Compliance

HIPAA and Your Office IT: A Practical Security Checklist for Dental and Medical Practices

June 9, 2026  ·  8 min read

HIPAA doesn't name specific products, but it absolutely requires specific technical safeguards. Here's what the Security Rule actually expects from a small practice's IT — in plain language.

Does HIPAA actually require specific IT controls?

Yes. The HIPAA Security Rule requires covered entities — including dental and medical practices of every size — to implement administrative, physical, and technical safeguards for electronic protected health information (ePHI). It doesn't name products or brands, but it names capabilities: access controls, audit logging, encryption, automatic logoff, backup, and a documented risk analysis.

Two things small practices often get wrong. First, there is no such thing as "HIPAA certified" software or a "HIPAA certified" IT provider — no government certification exists. Vendors can support your compliance, but compliance belongs to the practice. Second, the Security Rule applies regardless of practice size. A two-chair dental office has the same categories of obligations as a hospital system; only the scale of the implementation differs.

The good news: for a small practice running Microsoft 365 and a modern practice management system, meeting the technical safeguards is very achievable. Most of it is configuration, not new spending.

The technical safeguards most small practices are missing

After reviewing the IT environments of small healthcare practices, the same gaps appear again and again — and most of them map directly to Security Rule requirements.

Shared logins at the front desk. HIPAA requires unique user identification — every person who touches ePHI needs their own account. A shared "FrontDesk" login means your audit trail can't say who viewed or changed a record, and one phished password exposes everything. This is the single most common finding in small practices.

No multi-factor authentication. MFA isn't named in the 2003 Security Rule text, but regulators treat it as a baseline expectation under "reasonable and appropriate" safeguards, and it's the control most likely to have prevented the breaches that trigger enforcement. Enforce it for every account — especially email and remote access.

No automatic logoff. Workstations in operatories, exam rooms, and reception areas that stay logged in all day are a direct violation of an addressable specification. A screen-lock policy enforced through Intune or Group Policy fixes this in an afternoon.

Unencrypted devices. If a laptop with patient data walks out the door and the disk wasn't encrypted, that's a reportable breach. If it was encrypted, it generally isn't. BitLocker and FileVault are free — they just need to be turned on, enforced, and the keys escrowed somewhere recoverable.

Email, Microsoft 365, and the BAA most practices forgot to sign

Email is where most healthcare breaches start — usually a phished mailbox, not a hacked server. Two requirements matter here.

First, the business associate agreement (BAA). If patient information touches your Microsoft 365 tenant — email, OneDrive, SharePoint, Teams — you need a BAA with Microsoft. Microsoft offers one at no cost on business and enterprise plans, but it isn't automatic; it must be accepted through the admin center or volume licensing terms. Many practices have been running for years without one. The same applies to any vendor that stores or transmits ePHI for you: practice management, imaging, billing, even your IT provider.

Second, sending patient information by regular email. Standard email is not encrypted end to end. Practices should use Microsoft 365 message encryption or a patient portal for anything containing ePHI, and configure data loss prevention rules so a staff member can't accidentally email a spreadsheet of patient records to the wrong address.
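To make the DLP point concrete, here is an added example (not code from the article, and not how Microsoft Purview implements it internally) of the decision a data loss prevention rule makes on outbound mail: count the identifiers in the body and attachments, and let a single record produce a warning while a bulk export to an outside address is blocked. The regexes, the medical-record-number format, the bulk threshold and the sample CSV are all constructed assumptions; a real tenant uses the built-in sensitive information types rather than hand-written patterns.

```python
"""Outbound-mail ePHI check of the kind a DLP rule performs.

Added example, not code from the original article or from Microsoft 365.
The detection patterns, the thresholds and the sample export are constructed
assumptions; a real tenant uses the sensitive information types built into
Purview DLP rather than hand-written regexes."""
import re
from dataclasses import dataclass, field

# Indicators that a document contains identifiable patient data.
# The SSN pattern excludes area numbers 000, 666 and 9xx, which are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Hypothetical medical-record-number format used by this example's practice software.
MRN_RE = re.compile(r"\bMRN[-\s]?\d{6,8}\b", re.IGNORECASE)
DOB_RE = re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")

BULK_THRESHOLD = 10  # assumption: this many indicators in one message looks like an export


@dataclass
class Verdict:
    action: str                       # "allow", "warn" (policy tip) or "block"
    reasons: list = field(default_factory=list)


def count_indicators(text: str) -> dict:
    """Count each indicator type in a piece of text."""
    return {
        "ssn": len(SSN_RE.findall(text)),
        "mrn": len(MRN_RE.findall(text)),
        "dob": len(DOB_RE.findall(text)),
    }


def evaluate_message(body: str, attachments: dict, recipients: list, internal_domain: str) -> Verdict:
    """Decide whether an outbound message may leave the tenant.

    attachments maps filename -> extracted text; recipients are SMTP addresses.
    Mail that stays inside the practice's own domain is never blocked here."""
    external = [r for r in recipients if not r.lower().endswith("@" + internal_domain.lower())]
    counts = count_indicators(body)
    for content in attachments.values():
        for kind, n in count_indicators(content).items():
            counts[kind] += n
    reasons = [f"{n} {kind.upper()} pattern(s)" for kind, n in counts.items() if n]
    total = sum(counts.values())
    if not external or total == 0:
        return Verdict("allow", reasons)
    if total >= BULK_THRESHOLD:
        return Verdict("block", reasons + ["bulk patient data to an external recipient"])
    return Verdict("warn", reasons + ["patient data to an external recipient"])


def build_sample_export(rows: int) -> str:
    """Constructed CSV resembling a patient list exported from practice software."""
    lines = ["name,dob,ssn,mrn"]
    for i in range(1, rows + 1):
        lines.append(f"Patient {i},01/{(i % 28) + 1:02d}/1975,"
                     f"{100 + i:03d}-{10 + i:02d}-{1000 + i:04d},MRN-{1000000 + i:07d}")
    return "\n".join(lines)


if __name__ == "__main__":
    practice = "example-dental.example"
    cases = ((5, "someone@webmail.example"), (2, "someone@webmail.example"), (5, "dr@" + practice))
    for n, rcpt in cases:
        v = evaluate_message("Here is the list you asked for.",
                             {"patients.csv": build_sample_export(n)}, [rcpt], practice)
        print(f"{n} rows -> {rcpt}: {v.action} ({'; '.join(v.reasons)})")
```

The two-tier outcome matters: a warning with a policy tip teaches staff without stopping a legitimate single referral, while the block on bulk data is what prevents the "whole spreadsheet to the wrong address" incident the section describes.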

Beyond that, the anti-phishing fundamentals apply with more urgency than in other industries: SPF, DKIM, and DMARC on your domain, external sender tagging, and mailbox rules monitored for the forwarding tricks attackers use after compromising an account.
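The two checks in that paragraph are easy to script. The following is an added example (not from the article, and not a Microsoft tool): one function grades a domain's SPF, DKIM and DMARC records and says which are weak, and a second one reviews a list of inbox rules for the forwarding and hiding patterns worth monitoring. The DNS answers and the rules are constructed; in a real review the records come from a DNS lookup and the rules from the Exchange Online Get-InboxRule cmdlet, whose field names the sample mirrors.

```python
"""Two defender-side checks for a practice's mail domain and mailboxes.

Added example, not code from the original article. The DNS answers and the
inbox rules below are constructed; in practice the records come from a DNS
lookup and the rules from Exchange Online's Get-InboxRule output."""

# Constructed DNS TXT answers for a hypothetical practice domain.
SAMPLE_DNS = {
    "example-dental.example": ["v=spf1 include:spf.protection.outlook.com ~all"],
    "_dmarc.example-dental.example": ["v=DMARC1; p=none; rua=mailto:dmarc@example-dental.example"],
    "selector1._domainkey.example-dental.example": ["v=DKIM1; k=rsa; p=CONSTRUCTED_KEY_MATERIAL"],
}

# Constructed inbox rules with field names mirroring Get-InboxRule.
SAMPLE_RULES = [
    {"MailboxOwnerId": "frontdesk@example-dental.example", "Name": ".", "Enabled": True,
     "ForwardTo": ["archive@webmail.example"], "DeleteMessage": True},
    {"MailboxOwnerId": "dr@example-dental.example", "Name": "Newsletters", "Enabled": True,
     "MoveToFolder": "Newsletters", "MarkAsRead": False},
    {"MailboxOwnerId": "billing@example-dental.example", "Name": "Copy to partner", "Enabled": True,
     "RedirectTo": ["partner@example-dental.example"]},
]


def grade_domain(dns: dict, domain: str) -> list:
    """Return findings for SPF, DKIM and DMARC; an empty list means all three look right."""
    findings = []
    spf = next((r for r in dns.get(domain, []) if r.lower().startswith("v=spf1")), None)
    if spf is None:
        findings.append("SPF: no v=spf1 record published")
    else:
        all_tok = next((t for t in spf.split() if t.lower().lstrip("+-~?") == "all"), None)
        if all_tok is None or all_tok.lower() in ("all", "+all", "?all"):
            findings.append(f"SPF: 'all' mechanism is permissive or missing ({all_tok!r})")
        elif all_tok.lower() == "~all":
            findings.append("SPF: softfail (~all); move to -all once DMARC reports show no legitimate failures")
    dmarc = next((r for r in dns.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")), None)
    if dmarc is None:
        findings.append("DMARC: no record published")
    else:
        tags = {k.strip().lower(): v.strip()
                for k, v in (t.split("=", 1) for t in dmarc.split(";") if "=" in t)}
        policy = tags.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={policy or 'missing'} only monitors; spoofed mail is still delivered")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so nobody receives aggregate reports")
    # Microsoft 365 publishes its signing keys under these two selector names.
    selectors = [f"selector{n}._domainkey.{domain}" for n in (1, 2)]
    if not any("p=" in r for s in selectors for r in dns.get(s, [])):
        findings.append("DKIM: no signing key published for the Microsoft 365 selectors")
    return findings


def find_suspicious_rules(rules: list, internal_domain: str) -> list:
    """Flag enabled rules that send mail out of the practice or hide it from the owner."""
    hits = []
    suffix = "@" + internal_domain.lower()
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        targets = ((rule.get("ForwardTo") or []) + (rule.get("ForwardAsAttachmentTo") or [])
                   + (rule.get("RedirectTo") or []))
        external = [t for t in targets if not t.lower().endswith(suffix)]
        reasons = []
        if external:
            reasons.append("forwards or redirects to an external address: " + ", ".join(external))
        if targets and rule.get("DeleteMessage"):
            reasons.append("forwards and then deletes the original, so the owner never sees it")
        if len(rule.get("Name", "")) <= 2:
            reasons.append(f"near-empty rule name {rule.get('Name')!r}, easy to overlook in the rule list")
        if reasons:
            hits.append({"mailbox": rule["MailboxOwnerId"], "rule": rule["Name"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for line in grade_domain(SAMPLE_DNS, "example-dental.example"):
        print("domain:", line)
    for hit in find_suspicious_rules(SAMPLE_RULES, "example-dental.example"):
        print("mailbox:", hit["mailbox"], "rule:", hit["rule"], "->", "; ".join(hit["reasons"]))
```

Run against the sample, the domain check reports the softfail SPF and the monitor-only DMARC policy, and the rule check flags only the front-desk mailbox. Scheduling the rule check to run after every sign-in from a new location is a cheap way to catch the post-compromise step the paragraph warns about.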

Backups and the contingency plan HIPAA explicitly requires

The Security Rule explicitly requires a data backup plan, a disaster recovery plan, and an emergency mode operation plan. For a small practice this doesn't mean enterprise infrastructure — it means being able to answer three questions: Where is every copy of patient data? How fast can we restore it? When did we last test that?

Cover both systems: your practice management and imaging data (often on a local server the software vendor backs up — verify this, don't assume it), and your Microsoft 365 data. Microsoft's built-in retention is not a backup; deleted mailboxes and ransomware-encrypted files can age out of recovery windows. A third-party Microsoft 365 backup costs a few dollars per user per month.

Test a restore at least annually and write down the result. In an audit or breach investigation, an untested backup plan is treated as no plan.
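"Write down the result" is easier when the restore test produces its own record. Here is an added example (not from the article or any backup product) of what that looks like: a manifest of file hashes taken when the backup is made, a comparison of the restored tree against it, and a dated PASS/FAIL record that also checks the restore finished inside a recovery-time objective. The files, hashes, timestamps and the 240-minute objective are constructed inside a temporary directory so the script runs anywhere; a real test points the same check at the practice's actual restored data.

```python
"""Verify a test restore against a backup manifest and record the result.

Added example, not code from the original article or any backup product.
The files, hashes and timings are constructed inside a temporary directory so
the script runs anywhere; a real test restores the practice's actual backup
set to a scratch location and points this check at it."""
import hashlib
import shutil
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256; taken when the backup is made."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: Path, started: datetime,
                   finished: datetime, rto_minutes: int) -> dict:
    """Compare a restored tree with the manifest and produce the dated record an auditor expects."""
    missing = [name for name in manifest if not (restored / name).is_file()]
    corrupted = [name for name in manifest
                 if name not in missing and sha256_file(restored / name) != manifest[name]]
    minutes = (finished - started).total_seconds() / 60
    passed = not missing and not corrupted and minutes <= rto_minutes
    return {
        "tested_on": finished.date().isoformat(),
        "files_expected": len(manifest),
        "missing": missing,
        "corrupted": corrupted,
        "restore_minutes": round(minutes, 1),
        "rto_minutes": rto_minutes,
        "result": "PASS" if passed else "FAIL",
    }


def run_demo(corrupt: bool = False, restore_minutes: int = 25, rto_minutes: int = 240) -> dict:
    """Simulate a backup, a test restore and the verification; timings are constructed."""
    with tempfile.TemporaryDirectory() as tmp:
        server = Path(tmp) / "server"
        (server / "images").mkdir(parents=True)
        (server / "practice.db").write_bytes(b"constructed sample database contents")
        (server / "images" / "xray-0001.dcm").write_bytes(b"constructed sample image bytes")
        manifest = build_manifest(server)

        restored = Path(tmp) / "restore-test"
        shutil.copytree(server, restored)
        if corrupt:  # a partial or silently broken restore
            (restored / "practice.db").write_bytes(b"truncated")

        started = datetime(2026, 6, 9, 18, 0, tzinfo=timezone.utc)  # constructed timestamps
        finished = started + timedelta(minutes=restore_minutes)
        return verify_restore(manifest, restored, started, finished, rto_minutes)


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
    print(json.dumps(run_demo(corrupt=True), indent=2))
```

The hash comparison is the part most practices skip: a restore that "completed" but left a truncated database file is the failure mode that only shows up the day you need it, and it is exactly what the second run above reports as FAIL.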

Where to start: the risk analysis

If your practice has never done a documented security risk analysis, start there — it's the first thing the Office for Civil Rights asks for after a breach report, and the most commonly cited gap in enforcement actions. It doesn't need to be a 100-page document. It needs to inventory where ePHI lives, identify the realistic threats, assess your current controls honestly, and produce a dated remediation plan you actually follow.

A practical sequence for a small practice: individual logins and MFA everywhere, BAAs collected from every vendor that touches ePHI, disk encryption and screen lock enforced on every workstation, email security configured, backups verified and tested, then the risk analysis documented around what you've built.

Intragreat Consulting works with dental and medical offices on exactly this — practical security reviews that map findings to Security Rule safeguards, then remediation through managed IT support. We're careful about claims: we don't certify compliance, because nobody can. We help you build and document the controls the rule expects. Our free security review is a straightforward place to start.