Chiropractic Economics
Key actions for HIPAA compliance in chiropractic practice

Ty Talcott, DC, CHPSE August 14, 2025

Understanding and implementing HIPAA requirements is essential to protecting your practice.

In light of recent and upcoming changes in HIPAA laws and the new administration, it is critical for you to understand the policies, forms and procedures needed in your practice to maintain a defensible position. There is much more required under HIPAA than simply having an authorization form and keeping patient files out of sight, including the need for a comprehensive compliance manual that is constantly updated to reflect regulatory changes.

Most complaint investigations quickly go from the original accusation to whether a practice is compliant overall. The government will demand specific parts of your compliance program. The results could be disastrous if you lack a defensible system or cannot provide what they need.

For instance, as of 2024, the “willful neglect” fine—which is often determined by what is missing in your HIPAA program—starts at more than $70,000 per violation, per day. (Fines vary annually and are subject to inflation.)1

According to the US Department of Health and Human Services (HHS)2, HIPAA requires offices to implement policies and procedures tailored to how they access, store, transmit and protect protected health information (PHI), which varies by practice. While HHS does not require a specific page count, our experience indicates that policies often exceed 100 pages of content and completed HIPAA manuals can surpass 300 pages. Furthermore, the program expands each year as documented reviews, evaluations and self-audits are integrated.

Key actions for HIPAA compliance

1. Conduct a comprehensive risk analysis

A risk analysis is a fundamental requirement that identifies potential vulnerabilities in how electronic protected health information (ePHI) is handled. This assessment evaluates your current posture and outlines the next steps for securing data.

The HHS Office for Civil Rights (OCR) requires a risk analysis in every HIPAA-related investigation, regardless of the original complaint. Since 2010, the government has demanded this document in every investigation we’ve supported—no matter the allegation. HHS maintains that if a risk analysis doesn’t exist, regulators assume the practice is not following HIPAA at all.

2. Review and prepare to update your notice of privacy practices

Under the HIPAA Privacy Rule3, chiropractic offices must notify patients of their rights and how their information is used and shared through the notice of privacy practices (NPP). This document should be reviewed and updated regularly.

2024 changes

As of June 25, 2024, and with a compliance deadline of December 23, 2024, HHS proposed changes to HIPAA to provide additional protections for reproductive health.4

DCs should closely monitor these proposals and be ready to update their NPPs. Although this new rule requires changes to the NPP, the government has stated that it will not enforce them until February 2026.

3. Implement employee training programs

HIPAA requires staff training to ensure compliance with privacy and security rules.5 Employees must be trained to handle PHI, recognize cybersecurity threats and respond to potential breaches properly.6

Best practices

  • Annual HIPAA training for all staff.
  • Completing HIPAA training for new hires within 30 days is considered a best practice; we recommend a maximum of 45 days.7
  • HIPAA also requires issuing periodic security reminders to your workforce. DCs are often aware of annual training but may overlook onboarding and security reminders. These elements help create a defensible compliance position and reduce regulatory scrutiny.

4. Establish security policies and procedures

The HIPAA Security Rule is being updated to implement administrative, physical and technical safeguards tailored to the practice’s size and complexity.8

Emerging best practices

  • Multifactor authentication (MFA) for systems accessing PHI
  • Enhanced encryption for patient data

Note: While HIPAA doesn’t require specific operating systems, whatever is used must be secure and supported. For example, Windows 10 will no longer be supported after October 2025. Using outdated software can put a practice in a state of noncompliance, so keep your systems updated to minimize the risk of data breaches.

5. Create a breach response plan

Every practice should maintain a formal breach response plan to reduce risk and show accountability. A rapid response can help limit a breach’s impact and demonstrate active compliance.

2024 proposals emphasize:

  • A written breach response plan
  • Faster reporting with more detailed records

Failing to have a clear, written response plan can leave a practice vulnerable to compliance violations, regulatory penalties and reputation damage. We have resources to assist practices in developing a compliant breach response protocol.

Though not yet final, these updates highlight the need for clear protocols regarding who to notify, how to investigate and how to document breaches.

6. Use secure communication methods

When communicating PHI via email, text or digital tools, practices must either use encryption or implement a documented, reasonable safeguard instead.9

Although encryption is classified as an “addressable” standard by HHS, that does not mean it is optional. You must either implement it or document why your alternative approach is reasonable based on your size, resources and risk profile.

