Jordan Polasek on HIPAA Compliance: The IT Requirements Texas Medical Offices Actually Miss
If you run a medical practice in Texas and your IT provider has told you that you are "HIPAA compliant," I have uncomfortable news: almost certainly no one has told you in specific terms what they have done to make you compliant, or which clauses of the Security Rule your controls actually map to. I see this pattern in a majority of the medical practices I take over at BVTech LLC — not because the prior provider was careless, but because the medical IT vendor industry has developed a habit of treating compliance as a marketing word rather than a checklist.
This article is a practitioner's take on what the HIPAA Security Rule actually asks a small Texas medical office to do on the IT side. I'm writing for office managers, practice administrators, and physician owners who want to understand — in specific, defensible terms — what controls they should already have in place and what an OCR investigator would reasonably expect to see in an audit.
The Security Rule, in plain English
The HIPAA Security Rule is shorter than people think. Stripped of preamble, it asks covered entities (and their business associates) to implement three categories of safeguards to protect electronic protected health information (ePHI): administrative, physical, and technical. The technical safeguards — the ones your IT provider is responsible for — sit in 45 CFR § 164.312 and comprise five specific requirements: access control, audit controls, integrity, person or entity authentication, and transmission security.
Each of those is further specified as "required" or "addressable." "Addressable" does not mean optional, which is the single most common misreading in the medical IT field. It means you must either implement it, implement a documented equivalent, or document in writing why it is not reasonable for your practice. In a small Texas medical office, the honest answer is almost always "implement it" — the cost of genuine alternatives generally exceeds the cost of just doing the thing.
Access control: the part most offices get half-right
Access control under HIPAA requires unique user identification for every person who touches ePHI, emergency access procedures, automatic logoff, and encryption and decryption. The first three are straightforward. The fourth — encryption — is where small offices typically stall, because consumer-grade software makes it easy to feel encrypted without actually being encrypted.
In a correctly-built Texas medical practice, every workstation drive is encrypted with BitLocker (Windows) or FileVault (macOS), with recovery keys escrowed centrally — not written on a sticky note, not in an email. Every shared network folder containing ePHI sits on a storage system with encryption at rest. Every EHR database is encrypted both in the application and at the storage layer. Every backup, local or cloud, is encrypted with keys your practice controls.
The "half-right" pattern I see: the EHR vendor has encrypted their application, but the workstation itself is not encrypted. A laptop is stolen from a physician's car. The EHR data is safe, but the cached local files — the temporary PDFs, the downloaded attachments, the clipboard history — are not. That is a reportable breach regardless of how secure the EHR itself was. Full-disk encryption is not hard. Most practices have simply not turned it on.
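"Verified, not assumed" should mean a script that runs on each workstation, not a checkbox in a ticket. The following PowerShell is an added example (not BVTech tooling or anything from the page) of what that verification looks like: it checks every fixed volume's BitLocker state, confirms protection is actually on rather than suspended, and pushes the recovery password to the central escrow target. It assumes Windows 10/11 Pro or Enterprise with the built-in BitLocker module, an elevated session, and a machine joined either to Active Directory or to Entra ID. The function name is mine.

```powershell
# Added example: verify full-disk encryption and recovery-key escrow on one workstation.
# Run elevated. Returns a list of findings; an empty list is a pass.
function Test-PracticeDiskEncryption {
    [CmdletBinding()]
    param(
        # Where recovery keys are expected to live centrally: on-prem AD or Entra ID
        [ValidateSet('AD', 'EntraID')][string]$EscrowTarget = 'AD'
    )

    $findings = @()

    foreach ($v in Get-BitLockerVolume) {
        $mp = $v.MountPoint
        # Fixed drives only; removable media is a separate policy question
        if ($v.VolumeType -notin 'OperatingSystem', 'Data') { continue }

        if ($v.VolumeStatus -ne 'FullyEncrypted') {
            $findings += "$mp : volume status is $($v.VolumeStatus) (expected FullyEncrypted)"
        }
        if ($v.ProtectionStatus -ne 'On') {
            # Encrypted but suspended (e.g. left that way after a firmware update) is a common miss
            $findings += "$mp : protection is $($v.ProtectionStatus) (expected On)"
        }

        $recovery = $v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        if (-not $recovery) {
            $findings += "$mp : no RecoveryPassword protector, so there is nothing to escrow"
            continue
        }

        # Escrow every recovery password. A failure here means the only copy of the key
        # is on this machine, which is the sticky-note problem in a different form.
        foreach ($kp in $recovery) {
            try {
                if ($EscrowTarget -eq 'AD') {
                    Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
                } else {
                    BackupToAAD-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
                }
            } catch {
                $findings += "$mp : recovery key escrow to $EscrowTarget failed: $($_.Exception.Message)"
            }
        }
    }

    # One evidence line for the environment document. Never write the recovery password itself.
    $stamp  = Get-Date -Format 'yyyy-MM-dd HH:mm'
    $result = if ($findings.Count -eq 0) { 'PASS' } else { 'FAIL' }
    Write-Output "[$stamp] $env:COMPUTERNAME disk-encryption check: $result"
    $findings
}

Test-PracticeDiskEncryption -EscrowTarget 'AD'
```

Run it from your RMM or a scheduled task and keep the PASS/FAIL lines; a dated series of passes for every endpoint is the kind of artifact an investigator can actually read. The escrow calls are safe to repeat on every run, which is the point: the check is also the remediation.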
Audit controls: the logs you have and the logs you don't
45 CFR § 164.312(b) requires your practice to implement hardware, software, and procedural mechanisms that record and examine activity in information systems containing ePHI. Translated: every system that touches patient data must log who did what, when, and those logs must be reviewable.
Every major EHR handles this natively. The failure mode I see most often is not the EHR's logging — it's everything around the EHR. The Windows file server where staff save scanned intake forms. The shared mailbox where insurance verification correspondence flows. The network-attached storage where the imaging system dumps files. These systems often have logging disabled by default, or enabled with retention measured in days rather than the months an investigation would require. Turning on Windows Event logging with a reasonable retention policy is a one-hour job. It rarely gets done.
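Here is that one-hour job written down, as an added example rather than anything from the page: it enables file-system auditing on the share where intake forms land, raises the Security log from its default size, and then measures how many days of events the log actually holds, because the configured size is not the retention. It assumes a Windows file server, an elevated session on that server, and the share path, retention target and log size below are assumptions for this example; the function name is mine.

```powershell
# Added example: file-access auditing for an ePHI share plus a real retention check.
$EphiShare           = 'D:\Shares\Intake'   # assumed path to the scanned-forms share
$MinRetentionDays    = 180                  # months, not days
$SecurityLogMaxBytes = 2GB                  # sized so that window is achievable

# 1. Audit policy: without this subcategory enabled, SACL entries on the folder do nothing.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. SACL on the folder: record reads, writes and deletes by anyone, inherited to all contents.
$acl  = Get-Acl -Path $EphiShare -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData,WriteData,AppendData,Delete,DeleteSubdirectoriesAndFiles,ChangePermissions,TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $EphiShare -AclObject $acl

# 3. Log size: the default Security log (20 MB) wraps within hours on a busy file server.
wevtutil sl Security "/ms:$SecurityLogMaxBytes"

# 4. Measure the window the log actually holds: newest event minus oldest event.
function Get-SecurityLogWindowDays {
    $newest = Get-WinEvent -LogName Security -MaxEvents 1
    $oldest = Get-WinEvent -LogName Security -MaxEvents 1 -Oldest
    [math]::Round(($newest.TimeCreated - $oldest.TimeCreated).TotalDays, 1)
}

$days = Get-SecurityLogWindowDays
if ($days -lt $MinRetentionDays) {
    Write-Warning "Security log holds $days days of events; the local log alone cannot meet $MinRetentionDays days. Forward it to a collector or SIEM."
} else {
    Write-Output "Security log window: $days days (meets $MinRetentionDays-day minimum)"
}
```

The measurement in step 4 is the part worth repeating monthly. A log that was sized for six months on a quiet server will hold a few weeks once the imaging system starts writing to the same share, and no one notices until an investigation asks for the day the problem started.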
Integrity: what "alteration or destruction" really means
The integrity requirement asks your practice to ensure that ePHI is not improperly altered or destroyed. In practice, this means three things: access controls that prevent the wrong person from editing a record, audit logs that record when records are changed, and backup systems that can restore a previous version of a record if one is altered or destroyed in error.
The backup part is where most practices are technically non-compliant without realizing it. A single daily snapshot of the EHR database, retained for thirty days, does not satisfy integrity requirements in a scenario where a ransomware event encrypts the database and the infection is not noticed for two weeks. You need immutable, ideally air-gapped backups with retention long enough to pre-date a plausible incident. For most small Texas medical practices, that means a local backup appliance plus a cloud target with ninety-day retention minimum.
Person or entity authentication: why passwords alone failed in 2012
HIPAA requires your practice to implement procedures to verify that a person or entity seeking access to ePHI is the one claimed. That requirement is at least nominally satisfied by a password; it is robustly satisfied only with multi-factor authentication. The Department of Health and Human Services' Office for Civil Rights has been increasingly clear in settlement guidance that MFA on ePHI-bearing systems is now the expected baseline. Practices that suffer breaches attributable to credential theft and did not have MFA enforced are paying larger settlements than those that had it.
The full MFA scope for a Texas medical practice: EHR login, email, remote access, cloud backup console, financial systems, and the admin account of every single cloud service the practice uses. "We have MFA on email" is a sentence I hear often; "we have MFA on the EHR administrator account" is rarely heard and rarely true.
Transmission security: email, portals, and the quiet problem of fax
The final technical safeguard asks you to guard ePHI against unauthorized access while it is in motion — across your network, the public internet, and any external systems. Most practices handle the obvious cases: TLS on the EHR portal, encrypted email options for patient communications, VPNs for remote providers.
The less-obvious failure is fax. Many Texas medical practices still fax patient records because referring physicians and insurance companies demand it, and the fax is frequently routed through an on-premises analog line or a VoIP fax adapter. Analog fax over a real phone line is generally considered acceptable under HIPAA's transmission requirements. A fax sent over a VoIP connection without proper T.38 handling is, depending on the carrier and configuration, potentially a breach in every transmission. If your practice faxes ePHI, your IT provider should have verified your fax path end-to-end, and the verification should be in writing.
HIPAA compliance is not something you buy. It is something you do — continuously, with documentation that matches reality.
The administrative controls IT providers are expected to support
The technical safeguards above are the ones IT providers most often own outright. But the Security Rule's administrative safeguards — 45 CFR § 164.308 — also contain specific items your IT provider should be actively supporting.
A written risk analysis, updated at least annually and after any material change to the environment, is required. Your IT provider should be producing that document, not just telling you you need one. The risk analysis should identify the systems in scope, the specific threats and vulnerabilities, the likelihood and impact of each, and the controls in place to mitigate them. A three-page risk analysis for a practice with twenty employees is not a risk analysis; it is a cover sheet.
Workforce security — the onboarding and offboarding of employees — also requires IT support. When a medical assistant leaves the practice on a Friday, their EHR account must be disabled on Friday, not eventually. The workstation they used should be reviewed for data, reassigned or wiped, and the action documented. This is a process problem more than a technology problem, but it requires a provider who will follow through.
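The follow-through is easier to guarantee when the Friday action is a script that leaves a record behind. The following is an added example of that script, not BVTech's procedure and not from the page: it disables the Active Directory account, invalidates the password, strips group memberships so a mistakenly re-enabled account carries no access, parks the object in a holding OU, and appends an evidence line. It assumes the ActiveDirectory module (RSAT) on a domain-joined admin host; the OU path, log path, function name and sample values are assumptions for this example. EHR, email and cloud accounts live in other systems and need the same treatment there.

```powershell
# Added example: same-day AD offboarding with an evidence record.
function Disable-PracticeUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Ticket,                                  # HR/change ticket reference
        [string]$DisabledOU = 'OU=Disabled Users,DC=practice,DC=local',         # assumed OU
        [string]$LogPath    = 'C:\Compliance\offboarding.log'                   # assumed log location
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf, Description
    $when = Get-Date -Format 'yyyy-MM-dd HH:mm'

    # 1. Block logon, then reset the password so a known credential is useless even if
    #    the account is re-enabled later for a records lookup.
    Disable-ADAccount -Identity $user
    $random = -join ((33..126) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
    Set-ADAccountPassword -Identity $user -Reset -NewPassword (ConvertTo-SecureString $random -AsPlainText -Force)

    # 2. Remove group memberships (the primary group, normally Domain Users, is not in MemberOf).
    $groups = @($user.MemberOf)
    foreach ($g in $groups) {
        Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false
    }

    # 3. Record the why and when on the object itself, then move it out of the live OUs.
    Set-ADUser -Identity $user -Description "Disabled $when, ticket $Ticket, groups removed: $($groups.Count)"
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOU

    # 4. Append one evidence line; this is what the risk analysis and an OCR request will cite.
    $line = "$when`t$SamAccountName`tdisabled`t$Ticket`tgroups_removed=$($groups.Count)`tby=$env:USERNAME"
    Add-Content -Path $LogPath -Value $line
    $line
}

# Constructed sample values, not a real user or ticket
Disable-PracticeUser -SamAccountName 'jdoe' -Ticket 'HR-0420'
```

Keeping the workstation step separate is deliberate: the script records that the account was closed; the wipe-or-reassign decision on the machine is a human step, and the log line is where it gets noted once done.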
Business Associate Agreements: who has yours?
Every vendor that creates, receives, maintains, or transmits ePHI on your practice's behalf needs a signed Business Associate Agreement. For most Texas medical practices, that list is longer than it first appears: the EHR vendor, the cloud backup provider, the email system, the document management system, the remote-access tool, the IT provider itself, and often the managed service handling phone transcription or AI note-taking.
Part of your IT provider's job is to maintain an inventory of these vendors and the current status of each BAA. If your provider cannot hand you that inventory, ask them for it; it is a reasonable test of whether they are actually engaged in your compliance or just running your tickets.
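An inventory you can hand over is a small table and a check that runs against it. The following is an added example of both, not BVTech's register or anything from the page: the vendor rows are constructed sample data, and the function name is mine. It flags every vendor that handles ePHI and has no signed BAA on file, an expired one, or one inside the renewal window.

```powershell
# Added example: vendor/BAA register as CSV, with a check for gaps and upcoming renewals.
# Constructed sample rows; replace with the practice's real vendor list.
$register = @'
Vendor,Service,HandlesEPHI,BAASigned,BAAExpires
ExampleEHR,Electronic health record,Yes,2023-02-14,2026-02-14
ExampleBackup,Cloud backup target,Yes,2024-06-01,2025-06-01
ExampleVoIP,Phone and fax adapter,Yes,,
ExampleSigns,Lobby signage,No,,
'@ | ConvertFrom-Csv

function Get-BaaFindings {
    param(
        [object[]]$Rows,
        [datetime]$AsOf = (Get-Date),
        [int]$RenewalWindowDays = 60
    )
    foreach ($r in $Rows) {
        if ($r.HandlesEPHI -ne 'Yes') { continue }      # no ePHI, no BAA required
        if (-not $r.BAASigned) {
            [pscustomobject]@{ Vendor = $r.Vendor; Finding = 'No signed BAA on file' }
            continue
        }
        if (-not $r.BAAExpires) {
            [pscustomobject]@{ Vendor = $r.Vendor; Finding = 'Signed BAA has no recorded term; confirm with vendor' }
            continue
        }
        $exp = [datetime]$r.BAAExpires
        if ($exp -lt $AsOf) {
            [pscustomobject]@{ Vendor = $r.Vendor; Finding = "BAA expired $($exp.ToString('yyyy-MM-dd'))" }
        } elseif (($exp - $AsOf).TotalDays -le $RenewalWindowDays) {
            [pscustomobject]@{ Vendor = $r.Vendor; Finding = "BAA renews within $RenewalWindowDays days" }
        }
    }
}

# With the constructed rows and this date: ExampleBackup renews within 60 days, ExampleVoIP has no BAA
Get-BaaFindings -Rows $register -AsOf ([datetime]'2025-05-15') | Format-Table -AutoSize
```

The phone and fax adapter row is there on purpose: it is the vendor most practices forget to list, and the same row is where the fax-path verification from the transmission-security section should be recorded.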
The seven things I check first
When BVTech takes over a Texas medical practice, here is the order in which I check the common failure points. It is not a full audit; it is the list of things I have seen bite small practices most often.
- Full-disk encryption on every workstation and laptop. Verified, not assumed.
- MFA enforcement on EHR, email, and remote access. The admin accounts especially.
- Backup with tested restore. When was the last time the provider actually restored a file from backup?
- Off-site, immutable backup copy with ninety-day retention minimum.
- Written risk analysis, dated within the last twelve months, specific to the practice.
- BAA inventory with every current vendor listed and current signed agreements.
- Audit logging enabled on all ePHI-bearing systems, with retention measured in months, not days.
If all seven are in place and documented, your practice is in better shape than most of the ones I walk into. If three or fewer are in place, which is the common case, you have work to do — and it is not work you need to finish in a weekend, but it is work you cannot reasonably defer another quarter.
Writing and reality, kept in sync
The single most important HIPAA-compliance discipline is keeping your documentation current with what your practice actually does. A beautiful policy binder that describes controls you have not implemented is worse than no binder at all; in an audit it documents the gap.
At BVTech, every medical client gets a living environment document that I update quarterly or on material change. It lists the systems in scope, the users and roles, the controls in place, and the exceptions where any addressable requirement is met through an alternative. It is the document I hand to the client's compliance officer when they need it, and it is the document I would hand to OCR in an investigation. That is the standard. Anything less and you are relying on luck.
If you're running a Texas medical practice and you'd like an honest read on where your current environment sits against the items above, I am happy to walk through them with you. Consultations are no-cost and no-pressure, and I will tell you the truth about what I see even if we are not ultimately the right fit for your practice.