HIPAA compliance isn’t optional for NYC healthcare practices — and the penalties for non-compliance can be severe. The Department of Health and Human Services levied over $135 million in HIPAA settlements and penalties in recent years, with fines reaching into the millions for practices that failed to implement basic security controls.
But beyond avoiding fines, proper HIPAA-compliant IT practices protect your patients’ most sensitive information and preserve the trust that is fundamental to healthcare. SolvedIT has provided HIPAA-compliant IT services to medical practices, dental offices, mental health providers, and healthcare administrative organizations across New York City, New Jersey, and Connecticut for over a decade. Here’s what your IT provider should be doing to keep you compliant.

HIPAA IT Compliance for NYC Healthcare Practices: A Complete Checklist
Conducting and Documenting a Risk Analysis
HIPAA’s Security Rule requires covered entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. This isn’t a one-time checkbox: it must be repeated periodically and whenever significant operational or environmental changes occur (a new EHR, a move to cloud hosting, a merger or acquisition), and its findings must feed a documented risk management plan that tracks each identified risk to remediation or a recorded, justified acceptance. SolvedIT performs documented risk analyses for all healthcare clients and maintains the records required during an HHS audit.
Encrypting ePHI at Rest and in Transit
HIPAA’s encryption specifications are “addressable” rather than “required,” but addressable does not mean optional: a covered entity must implement the measure where it is reasonable and appropriate, or document why it is not and put an equivalent alternative in place. HHS has treated unencrypted ePHI with no such documented justification as a compliance failure. Encryption also decides how a loss is handled: ePHI encrypted in line with HHS guidance is not “unsecured PHI,” so a lost or stolen encrypted laptop is generally not a reportable breach (provided the key was not compromised with it), while an unencrypted one usually is. All laptops, workstations, mobile devices, and portable media must encrypt data at rest. All transmission of ePHI, including email, patient portal communications, and file transfers, must use encryption in transit; plain SMTP without TLS and unencrypted FTP do not qualify. SolvedIT implements encryption across all endpoints and communication channels and verifies it against the actual device inventory, because an encryption policy that nobody checks is a finding waiting to happen.
Implementing Access Controls and Audit Logs
Only staff who need access to specific patient records to do their jobs should have it. Role-based access controls, a unique user ID for every person (no shared or generic logins), automatic logoff after inactivity, and audit logs recording who accessed which records, when, and what they did are the controls HIPAA expects. Unique user identification and audit controls are required implementation specifications; automatic logoff is addressable, which means implementing it or justifying its absence in writing. The logs are only half the control: the Security Rule also requires regular review of information system activity, so someone must actually examine the audit trail for inappropriate access and document that the review happened. SolvedIT configures these controls in your EHR system, network, and all supporting applications.
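The review step above is where most practices fall short: the EHR writes an audit trail, but nobody reads it. The following is an added example, not SolvedIT’s tooling or any EHR vendor’s code, of what a minimal periodic review can look like. It assumes a hypothetical one-line-per-event log format, a hypothetical role-to-record-type policy, and a small user directory; the log lines are constructed for the example and do not come from any real system. It flags four things an auditor would want surfaced: a user reading a record type their role does not permit, a shared account, a login not in the directory, and after-hours or unusually high-volume access.

```python
"""Audit-trail review for role-based access to ePHI (illustrative; hypothetical formats)."""
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical role -> permitted record types. A real policy comes from the
# practice's documented access-control procedure; these values are illustrative.
ROLE_PERMISSIONS = {
    "physician":  {"demographics", "clinical_note", "lab_result", "medication"},
    "nurse":      {"demographics", "clinical_note", "lab_result", "medication"},
    "front_desk": {"demographics", "appointment"},
    "billing":    {"demographics", "claim"},
}

# Hypothetical user directory (user ID -> role). Known shared/generic logins are
# listed separately so the review flags them: HIPAA requires unique user IDs.
USER_ROLES = {"jsmith": "physician", "rlee": "nurse",
              "mgarcia": "front_desk", "tbill": "billing"}
SHARED_ACCOUNTS = {"frontdesk_pc"}

# Hypothetical log line format: ISO timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) patient=(?P<patient>\S+) "
    r"record=(?P<record>\S+) action=(?P<action>\S+)$"
)

# Constructed sample audit trail (not from any real EHR).
SAMPLE_LOG = """\
2024-03-04T09:12:01 user=jsmith patient=P1001 record=clinical_note action=view
2024-03-04T09:15:44 user=mgarcia patient=P1001 record=clinical_note action=view
2024-03-04T02:30:10 user=rlee patient=P2002 record=lab_result action=view
2024-03-04T10:01:02 user=frontdesk_pc patient=P3003 record=demographics action=view
2024-03-04T10:05:00 user=rlee patient=P1001 record=medication action=update
2024-03-04T11:00:00 user=tbill patient=P5001 record=demographics action=view
2024-03-04T11:00:05 user=tbill patient=P5002 record=demographics action=view
2024-03-04T11:00:09 user=tbill patient=P5003 record=demographics action=view
2024-03-04T11:00:12 user=tbill patient=P5004 record=demographics action=view
2024-03-04T11:00:15 user=tbill patient=P5005 record=demographics action=view
2024-03-04T11:00:19 user=tbill patient=P5006 record=demographics action=view
2024-03-04T12:00:00 user=unknown99 patient=P1001 record=demographics action=view
"""


def parse_line(line):
    """Parse one audit event; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def review_log(text, business_hours=(7, 19), max_patients_per_day=5):
    """Return (rule, user, detail) findings for a human reviewer to examine."""
    findings = []
    patients_by_user_day = defaultdict(set)
    for raw in text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        user, rec = ev["user"], ev["record"]
        # Identity checks: shared logins and unknown accounts defeat accountability.
        if user in SHARED_ACCOUNTS:
            findings.append(("shared_account", user, raw))
        elif user not in USER_ROLES:
            findings.append(("unknown_user", user, raw))
        elif rec not in ROLE_PERMISSIONS[USER_ROLES[user]]:
            # Role-based check: record type outside what this role may touch.
            findings.append(("role_violation", user, f"{USER_ROLES[user]} accessed {rec}"))
        # Timing check: access outside business hours warrants a look.
        if not (business_hours[0] <= ev["ts"].hour < business_hours[1]):
            findings.append(("after_hours", user, raw))
        patients_by_user_day[(user, ev["ts"].date())].add(ev["patient"])
    # Volume check: many distinct charts in one day suggests snooping or bulk export.
    for (user, day), patients in patients_by_user_day.items():
        if len(patients) > max_patients_per_day:
            findings.append(("high_volume", user, f"{len(patients)} distinct patients on {day}"))
    return findings


def summarize(findings):
    """Count findings per rule, the figure a reviewer records for the monthly log review."""
    counts = {}
    for rule, _, _ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, user, detail in review_log(SAMPLE_LOG):
        print(f"{rule:15} {user:14} {detail}")
    print(summarize(review_log(SAMPLE_LOG)))
```

The thresholds (business hours, patients per day) are deliberately parameters: a hospitalist legitimately opens far more charts than a billing clerk, so tune them per role before treating a hit as misconduct. What matters for the HIPAA record is that the review runs on a schedule, that findings are followed up, and that both are documented.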
Managing Business Associate Agreements (BAAs)
Every vendor that creates, receives, maintains, or transmits your patients’ PHI on your behalf, including your IT provider, your cloud backup provider, your email service, and your practice management software vendor, must have a signed Business Associate Agreement on file before it handles that data. A BAA does not shift responsibility off your practice; it contractually binds the vendor to the same safeguards and breach-reporting duties you carry. SolvedIT provides BAAs for all services we deliver to healthcare clients, and helps practices identify and secure BAAs from all other relevant vendors.
Training Staff and Documenting Policies
Human error is the leading cause of HIPAA breaches. Regular staff training on phishing, proper data handling, and breach reporting procedures is required — and must be documented. SolvedIT provides HIPAA security awareness training and helps practices develop the written policies and procedures required for compliance.
Maintaining Secure Backup and Disaster Recovery
HIPAA requires that ePHI remain available and intact. The Security Rule’s contingency plan standard calls for a data backup plan, a disaster recovery plan, and emergency mode operations, with periodic testing of those procedures. Immutable, encrypted backups held by a provider under a BAA, with documented recovery procedures and scheduled restore tests, are how practices meet that requirement; a backup that has never been restored is an assumption, not a control. SolvedIT implements backup solutions specifically designed for healthcare compliance requirements.
HIPAA compliance is not something you can delegate entirely to your EHR vendor or your cloud provider. Each covered entity is responsible for the security of the ePHI it creates, stores, and transmits — regardless of where that data lives. The right IT partner makes compliance manageable and defensible.
SolvedIT provides fully HIPAA-compliant managed IT services to medical practices, dental offices, behavioral health providers, and healthcare organizations throughout New York City, New Jersey, and Connecticut. We sign BAAs, conduct risk analyses, implement required technical safeguards, and provide the documentation you need for an HHS audit.
Is your practice truly HIPAA-compliant? Contact SolvedIT today for a confidential HIPAA IT assessment and find out where your gaps are before a breach or an audit does.


