HIPAA Security Rule
The HIPAA Security Rule, made practical
The Security Rule protects electronic protected health information (ePHI) through administrative, physical, and technical safeguards. This hub brings together everything a small medical or dental practice needs — what's required today, what the 2025 proposed update signals, and the concrete controls that actually move the needle — without the fearmongering.
The honest version: the current Security Rule remains in effect and enforced. A proposed update from HHS/OCR (published early 2025) signals where requirements are heading, but it is not yet law. Our goal here is to help you meet today's obligations and position sensibly for what's proposed — and to strengthen your security posture, not to scare you into a panic purchase.
Start here
The big picture: what the Security Rule requires today, and what the 2025 proposed update signals for tomorrow.
HIPAA Security Rule 2026: What Small Medical and Dental Practices Need to Know Now
The cornerstone overview — current enforceable rule vs. the proposed update.
Read articleHIPAA Compliance for Small Clinics: A Practical Guide
A practical, plain-English compliance walkthrough for small practices.
Read articleAdministrative safeguards
The policies, people, and processes at the heart of the rule — starting with a real risk analysis.
Why Your HIPAA Risk Analysis Cannot Be a Checkbox Exercise
Why the risk analysis is the cornerstone control — and how practices get it wrong.
Read articleSecurity Awareness Training That Actually Works: Beyond Click-Through Compliance
Workforce training that changes behavior, not just click-through compliance.
Read articleBusiness Associates, BAAs, and MSPs: Who Is Responsible for What?
BAAs, vendors, and who is actually responsible for what.
Read articleVendor Risk Management for Small Healthcare Practices
A practical program for managing third-party and vendor risk on a small-practice budget.
Read articleWho Needs to Sign Your BAA? A Practical Guide for MSPs
The MSP side of the BAA chain — why "conduit exempt" almost never applies and how to build a defensible vendor BAA program.
Read articleAI in Dentistry and Oral Surgery: The HIPAA Questions to Ask First
AI tools are business associates too — why no BAA means no PHI, even for a large language model.
Read articleThe Healthcare Employee Offboarding Checklist Nobody Runs on Time
Termination procedures in practice — a same-day checklist to revoke a departing employee's access to ePHI.
Read articleTechnical safeguards
The technical controls that protect ePHI in practice — access, encryption, monitoring, and segmentation.
MFA for Healthcare: Where It Matters Most and Where Clinics Get It Wrong
Multi-factor authentication: where it matters most and common clinic mistakes.
Read articleEncryption at Rest and in Transit: What That Actually Means for a Doctor's Office
What encryption at rest and in transit actually means for a doctor's office.
Read articleEDR vs. Traditional Antivirus: What Should Your Organization Choose?
Modern endpoint defense vs. legacy antivirus.
Read articleWhy Guest Wi-Fi Should Never Touch Your Clinical Network
Network segmentation: keeping guest Wi-Fi away from clinical systems.
Read articleDevice Code Phishing Is Bypassing MFA: What Small Practices Should Do
How device code phishing bypasses MFA on Microsoft 365 — and how to shut it down.
Read articleEmail Security for Healthcare Practices: Stopping Phishing
A layered email-defense model — SPF/DKIM/DMARC, staff triage, and response — to stop phishing.
Read articleHow to Secure Remote Access VPN for a Small Healthcare Practice
Securing remote-access VPNs: why they get breached, a hardening checklist, and VPN vs. ZTNA.
Read articleWho Secures Your Patient Data in the Cloud? The Shared Responsibility Model for Healthcare SaaS
The cloud shared-responsibility model — which SaaS security settings you must configure to protect ePHI.
Read articleHow to Audit Third-Party App Access to Your Healthcare SaaS
Connected apps and OAuth tokens can reach ePHI without triggering MFA — how to inventory, scope, and revoke third-party app access.
Read articleHIPAA Audit Controls: Logging and Reviewing Who Accessed ePHI
Audit controls: logging and actually reviewing who accessed ePHI — the required safeguard practices most often leave half-done.
Read articleHow to Secure Remote Access Tools in a Healthcare Practice
RMM and remote-support tools are a top attacker pathway — how to inventory, harden, and monitor remote access to ePHI.
Read articleAnubis Ransomware Is Exploiting Citrix Bleed 2: What to Check
Citrix Bleed 2 (CVE-2025-5777) in the wild: why a gateway flaw plus abused remote-support tools should prompt a remote-access review.
Read articleKnowing your environment
You cannot protect what you have not mapped. Asset inventories and network maps are increasingly central.
When something goes wrong
Incident response, recovery, and the financial backstop — the difference between a scare and a catastrophe.
HIPAA Incident Response: What Happens in the First 24 Hours Matters
What happens in the critical first 24 hours of an incident.
Read articleThe 72-Hour Recovery Conversation Every Healthcare Practice Should Have
The recovery conversation every practice should have before it needs to.
Read articleBeyond 3-2-1: Why Healthcare Practices Need a 3-2-1-1-0 Backup Strategy
A resilient 3-2-1-1-0 backup strategy built for ransomware reality.
Read articleCyber Insurance, HIPAA, and the New Baseline for Healthcare Security
How cyber insurance now sets a de facto security baseline.
Read articleNot sure where your practice stands?
Start with a free HIPAA self-assessment, or talk with a healthcare-IT expert who works with practices like yours every day. No jargon, no sales pressure.
About this work: read the origins of The Digital Strategikon — why we publish a working library on the HIPAA Security Rule instead of a sales brochure.