HIPAA IT requirements for Washington state healthcare practices include encrypting all electronic protected health information (ePHI) at rest and in transit, conducting an annual security risk analysis, implementing access controls with unique user IDs, maintaining audit logs for all systems that touch patient data, and establishing documented backup and disaster recovery procedures. These are not suggestions — they are enforceable obligations under the HIPAA Security Rule, and OCR is actively auditing small practices.
What Are the HIPAA Security Rule Technical Safeguards?
The HIPAA Security Rule organizes IT requirements into three categories: administrative, physical, and technical safeguards. For healthcare practices in Washington, the technical safeguards are where most compliance gaps live. These are the specific IT controls you must have in place:
Access Controls
Every person who accesses ePHI must have a unique user ID. Shared logins — the receptionist and the office manager using the same Windows account — are a direct violation. Your systems must also include:
- Emergency access procedures for accessing ePHI during a system outage or emergency
- Automatic logoff after a period of inactivity on workstations that access patient data
- Encryption and decryption mechanisms for ePHI stored on any device or transmitted across any network
Audit Controls
You must implement hardware, software, and procedural mechanisms to record and examine activity in systems that contain or use ePHI. This means logging who accessed what data, when, and from where. Many small practices in Western Washington fail this requirement because their EHR system has logging enabled but their file servers, email systems, and cloud storage do not.
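The "who, what, when, and from where" review that this requirement calls for is easy to automate once the log actually exists. The script below is an added example, not code from the original post or from ROI Technology: it parses a constructed, space-separated audit log (timestamp, user ID, workstation, action, record ID; that format is an assumption), builds a per-user access summary, lists after-hours access, and flags a user ID that was active from two different workstations within a few minutes, which is the audit-trail signature of a shared login.

```python
"""Audit-log review: who accessed what, when, and from where.

Added example, not from the original post. The log format is an assumption
(constructed): ISO timestamp, user id, source host, action, record id.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (not real data). jdoe appears on two
# workstations 25 seconds apart; asmith has one access at 22:15.
SAMPLE_LOG = """\
2025-03-04T08:02:11 jdoe WS-FRONT01 VIEW MRN-10021
2025-03-04T08:03:40 jdoe WS-FRONT01 VIEW MRN-10022
2025-03-04T08:04:05 jdoe WS-EXAM03 VIEW MRN-10087
2025-03-04T08:30:12 asmith WS-EXAM02 UPDATE MRN-10022
2025-03-04T22:15:44 asmith WS-EXAM02 VIEW MRN-10090
2025-03-05T09:00:00 jdoe WS-FRONT01 VIEW MRN-10023
"""

WINDOW = timedelta(minutes=10)  # assumption: two hosts inside 10 minutes is suspicious


def parse_log(text):
    """Parse lines into dicts; skip blank or malformed lines rather than crash."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, host, action, mrn = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        records.append({"when": when, "user": user, "host": host,
                        "action": action, "mrn": mrn})
    return records


def access_summary(records):
    """Per user: record ids touched, hosts used, and total events."""
    summary = {}
    for r in records:
        entry = summary.setdefault(r["user"], {"records": set(), "hosts": set(), "count": 0})
        entry["records"].add(r["mrn"])
        entry["hosts"].add(r["host"])
        entry["count"] += 1
    return summary


def after_hours(records, start_hour=7, end_hour=19):
    """Events outside the clinic's working hours (hours are an assumption)."""
    return [r for r in records if not (start_hour <= r["when"].hour < end_hour)]


def find_shared_login_indicators(records, window=WINDOW):
    """Return (user, host_a, host_b, t_a, t_b) tuples where one user id was
    active from two different hosts within `window`: a shared-credential sign."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    findings = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["when"])
        for prev, cur in zip(recs, recs[1:]):
            if cur["host"] != prev["host"] and cur["when"] - prev["when"] <= window:
                findings.append((user, prev["host"], cur["host"], prev["when"], cur["when"]))
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, entry in access_summary(recs).items():
        print(user, entry["count"], "events,", len(entry["records"]), "records, hosts:", sorted(entry["hosts"]))
    for f in find_shared_login_indicators(recs):
        print("possible shared login:", f[0], f[1], "->", f[2], "within", f[4] - f[3])
    for r in after_hours(recs):
        print("after hours:", r["user"], r["when"], r["mrn"])
```

The same parser works for any system that can export one line per access event; the point is that the file server, mail system, and cloud storage need to produce such lines too, not only the EHR.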
Integrity Controls
Electronic measures must be in place to confirm that ePHI has not been improperly altered or destroyed. This includes checksums, version control, and backup verification — not just “we run backups,” but documented proof that backups are complete and restorable.
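"Documented proof that backups are complete and restorable" can be produced mechanically. The following is an added example, not the post's or ROI Technology's own tooling: it builds a SHA-256 manifest of the source tree, compares a test restore against that manifest, reports missing, altered, and unexpected files, and writes a timestamped JSON verification record. The file names and the temporary directories are constructed so it runs offline; in practice you would point `build_manifest` at the production data and `verify_restore` at a restore performed to a scratch location.

```python
"""Backup integrity verification: checksum manifest plus restore comparison.

Added example, not code from the original post. All paths below are
constructed inside a temporary directory so the script runs offline.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large chart archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(source_manifest, restored_root):
    """Compare a restored tree to the source manifest.
    ok is True only when nothing is missing, altered, or unexpected."""
    restored = build_manifest(restored_root)
    missing = sorted(p for p in source_manifest if p not in restored)
    altered = sorted(p for p in source_manifest
                     if p in restored and restored[p] != source_manifest[p])
    extra = sorted(p for p in restored if p not in source_manifest)
    return {
        "ok": not (missing or altered or extra),
        "missing": missing, "altered": altered, "extra": extra,
        "files_checked": len(source_manifest),
        "verified_at": datetime.now(timezone.utc).isoformat(),
    }


def write_verification_record(result, path):
    """Persist the result; the dated record is the evidence an auditor asks for."""
    with open(path, "w") as f:
        json.dump(result, f, indent=2)


def demo():
    """Constructed scenario: a source tree, a faithful restore, and a restore
    with one corrupted file and one missing file. Returns both results."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "source")
        good = os.path.join(tmp, "restore_good")
        bad = os.path.join(tmp, "restore_bad")
        contents = {  # constructed file names and contents, not real records
            "charts/MRN-10021.pdf": b"chart A",
            "charts/MRN-10022.pdf": b"chart B",
            "schedule.db": b"schedule",
        }
        for root in (src, good, bad):
            os.makedirs(os.path.join(root, "charts"))
            for rel, data in contents.items():
                with open(os.path.join(root, rel), "wb") as f:
                    f.write(data)
        # Simulate a bad restore: one file corrupted, one file never restored.
        with open(os.path.join(bad, "schedule.db"), "wb") as f:
            f.write(b"schedulX")
        os.remove(os.path.join(bad, "charts/MRN-10022.pdf"))

        manifest = build_manifest(src)
        good_result = verify_restore(manifest, good)
        bad_result = verify_restore(manifest, bad)
        write_verification_record(good_result, os.path.join(tmp, "verification.json"))
        return good_result, bad_result


if __name__ == "__main__":
    good_result, bad_result = demo()
    print("good restore ok:", good_result["ok"], "files:", good_result["files_checked"])
    print("bad restore ok:", bad_result["ok"], "missing:", bad_result["missing"],
          "altered:", bad_result["altered"])
```

Keep the manifest from the time of the backup, not one regenerated from the restore, otherwise the comparison proves nothing; and keep the dated verification records alongside the backup logs so the six-year documentation requirement is met by the same process that does the checking.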
Transmission Security
Any ePHI transmitted over a network — including email, cloud sync, and remote access connections — must be encrypted. Sending unencrypted patient information over email is one of the most common violations we encounter in healthcare practices across Skagit, Whatcom, and Snohomish counties.
What Does the Annual Security Risk Analysis Require?
The HIPAA Security Rule requires covered entities to conduct a thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. This is not optional, and “we haven’t had a breach” is not a substitute.
A proper risk analysis must:
- Identify all ePHI. Every system, device, and location where patient data is created, received, maintained, or transmitted — including mobile devices, cloud services, and paper-to-digital conversion points.
- Identify threats and vulnerabilities. Ransomware, phishing, insider threats, physical theft, natural disasters, and vendor risks all belong in this analysis.
- Assess current security measures. Document what controls exist today and evaluate whether they are adequate.
- Determine likelihood and impact. For each identified risk, estimate how likely it is to occur and how severe the impact would be.
- Document everything. The analysis itself must be documented, along with the resulting risk management plan and any remediation actions taken.
OCR has explicitly stated that the risk analysis is the single most important HIPAA Security Rule requirement. It is also the most frequently cited deficiency in enforcement actions. In our experience conducting HIPAA assessments for healthcare practices across Western Washington, the most common gaps are:
- EHR systems assessed, but network infrastructure and email systems overlooked
- Risk analysis performed once and never updated
- No documentation of remediation actions taken after risks were identified
- Mobile devices and cloud services excluded from scope
What Physical Safeguards Apply to IT Systems?
Physical safeguards often get overlooked in small practices, but they are explicitly required:
- Facility access controls. Restrict physical access to areas containing servers, network equipment, and workstations that access ePHI.
- Workstation use policies. Define how workstations in clinical areas should be positioned (screens not visible to patients), when they must be locked, and who may use them.
- Device and media controls. Document procedures for disposing of hardware and electronic media that contained ePHI. A hard drive that goes into the recycling bin without being wiped is a reportable breach waiting to happen.
How Do Washington State Laws Add to HIPAA Requirements?
Washington state adds layers beyond federal HIPAA requirements that healthcare practices must address:
- Washington’s data breach notification law (RCW 19.255.010) requires notification to affected individuals within 30 days of discovering a breach — shorter than HIPAA’s 60-day window.
- The My Health My Data Act (MHMDA) covers health data that falls outside HIPAA’s scope. If your practice collects any health-related information beyond what HIPAA regulates — patient satisfaction surveys, wellness program data, website analytics on health-related pages — the MHMDA may apply.
- Washington’s Consumer Protection Act provides an additional enforcement mechanism. The Attorney General can pursue violations independent of federal HIPAA enforcement.
Understanding the penalties for falling short is critical. HIPAA violation penalties in Washington state can reach $2.19 million per violation category per year, and Washington’s state-level enforcement adds further exposure.
What Are the Most Common IT Failures in Washington Healthcare Practices?
Based on our assessment work with healthcare practices across Western Washington, these are the failures we see most frequently:
- No encryption on laptops and mobile devices. A stolen unencrypted laptop containing patient data is an automatic reportable breach.
- Shared user accounts. When clinicians share a single login to the EHR system, no action in the audit trail can be attributed to an individual, which defeats the purpose of audit controls.
- No business associate agreements (BAAs). Cloud providers, IT vendors, billing companies, and shredding services that handle ePHI all require signed BAAs. Missing even one is a compliance gap.
- Outdated or missing patches. Systems running unsupported software (Windows 10 after October 2025, for example) with known vulnerabilities cannot meet the Security Rule’s requirements.
- Backup testing never performed. Having backups is not enough. You must verify that they can be restored — and document the verification.
How Should Healthcare Practices Approach HIPAA IT Compliance?
The most effective approach treats HIPAA IT compliance as an ongoing program rather than a project:
- Start with the risk analysis. Everything else flows from understanding your risks.
- Prioritize encryption. It is the single most impactful technical control and provides a safe harbor from breach notification if encrypted data is lost or stolen.
- Implement endpoint security across all devices that access ePHI, including managed detection and response.
- Document continuously. Policies, procedures, risk analyses, training records, and incident reports must be maintained for six years under HIPAA.
- Work with a compliance-aware IT partner. A managed IT provider experienced in healthcare compliance provides the technical controls, documentation, and ongoing monitoring that HIPAA demands.
ROI Technology Inc. provides HIPAA-aligned IT management for healthcare practices across Western Washington. Contact us for a compliance assessment that identifies your gaps before an auditor does.