
HIPAA-Aware IT for NY Medical Practices — What You Actually Need

What HIPAA actually requires from your IT setup, written for a 5–25 person medical practice in NY/NJ. No consultant jargon.

Sage Solutions 8 min read

HIPAA is two main rules: the Privacy Rule (who can see PHI and under what conditions) and the Security Rule (technical and administrative safeguards). The Security Rule is what your IT provider mostly owns. Below is what it actually requires for a small-to-mid medical practice in NY.

A note up front: we are an IT provider, not a healthcare attorney. This guide explains what we implement on the technical side. Your specific compliance obligations should be confirmed with counsel.

Administrative safeguards

The Security Rule requires a documented security management program. In practice for a small practice:

  • A designated security officer (often the practice manager)
  • Written policies and procedures (template-driven; do not write from scratch)
  • Workforce training on HIPAA basics, annually at minimum
  • Access management — who can access what, documented and reviewed
  • Sanction policy for HIPAA violations
  • An annual risk analysis with documented remediation tracking

Physical safeguards

  • Facility access controls — who can physically access the building, server room, file storage
  • Workstation security — screens facing away from waiting rooms, auto-lock after inactivity
  • Device and media controls — what happens when a device leaves the facility (lost, stolen, or end-of-life)

Technical safeguards — where IT lives

This is the core of what we implement:

Access control

Every user has a unique account; no shared logins. Role-based access so that a front-desk employee cannot read clinical notes, a clinician can see only their own patients (where appropriate), and an admin can see everything.

Audit controls

Every system that touches PHI must log access, including denied attempts. Logs must be retained and reviewable. Your EHR handles this for itself; you also need logging on the network, file shares, email, and any other PHI-touching system.
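The two controls above fit together: a role-based access decision is only useful if every decision, allowed or denied, lands in a reviewable log. The following is an added example (not Sage Solutions code and not any EHR's API) of a small policy engine for the roles named on this page. The role names, resource names, user names and care-team assignments are assumptions constructed for the demonstration.

```python
"""Role-based access control with an audit trail for PHI lookups.

Added example (not Sage Solutions code): a policy check for the three roles
named on the page (front desk, clinician, admin) that records every decision
in an audit log. Role matrix, user names and patient ids are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed role-to-resource matrix. Front desk sees demographics and
# scheduling only; clinicians see clinical data; admins see everything.
ROLE_PERMISSIONS = {
    "front_desk": {"demographics", "scheduling"},
    "clinician": {"demographics", "scheduling", "clinical_notes", "lab_results"},
    "admin": {"demographics", "scheduling", "clinical_notes", "lab_results", "billing"},
}

# Assumed care-team assignments: clinician user -> set of patient ids.
CARE_TEAM = {
    "dr.rivera": {"P-1001", "P-1002"},
    "dr.chen": {"P-2001"},
}

# Resources where a clinician is limited to their own patients.
PATIENT_SCOPED = {"clinical_notes", "lab_results"}


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class AccessControl:
    audit_log: list = field(default_factory=list)

    def check(self, user: str, role: str, resource: str, patient_id: str) -> Decision:
        if role not in ROLE_PERMISSIONS:
            decision = Decision(False, f"unknown role {role!r}")
        elif resource not in ROLE_PERMISSIONS[role]:
            decision = Decision(False, f"role {role!r} may not read {resource!r}")
        elif (role == "clinician" and resource in PATIENT_SCOPED
              and patient_id not in CARE_TEAM.get(user, set())):
            decision = Decision(False, f"{user!r} is not on the care team for {patient_id!r}")
        else:
            decision = Decision(True, "permitted")
        # Every decision, allowed or denied, is recorded: audit controls
        # require that access attempts, not just successes, are reviewable.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "resource": resource,
            "patient_id": patient_id,
            "outcome": "ALLOW" if decision.allowed else "DENY",
            "reason": decision.reason,
        })
        return decision

    def denied_entries(self) -> list:
        """The entries a periodic log review would look at first."""
        return [e for e in self.audit_log if e["outcome"] == "DENY"]


def demo() -> AccessControl:
    """Constructed sequence of lookups exercising each rule."""
    ac = AccessControl()
    ac.check("jsmith", "front_desk", "scheduling", "P-1001")        # allowed
    ac.check("jsmith", "front_desk", "clinical_notes", "P-1001")    # denied: role
    ac.check("dr.rivera", "clinician", "clinical_notes", "P-1001")  # allowed: own patient
    ac.check("dr.rivera", "clinician", "clinical_notes", "P-2001")  # denied: not on care team
    ac.check("admin1", "admin", "billing", "P-2001")                # allowed
    return ac


if __name__ == "__main__":
    for e in demo().audit_log:
        print(e["outcome"], e["user"], e["resource"], e["patient_id"], "-", e["reason"])
```

In a real deployment the audit entries would be shipped to a log store the workstation cannot alter, and the denied entries reviewed on the schedule your access-management policy sets.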

Integrity

Mechanisms to ensure PHI has not been improperly altered. In practice: backup with verification, file integrity monitoring on critical systems, EHR audit logs.
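To make "file integrity monitoring" concrete, here is an added example (not a Sage Solutions tool) that builds a SHA-256 baseline of a directory, then re-scans it and reports modified, missing and new files. The directory contents and file names are constructed in a temporary folder for the demonstration; the same compare logic is what a backup verification step runs against a restored copy.

```python
"""File integrity baseline and verification for a directory of critical files.

Added example, not Sage Solutions tooling: hash every file under a root,
store the result, and later diff the live tree against the stored baseline.
The sample files below are constructed in a temporary directory.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large exports do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its digest."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            p = Path(dirpath) / name
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the current tree against a stored baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "new": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, change the tree, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "config").mkdir()
        (root / "config" / "ehr.ini").write_text("db=ehr-prod\n")
        (root / "export.csv").write_text("patient,dob\n")
        baseline = build_baseline(root)
        # The baseline must live somewhere the monitored host cannot rewrite
        # (serialized to JSON here to show it survives a round trip).
        stored = json.loads(json.dumps(baseline))

        (root / "config" / "ehr.ini").write_text("db=unexpected-host\n")  # altered
        (root / "export.csv").unlink()                                    # removed
        (root / "note.txt").write_text("unexpected\n")                    # added
        return verify(root, stored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Any non-empty "modified" or "missing" list on a system that should not have changed is the signal your integrity control exists to raise; on a restored backup it tells you whether the restore actually matches what was backed up.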

Transmission security

PHI in transit must be encrypted. TLS 1.2+ for web traffic. Encrypted email for any external PHI transmission (Microsoft 365 with Office Message Encryption, or a third-party secure email gateway). VPN with strong encryption for any remote access. Getting these cloud and network controls right is the technical core of HIPAA compliance.

Person or entity authentication

MFA on every PHI-touching system: EHR, email, file shares, VPN, billing, lab integrations. This is now the cybersecurity industry standard, not just a HIPAA recommendation.

What we deploy for medical practice clients

For our HIPAA-aware managed services for medical practices:

  • Network segmentation between clinical, administrative, and guest networks
  • MFA enforcement on every PHI-touching system
  • EDR on every workstation and server
  • Encrypted backup with off-site replication and immutable storage (so a ransomware attacker cannot encrypt the backups)
  • Email security with anti-phishing, DLP, and Office Message Encryption
  • VPN for remote access with MFA
  • Documented BAAs with every vendor that touches PHI (we sign one with you; you sign one with every vendor)
  • Annual risk analysis support — we provide the technical input; you or your counsel certifies the analysis
  • Incident response plan with breach notification readiness
  • Workforce training platform integration (KnowBe4, Curricula, or similar)

Common pitfalls in small practices

  • Generic admin passwords in the EHR or on the network equipment
  • Shared workstation logins at the front desk
  • No MFA on email — by far the most common entry point for PHI exposure incidents
  • Public-facing remote access (RDP exposed to the internet, weak VPN)
  • Backups that have never been tested — sometimes for years
  • No BAA with vendors that have access to PHI (consider every vendor: your IT provider, your shredding company, your fax service, your cloud storage, your billing service, your AI scribe)
  • PHI in personal email — staff forwarding to personal Gmail accounts to work from home
  • No incident response plan — ransomware happens, the practice freezes for days deciding what to do

Breach notification

If PHI is exposed (lost laptop, stolen device, ransomware, accidental disclosure, etc.), HIPAA requires notification to the affected individuals, HHS, and in some cases the media within specific timeframes. This is where having documented incident response and immediate access to counsel matters.

NY also has the SHIELD Act, which has its own breach notification rules and applies to PHI of NY residents in addition to HIPAA.

A note on AI

Practices are increasingly using AI for clinical documentation, scheduling, billing, and patient communication. Every AI tool that touches PHI needs a BAA and a risk analysis. Just because a vendor sells to healthcare does not mean they have signed a BAA — confirm before sharing PHI.

What this costs

For a small medical practice (5–25 endpoints):

  • Initial HIPAA-aware managed services setup: typically $2,500–$7,500 (one-time)
  • Ongoing managed services with HIPAA controls: $159/workstation/month (Secure tier)
  • Server / infrastructure: separately quoted
  • Risk analysis (annual): $1,500–$3,500 if performed by a third-party assessor; built-in as part of managed services for our clients

What we will not do

We do not sign BAAs as a “HIPAA compliance certifier” — that is a separate engagement, often handled by a healthcare-focused law firm or a HITRUST-style assessor. We sign BAAs as your IT provider, accept responsibility for the controls within our scope, and document everything for your auditor.

How Sage Solutions helps

HIPAA-aware IT for medical practices requires managed IT with purpose-built cybersecurity controls, cloud governance for M365 and EHR integrations, and immutable backup that survives a worst-case ransomware scenario. We deliver all of this as a single managed-services engagement — not as separate point solutions you have to coordinate yourself.

If you operate a medical practice in NY/NJ and want a HIPAA-aware IT review, book a 30-minute call. Free, no obligation.
