Chiropractic Economics

Your cybersecurity checklist: What you need to know

Cyberattacks are on the rise, and healthcare practices of all sizes, including chiropractic offices, are being targeted.

A single breach can cost you money, your reputation and the trust you’ve worked so hard to build. With the latest HIPAA rules now active, cybersecurity isn’t just smart—it’s required.

The good news? You don’t need to be an IT expert to get this right. You just need to know what’s changed and take action.

HIPAA has tightened up: Here’s what’s new

HIPAA’s updated rules require faster responses and tighter safeguards. When a patient requests their records, you now have 15 days to respond, half the 30 days previously allowed, and you are expected to contain, assess and report a breach promptly as well. That means your systems and protocols need to be ready to move quickly: you should already know where every copy of patient data lives and who can reach it.

Encryption is now mandatory for all protected health information, whether it’s stored on a server, emailed or backed up to the cloud. HIPAA also requires multi-factor authentication, meaning staff need a second factor, such as an authenticator app or a hardware key, in addition to a password before they can reach patient data.

Patients have new rights, too. They can ask for their health records to be sent to personal health apps and can take pictures of their records during a visit. There are also enhanced protections around reproductive health information, which means you need to update your privacy notices accordingly.

Check your tech and communication tools

Start by talking to your electronic health records (EHR) provider. Ask whether your data is encrypted at rest and in transit, whether multi-factor authentication is available and turned on for every account (not just administrators), and whether access logs are kept and can be exported to you so someone in your office can review who opened which chart and when. If they can’t say yes to all of those questions, it’s time to reassess.
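Access logs only protect you if someone actually reads them. The following is an added example, not code from this article or from any EHR vendor, of the two simplest reviews a small office can run over an exported log: access outside office hours, and one user opening an unusually large number of distinct charts in a day (the classic sign of snooping or a bulk export). The CSV layout (timestamp, user, patient_id, action) is a hypothetical format assumed for the example; real EHR exports differ, so the parser will need adapting to your vendor’s columns.

```python
"""Weekly EHR access-log review: after-hours access and bulk chart access.

Added example for this article; not from the article or any EHR product.
The CSV format below is assumed for illustration. Real exports differ.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, time

# Constructed sample export: a normal morning for front-desk user "jane" and
# the provider "dr_lee", then "tom" opening six different charts at 10 p.m.
SAMPLE_LOG = """timestamp,user,patient_id,action
2025-03-03T08:05:00,jane,P1001,view
2025-03-03T08:40:00,jane,P1002,view
2025-03-03T09:15:00,jane,P1003,view
2025-03-03T10:02:00,dr_lee,P1001,update
2025-03-03T22:10:00,tom,P2001,view
2025-03-03T22:11:00,tom,P2002,view
2025-03-03T22:12:00,tom,P2003,view
2025-03-03T22:13:00,tom,P2004,view
2025-03-03T22:14:00,tom,P2005,view
2025-03-03T22:15:00,tom,P2006,view
"""

OFFICE_OPEN = time(7, 0)    # assumed office hours; set to your own schedule
OFFICE_CLOSE = time(19, 0)
MAX_DISTINCT_PATIENTS_PER_DAY = 5  # tune to your real daily patient volume


def parse_log(text):
    """Yield (timestamp, user, patient_id, action) from the CSV export."""
    for row in csv.DictReader(io.StringIO(text)):
        yield (datetime.fromisoformat(row["timestamp"]), row["user"],
               row["patient_id"], row["action"])


def after_hours_events(text):
    """Return every log row whose timestamp falls outside office hours."""
    flagged = []
    for ts, user, pid, action in parse_log(text):
        if not (OFFICE_OPEN <= ts.time() < OFFICE_CLOSE):
            flagged.append((ts.isoformat(), user, pid, action))
    return flagged


def bulk_access_users(text, limit=MAX_DISTINCT_PATIENTS_PER_DAY):
    """Return {(user, date): count} for users who touched more than `limit`
    distinct patient charts on a single day."""
    seen = defaultdict(set)
    for ts, user, pid, _ in parse_log(text):
        seen[(user, ts.date().isoformat())].add(pid)
    return {key: len(pids) for key, pids in seen.items() if len(pids) > limit}


def review(text):
    """Run both checks; keep the output with your compliance records."""
    return {"after_hours": after_hours_events(text),
            "bulk_access": bulk_access_users(text)}


if __name__ == "__main__":
    for finding, rows in review(SAMPLE_LOG).items():
        print(finding, rows)
```

Neither check proves wrongdoing on its own; a provider catching up on notes at night is normal. The point is that a human looks at the exceptions every week and writes down what was found, which is exactly the kind of record an auditor asks for.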

Next, take a good look at your communication platforms. Email, texting, appointment reminders and even mobile apps must all meet HIPAA’s security standards. If you’re storing or transmitting patient data with any of these tools, encryption and secure access are a must. Ordinary SMS text messages are not encrypted, so a reminder that includes a diagnosis or treatment detail is a disclosure you cannot protect; keep reminders to date, time and location, or use a messaging platform that encrypts and is covered by a business associate agreement.

Think of this like performing a spinal screening on your practice’s technology. Any misalignment in your system could lead to serious consequences.

Why penetration testing is worth your time

Here’s a powerful but often overlooked tool: penetration testing. This is when a cybersecurity expert attempts to “break into” your system—legally—to find weaknesses before a real hacker does.

While not technically required under HIPAA, penetration testing is highly recommended and feeds directly into the Security Rule’s required risk analysis. It does not replace that analysis, which must also cover policies, people and vendors, but it gives you hard evidence of your technical vulnerabilities and practical steps to fix them. You’ll receive a report showing where your systems are strong and where they’re exposed as of the date of the test; fix the findings and retest, because a report is only a snapshot.

This isn’t just smart; it’s proactive protection.

Your vendors matter: Hold them accountable

If you work with third-party vendors who handle patient data, such as billing companies or EHR providers, you’re responsible for their security practices, too.

Every vendor that handles patient data must sign a business associate agreement (BAA) confirming their commitment to HIPAA compliance; a vendor that won’t sign one shouldn’t be touching patient data. And under the new rules, you’re now expected to verify their security measures annually. That means asking about their encryption standards, breach response plans and data storage practices. Keep that documentation; it’s your safety net in an audit.

Train your team like it’s a priority

Most data breaches start with a person, not a broken system. Someone clicks a malicious link, reuses a password or leaves a screen open and suddenly, you’ve got a reportable HIPAA breach.

That’s why staff training is critical. Everyone in your office should know the new HIPAA rules, understand how to spot phishing attempts and follow proper protocols for handling sensitive data. Make training a regular part of your team meetings and document everything, including who attended, what was covered and when.

Your team doesn’t have to be tech-savvy, but they do need to be alert and informed.

Even small practices need big protection

You might be thinking, “I run a small practice—does this all still apply to me?” It absolutely does. HIPAA doesn’t make exceptions based on size. What it does allow is flexibility in how you meet the standards.

That means you don’t need the same setup as a hospital, but you do need reasonable safeguards. Choose HIPAA-compliant tools. Turn on full-disk encryption and automatic screen locks on every laptop, phone and tablet that touches patient data, and enable remote wipe so a lost device is a nuisance rather than a reportable breach. Make sure your office policies are up to date.

This is about doing what’s appropriate for your practice—without cutting corners.

Your cybersecurity checklist

If you’re wondering where to start, here’s a simple plan:

Final thoughts: Cybersecurity is an act of trust

Cybersecurity isn’t just about checking off a compliance box. It’s about honoring the trust your patients place in you. When someone walks into your office, they’re entrusting you not only with their spine but with their most personal health information. Keeping that information safe is part of delivering excellent care.

Think of cybersecurity the way you think about patient health: Don’t wait for a crisis to take action. Build your systems. Educate your team. Review and adjust as needed.

Mark Sanna, DC, ACRB LEVEL II, FICC, is the CEO of Breakthrough Coaching, a practice management company for chiropractic and multidisciplinary practices. He is a Board member of the Foundation for Chiropractic Progress, a member of the Chiropractic Summit and a member of the Chiropractic Future Strategic Plan Leadership Committee. Sanna is the author of “Cracking the Code: Marketing Chiropractic—How Chiropractors Align Spines and Minds,” available on amazon.com. To learn more, call 800-723-8423 or visit mybreakthrough.com.
