Tags: HIPAA · Healthcare · Compliance · Small Business

HIPAA Compliance Monitoring for Small Businesses: A Practical Guide

Small businesses handling protected health information (PHI) face the same HIPAA requirements as large hospitals. Learn how to monitor and maintain HIPAA compliance without an enterprise compliance team.

OuterSec Team · 8 min read

HIPAA compliance isn't just for hospitals. If your business handles protected health information (PHI) — even as a business associate — you're subject to the same rules. Violations can cost anywhere from $100 to $50,000 per violation, with annual caps up to $1.9 million per violation category.

For small businesses, HIPAA compliance often feels overwhelming. This guide breaks it down into manageable steps with practical monitoring strategies.

Who Needs HIPAA Compliance?

You need HIPAA compliance if you are a:

Covered Entity:
  • Healthcare providers (doctors, hospitals, clinics, pharmacies)
  • Health plans (insurers, HMOs, government health programs)
  • Healthcare clearinghouses
Business Associate:
  • Any vendor that handles PHI on behalf of a covered entity
  • This includes: billing companies, EHR software vendors, cloud storage providers, email service providers, IT support companies, legal firms, and many SaaS platforms
If your product or service touches PHI in any way, you likely qualify as a business associate and must sign a Business Associate Agreement (BAA) with covered entities.

The Three HIPAA Rules

1. Privacy Rule — Governs who may use and disclose PHI (in any form: paper, spoken, or electronic) and under what circumstances. Patients have rights to access and correct their PHI and to obtain an accounting of disclosures.
2. Security Rule — Requires administrative, physical, and technical safeguards to protect electronic PHI (ePHI). This is the most technical of the three rules.
3. Breach Notification Rule — Requires notification to affected individuals, HHS, and in some cases the media when a breach of unsecured PHI (PHI that is neither encrypted nor destroyed per HHS guidance) occurs.

Administrative Safeguards (Security Rule)

These are the policies, procedures, and organizational requirements:

  • Designate a Security Officer — Even at a small company, someone must own HIPAA compliance
  • Conduct a formal Risk Analysis — Identify all ePHI and assess threats, vulnerabilities, and likelihood of compromise
  • Implement a Risk Management Plan — Document how you'll address each identified risk
  • Workforce Training — All employees who access PHI must receive HIPAA training at hire and periodically thereafter (the rule requires periodic security updates; annual refresher training is the accepted baseline). Keep attendance records as evidence.
  • Access Management — Implement procedures for granting, modifying, and terminating access to ePHI
  • Sanctions Policy — Document consequences for employees who violate HIPAA policies
  • Contingency Planning — Data backup, disaster recovery, and emergency mode operations

Physical Safeguards

  • Control physical access to servers and workstations containing ePHI
  • Implement workstation policies (locked screens, clean desk, no unauthorized removable media)
  • Track and document hardware containing ePHI throughout its lifecycle
  • Sanitize or destroy hardware before disposal (NIST SP 800-88 Rev. 1 media sanitization guidelines)
  • Maintain visitor logs for areas where ePHI is accessed

Technical Safeguards

These are the controls auditors will scrutinize most heavily:

  • Unique User Identification — Every user must have a unique login; no shared accounts
  • Emergency Access Procedure — Documented process for accessing ePHI in an emergency
  • Automatic Logoff — Sessions must time out after a defined period of inactivity
  • Audit Controls — Log all access to ePHI and review logs regularly
  • Integrity Controls — Prevent unauthorized alteration or destruction of ePHI
  • Transmission Security — Encrypt ePHI in transit (TLS 1.2 or newer, with older TLS/SSL versions disabled). Encryption at rest (AES-256 is the usual choice) is technically a separate addressable specification under Access Control, but treat both as required: ePHI encrypted per HHS guidance counts as "secured," so losing an encrypted laptop or backup is not a reportable breach, while losing an unencrypted one is.
  • Authentication — Verify that a person seeking access is the one claimed; implement MFA
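
As an added example (not code from the article or from OuterSec) of what Audit Controls and Integrity Controls look like together in code: a hash-chained access log in which every ePHI access is recorded with the user, action, record and source address, and each entry's HMAC covers the previous entry's tag, so an edited, reordered or deleted entry fails verification. The key, user names, record identifiers and events are constructed for the example.

```python
"""Hash-chained ePHI access log: Audit Controls plus Integrity Controls.

Added example, not code from the article or from OuterSec. The key, users,
record identifiers and events below are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed example key. In production it belongs in a secrets manager and
# must not be readable by the users whose access is being logged.
LOG_KEY = b"example-only-key-change-me"
GENESIS_TAG = "0" * 64  # stands in for the "previous tag" of the first entry


def _tag(key: bytes, prev_tag: str, entry: dict) -> str:
    """HMAC-SHA256 over the previous tag and this entry's canonical JSON."""
    payload = prev_tag.encode() + json.dumps(entry, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class AuditLog:
    """In-memory stand-in for an append-only file or write-once table."""

    def __init__(self, key: bytes = LOG_KEY) -> None:
        self._key = key
        self.entries: list[dict] = []

    def record(self, user: str, action: str, record_id: str, src_ip: str,
               ts: datetime | None = None) -> dict:
        """Append one ePHI access event (who, what, which record, from where)."""
        ts = ts or datetime.now(timezone.utc)
        entry = {
            "seq": len(self.entries),
            "ts": ts.isoformat(),
            "user": user,          # unique user ID, never a shared account
            "action": action,      # view / update / export / delete
            "record_id": record_id,
            "src_ip": src_ip,
        }
        prev = self.entries[-1]["tag"] if self.entries else GENESIS_TAG
        entry["tag"] = _tag(self._key, prev, entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> tuple[bool, int]:
        """Recompute the chain; return (ok, index of first bad entry or -1)."""
        prev = GENESIS_TAG
        for i, stored in enumerate(self.entries):
            body = {k: v for k, v in stored.items() if k != "tag"}
            expected = _tag(self._key, prev, body)
            if body.get("seq") != i or not hmac.compare_digest(expected, stored["tag"]):
                return False, i
            prev = stored["tag"]
        return True, -1


def demo() -> tuple[bool, bool]:
    """Write three events, verify, tamper with one, verify again."""
    log = AuditLog()
    log.record("jsmith", "view", "MRN-0001", "10.0.0.12")
    log.record("jsmith", "update", "MRN-0001", "10.0.0.12")
    log.record("rlee", "export", "MRN-0042", "10.0.0.33")
    clean_ok, _ = log.verify()
    # An insider rewrites the first entry to hide which record was viewed.
    log.entries[0]["record_id"] = "MRN-9999"
    tampered_ok, _ = log.verify()
    return clean_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Two caveats. Truncating the tail of the log is not detected by the chain alone, so anchor the latest tag somewhere the application cannot write (a separate log store, or a daily entry in your ticketing system) and compare it during the regular log review. And the HMAC key must not be reachable by the users or service accounts whose access is being logged, or they can simply recompute the chain after editing it.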

Continuous HIPAA Monitoring: What to Watch

One-time compliance isn't enough. HIPAA requires ongoing monitoring. Here's what to track continuously:

  • Access logs — Who accessed ePHI, when, from where, and what they did with it. Anomalies like access outside business hours or from unusual locations should trigger alerts.
  • Failed login attempts — Multiple failed logins in a short window may indicate a brute force attack.
  • Data transmission — Monitor for large data transfers that could indicate data exfiltration.
  • System configurations — Ensure encryption settings, firewall rules, and security configurations haven't drifted.
  • Vulnerability scan results — Regularly scan for unpatched vulnerabilities in systems handling ePHI.
  • Third-party access — Monitor and log all Business Associate access to your systems.

OuterSec runs HIPAA-specific compliance checks automatically, monitoring 13 key controls daily and alerting you when issues are detected. This gives you continuous compliance evidence without manual auditing.
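
An added example (not the article's or OuterSec's code) of the first three monitoring items turned into detection logic: it parses constructed JSON access-log lines and raises alerts for ePHI access outside business hours, access from outside trusted networks, bursts of failed logins, and bulk exports. The log schema, thresholds, business hours, trusted ranges and sample lines are all assumptions to adapt to your own EHR or application logs.

```python
"""Rule-based monitoring over ePHI access-log lines.

Added example, not the article's or OuterSec's code. The log schema,
thresholds, business hours, trusted networks and sample lines are
constructed assumptions; adapt them to your own EHR or application logs.
"""
from __future__ import annotations

import ipaddress
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

BUSINESS_HOURS = (7, 19)                              # 07:00-19:00 in the log's timezone
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # office and VPN ranges (assumed)
FAILED_LOGIN_LIMIT = 5                                # failures per user ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)           # ... inside this window
EXPORT_RECORD_LIMIT = 100                             # records exported per user ...
EXPORT_WINDOW = timedelta(hours=1)                    # ... inside this window
PHI_ACTIONS = {"view", "update", "export", "delete"}

# Constructed sample log, one JSON object per line, deliberately out of order.
SAMPLE_LOG = """
{"ts":"2024-03-04T09:12:00+00:00","user":"jsmith","event":"login_ok","src_ip":"10.0.0.12"}
{"ts":"2024-03-04T09:13:10+00:00","user":"jsmith","event":"view","src_ip":"10.0.0.12","record_id":"MRN-0001"}
{"ts":"2024-03-04T02:41:00+00:00","user":"rlee","event":"view","src_ip":"10.0.0.33","record_id":"MRN-0042"}
{"ts":"2024-03-04T10:00:00+00:00","user":"rlee","event":"view","src_ip":"203.0.113.7","record_id":"MRN-0043"}
{"ts":"2024-03-04T11:00:00+00:00","user":"svc-billing","event":"login_fail","src_ip":"198.51.100.9"}
{"ts":"2024-03-04T11:01:00+00:00","user":"svc-billing","event":"login_fail","src_ip":"198.51.100.9"}
{"ts":"2024-03-04T11:02:00+00:00","user":"svc-billing","event":"login_fail","src_ip":"198.51.100.9"}
{"ts":"2024-03-04T11:03:00+00:00","user":"svc-billing","event":"login_fail","src_ip":"198.51.100.9"}
{"ts":"2024-03-04T11:04:00+00:00","user":"svc-billing","event":"login_fail","src_ip":"198.51.100.9"}
{"ts":"2024-03-04T14:00:00+00:00","user":"bkim","event":"export","src_ip":"10.0.0.50","records":60}
{"ts":"2024-03-04T14:20:00+00:00","user":"bkim","event":"export","src_ip":"10.0.0.50","records":70}
"""


def parse(log_text: str) -> list[dict]:
    """Parse JSON lines into events sorted by timestamp."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def analyze(log_text: str) -> list[dict]:
    """Return one alert dict per rule hit, in time order."""
    alerts: list[dict] = []
    fails: dict[str, deque] = defaultdict(deque)     # user -> recent failure times
    exports: dict[str, deque] = defaultdict(deque)   # user -> (time, records)
    already = set()                                  # (rule, user) pairs alerted once

    for ev in parse(log_text):
        ts, user, ip = ev["ts"], ev["user"], ipaddress.ip_address(ev["src_ip"])
        touches_phi = ev["event"] in PHI_ACTIONS

        if touches_phi and not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
            alerts.append({"rule": "after_hours", "user": user, "ts": ts.isoformat()})

        if touches_phi and not any(ip in net for net in TRUSTED_NETS):
            alerts.append({"rule": "untrusted_network", "user": user, "src_ip": str(ip)})

        if ev["event"] == "login_fail":
            q = fails[user]
            q.append(ts)
            while ts - q[0] > FAILED_LOGIN_WINDOW:   # drop failures outside the window
                q.popleft()
            if len(q) >= FAILED_LOGIN_LIMIT and ("burst", user) not in already:
                already.add(("burst", user))
                alerts.append({"rule": "failed_login_burst", "user": user, "count": len(q)})

        if ev["event"] == "export":
            q = exports[user]
            q.append((ts, ev.get("records", 1)))
            while ts - q[0][0] > EXPORT_WINDOW:
                q.popleft()
            total = sum(n for _, n in q)
            if total > EXPORT_RECORD_LIMIT and ("export", user) not in already:
                already.add(("export", user))
                alerts.append({"rule": "bulk_export", "user": user, "records": total})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The rules are deliberately simple; the value is in tying each alert to the log review you already have to do and keeping the alert output as review evidence. In a real deployment, "untrusted network" should compare against each user's normal locations rather than one static range, and the export threshold should be set per role, since a billing exporter legitimately pulls hundreds of records.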

Business Associate Agreements (BAAs)

Never share ePHI with a vendor without a signed BAA. The BAA must include:

  • What the Business Associate is permitted to do with PHI
  • Assurance that the BA will implement appropriate safeguards
  • Reporting obligations in case of a breach
  • Return or destruction of PHI upon termination of the agreement
Many large SaaS vendors offer BAAs (AWS, Google Cloud, Microsoft Azure, Zoom). If a vendor refuses to sign a BAA, you cannot share ePHI with them.

HIPAA Breach Response

If a breach occurs:

  • Contain — Immediately stop the breach and prevent further exposure
  • Assess — Determine what PHI was involved, how many individuals affected, and the likelihood of compromise
  • Notify — Affected individuals without unreasonable delay and no later than 60 days after discovery; HHS via its breach reporting portal (within 60 days if 500 or more individuals are affected, otherwise logged and submitted within 60 days after the end of the calendar year); prominent media outlets if more than 500 residents of a state or jurisdiction are affected
  • Document — Maintain documentation for 6 years
  • Remediate — Fix the root cause and update policies/procedures

The 60-day clock starts on the day you knew, or by exercising reasonable diligence should have known, about the breach. Monitoring that is actually running shortens the time to discovery, and since 2021 HHS must consider whether recognized security practices were in place when it sets penalties, so documented detection and timely notification can materially reduce your exposure.

Getting Started: A Small Business Action Plan

  • Week 1: Appoint a Security Officer and inventory all systems containing ePHI.
  • Week 2: Conduct a formal risk analysis. Document all identified risks.
  • Week 3: Implement highest-priority technical controls (MFA, encryption, audit logging).
  • Week 4: Draft or update required policies and conduct employee training.
  • Month 2: Sign BAAs with all vendors and conduct a gap assessment.
  • Ongoing: Monitor continuously, review logs monthly, update the risk analysis annually.

HIPAA compliance is a journey, not a destination. Small businesses that invest in automated monitoring and consistent documentation are better positioned to demonstrate compliance — and to respond effectively when something goes wrong.

Stop monitoring compliance manually

OuterSec automates continuous compliance monitoring across SOC 2, HIPAA, ISO 27001, and PCI-DSS. Get alerted the moment something drifts.