TL;DR
- HIPAA requires specific technical safeguards, not just signed BAAs
- The gaps that most often sink small practices are device encryption, access controls, and audit logging
- Washington's breach notification law (RCW 19.255.010) adds its own notification deadline and state enforcement on top of HIPAA's
- Real compliance costs $2,000-5,000/year for a 5-10 person practice
- Your IT provider should document everything they do for HIPAA
The Problem
Last year, a 12-person dental practice in Bellevue got hit with a $50,000 settlement after a laptop with patient records was stolen from an employee's car. The practice had signed a Business Associate Agreement with their IT company and assumed they were compliant. They weren't.
The laptop wasn't encrypted. Access logs didn't exist. There was no offboarding process when employees left. Their IT provider had checked the "HIPAA compliance" box on their service agreement but never actually implemented the required controls.
This happens constantly. Small medical practices, dental offices, physical therapy clinics, and behavioral health providers get sold "HIPAA-compliant IT" that amounts to basic network support with a signed form.
What HIPAA Actually Requires From Your IT Partner
HIPAA's Security Rule (45 CFR Part 164, Subpart C) has three safeguard categories: Administrative (164.308), Physical (164.310), and Technical (164.312). The practice, as the covered entity, stays legally responsible for all three. Your IT provider implements most of the Technical Safeguards, shares the Physical ones that concern workstations and devices, and should produce the documentation the Administrative ones require.
Technical Safeguards Your IT Partner Must Implement
Access Control (164.312(a)(1)) - Not everyone gets access to everything.
- User accounts with unique logins (164.312(a)(2)(i), a required specification; no shared "front desk" passwords)
- An emergency access procedure so PHI stays reachable when the normal login path is down (164.312(a)(2)(ii), also required)
- Role-based permissions (medical assistants see different data than billing staff)
- Automatic logoff after a short idle period (164.312(a)(2)(iii); HIPAA sets no number, 15 minutes is a common choice, and shared exam-room workstations warrant less)
- Accounts of departing staff disabled within 24 hours (termination procedures are an Administrative safeguard, 164.308(a)(3)(ii)(C); the 24-hour target is a practice standard, not a HIPAA figure)
Audit Controls (164.312(b)) - You need to know who accessed what.
- Logs of PHI access (who opened which patient file, when) in the EHR and on any file server or workstation that holds PHI
- Login attempt monitoring (failed passwords, logins outside business hours, activity from accounts that should already be disabled)
- Log retention for 6 years minimum (this is the documentation retention period in 164.316(b)(2); HIPAA names no separate figure for logs, so practices apply the same 6 years)
- Regular documented log reviews (164.308(a)(1)(ii)(D) requires "information system activity review" without naming a frequency; quarterly is a defensible floor, with written findings kept as evidence)
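Here is what a quarterly log review looks like in practice, as an added example (not code from this page, and not from any EHR vendor): a short Python script run over an access-log export. The column layout, the sample log lines, the business-hours window and the offboarding list are all constructed for the illustration; your EHR's export will use different field names, and the checks map onto the three bullets above.

```python
"""Quarterly audit-log review over an EHR access-log export.

Added example for this article; it is not code from any EHR vendor or from
the original page. The log format (comma-separated timestamp, user, event,
patient_id, result) and every line below are constructed for illustration.
Map the field names onto whatever your EHR actually exports.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. Assumed columns: ts,user,event,patient,result
SAMPLE_LOG = """\
2024-03-04T08:02:11,mjones,chart_open,P10021,ok
2024-03-04T08:15:40,mjones,chart_open,P10022,ok
2024-03-04T12:31:09,billing2,chart_open,P10021,ok
2024-03-04T22:47:03,rsmith,chart_open,P10030,ok
2024-03-04T22:49:51,rsmith,chart_open,P10031,ok
2024-03-05T03:12:00,frontdesk,login,,fail
2024-03-05T03:12:20,frontdesk,login,,fail
2024-03-05T03:12:41,frontdesk,login,,fail
2024-03-05T03:13:02,frontdesk,login,,fail
2024-03-05T03:13:25,frontdesk,login,,fail
2024-03-05T03:13:50,frontdesk,login,,ok
2024-03-06T09:05:12,kpatel,chart_open,P10040,ok
"""

# Constructed HR offboarding list: account -> last day. Any chart access after
# this date means the account was never disabled.
TERMINATED = {"rsmith": datetime(2024, 2, 28)}
BUSINESS_HOURS = (7, 19)             # 07:00-19:00 local; an assumption
FAIL_THRESHOLD = 5                   # failed logins within FAIL_WINDOW ...
FAIL_WINDOW = timedelta(minutes=10)  # ... followed by a success = guessing


def parse(text):
    """Turn the export into a list of dicts with a real datetime."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, patient, result = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "event": event, "patient": patient, "result": result})
    return rows


def review(rows):
    """Return {finding_type: [description, ...]} for the three checks the
    article lists: disabled-account access, after-hours access, login abuse."""
    findings = defaultdict(list)
    recent_fails = defaultdict(list)      # user -> timestamps of failed logins
    for r in rows:
        ts, user = r["ts"], r["user"]
        if r["event"] == "chart_open":
            if user in TERMINATED and ts > TERMINATED[user]:
                findings["terminated_account_access"].append(
                    f"{ts} {user} opened {r['patient']} after last day "
                    f"{TERMINATED[user].date()}")
            if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
                findings["after_hours_access"].append(
                    f"{ts} {user} opened {r['patient']}")
        elif r["event"] == "login":
            if r["result"] == "fail":
                recent_fails[user].append(ts)
            else:
                burst = [t for t in recent_fails[user] if ts - t <= FAIL_WINDOW]
                if len(burst) >= FAIL_THRESHOLD:
                    findings["failed_login_burst"].append(
                        f"{ts} {user}: {len(burst)} failures then success")
                recent_fails[user].clear()
    return dict(findings)


def access_counts(rows):
    """Chart opens per user, for the written quarterly review packet."""
    counts = defaultdict(int)
    for r in rows:
        if r["event"] == "chart_open":
            counts[r["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    for kind, items in review(rows).items():
        print(kind)
        for item in items:
            print("  ", item)
    print("chart opens per user:", access_counts(rows))
```

On the sample data the script flags two chart opens by an account that should have been disabled, the same two opens as after-hours activity, and one password-guessing burst against the shared "frontdesk" login. The last finding is also why shared accounts are a problem: the log tells you the account was attacked, not which person was sitting at the desk.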
Integrity Controls (164.312(c)(1)) - Data can't be modified without tracking.
- An EHR audit trail that records every edit to a record, who made it, and the prior value (most certified EHRs have this; make sure it is turned on and cannot be purged by ordinary users)
- SHA-256 checksums, or a signed manifest, for every backup set, verified on each restore test so silently corrupted or tampered backups are caught before you need them
- Alerts when PHI files are modified outside normal workflows (bulk edits, changes by service accounts, changes after hours)
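An added example (not the page's own code, and not from any backup product) of the checksum bullet above: build a SHA-256 manifest of a backup set, sign it with a key kept away from the backup host, and verify both before trusting a restore. The files, directory and key are constructed in a temporary directory so the script runs anywhere; point `build_manifest` at a real backup set to use it.

```python
"""Backup integrity: build a SHA-256 manifest at backup time, sign it with a
key kept separately, and verify both before trusting a restore.

Added example for this article, not the page's own code and not from any
backup product. The files, directory and key are constructed in a temporary
directory so it runs anywhere.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash a file in 1 MiB chunks so large backup archives never load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """{relative posix path: sha256} for every file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_manifest(manifest, key):
    """HMAC over the canonical JSON of the manifest. Plain hashes only catch
    accidental corruption; someone who can alter the backup can also rewrite
    an unsigned manifest, so the key must live somewhere the backup host
    cannot write to (assumption: a password manager or vault, not the backup
    share)."""
    canon = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def signature_ok(manifest, key, tag):
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def verify_manifest(root, manifest):
    """Compare the tree on disk against the recorded manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo():
    """Constructed scenario: back up two chart files, then one is altered,
    one deleted, one planted, and the manifest itself is regenerated to hide it."""
    key = b"constructed-demo-key-keep-the-real-one-off-the-backup-host"
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "patients").mkdir()
        (root / "patients" / "P10021.json").write_text('{"name": "Test Patient"}')
        (root / "patients" / "P10022.json").write_text('{"name": "Another Test"}')
        manifest = build_manifest(root)
        tag = sign_manifest(manifest, key)

        # Later: silent corruption or tampering of the backup set
        (root / "patients" / "P10021.json").write_text('{"name": "Test Patient", "dob": "1990-01-01"}')
        (root / "patients" / "P10022.json").unlink()
        (root / "patients" / "P10023.json").write_text("{}")
        result = verify_manifest(root, manifest)

        # An attacker who regenerates the manifest to hide the change still
        # cannot produce a valid tag without the key
        forged = build_manifest(root)
        result["forged_manifest_accepted"] = signature_ok(forged, key, tag)
        result["original_manifest_accepted"] = signature_ok(manifest, key, tag)
        return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run this as the last step of every restore test and file the output with the quarterly packet; a manifest that verifies is the evidence that the backup you would restore from is the one you made.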
Transmission Security (164.312(e)(1)) - Data in transit must be protected.
- TLS for all email carrying PHI (SSL is obsolete). Server-to-server TLS is opportunistic by default, so either enforce it for known partners or use an encryption gateway that diverts the message to a secure portal when the receiving server cannot negotiate TLS
- VPN, or an equivalent gateway with MFA, required for all remote access; no EHR login page or remote desktop exposed directly to the internet
- Encrypted file transfers (SFTP or a managed file-transfer service; no emailing unencrypted patient lists or spreadsheets)
- Secure messaging for patient communication (a patient portal or a messaging service covered by a BAA, not plain SMS)
Encryption (164.312(a)(2)(iv) at rest, 164.312(e)(2)(ii) in transit) - Addressable, which means you implement it or document why an alternative is reasonable; for portable devices there is no reasonable alternative. Encryption also decides whether a lost device is a reportable breach: PHI encrypted in line with HHS guidance is not "unsecured PHI" under the Breach Notification Rule, so a stolen encrypted laptop whose key was not also compromised is not reportable. A stolen unencrypted one is.
- Full disk encryption on all devices that store or cache PHI (BitLocker with TPM on Windows, FileVault on macOS, the built-in encryption on iOS and Android), with recovery keys escrowed centrally
- Encrypted backups (local and cloud), with the backup encryption keys stored separately from the backups themselves
- Mobile device management that enforces encryption, a passcode, and remote wipe on any phone or tablet that touches PHI, including personally owned ones
- Email encryption when sending PHI to external recipients
What This Means for Seattle/Tacoma Medical Practices
If you're a 5-10 person practice in King or Pierce County:
- You need a signed Business Associate Agreement with every vendor who touches PHI (IT, billing, cloud backups, email)
- Washington's breach notification law (RCW 19.255.010) requires notifying affected residents within 30 days of discovering a breach, and the state Attorney General as well when more than 500 Washington residents are affected. That is shorter than HIPAA's 60-day outer limit; the statute treats HIPAA covered entities specially, so have counsel confirm which clock governs a given incident rather than assuming the longer one
- Cyber insurance for medical practices in this area runs $1,500-3,000/year for basic coverage
- HIPAA civil penalties are tiered from $100 to $50,000 per violation (the statutory figures, adjusted upward for inflation each year), with an annual cap per violated provision; OCR can count each affected record as a separate violation, so a lost laptop holding 2,000 charts is not "one violation"
Common gaps we find in Puget Sound practices:
- EHR web portals and remote desktop reachable from the public internet with only a password (no MFA)
- Shared passwords for X-ray or imaging workstations, which makes the audit log meaningless because every access shows the same user
- Patient data on personal devices without encryption or MDM
- No way to tell whether a former employee's still-active account opened patient records after they left, because nobody logs or reviews access
- Offsite backups that are not encrypted and have never been test-restored
Real-World Example
A 6-person physical therapy clinic in Tacoma switched to us after failing their first HIPAA risk assessment. Their previous IT provider had:
- Set up their network and EHR
- Signed a BAA
- Charged them $800/month
What they hadn't done:
- Enable encryption on staff laptops
- Configure automatic screen locks
- Set up audit logging in the EHR
- Create role-based access controls
- Document any of their security configurations
Cost to remediate: $3,200 one-time plus $400/month ongoing. The clinic now passes audits and qualified for lower cyber insurance premiums that offset part of the cost.
Action Checklist
Ask Your Current IT Provider
- "Can you show me our audit logs for the last 90 days?" - If they can't produce them, you don't have them.
- "Which devices have PHI and are they all encrypted?" - Get a specific list, not a vague "yes."
- "What happens when an employee leaves?" - There should be a documented offboarding checklist.
- "Do we have signed BAAs with all our vendors?" - Including cloud backup, email, and practice management software.
Verify Yourself
- Check that your laptop disk is actually encrypted - Needing a password after closing the lid only proves the screen lock works; BitLocker and FileVault keep the disk key in memory during sleep, and a suspended BitLocker volume still reports as "Fully Encrypted" while its key sits on the disk in the clear. On Windows run manage-bde -status from an elevated prompt and look for "Protection On" on every volume; on a Mac run fdesetup status and expect "FileVault is On".
- Send a test message with fake patient data to an outside address - Use a made-up name and an obviously fake record number, never real PHI. Your mail system should block the message or encrypt it automatically; if it arrives in plain text, there is no DLP or encryption policy in place.
- Review your last cyber insurance application - Did your IT provider help you answer the technical questions, or did you guess?
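For the encryption check in the first bullet above, here is an added example (not from this page, Microsoft or Apple) that reads the status the OS tools report instead of trusting the screen lock. The manage-bde text it parses is a constructed approximation of that tool's English-language output; the point of the parser is to catch the suspended-BitLocker case that a "looks encrypted" answer misses.

```python
"""Full-disk encryption status from the OS tools' output.

Added example for this article, not code from the page, Microsoft or Apple.
check_this_machine() runs `manage-bde -status` (Windows, needs an elevated
prompt) or `fdesetup status` (macOS). SAMPLE_MANAGE_BDE is a constructed
approximation of the Windows tool's English output so the parser can be
exercised without either tool; field labels in other locales differ.
"""
import platform
import re
import subprocess

SAMPLE_MANAGE_BDE = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [Windows]
[OS Volume]

    Size:                 237.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password

Volume D: [Data]
[Data Volume]

    Size:                 465.00 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:       None Found
"""


def parse_manage_bde(text):
    """{drive letter: {'Conversion Status': ..., 'Protection Status': ...}}"""
    volumes, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Volume ([A-Z]):", line)
        if m:
            current = m.group(1)
            volumes[current] = {}
            continue
        m = re.match(r"\s+(Conversion Status|Protection Status):\s+(.+?)\s*$", line)
        if m and current is not None:
            volumes[current][m.group(1)] = m.group(2)
    return volumes


def bitlocker_findings(volumes):
    """A volume only protects data at rest if it is fully encrypted AND shows
    'Protection On'. 'Fully Encrypted' with 'Protection Off' is a suspended
    volume: the volume key is stored unprotected on the disk, so a thief can
    read everything without a password. This is what "we turned BitLocker on"
    often looks like after a firmware update or a forgotten resume."""
    findings = []
    for vol, s in volumes.items():
        conv = s.get("Conversion Status", "unknown")
        prot = s.get("Protection Status", "unknown")
        if conv != "Fully Encrypted":
            findings.append(f"{vol}: not fully encrypted ({conv})")
        elif prot != "Protection On":
            findings.append(f"{vol}: encrypted but protection suspended ({prot})")
    return findings


def filevault_on(text):
    """fdesetup prints 'FileVault is On.' or 'FileVault is Off.'"""
    return text.strip().startswith("FileVault is On")


def check_this_machine():
    """Run the native tool and return a list of findings (empty means OK)."""
    system = platform.system()
    if system == "Windows":
        out = subprocess.run(["manage-bde", "-status"], capture_output=True,
                             text=True, check=True).stdout
        return bitlocker_findings(parse_manage_bde(out))
    if system == "Darwin":
        out = subprocess.run(["fdesetup", "status"], capture_output=True,
                             text=True, check=True).stdout
        return [] if filevault_on(out) else ["FileVault is off"]
    return [f"no disk-encryption check implemented for {system}"]


if __name__ == "__main__":
    print("sample:", bitlocker_findings(parse_manage_bde(SAMPLE_MANAGE_BDE)))
    print("this machine:", check_this_machine())
```

On the constructed sample the script reports two problems: C: is encrypted but suspended, and D: is not encrypted at all. Both machines would have passed the "do I need a password after closing the lid" test. Run it (or just the underlying commands) on every laptop in the device list your IT provider gave you, and keep the output as the evidence behind a "yes, they are all encrypted" answer.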
Document Everything
- Keep a vendor list - Every software, service, or consultant who could access PHI.
- Maintain a risk assessment - Updated annually, or when you change systems.
- Save all BAAs - In a folder your IT provider knows about, with dates signed.
What RainCity Does Differently
HIPAA Compliance Assessment (Free for practices in our service area)
- 45-minute review of your current setup
- Written gap analysis with specific violations
- Cost estimate for remediation
- No obligation, no sales pitch
We don't upsell compliance as an add-on. It's built into our base MSP service because we can't properly manage a medical practice's IT without implementing these controls anyway. You get:
- Quarterly compliance documentation packets for your records
- Encrypted email configured and tested
- Annual risk assessment updates
- Direct engineer contact (no phone tree)
Schedule 15-min assessment - Learn More
Additional Resources:
- OCR HIPAA Audit Protocol - https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html
- Washington State Data Breach Law - RCW 19.255.010 - https://app.leg.wa.gov/rcw/default.aspx?cite=19.255.010
- NIST SP 800-66 Rev. 2, Implementing the HIPAA Security Rule: A Cybersecurity Resource Guide - https://csrc.nist.gov/pubs/sp/800/66/r2/final