What Small Medical Practices Need to Know About HIPAA Compliance (And Who Actually Needs It)

For small, independent medical practices, HIPAA compliance can feel overwhelming.

Between patient care, staffing, and daily operations, regulatory requirements often take a back seat. But understanding whether HIPAA even applies to your organization is the first and most important step.

Not every business that touches healthcare is subject to HIPAA.

What Is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards for protecting sensitive patient health information, also known as Protected Health Information (PHI).

But HIPAA does not apply universally. It applies to specific types of organizations based on how they handle healthcare data.

Who Is Required to Be HIPAA Compliant?

HIPAA defines two primary groups: Covered Entities and Business Associates.

Covered Entities (Directly Regulated)

These are organizations that create, store, or transmit PHI as part of delivering healthcare or processing healthcare payments.

Examples include:

  • Physician offices and small medical practices
  • Dental clinics (yes, fully in scope)
  • Hospitals and urgent care centers
  • Chiropractors and behavioral health providers
  • Pharmacies
  • Health insurance companies

If you are providing care and maintaining patient records, you are almost certainly a covered entity.

Business Associates (Indirectly Regulated)

Business Associates are organizations that handle PHI on behalf of a covered entity.

Examples include:

  • IT service providers and managed service providers (MSPs)
  • Electronic Health Record (EHR) vendors
  • Medical billing companies
  • Cloud storage providers hosting patient data
  • Backup and disaster recovery vendors
  • Cybersecurity firms

These organizations are required to comply with HIPAA through contractual obligations, typically defined in a Business Associate Agreement (BAA).

What About Insurance Brokers?

This is where things get nuanced.

Insurance brokers are not always subject to HIPAA.

If a broker is selling health insurance plans and does not access or manage PHI, they are typically not considered a covered entity or business associate. However, if a broker handles PHI directly (for example, assisting with claims, accessing patient-specific data, or working closely with a healthcare provider), they may be considered a business associate and fall under HIPAA requirements.

Simple rule:
If you are touching identifiable patient health data, you are likely in scope.

Who Is NOT Typically Subject to HIPAA?

Many organizations assume they must be HIPAA compliant when they are not.

Examples of organizations typically out of scope:

  • Fitness centers and gyms
  • Wellness apps that do not share data with providers
  • Life insurance companies (generally regulated differently)
  • Employers handling employee health information (covered under different laws)
  • Marketing agencies working with healthcare companies (unless they access PHI)

However, there is a catch:

If any of these organizations begin handling PHI on behalf of a covered entity, they may become business associates and fall into scope.

The Core Requirements of HIPAA Compliance

Once an organization is in scope, HIPAA compliance centers around three categories: administrative, physical, and technical safeguards.

Administrative Safeguards
  • Risk assessments (annual and ongoing)
  • Security officer designation
  • Policies and procedures
  • Employee training
  • Vendor management and BAAs
  • Incident response planning

Common gap: Treating compliance as a one-time project instead of an ongoing program.

Physical Safeguards
  • Secured workstations and servers
  • Facility access controls
  • Proper disposal of records and devices
  • Device and media management

Common gap: Shared devices and unsecured environments.

Technical Safeguards
  • Access controls and authentication
  • Multi-factor authentication (MFA)
  • Encryption of data
  • Audit logging and monitoring
  • Patch management
  • Endpoint protection
  • Backup and disaster recovery

Common gap: Outdated systems and lack of visibility into user activity.

Common HIPAA Compliance Hurdles for Small Practices

Even when organizations understand they are in scope, execution is where challenges arise:

Lack of Internal Expertise: Most small practices do not have dedicated security leadership.

Incomplete Documentation: HIPAA requires proof. If it is not documented, it does not count.

Vendor Risk: Missing or outdated Business Associate Agreements are one of the most common compliance failures.

Legacy Technology: Older systems often cannot support modern security controls.

No Continuous Monitoring: Compliance requires ongoing oversight, not periodic check-ins.

How Technology Architects Helps You Get It Right

At Technology Architects, we help organizations first answer a critical question:

“Are we actually subject to HIPAA, and if so, what do we need to do about it?”

From there, we take a structured, practical approach.

Scope & Risk Identification

We determine:

  • Whether you are a covered entity or business associate
  • Where PHI exists in your environment
  • What your current compliance gaps are

Baseline Cybersecurity Assessment

We perform a comprehensive assessment aligned to NIST and CIS frameworks, delivering:

  • A clear compliance score
  • Identified risks and vulnerabilities
  • Prioritized recommendations

Implementation of Required Safeguards

We deploy and manage:

  • Identity and access controls with MFA
  • Endpoint protection and monitoring
  • Secure backups and disaster recovery
  • Email security and data protection
  • Network security and segmentation

Policy, Documentation, and Training

We ensure your organization has:

  • HIPAA-compliant policies and procedures
  • Business Associate Agreements
  • Incident response plans
  • Employee training programs

Ongoing Compliance & Monitoring

Through our managed services, we provide:

  • Continuous monitoring and alerting
  • Vulnerability scanning
  • Patch management
  • Quarterly reviews and reporting

Strategic Oversight

Your dedicated consultant helps:

  • Prepare for audits
  • Align IT with compliance requirements
  • Maintain long-term security and governance

HIPAA Compliance Starts with Clarity

One of the biggest misconceptions in healthcare IT is that everyone must be HIPAA compliant.

That is not true.

But if your organization:

  • Provides healthcare
  • Processes healthcare payments
  • Handles patient data on behalf of someone who does

Then HIPAA applies, and getting it right matters.

Final Thoughts

HIPAA compliance is not just about avoiding penalties. It is about protecting patient trust, ensuring operational continuity, and building a secure foundation for your practice.

Technology Architects works with healthcare organizations across Minneapolis, Green Bay, and Denver to simplify compliance and turn it into a structured, manageable process.

If you are unsure whether your organization is in scope or where to start, the best first step is understanding your risk.

 
