HIPAA Compliance: Security That Protects Patients and Passes Audits

HHS guidance specifies that a compliant risk analysis must: (1) identify the scope of ePHI held across all systems and media; (2) identify and document all reasonably anticipated threats to ePHI; (3) identify and document potential vulnerabilities to those ePHI systems; (4) assess the likelihood that threats will exploit vulnerabilities; (5) assess the potential impact on ePHI confidentiality, integrity, and availability; and (6) determine the overall level of risk. The analysis must be thorough, accurate, and documented. A checklist or questionnaire that doesn't assess your specific environment does not satisfy these requirements. Vigil Cyber conducts structured risk analyses that produce the documentation OCR investigators require.

Yes — any vendor that creates, receives, maintains, or transmits ePHI on your behalf is a business associate and requires a signed BAA. This includes your EHR vendor, billing service, cloud storage provider, IT managed service provider, transcription service, and any other vendor with access to systems containing ePHI. Business associates are directly liable for HIPAA Security Rule compliance under HITECH — so a BAA is not merely a contractual formality. It establishes the vendor's legal obligations and your right to receive breach notification from them within the required timeframe.

Civil monetary penalties are tiered based on culpability. "Did not know" violations: $137–$68,928 per violation, capped at $2,067,813 per year per violation category. "Reasonable cause" violations: $1,379–$68,928 per violation, capped at $2,067,813 per year. "Willful neglect, corrected": $13,785–$68,928 per violation, capped at $2,067,813 per year. "Willful neglect, not corrected": $68,928 per violation, minimum $68,928, capped at $2,067,813 per year. Multiple violation categories in a single investigation compound the exposure. State attorneys general have independent enforcement authority and can impose additional penalties under state law.

In principle, compliance with the HIPAA Security Rule should produce meaningful security — the rule was designed that way. In practice, many organizations achieve "compliance on paper" by creating policy documents and completing checklists without implementing the underlying controls. The result is documentation that satisfies a surface audit but a security posture that doesn't protect patients. Vigil Cyber implements the technical controls that the policy documents describe — monitoring, access control, endpoint protection, patch management — so your compliance documentation reflects your actual security posture. That's how you satisfy both auditors and adversaries.

Yes. HIPAA applies to all covered entities regardless of size — there is no small practice exemption. A solo physician practice that submits claims electronically is a covered entity with full HIPAA Security Rule obligations. The flexibility in the rule — "reasonable and appropriate" safeguards based on your size, complexity, and capabilities — means that small practices may implement different controls than large hospital systems, but they must implement appropriate controls and document why those controls are proportionate to their identified risks.