What HIPAA IT Compliance Requires for Healthcare Organizations

By Ken Satkunam, CISM · President & Founder, NorthStar Technology Group
March 2026 · 10 min read
Most healthcare organizations believe they’re HIPAA compliant.
They have antivirus. They bought cyber insurance. Someone in the office attended a training three years ago. There’s a password policy somewhere in a binder.
And when I sit down with them for the first time, the conversation usually goes the same way.
“We’re in pretty good shape.”
Then we run the assessment.
And that’s when the room gets quiet.
HIPAA compliance is not a document you file. It’s an operating discipline your organization either runs or it doesn’t.
I’ve been doing this for 25 years. We’ve supported healthcare organizations of every size — from 10-person clinics to multi-facility systems with hundreds of employees across multiple states. And the pattern is always the same: the organizations that think they’re fine are the ones carrying the most risk.
Not because they don’t care. They do. They’re just operating on outdated assumptions.
This article is the conversation I wish I could have with every healthcare leader before the audit notice arrives. Not to scare you. To give you clarity. Because clarity is what lets you act with confidence instead of scrambling in a panic.
What HIPAA actually requires from your IT environment
Let’s start with what matters. HIPAA has three rules that directly affect your technology. Everything else flows from these.
The Privacy Rule
This controls who can access and share protected health information (PHI) and establishes patient rights over their own data. Its minimum necessary standard is the part IT owns: your systems have to enforce access restrictions in practice, not just in a policy document. If every staff member can open every patient record, you have a Privacy Rule problem.
The Security Rule
This is where most of the IT requirements live. The Security Rule mandates three categories of safeguards — administrative, physical, and technical — to protect electronic PHI (ePHI). It requires you to assess risk, implement controls, and document everything. This is not optional. This is not a suggestion. It is a requirement with real enforcement behind it.
The Breach Notification Rule
When unsecured PHI is compromised (and if your controls are weak, it is a matter of when, not if), you are required to notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery, report the breach to HHS (on that same timeline when 500 or more people are affected, otherwise in an annual log), and notify prominent media outlets when more than 500 residents of a state or jurisdiction are involved. The consequences of fumbling this are severe, and not just financially. Reputationally.
These three rules create the framework. But the question every healthcare leader should be asking is: what does this actually look like inside my organization?
The six controls that actually matter
I could list every technical specification in the HIPAA Security Rule. But that’s not helpful. What’s helpful is understanding the six areas where I see healthcare organizations fail most consistently — and what “good” actually looks like in each.
1. Risk assessment
This is the single most important requirement in HIPAA, and the one most organizations skip entirely. A risk assessment is not a vulnerability scan. It is a documented evaluation of where your ePHI lives, what threats exist, how likely and how damaging they are, and what controls you have in place to address them. The rule text calls for it to be ongoing and periodically reviewed rather than naming a calendar interval; in practice that means at least annually and whenever your environment changes materially (a new EHR, a cloud migration, a new location). It must be documented. And it must produce an actionable remediation plan.
When OCR investigates a breach, the first document they ask for is the risk assessment. If you don’t have one, you’ve already lost the conversation.
2. Access controls
Role-based access. Least privilege. Multi-factor authentication. These are not advanced security concepts. They are baseline requirements. Every person in your organization should only have access to the patient information they need to do their job. No more.
If your front desk can see the same records as your clinical director, you have an access control problem. If remote access to your systems requires nothing more than a password, you have an access control problem. The current Security Rule text does not name MFA, but the proposed update to the rule does, and cyber insurers already require it for remote access and email. Treat it as baseline, not as an upgrade.
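Here is what role-based, least-privilege access looks like when it is enforced in code rather than described in a binder. This is an added illustration, not NorthStar tooling and not any EHR's actual authorization model: the role names, the field names, the sample chart and the "treatment relationship" scope applied to clinicians are all assumptions made for the example. Every role gets a default-deny view, writes are narrower than reads, and a clinician sees only patients on their own panel.

```python
"""Role-based, least-privilege access to patient records.
Added example; roles, fields and the sample chart are assumptions, not NorthStar code."""
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Field-level read permissions per role: each role's "minimum necessary" view of a chart.
# Role and field names are assumed for the example; a real deployment keys them to the
# EHR's data model and to group claims from the identity provider.
ROLE_READS: Dict[str, FrozenSet[str]] = {
    "front_desk": frozenset({"patient_id", "name", "dob", "phone", "appointments", "insurance_id"}),
    "billing":    frozenset({"patient_id", "name", "dob", "insurance_id", "procedure_codes"}),
    "clinician":  frozenset({"patient_id", "name", "dob", "phone", "allergies", "medications",
                             "clinical_notes", "procedure_codes"}),
}

# Write permissions are narrower still; a field not listed here is read-only for that role.
ROLE_WRITES: Dict[str, FrozenSet[str]] = {
    "front_desk": frozenset({"phone", "appointments", "insurance_id"}),
    "billing":    frozenset({"insurance_id"}),
    "clinician":  frozenset({"allergies", "medications", "clinical_notes", "procedure_codes"}),
}

# Roles whose access is additionally scoped to patients they are actually treating
# (assumption: scheduling maintains that assignment list and it is passed in as `panel`).
PANEL_SCOPED_ROLES = {"clinician"}


class AccessDenied(PermissionError):
    """Raised for any access the policy does not explicitly allow (default deny)."""


@dataclass(frozen=True)
class Principal:
    user: str
    role: str
    panel: FrozenSet[str] = frozenset()  # patient IDs this user is assigned to


def _check_scope(p: Principal, record: dict) -> None:
    """Unknown roles get nothing; panel-scoped roles need a treatment relationship."""
    if p.role not in ROLE_READS:
        raise AccessDenied(f"unknown role {p.role!r} for {p.user}")
    if p.role in PANEL_SCOPED_ROLES and record["patient_id"] not in p.panel:
        raise AccessDenied(f"{p.user} has no treatment relationship with {record['patient_id']}")


def read_record(p: Principal, record: dict) -> dict:
    """Return only the fields this principal may see; everything else is stripped."""
    _check_scope(p, record)
    allowed = ROLE_READS[p.role]
    return {k: v for k, v in record.items() if k in allowed}


def write_field(p: Principal, record: dict, field_name: str, value) -> dict:
    """Return an updated copy if the role may write that field; otherwise refuse."""
    _check_scope(p, record)
    if field_name not in ROLE_WRITES.get(p.role, frozenset()):
        raise AccessDenied(f"{p.user} ({p.role}) may not write {field_name}")
    updated = dict(record)
    updated[field_name] = value
    return updated


def can_read(p: Principal, record: dict) -> bool:
    """True if the principal may see any part of the record."""
    try:
        read_record(p, record)
        return True
    except AccessDenied:
        return False


def can_write(p: Principal, record: dict, field_name: str) -> bool:
    """True if the principal may change the named field."""
    try:
        write_field(p, record, field_name, None)
        return True
    except AccessDenied:
        return False


# Constructed sample chart and users; no real patient data.
SAMPLE_CHART = {
    "patient_id": "P-1001", "name": "Sample Patient", "dob": "1970-01-01",
    "phone": "555-0100", "appointments": ["2026-03-10 09:00"], "insurance_id": "INS-42",
    "allergies": ["penicillin"], "medications": ["lisinopril"],
    "clinical_notes": "constructed note, not PHI", "procedure_codes": ["99213"],
}
FRONT_DESK = Principal("rsmith", "front_desk")
CLINICIAN = Principal("mlee", "clinician", frozenset({"P-1001"}))
OTHER_CLINICIAN = Principal("tnguyen", "clinician", frozenset({"P-2001"}))

if __name__ == "__main__":
    print("front desk sees:", sorted(read_record(FRONT_DESK, SAMPLE_CHART)))
    print("clinician sees:", sorted(read_record(CLINICIAN, SAMPLE_CHART)))
    print("clinician off-panel allowed:", can_read(OTHER_CLINICIAN, SAMPLE_CHART))
    print("front desk may edit notes:", can_write(FRONT_DESK, SAMPLE_CHART, "clinical_notes"))
```

The shape of the policy is what carries over to a real environment, not the specific fields: permissions are enumerated allow-lists keyed to roles your identity provider asserts, anything unlisted is refused, and "may this role see charts" and "may this user see this chart" are two separate checks.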
3. Encryption
ePHI must be encrypted at rest and in transit. That means laptops, portable drives, file servers, cloud storage, backups, and email. All of it. Under the current rule text encryption is an "addressable" specification, which means you either implement it or document why an equivalent alternative is reasonable, and for the devices and channels just listed there is no credible alternative. Encryption is also the breach safe harbor: PHI encrypted in a manner consistent with HHS guidance is not "unsecured," so losing it is not a reportable breach. If a laptop is stolen from a car and the drive is not encrypted, that is a reportable breach, even if the thief was after the hardware, not the data.
Encryption is the single most effective way to prevent a security incident from becoming a compliance catastrophe. It’s also the control most frequently missing from the organizations we assess.
4. Audit logging
Who accessed what, when, and why. HIPAA requires you to maintain and regularly review audit logs of access to ePHI. Most healthcare organizations either have logging disabled, logs they never review, or logs that could be easily tampered with.
Audit logs are not just a compliance checkbox. They are your forensic evidence when something goes wrong. Without them, you cannot prove what happened, who was responsible, or how you responded.
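The "could be easily tampered with" failure has a direct technical answer: chain every entry to the one before it and seal the chain with a key that the workstations writing entries never hold. The block below is an added example, not NorthStar code and not any product's log format; the entry fields, the review threshold and the sample entries are constructed for illustration. It shows an append, an integrity check that pinpoints the first altered or deleted record, and one review rule of the kind the rule's "information system activity review" expects you to run.

```python
"""Tamper-evident audit log for ePHI access.
Added example; fields, key and sample entries are constructed, not NorthStar code."""
import hashlib
import hmac
import json
from collections import defaultdict
from typing import Dict, List, Optional

GENESIS = "0" * 64  # previous-hash value for the very first entry


def _canonical(entry: dict) -> bytes:
    """Serialize deterministically so identical content always hashes identically."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def _link(key: bytes, prev_hash: str, entry: dict) -> str:
    """HMAC over (previous hash || entry) chains each record to the one before it.
    The key lives with the log collector, not on the systems that generate entries."""
    return hmac.new(key, prev_hash.encode() + _canonical(entry), hashlib.sha256).hexdigest()


def append_entry(log: List[dict], key: bytes, *, when: str, who: str,
                 action: str, patient: str, reason: str) -> dict:
    """Append a 'who accessed what, when, and why' record and seal it to the chain."""
    body = {"seq": len(log), "when": when, "who": who,
            "action": action, "patient": patient, "reason": reason}
    prev = log[-1]["hash"] if log else GENESIS
    entry = dict(body, hash=_link(key, prev, body))
    log.append(entry)
    return entry


def verify_chain(log: List[dict], key: bytes) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad entry.
    An edit, an insertion or a deletion breaks the link at or after the change."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        expected = _link(key, prev, body)
        if body.get("seq") != i or not hmac.compare_digest(entry.get("hash", ""), expected):
            return i
        prev = entry["hash"]
    return None


def flag_bulk_access(log: List[dict], max_patients: int) -> Dict[str, int]:
    """Review rule: users who opened more distinct charts than their job plausibly needs."""
    seen = defaultdict(set)
    for e in log:
        seen[e["who"]].add(e["patient"])
    return {who: len(p) for who, p in seen.items() if len(p) > max_patients}


# Constructed sample; no real patients. The key would be held by the log collector.
LOG_KEY = b"example-key-held-by-log-collector"


def build_sample_log() -> List[dict]:
    log: List[dict] = []
    rows = [
        ("2026-03-02T09:01:00Z", "jdoe",    "view", "P-1001", "scheduled visit"),
        ("2026-03-02T09:04:00Z", "jdoe",    "view", "P-1002", "scheduled visit"),
        ("2026-03-02T09:10:00Z", "mlee",    "edit", "P-1001", "med reconciliation"),
        ("2026-03-02T22:15:00Z", "tnguyen", "view", "P-2001", ""),
        ("2026-03-02T22:16:00Z", "tnguyen", "view", "P-2002", ""),
        ("2026-03-02T22:17:00Z", "tnguyen", "view", "P-2003", ""),
        ("2026-03-02T22:18:00Z", "tnguyen", "view", "P-2004", ""),
    ]
    for when, who, action, patient, reason in rows:
        append_entry(log, LOG_KEY, when=when, who=who, action=action,
                     patient=patient, reason=reason)
    return log


def tamper_demo() -> Optional[int]:
    """Rewrite the attribution of an after-hours access, as an insider covering tracks would."""
    log = build_sample_log()
    log[3]["who"] = "jdoe"
    return verify_chain(log, LOG_KEY)


def deletion_demo() -> Optional[int]:
    """Silently drop one historical entry; the sequence numbers and links expose it."""
    log = build_sample_log()
    del log[2]
    return verify_chain(log, LOG_KEY)


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", verify_chain(log, LOG_KEY) is None)
    print("bulk access:", flag_bulk_access(log, max_patients=3))
    print("first bad entry after edit:", tamper_demo())
    print("first bad entry after deletion:", deletion_demo())
```

Two caveats a practitioner would add. First, a chain only proves integrity relative to its own head: export the latest hash on a schedule to a store the log writers cannot modify (a separate account, WORM storage, or even a printed daily value), or an attacker holding the key can rewrite the tail. Second, the review rule is the part that makes the log useful rather than merely present; after-hours bulk views with an empty reason field, as in the constructed sample, are exactly the pattern reviewers should be looking for.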
5. Backup and disaster recovery
Your backups must be encrypted, kept with at least one copy offsite or immutable so that ransomware that reaches your network cannot reach the backup, and, this is the part most people miss, tested regularly for restorability. A backup you have never tested is a hope, not a plan.
Ransomware specifically targets healthcare because the data is sensitive and the pressure to pay is enormous. If your recovery plan is “pay the ransom,” your plan has already failed. Encrypted, tested, recoverable backups are the difference between a bad day and a business-ending event.
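A restore test is the step everyone skips, so here it is as code: back up a constructed sample tree, restore it into a fresh directory, and compare every restored file against a manifest of digests recorded at backup time. This is an added example, not NorthStar's backup tooling; the sample files and the deliberate damage in the second run are constructed for illustration. It does not encrypt the archive, which the text rightly requires and which your backup product should handle.

```python
"""Backup restore test: prove a backup comes back byte-for-byte.
Added example; sample data is constructed, this is not NorthStar code."""
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Streamed SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, archive: Path) -> Dict[str, str]:
    """Archive every file under source; return {relative path: sha256} as the manifest.
    Keep the manifest apart from the archive so a tampered archive cannot carry a
    forged manifest along with it."""
    manifest = {p.relative_to(source).as_posix(): sha256_of(p)
                for p in sorted(source.rglob("*")) if p.is_file()}
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    return manifest


def safe_extract(archive: Path, dest: Path) -> None:
    """Restore while refusing absolute paths, '..' traversal and non-file members,
    so a malicious or corrupted archive cannot write outside the restore directory."""
    dest = dest.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            target = (dest / member.name).resolve()
            if not member.isfile() or dest not in target.parents:
                raise ValueError(f"refusing unsafe archive member: {member.name!r}")
        tar.extractall(dest)


def verify_restore(manifest: Dict[str, str], restore_dir: Path) -> Dict[str, List[str]]:
    """Compare every restored file against the digest recorded at backup time."""
    report: Dict[str, List[str]] = {"ok": [], "missing": [], "corrupt": []}
    for rel, digest in manifest.items():
        p = restore_dir / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_of(p) != digest:
            report["corrupt"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def _build_sample_source(root: Path) -> Path:
    """Constructed sample data; no real PHI."""
    src = root / "ehr"
    (src / "notes").mkdir(parents=True)
    (src / "patients.csv").write_text("id,name\nP-1001,Sample Patient\n")
    (src / "notes" / "P-1001.txt").write_text("constructed clinical note\n")
    return src


def run_restore_test(damage_restore: bool = False) -> Dict[str, List[str]]:
    """Backup -> restore into a fresh directory -> verify. With damage_restore=True the
    restored tree is deliberately corrupted and pruned to show the test catching it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = _build_sample_source(root)
        archive = root / "backup.tar.gz"
        manifest = make_backup(src, archive)
        restore_dir = root / "restore"
        restore_dir.mkdir()
        safe_extract(archive, restore_dir)
        if damage_restore:
            (restore_dir / "patients.csv").write_text("id,name\n")  # silent corruption
            (restore_dir / "notes" / "P-1001.txt").unlink()        # file lost
        return verify_restore(manifest, restore_dir)


if __name__ == "__main__":
    print("clean restore:", run_restore_test())
    print("damaged restore:", run_restore_test(damage_restore=True))
```

The second run is the one that matters: a restore job that reports success while returning a truncated file or a missing directory is exactly what turns a ransomware incident into the business-ending event described above, and only a digest comparison against a manifest you trust catches it. Run this against a real backup set on the quarterly schedule the checklist later in this article calls for, into a directory that is not your production path.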
6. Incident response
You need a written incident response plan that covers detection, containment, notification, and recovery. It should be tested at least annually; a tabletop exercise counts. And it must be specific to your organization, not a generic template you downloaded and filed away.
When a breach happens, the first 72 hours determine everything: whether you can tell what was taken, whether you can contain it, and whether your notifications will go out on time. The organizations that survive with their reputation intact are the ones that had a plan, executed it, and documented the response. The ones that scramble end up on the HHS breach portal, the public list of breaches affecting 500 or more individuals that the industry calls the "Wall of Shame."
Where most organizations actually stand
Here’s the uncomfortable reality.
In our experience assessing healthcare organizations, the majority are operating with significant gaps in at least three of these six areas. The most common pattern: they have some tools in place — antivirus, maybe a firewall — but no documentation, no formal risk assessment, no tested incident response plan, and no structured approach to access controls or audit logging.
They have pieces. They don’t have a program.
And that distinction matters enormously. Because HIPAA doesn’t ask whether you bought a security tool. It asks whether you implemented a security program with documented policies, regular assessments, ongoing monitoring, and continuous improvement.
Having antivirus is not compliance. Having a documented, assessed, monitored, and continuously improved security program — that’s compliance.
The organizations that get this right treat compliance as an operating discipline. It’s embedded in how they run — not something they pull off a shelf when an auditor calls.
The real cost of getting it wrong
Let me be direct about what’s at stake. This is not theoretical.
OCR's civil penalty tiers were set at $100 to $50,000 per violation, with an annual cap of $1.5 million for all violations of the same provision, and those figures are adjusted upward for inflation every year, so the current maxima are higher. Penalties have been increasing, not decreasing, in recent years. Small practices are not exempt. OCR has fined solo practitioners and small clinics for the same violations that hit major health systems.
But the financial penalty is rarely the worst part.
The worst part is the reputational damage. Patients leave. Referring providers lose confidence. Staff morale drops. Insurance premiums spike or coverage gets denied entirely. And if you’re in a community where word travels fast — and in healthcare, it always does — recovery takes years.
I don’t say this to create fear. I say it because the cost of prevention is a fraction of the cost of failure. And the leaders who act early always wish they’d started sooner. The leaders who wait always wish they hadn’t.
What a compliance-ready organization looks like
When we work with healthcare organizations, the goal is not to check boxes. It’s to build an environment where compliance is structural — built into the technology, the processes, and the culture.
Here’s what that looks like in practice:
• Annual risk assessments conducted, documented, and producing actionable remediation plans
• Role-based access controls enforced across all systems that touch ePHI
• MFA required on all remote access, email, and cloud applications
• Encryption deployed on all endpoints, file storage, and data in transit
• Audit logging enabled, centralized, reviewed, and protected from tampering
• Encrypted, immutable backups tested quarterly for restorability
• Written incident response plan tested annually with documented results
• Security awareness training delivered annually with documented completion
• Policies and procedures reviewed and updated at least annually
• Ongoing monitoring and continuous improvement — not one-time setup
None of this is exotic. None of it requires bleeding-edge technology. It requires discipline, consistency, and the right partner to implement and maintain it.
Protection is the foundation. Growth is the advantage.
At NorthStar, we call this Protect → Propel.
First, we protect. We lock down the environment. We build the controls. We document everything. We make the audits boring — and that’s exactly how audits should be.
Then, once the foundation is solid, we propel. AI adoption with guardrails. Workflow automation that doesn’t break compliance. Strategic modernization that lets you grow without adding risk.
Most organizations try to modernize before they’ve secured the foundation. That’s building a house on sand. The healthcare organizations that win long-term are the ones that protect first, then propel.
Where to start
If you’re reading this and wondering where your organization stands, there’s a simple next step.
Start with a structured assessment. Not a sales pitch. Not a scare tactic. A clear-eyed evaluation of your current security posture, compliance gaps, and operational risk — mapped against what HIPAA actually requires.
We offer a Security and AI Readiness Check that covers exactly this. It takes the guesswork out of the equation and gives you a prioritized path forward — whether you work with us or not.
Because the worst position to be in is thinking you’re covered when you’re not.
And the best position? Knowing exactly where you stand and having a plan to close the gaps.
Clarity is the antidote to anxiety. And in regulated healthcare, clarity starts with knowing your actual risk posture — not hoping it’s fine.
If you want that clarity, reach out. We’ve been doing this for 25 years. We’ll tell you what we see.
Take the next step
Run a free Security and AI Readiness Check at northstartechnologygroup.com/security-check
Or call us directly: 866-337-9096
ABOUT THE AUTHOR
Ken Satkunam, CISM
President & Founder, NorthStar Technology Group
Ken has spent over 25 years in IT leadership, serving in roles from technical support to CIO for organizations as large as 23,000 employees. He founded NorthStar Technology Group in 2000 to help regulated organizations build secure, compliant, and operationally resilient technology environments. Ken holds the Certified Information Security Manager (CISM) credential from ISACA and is the co-author of the Amazon best-seller Cyber Attack Prevention: Why Your IT Department Must Partner with a Third-Party Cyber Security Firm. He has been quoted in eWeek and DM News, and NorthStar has been recognized on the Inc. 5000 list in both 2024 and 2025.
CISM • Inc. 5000 • MSP 500 • Published Author • 25+ Years