January 28, 2026 · Healthcare · Compliance · 7 min read
HIPAA basics for small Michigan medical practices
You're not too small to be in scope. A practical walkthrough of the IT-side HIPAA controls every Michigan medical office should have in place.
A common misconception in small medical practices: "We're too small for HIPAA to really apply." Wrong on the law and wrong on the risk. HIPAA's Security Rule applies to every covered entity that handles protected health information — full stop. The size of the practice doesn't change the requirements.
Below is a practical breakdown of the IT-side controls every Michigan medical office should have in place. None of it is exotic — it's just good operational discipline applied to a regulated context.
The four IT-side categories you have to address
1. Access controls
Every person who touches PHI needs a unique account — no shared logins, no "the front-desk login is taped to the monitor." Multi-factor authentication on email and any remote-access path. Conditional access policies that restrict where and when accounts can be used.
2. Audit logging
You have to know who accessed what, when. Most EHR vendors handle this for the PHI inside the application — but the IT layer underneath (endpoints, identity, file shares) needs logging too. If an account is compromised, you need to be able to show what it touched.
3. Integrity and transmission security
Disk encryption on every endpoint (BitLocker on Windows, FileVault on Mac). Encrypted email when sending PHI externally. TLS on every web-facing application. The principle: PHI in motion or at rest is encrypted by default.
4. Contingency planning
Backups, recovery and incident response. If your EHR is unavailable, what's the plan? If a ransomware event hits, who restores from where, and how long does it take? These need to be written down before you need them.
Business Associate Agreements (BAAs)
Every vendor who can access PHI on your behalf needs a signed BAA. That includes your MSP. It also includes your cloud-backup provider, your email security vendor, your document-management system. If a vendor refuses to sign one, that's your signal to find a different vendor.
HIPAA's penalties scale with the size of the breach and the willfulness of the failure. "We didn't know" is the most expensive answer.
Practical next steps
- Inventory every system that touches PHI — including ones you might not think of (printer spools, fax servers, scanned-document folders).
- Verify MFA on every account that can read PHI.
- Confirm encryption on every endpoint and every backup. If it's not on, you're not covered.
- Sign a BAA with every vendor in scope.
- Document an incident-response plan. One page is fine — but write it down.
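For the "confirm encryption on every endpoint" step, here is an added example (not from the original post) of a read-only BitLocker audit a practice or its MSP could run on each Windows endpoint. It assumes an elevated PowerShell session with the built-in BitLocker module; the function name Get-BitLockerAudit is ours, not a Windows cmdlet.

```powershell
# Added example, not part of the original post. Assumes a Windows endpoint with the
# BitLocker PowerShell module and an elevated session. Read-only: it reports, it
# does not change any volume.
#Requires -RunAsAdministrator

function Get-BitLockerAudit {
    # Hypothetical helper name; wraps the real Get-BitLockerVolume cmdlet.
    [CmdletBinding()]
    param()

    $findings = foreach ($vol in Get-BitLockerVolume) {
        # A recovery password protector is what lets you recover the data
        # after a board swap or a forgotten PIN; no protector means the
        # contingency plan has a hole even if the disk is encrypted.
        $recoveryProtector = $vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }

        # "Encrypted" alone is not enough: the volume must be fully encrypted
        # AND protection must be on (a suspended volume exposes the key).
        $compliant = ($vol.VolumeStatus -eq 'FullyEncrypted') -and
                     ($vol.ProtectionStatus -eq 'On') -and
                     ($null -ne $recoveryProtector)

        [pscustomobject]@{
            Computer            = $env:COMPUTERNAME
            MountPoint          = $vol.MountPoint
            VolumeType          = $vol.VolumeType
            VolumeStatus        = $vol.VolumeStatus
            ProtectionStatus    = $vol.ProtectionStatus
            EncryptionPercent   = $vol.EncryptionPercentage
            HasRecoveryPassword = [bool]$recoveryProtector
            Compliant           = $compliant
        }
    }
    return $findings
}

$report = Get-BitLockerAudit
$report | Format-Table -AutoSize

# Non-zero exit lets an RMM job or scheduled task flag the endpoint for follow-up.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

Whether the recovery password is actually escrowed (to Active Directory, Entra ID, or your RMM) is a separate check; this script only confirms a recovery protector exists on the volume.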
If any of this feels overwhelming, that's the right reaction — and exactly why an outside team helps. We work with small medical and dental practices across the Lansing area and run this checklist as part of the standard managed-IT engagement.