HIPAA compliance isn't just about patient privacy policies and staff training. The Security Rule contains specific Technical Safeguards that apply directly to your IT infrastructure, and in our experience working with clinics and DAHS centers across the Rio Grande Valley, these are the requirements most commonly overlooked.

1. Unencrypted Workstations and Laptops

If a staff member's laptop is stolen and the hard drive is not encrypted, that's a reportable breach, regardless of whether PHI was actually accessed. HIPAA requires encryption or an equivalent technical control on all devices that store or access patient data. BitLocker (Windows) and FileVault (Mac) are built-in and free. Most RGV medical offices we assess have never enabled either.
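One way to turn item 1 into a documented finding instead of a guess, as an added example that is not part of the original post: a PowerShell function (the name `Get-DiskEncryptionFinding` is my own) that reports the BitLocker state of every fixed volume on a Windows workstation and explains any gap in plain words. It assumes Windows 10/11 Pro or Enterprise with the BitLocker cmdlets present and an elevated session.

```powershell
# Added example: inventory BitLocker state per fixed volume for a HIPAA risk assessment.
# Assumes Windows 10/11 Pro/Enterprise (BitLocker module present) and an elevated session.
function Get-DiskEncryptionFinding {
    [CmdletBinding()]
    param()

    # Data at rest lives on fixed volumes; removable media is a separate control.
    $fixed = Get-Volume | Where-Object { $_.DriveType -eq 'Fixed' -and $_.DriveLetter }

    foreach ($vol in $fixed) {
        $mount = "$($vol.DriveLetter):"
        $bl    = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue

        $types = @()
        if ($bl) { $types = @($bl.KeyProtector | ForEach-Object { $_.KeyProtectorType }) }

        $encrypted   = [bool]($bl -and $bl.VolumeStatus -eq 'FullyEncrypted')
        $protected   = [bool]($bl -and $bl.ProtectionStatus -eq 'On')
        $hasRecovery = $types -contains 'RecoveryPassword'

        # State the gap the way the assessment report needs it, not just a status code.
        if (-not $bl)              { $note = 'BitLocker not available for this volume' }
        elseif (-not $encrypted)   { $note = "Volume is $($bl.VolumeStatus); a stolen drive is readable" }
        elseif (-not $protected)   { $note = 'Encrypted but protection is suspended (clear key on disk)' }
        elseif (-not $hasRecovery) { $note = 'No recovery password protector; escrow one before a lockout' }
        else                       { $note = 'OK' }

        $status = if ($bl) { "$($bl.VolumeStatus)" }     else { 'n/a' }
        $prot   = if ($bl) { "$($bl.ProtectionStatus)" } else { 'n/a' }
        $method = if ($bl) { "$($bl.EncryptionMethod)" } else { 'n/a' }

        [PSCustomObject]@{
            Computer      = $env:COMPUTERNAME
            Volume        = $mount
            VolumeStatus  = $status
            Protection    = $prot
            Method        = $method
            KeyProtectors = ($types -join ',')
            Compliant     = ($encrypted -and $protected)
            Note          = $note
        }
    }
}

# Usage: show the findings and keep a CSV as evidence for the written risk assessment.
Get-DiskEncryptionFinding | Format-Table -AutoSize
Get-DiskEncryptionFinding | Export-Csv -Path "$env:TEMP\bitlocker-findings.csv" -NoTypeInformation
```

On the Mac side, `fdesetup status` answers the same question for FileVault.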

2. Missing or Weak Access Controls

HIPAA requires that each user have a unique login; shared passwords are not acceptable. Role-based access means your front desk staff shouldn't be able to access clinical notes they don't need, and your billing team shouldn't have access to medication records. Every access should be logged. If you can't answer "who accessed this patient's record and when," you have a gap.

3. Unsecured Email for PHI

Sending patient information over standard unencrypted email violates HIPAA's transmission security requirements. This includes appointment reminders with any patient-identifiable information, lab results, referral letters, and anything else containing PHI. Microsoft 365 with proper configuration supports encrypted email, but out of the box it's not configured for HIPAA compliance.

4. No Documented Backup Procedure

HIPAA requires documented, tested procedures for backing up and recovering electronic PHI. "We think it's being backed up somewhere" is not a procedure. You need a written policy, automated backups with verification, offsite or cloud copies, and documented restore testing. Ransomware attacks on healthcare providers are at record highs; your backup is your last line of defense.

5. No Business Associate Agreement With Your IT Provider

If your IT provider can access systems containing PHI (and almost any managed IT provider can), they are legally a HIPAA Business Associate. You are required to have a signed BAA with them. Many IT companies in the RGV either don't know this or refuse to sign. IT Umbrella Group signs a BAA with every healthcare client as a standard part of our engagement.

The penalty reality: HIPAA fines range from $100 to $50,000 per violation, with annual caps up to $1.9 million per violation category. A single unencrypted stolen laptop with patient records on it can trigger a six-figure fine plus mandatory breach notification to every affected patient.

If any of these five items describes your current situation, the good news is that all of them are fixable. A proper HIPAA IT assessment typically takes less than a day and produces a clear remediation roadmap.

Protect your RGV business, starting today.

IT Umbrella Group offers free, no-obligation IT assessments for McAllen and Rio Grande Valley businesses. Let's talk about what you need.