7. Regularly review and update policies

HIPAA requires chiropractic offices to:

  • Conduct annual compliance reviews
  • Implement security audits
  • Revise policies when regulations change

These updates must be documented in your HIPAA manual to demonstrate ongoing effort and compliance.

8. Ensure business associate agreements are in place

Any third party with access to patient information must have a signed business associate agreement (BAA). Without it, their errors could become your legal liability.

Regularly audit your vendor list, confirm BAAs are current and ensure your associates understand their responsibilities.

9. Implement secure EHR systems

Properly secured electronic health record (EHR) and electronic medical record (EMR) systems enhance compliance—if they meet encryption standards.

10. Document everything

All training, audits, risk assessments and incident responses must be maintained and readily available. HHS expects detailed records showing a “good faith effort” to comply with HIPAA safeguards.

Final thoughts

By following these 10 key actions, you can do more than avoid costly fines; you can strengthen your practice’s security and stay ahead of regulatory changes. HIPAA compliance isn’t just about rules or laws. It’s about protecting your reputation, your practice and the patients who depend on you.

As regulations change, being proactive rather than reactive sets your practice apart and helps ensure long-term success. The time to update your compliance program isn’t after an audit or data breach—it’s now.

Ty Talcott, DC, CHPSE, is a highly respected healthcare compliance professional and a licensed doctor of chiropractic. As the CEO of HIPAA Compliance Services and Power Strategies Inc., Talcott has attended the national cybersecurity symposium in Washington, D.C., and has guided numerous healthcare practices through webinars, live events and practice management consulting. He is dedicated to protecting the chiropractic profession and empowering innovative doctors to safeguard their practices against complaints, errors, cyberattacks and government audits. For more information,
visit drtythecomplianceguy.com, email ty.talcott@gmail.com or call 469-371-8804.

Legal disclaimer: The views expressed in this article are those of the author and are provided for general information only. This content does not constitute legal advice nor establish a provider-client relationship. HIPAA laws are complex and evolving; consult qualified legal or compliance professionals for advice tailored to your practice. No guarantees are made regarding completeness or accuracy, and the author disclaims any liability arising from the use of this content.

References
  1. Annual civil monetary penalties inflation adjustment. A rule by the Department of Health and Human Services. Federal Register. August 2024. https://www.federalregister.gov/documents/2024/08/08/2024-17466/annual-civil-monetary-penalties-inflation-adjustment/. Accessed June 24, 2025.

  2. HIPAA enforcement. US Department of Health and Human Services. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/. Accessed June 24, 2025.

  3. The HIPAA privacy rule. US Department of Health and Human Services. September 2024. https://www.hhs.gov/hipaa/for-professionals/privacy/. Accessed June 24, 2025.

  4. HIPAA and reproductive health. US Department of Health and Human Services. June 2025. https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/. Accessed June 24, 2025.

  5. The security rule. US Department of Health and Human Services. October 2022. https://www.hhs.gov/hipaa/for-professionals/security/. Accessed June 24, 2025.

  6. HIPAA security rule to strengthen the cybersecurity of electronic protected health information. Federal Register. 2025;90(3):898-1022. https://www.govinfo.gov/content/pkg/FR-2025-01-06/pdf/2024-30983.pdf. Accessed June 24, 2025.

  7. Administrative requirements. Code of Federal Regulations, 45 CFR 164.530. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.530/. Accessed June 24, 2025.

  8. Does HIPAA permit health care providers to use email to discuss health issues with patients? US Department of Health and Human Services. https://www.hhs.gov/hipaa/for-professionals/faq/570/does-hipaa-permit-health-care-providers-to-use-email-to-discuss-health-issues-with-patients/index.html. Accessed June 24, 2025.

  9. Is the use of encryption mandatory in the Security Rule? US Department of Health and Human Services. https://www.hhs.gov/hipaa/for-professionals/faq/2001/is-the-use-of-encryption-mandatory-in-the-security-rule/index.html. Accessed June 24, 2025.

Filed Under: Chiropractic Practice Management, Issue-13-2025 Tagged With: HIPAA, Ty Talcott