If you run a small medical practice, “HIPAA compliance” can feel like a cloud of paperwork and acronyms hanging over everything you do. A vendor waves a binder at you, uses words like “addressable implementation specifications,” and you nod along hoping it’s handled.

I want to cut through that. A big part of HIPAA is the Security Rule, and a big part of the Security Rule is what it calls technical safeguards — the actual IT controls on your systems. That part is my lane, and it’s more understandable than people make it sound. Here’s the plain-English version for a 1-to-10-provider practice in southwest Riverside County.

What “technical safeguards” actually means

Technical safeguards are simply the security controls built into the technology that touches your patient data — your EHR, your email, your computers, your backups. HIPAA doesn’t hand you a brand-name shopping list. It describes outcomes: only the right people can see patient data, that data is protected in storage and in transit, and you can prove who did what.

In practice, that comes down to a handful of things: access control, encryption, audit logging, and backup and recovery. None of it is exotic. Most of it is about doing ordinary IT carefully and documenting that you did.

Access control: the right people, and only them

Every person on your team should have their own login — never a shared “frontdesk” account that five people use. Each login should reach only the data that role needs. And when someone leaves, their access should be shut off the same day, not three months later.

I set this up using the tools most practices already pay for. If you’re a Microsoft 365 shop, your identity controls live in Entra ID, and your EHR — whether that’s athenahealth or another system — has its own role-based permissions. The work is in configuring them properly and keeping them current as your team changes.

Encryption and MFA: the two that carry the most weight

If I could get a small practice to do only two things, it would be these.

Encryption scrambles patient data so a stolen laptop or phone is a worthless brick instead of a reportable breach. We encrypt the hard drives on your computers, encrypt data while it moves across the internet, and make sure your backups are encrypted too.

Multi-factor authentication (MFA) means a password alone isn’t enough to get in — there’s a second check, usually a tap on your phone. This is the single biggest thing standing between your practice and a stolen-password breach. It also matters because the proposed 2025 update to the HIPAA Security Rule moves strongly toward making controls like MFA and encryption mandatory across the board rather than optional. Practices that adopt them now won’t be scrambling later.

Backup, recovery, and the “what if it all disappears” plan

Ransomware doesn’t care how small you are. The protection is boring and effective: regular, encrypted, tested backups, including a copy kept somewhere ransomware can’t reach. I keep an off-site, recovery-focused copy of your data precisely so that a bad day stays a bad day instead of becoming a closed practice.

The word that matters here is tested. Plenty of practices have backups that have never once been restored. I restore from yours on a schedule, so we both know it actually works before you ever need it.
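To show what a scheduled restore test can actually check, here is an added example (my own illustration, not code from this article's author or from any vendor it names) that backs up a constructed sample folder, restores the archive into a scratch directory, and verifies every file's SHA-256 against the manifest recorded at backup time. It assumes only the Python 3 standard library; the folder and file names are made up.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large exports need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_backup(source: Path, archive: Path) -> dict:
    """Archive every file under `source`; return a {relative path: sha256} manifest."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for file in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = file.relative_to(source).as_posix()
            manifest[rel] = sha256_of(file)
            tar.add(str(file), arcname=rel)
    return manifest

def restore_test(archive: Path, manifest: dict) -> dict:
    """Restore into a scratch directory and check every file against the manifest."""
    missing, corrupt = [], []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # Python 3.12+ "data" filter rejects unsafe member paths; older versions skip it.
            opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **opts)
        for rel, expected in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                missing.append(rel)
            elif sha256_of(restored) != expected:
                corrupt.append(rel)
    # Keep this result as the record that the backup was actually restored.
    return {"ok": not missing and not corrupt, "missing": missing, "corrupt": corrupt}

def demo() -> tuple:
    """Constructed sample (no real patient data): a healthy test, then a failing one."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "practice-data"
        (src / "notes").mkdir(parents=True)
        for n in (1, 2):
            (src / "notes" / f"visit-000{n}.txt").write_text(f"constructed note {n}\n")
        archive = Path(work) / "nightly.tar.gz"
        manifest = make_backup(src, archive)
        healthy = restore_test(archive, manifest)
        tampered = dict(manifest)
        tampered["notes/visit-0002.txt"] = "0" * 64  # recorded hash no longer matches
        tampered["ghost.txt"] = manifest["notes/visit-0001.txt"]  # file never archived
        damaged = restore_test(archive, tampered)
    return healthy, damaged
```

Run it on a schedule against the real archive and file the returned result, so the "tested" claim has a dated record behind it.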

Where my lane ends — and who covers the rest

Here’s where I’ll be straight with you, because too many IT vendors aren’t. HIPAA is bigger than technical safeguards. There are also administrative safeguards (policies, staff training, a risk analysis) and physical safeguards (who can walk up to your server). And the whole thing rests on a signed Business Associate Agreement between us — which I always provide, because I’m handling your patient data.

I deliver the technical-safeguards layer and the BAA, and I help build the security plan behind it. For the formal policy documents, the risk analysis sign-off, and attestation, I partner with a dedicated HIPAA compliance vendor. No honest local IT person should claim to make you “guaranteed compliant” or “audit-proof” on their own — that’s not how HIPAA works, and I won’t tell you it is.

I’m a local, business-hours specialist based in Menifee, serving small practices in Murrieta, Temecula, Sun City, Wildomar, and Lake Elsinore. If you’d like a plain-English read on where your technical safeguards actually stand, let’s set up a free check. It’s a short call, no obligation, and I never ask you to share patient information.

This article is general information, not legal or compliance advice.