Why this guide exists
Most small practices we meet already know they’re “covered by HIPAA.” Fewer know the HIPAA Security Rule has 18 Standards and more than 40 implementation specs — and that a small practice is expected to address every one.
The 20% you’ll see below are the controls that prevent the kind of incidents OCR actually settles. If you’re a 3-person clinic with an EHR, a patient portal, and an email address, this is your starting list.
The 5 controls that prevent 80% of incidents
1. MFA everywhere PHI lives
Every system that touches Protected Health Information (PHI) needs multi-factor authentication. No exceptions, no “just this service account.”
- ✓ EHR / practice-management system login
- ✓ Patient portal admin access
- ✓ Microsoft 365 / Google Workspace (every user, not just admins)
- ✓ Remote access / VPN / RDP
- ✓ Your cyber-insurance portal and any compliance-documentation platform
Stolen credentials are the #1 cause of HIPAA breaches under 500 records. MFA stops the overwhelming majority of them.
2. Encryption, at rest and in transit
PHI must be encrypted anywhere it can be stolen or intercepted. For small practices, the three places that matter most:
- ✓ Full-disk encryption on every laptop, workstation, and mobile device (BitLocker on Windows, FileVault on macOS, device-level encryption on iOS / Android)
- ✓ TLS on every internet service you use (HTTPS for patient portals, STARTTLS for outbound email)
- ✓ Encrypted backup media — cloud backups count, but verify the vendor encrypts customer data with client-specific keys
HHS treats properly encrypted PHI as “safe harbor” — if a lost laptop’s drive was encrypted, the breach notification obligations are dramatically smaller.
3. Backup + tested restore
“We have backups” is the most dangerous sentence in HIPAA IT. Backups that haven’t been restored lately often turn out to be incomplete, corrupted, or encrypted by the same ransomware that hit production.
- ✓ Daily backups of the EHR, your document drives, and your Microsoft 365 / Google Workspace mailboxes
- ✓ At least one copy off-site AND immutable (can’t be deleted by an attacker with admin credentials)
- ✓ A tested restore — literally restore a file, a mailbox, and a workstation image on a scheduled cadence
- ✓ Written Recovery Time Objective (RTO) and Recovery Point Objective (RPO) that match what your practice can actually survive
4. Email security that actually catches phishing
Phishing is the delivery mechanism for more than 90% of healthcare ransomware. Small practices almost never have the email stack hardened enough to stop it.
- ✓ DMARC enforcement on your domain (not just DMARC monitoring — enforcement)
- ✓ SPF and DKIM aligned and published
- ✓ An anti-phishing / impersonation-protection layer (Microsoft 365 Defender, OpenText / Zix Email Security, Mimecast, Abnormal, etc.)
- ✓ External-sender banners so staff know when an email is from outside the practice
- ✓ Scheduled phishing simulations with role-based remediation training for people who click
5. Written policy + incident-response plan
HIPAA does not require you to be perfect. It requires you to be prepared. A written Security Rule policy and a tested incident-response plan are what separate a small practice that handles a breach from one that becomes an OCR settlement.
- ✓ A written Security Rule policy (administrative, physical, technical safeguards) reviewed annually
- ✓ A named Security Officer (required under the Security Rule — can be the practice owner for small practices)
- ✓ An incident-response plan that accounts for the 60-day HHS breach-notification clock
- ✓ An annual tabletop exercise — walk through a ransomware or phishing-breach scenario with your team
- ✓ A list of every Business Associate and a current BAA on file with each
What this guide does NOT cover
This is a starting checklist, not a full compliance program. A complete HIPAA Security Rule implementation also needs:
- ✓ A formal Risk Analysis (required under 45 CFR § 164.308) — a specific written exercise, not the same as an IT audit
- ✓ Role-based workforce training on HIPAA awareness (beyond phishing-specific training)
- ✓ Physical safeguards for your practice: facility access controls, workstation placement, device disposal
- ✓ Ongoing audit-log review (not just log collection — someone actually looking)
- ✓ Sanctions policy for workforce members who violate HIPAA rules
If you’re preparing for an OCR audit, a client security questionnaire, or a cyber-insurance renewal, the checklist above gets you started — the Risk Analysis and full policy implementation are where most practices need outside help.
What to do this week
Pick one thing. Don’t try to do everything. In order of impact for a small practice:
- Turn on MFA for your Microsoft 365 / Google Workspace tenant if you haven’t. Today. This is free, takes an hour, and stops the most common breach vector.
- Verify your last backup restore actually worked. Ask your IT provider to restore one file to a different location and screenshot it.
- Audit who has admin access to your EHR. Remove anyone who doesn’t need it.
- Check your domain at mxtoolbox.com/dmarc.aspx — if DMARC isn’t on enforcement, that’s probably your fastest phishing-defense win.
- If you don’t have a written Security Rule policy, download a template or call us. The worst policy is the one that doesn’t exist.
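The DMARC / SPF / DKIM items from control 4 and the “is DMARC on enforcement” check above, as an added example that is not part of this guide: it classifies TXT records you have already fetched (with dig or an online checker) and reports the same fixes. The records below are constructed for an imaginary clinic.example domain, and the DKIM key is a placeholder.

```python
def _find(records, prefix):
    """A name may hold several TXT records; pick the one starting with prefix."""
    return next((r for r in records or [] if r.lower().startswith(prefix)), None)

def parse_tags(record):
    """'v=DMARC1; p=reject; pct=100' -> {'v': 'DMARC1', 'p': 'reject', 'pct': '100'}"""
    return {k.strip().lower(): v.strip() for k, v in
            (p.split("=", 1) for p in record.split(";") if "=" in p)}

def dmarc_status(record):
    """'missing', 'monitoring' (p=none), 'partial' (pct<100) or 'enforcement'."""
    tags = parse_tags(record) if record else {}
    if tags.get("v", "").upper() != "DMARC1":
        return "missing"
    policy = tags.get("p", "none").lower()
    if policy == "none":
        return "monitoring"  # reports only: spoofed mail is still delivered
    if policy not in ("quarantine", "reject"):
        return "missing"     # malformed policy counts as no policy
    return "enforcement" if int(tags.get("pct", "100")) >= 100 else "partial"

def spf_status(record):
    """Classify an SPF record by its final 'all' mechanism."""
    if not record:
        return "missing"
    last = record.split()[-1].lower()
    return {"-all": "hard fail", "~all": "soft fail"}.get(last, "no protection")

def assess(domain, txt, selectors=("selector1",)):
    """Return checklist findings for a domain from already-fetched TXT records."""
    findings = []
    d = dmarc_status(_find(txt.get(f"_dmarc.{domain}"), "v=dmarc1"))
    if d != "enforcement":
        findings.append(f"DMARC is '{d}': publish p=quarantine or p=reject with pct=100")
    s = spf_status(_find(txt.get(domain), "v=spf1"))
    if s != "hard fail":
        findings.append(f"SPF is '{s}': end the record with -all")
    for sel in selectors:
        if not _find(txt.get(f"{sel}._domainkey.{domain}"), "v=dkim1"):
            findings.append(f"DKIM selector '{sel}' has no public key published")
    return findings

# Constructed sample records for an imaginary clinic.example domain (not a real lookup):
# DMARC is still in monitoring mode and SPF ends in a soft fail, the two most common gaps.
SAMPLE_TXT = {
    "_dmarc.clinic.example": ["v=DMARC1; p=none; rua=mailto:dmarc@clinic.example"],
    "clinic.example": ["site-verification=abc123", "v=spf1 include:spf.protection.outlook.com ~all"],
    "selector1._domainkey.clinic.example": ["v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"],
}
```

Running `assess("clinic.example", SAMPLE_TXT)` returns the two findings to hand to whoever manages your DNS; an empty list means the three items on the checklist are in place for that selector.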
How Mako helps small Houston practices
We support mental-health clinics, dental imaging practices, and multi-location medical groups across The Woodlands and Houston metro. Our managed clients get every control above implemented and documented; we hand you the evidence package your auditor or insurer actually wants.
If you’re not ready for full managed IT but want a senior engineer to walk through your current posture and flag the biggest gaps, that’s a conversation we offer standalone. Twenty minutes, no pitch.
