logs in a secure, centralized SIEM environment for post-incident forensics and compliance reporting. Retention schedules must align with HIPAA’s documentation requirements.
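The access-control and audit-logging requirements above are easier to reason about when you see the review logic over real events. The following is an added example, not code from the article or from Sprinto: it parses a constructed set of JSON audit events and flags repeated authentication failures, permission changes, and ePHI interactions by a role without need-to-know or from an untrusted network. The role set, trusted networks, threshold and log lines are all assumptions made for the demo.

```python
"""Added example (not from the original article): a minimal audit-log review
that flags the event types the Security Rule expects you to be able to
detect. Log lines, role policy and trusted networks below are constructed."""
import json
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: one JSON event per line, as a SIEM might export them.
SAMPLE_LOG = """
{"ts": "2025-03-01T09:00:01Z", "user": "dr.lee", "role": "clinician", "event": "auth_failure", "ip": "10.0.1.20"}
{"ts": "2025-03-01T09:00:05Z", "user": "dr.lee", "role": "clinician", "event": "auth_failure", "ip": "10.0.1.20"}
{"ts": "2025-03-01T09:00:09Z", "user": "dr.lee", "role": "clinician", "event": "auth_failure", "ip": "10.0.1.20"}
{"ts": "2025-03-01T09:00:15Z", "user": "dr.lee", "role": "clinician", "event": "auth_success", "ip": "10.0.1.20"}
{"ts": "2025-03-01T09:01:00Z", "user": "dr.lee", "role": "clinician", "event": "ephi_read", "ip": "10.0.1.20", "record": "pt-1001"}
{"ts": "2025-03-01T09:05:00Z", "user": "svc-billing", "role": "billing", "event": "ephi_read", "ip": "203.0.113.7", "record": "pt-1001"}
{"ts": "2025-03-01T09:06:00Z", "user": "admin", "role": "admin", "event": "permission_change", "ip": "10.0.1.5", "target": "svc-billing", "new_role": "admin"}
{"ts": "2025-03-01T09:07:00Z", "user": "mkt-intern", "role": "marketing", "event": "ephi_export", "ip": "10.0.1.33", "record": "pt-1002"}
"""

# Constructed policy: roles with a need-to-know for ePHI, and networks we trust.
EPHI_ROLES = {"clinician", "billing", "admin"}
TRUSTED_NETS = [ip_network("10.0.0.0/8")]
AUTH_FAIL_THRESHOLD = 3  # failures by one user within the reviewed window


def parse_log(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review(events):
    """Return a list of (severity, reason, event) findings in log order."""
    findings = []
    failures = Counter()
    for e in events:
        kind = e["event"]
        if kind == "auth_failure":
            failures[e["user"]] += 1
            if failures[e["user"]] == AUTH_FAIL_THRESHOLD:
                findings.append(("medium", "repeated authentication failures", e))
        elif kind.startswith("ephi_"):
            # Every ePHI interaction is checked against role and source network.
            if e["role"] not in EPHI_ROLES:
                findings.append(("high", "ePHI access by role without need-to-know", e))
            addr = ip_address(e["ip"])
            if not any(addr in net for net in TRUSTED_NETS):
                findings.append(("high", "ePHI access from untrusted network", e))
        elif kind == "permission_change":
            # Privilege changes are always surfaced for review, not only anomalous ones.
            findings.append(("medium", "permission change requires review", e))
    return findings


if __name__ == "__main__":
    for sev, reason, e in review(parse_log(SAMPLE_LOG)):
        print(f"[{sev}] {reason}: {e['ts']} {e['user']} {e['event']} from {e['ip']}")
```

On the sample above the review produces four findings: the third failed login for dr.lee, the billing service reading a record from outside the trusted network, the role escalation of svc-billing, and a marketing account exporting ePHI.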

4. Risk Analysis and Risk Management

Organizations must conduct enterprise-wide risk assessments that identify vulnerabilities across systems, networks, and third-party services. Each risk must be assigned a likelihood-impact score, along with documented corresponding administrative, physical, or technical mitigations. Controls must be updated as the threat landscape evolves, particularly in areas such as cloud security configurations, API endpoints, and data storage architectures.

5. Workforce Security & Training

Security awareness training must cover phishing recognition, data classification, secure data transmission practices, and endpoint hygiene. Beyond basic awareness, technical staff should be trained on secure configuration baselines, incident handling procedures, and access provisioning and deprovisioning procedures. Organizations should document the acknowledgement of policies and track HIPAA Compliance training at the individual level through audit-ready systems.


What Happens If You Fail To Follow the HIPAA Security Rule?

The healthcare industry experienced a 29% increase in cyberattacks in 2023 compared to the previous year, making it the fourth most targeted sector globally. In 2024, healthcare data breaches affected nearly 180 million individuals.

Here is what happens when you don’t comply. Under the HIPAA Enforcement Rule, the Office for Civil Rights (OCR) uses a tiered structure to penalize violations, based on how aware and proactive you were:

  1. Tier 1: You didn’t know about the violation and couldn’t have reasonably known – $100 to $50,000 per violation
  2. Tier 2: You should’ve known, but it wasn’t willful neglect – up to $100,000 per year
  3. Tier 3: You acted with willful neglect but corrected the issue – up to $250,000 per year
  4. Tier 4: Willful neglect, and no effort to correct – up to $1.9 million per year

In 2023, Banner Health agreed to pay $1.25 million to settle allegations of violating the HIPAA Security Rule, following a failure to conduct a proper risk analysis, despite no reported data breach.

A HIPAA violation can damage more than your wallet:

  1. Loss of trust: Patients are less likely to stick around after a breach. HCA Healthcare’s 2023 breach, which exposed the data of up to 11 million patients, serves as a stark reminder of what is at stake.
  2. Legal headaches: Patients, partners, and/or regulators can file lawsuits against you if they become aware of your non-compliance.
  3. Business disruptions: Investigations can halt operations and divert precious resources.

The Three Safeguards That Power HIPAA Security

HIPAA doesn’t just say protect data. It shows you exactly where to look and what to fix. The Security Rule categorizes protections into three layers of defense: your people, your physical spaces, and your technology stack. Here’s how they work:


1. Administrative safeguards

HIPAA compliance begins in the meeting room, not the server rack. These safeguards focus on your internal processes, policies, and personnel.

Administrative safeguards are the policies and processes that help protect sensitive health information and keep your team accountable. Begin by conducting a risk analysis to determine where PHI is stored and identify potential risks if it is compromised. Then, ensure that there are specific people assigned to handle specific security tasks – it shouldn’t be everyone’s job and no one’s responsibility. 

Set up role-based access so that employees only see what they need, and update those permissions when someone changes roles or leaves. Don’t stop at handing over a PDF on day one – train your team regularly with real-life examples so they know how to spot and avoid risks. Finally, have an incident response plan that’s actually useful, not just a document that collects dust. It should be reviewed and updated often to help your team act quickly if something goes wrong.


2. Physical safeguards

Let’s get literal: who can walk in, plug in, or peek over your shoulder?

Unlike the controls in cloud-native apps, physical safeguards are the ones you can see and touch. They protect actual locations and hardware.

Ask yourself: Is your office or data center access-controlled, or can just anyone walk in? Do laptops and workstations automatically lock after a couple of minutes of inactivity to prevent prying eyes? What about visitors? Can they enter freely, or are they escorted and required to sign in? And when devices like hard drives or USBs are no longer in use, are they properly wiped or physically destroyed, or are they simply discarded and forgotten? 

These are the kinds of questions every organization should be asking to make sure their physical security measures are strong enough to keep sensitive information safe.

HIPAA applies even to remote setups. If a team member works from a café with open files and no screen shield, that’s a risk you’re liable for.

3. Technical safeguards

Technical safeguards involve leveraging technology to enforce HIPAA—who can access data, how data is protected, and whether there is a record of every interaction. 

Critical checkpoints for your org would be:

  1. Authentication & Access Control: Unique logins, least-privilege permissions, and MFA are non-negotiable.
  2. Encryption: Use HTTPS (TLS 1.2+), encrypt data at rest (AES-256), and never transmit PHI over plaintext email.
  3. Audit Logging: Keep logs of access, deletions, exports, and changes, and review them regularly.
  4. Integrity Checks: Spot and stop unauthorized edits, even if it is just metadata.
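The integrity checkpoint above, and the 5.0 mg to 50 mg dosage scenario earlier in the article, can be demonstrated with a keyed hash over each record. This is an added example, not code from the article or from Sprinto: it seals a record with an HMAC-SHA256 tag over all of its fields, so that any later edit, including a metadata-only change, fails verification. The key, record fields and values are constructed for the demo.

```python
"""Added example (not from the original article): an HMAC-based integrity
check that detects unauthorized edits to an ePHI record, including changes
to metadata fields only. Key, records and field names are constructed."""
import hashlib
import hmac
import json

# Constructed demo key; in production this comes from a KMS/HSM, never source code.
INTEGRITY_KEY = b"constructed-demo-key-do-not-use"


def canonical(record):
    """Serialize deterministically so the same content always yields the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record, key=INTEGRITY_KEY):
    """Return a copy of the record with an HMAC-SHA256 tag over every other field."""
    body = {k: v for k, v in record.items() if k != "tag"}
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


def verify(record, key=INTEGRITY_KEY):
    """True only if the stored tag matches a freshly computed one (constant-time compare)."""
    body = {k: v for k, v in record.items() if k != "tag"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record.get("tag", ""))


def find_tampered(records, key=INTEGRITY_KEY):
    """Return the positions of records whose contents no longer match their tag."""
    return [i for i, r in enumerate(records) if not verify(r, key)]


# Constructed sample: a sealed prescription and two copies modified after sealing.
ORIGINAL = seal({"id": "rx-1001", "patient": "pt-1001", "drug": "warfarin",
                 "dose_mg": 5.0, "last_modified_by": "dr.lee"})
DOSE_EDITED = {**ORIGINAL, "dose_mg": 50}                    # the 5.0 -> 50 failure mode
META_EDITED = {**ORIGINAL, "last_modified_by": "svc-batch"}  # metadata-only change

if __name__ == "__main__":
    print("original verifies:", verify(ORIGINAL))
    print("tampered positions:", find_tampered([ORIGINAL, DOSE_EDITED, META_EDITED]))
```

Because the tag covers the canonical form of every field, an edit to a value such as `last_modified_by` is caught just as reliably as an edit to the dosage, and only a party holding the key can re-seal a changed record.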

Together, these safeguards form the backbone of HIPAA’s data protection strategy. Skimp on one, and the whole system’s at risk.

How Does Sprinto Help?

Sprinto operationalizes the HIPAA Security Rule by automating key safeguards. It enforces RBAC and monitors access drift, integrates with cloud infra to track config changes, runs continuous risk assessments, and maps incidents to HIPAA mandates.

Policy acknowledgments, training compliance, and audit evidence are centralized—enabling real-time compliance posture and instant audit readiness.



3 Common Misconceptions About the HIPAA Security Rule

Even though the HIPAA Security Rule has been in effect for over 20 years, there is still considerable confusion, especially among newer healthcare vendors or tech companies entering the space. 

Let’s clear a few:

Myth 1: HIPAA only applies to hospitals and clinics

Reality: The HIPAA Security Rule applies to covered entities and their business associates, which includes any organization that ‘creates, receives, maintains, or transmits ePHI’.

Whether you’re building patient intake forms, an AI co-pilot for doctors, or a billing microservice, if your infrastructure handles ePHI, you’re subject to the Security Rule. This means encryption at rest and in transit, strict access controls, and audit capabilities.

Myth 2: Encryption is optional if you trust your hosting provider

Reality: Under HIPAA, encryption is listed as an ‘addressable’ implementation specification, which is not the same as ‘optional’. This means that you must either:

  • Implement NIST-compliant encryption (e.g., AES-256 for storage, TLS 1.2 or later for transmission).
  • Or document why encryption isn’t ‘reasonable and appropriate’ and describe an equivalent safeguard.

In practice, OCR expects encryption by default, especially for cloud-based platforms or multi-tenant SaaS models. The ‘addressable’ label is not a loophole; it is an accountability clause. 

Myth 3: Once we’re HIPAA compliant, we’re good forever

Reality: HIPAA compliance is not a static concept. You’re required to:

  • Conduct periodic technical and non-technical risk assessments
  • Update policies when your tech stack, workforce, or threat landscape changes
  • Maintain audit logs and incident response plans that evolve with your infrastructure

Sprinto enables real-time compliance visibility, ensuring these controls don’t degrade over time and that updates are version-controlled and automatically enforced across environments.

Get HIPAA Compliant With Sprinto

Managing HIPAA compliance manually is time-consuming, error-prone, and often incomplete. Sprinto automates the heavy lifting, giving you a clear path to compliance without getting bogged down in spreadsheets.

Here’s how Sprinto makes it easy:

Pre-built HIPAA Compliance Program: You don’t have to build your compliance program from scratch. Sprinto gives you everything out of the box – policy templates, risk assessment tools, training modules, and incident response plans. All mapped to what the HIPAA Security Rule requires.

Automated Risk Assessments: Know your risks before they become issues. Sprinto helps you identify threats, prioritize them, and associate each one with specific safeguards, allowing you to address the gaps without guesswork. 

Continuous Monitoring & Drift Detection: Monitor key security controls in real-time and get alerts when a control fails, misconfigurations occur, or critical assets deviate from baseline.

Breach Response & Incident Management: Access structured workflows for breach notification, root cause analysis, and response planning, reducing time-to-containment.

Vendor & BAA Tracking: Centralize all Business Associate Agreements (BAAs) and receive notifications when reviews or renewals are due, enabling efficient assessment of vendor risks.

Built-in Employee Training: Assign HIPAA training, track completions, and stay audit-ready without needing a separate Learning Management System (LMS).

Audit-ready Evidence Collection: Sprinto compiles and organizes all compliance activity in the background, creating a real-time audit trail that satisfies OCR requirements.


Frequently Asked Questions

Who is responsible for security under HIPAA?

The Department of Health and Human Services (HHS) takes the lead, with its Office for Civil Rights (OCR) responsible for enforcing HIPAA’s Privacy and Security Rules. They’re the ones ensuring that personal health information and data remain safe and secure.

What is the main purpose of the HIPAA Security Rule?

The goal of the HIPAA Security Rule is to ensure the confidentiality, accuracy, and accessibility of electronic health information (ePHI). The Security Rule encourages organizations to implement proper protections so that the data people trust you with remains protected.

Who must comply with the HIPAA Security Rule?

If you’re a healthcare provider, health plan, or clearinghouse that handles electronic health data, you’re required to comply. Even third-party vendors (aka Business Associates) who touch that data are expected to follow the same rules.

What are the three safeguards under the HIPAA Security Rule?

HIPAA breaks it down into:

  1. Administrative (policies, training, and risk management)
  2. Physical (who gets access to buildings and devices)
  3. Technical (Access control, encryption, and audit logs)

Each layer addresses a distinct type of risk, and together they form a robust shield around ePHI.

Who enforces the HIPAA Security Rule?

The Office for Civil Rights (OCR) at HHS enforces it by conducting audits and investigating breaches. They can issue penalties if you’re not playing by their rules.

Payal Wadhwa


Payal is your friendly neighborhood compliance whiz who is also ISC2 certified! She turns perplexing compliance lingo into actionable advice about keeping your digital business safe and savvy. When she isn’t saving virtual worlds, she’s penning down poetic musings or lighting up local open mics. Cyber savvy by day, poet by night!
