HIPAA Security Rule
The HIPAA Security Rule, made practical
The Security Rule protects electronic protected health information (ePHI) through administrative, physical, and technical safeguards. This hub brings together everything a small medical or dental practice needs — what's required today, what the 2025 proposed update signals, and the concrete controls that actually move the needle — without the fearmongering.
The honest version: the current Security Rule remains in effect and enforced. A proposed update from HHS/OCR (published early 2025) signals where requirements are heading, but it is not yet law. Our goal here is to help you meet today's obligations and position sensibly for what's proposed — and to strengthen your security posture, not to scare you into a panic purchase.
Start here
The big picture: what the Security Rule requires today, and what the 2025 proposed update signals for tomorrow.
HIPAA Security Rule 2026: What Small Medical and Dental Practices Need to Know Now
The cornerstone overview — current enforceable rule vs. the proposed update.
HIPAA Compliance for Small Clinics: A Practical Guide
A practical, plain-English compliance walkthrough for small practices.
Administrative safeguards
The policies, people, and processes at the heart of the rule — starting with a real risk analysis.
Why Your HIPAA Risk Analysis Cannot Be a Checkbox Exercise
Why the risk analysis is the cornerstone control — and how practices get it wrong.
Security Awareness Training That Actually Works: Beyond Click-Through Compliance
Workforce training that changes behavior, not just click-through compliance.
Business Associates, BAAs, and MSPs: Who Is Responsible for What?
BAAs, vendors, and who is actually responsible for what.
Vendor Risk Management for Small Healthcare Practices
A practical program for managing third-party and vendor risk on a small-practice budget.
Technical safeguards
The technical controls that protect ePHI in practice — access, encryption, monitoring, and segmentation.
MFA for Healthcare: Where It Matters Most and Where Clinics Get It Wrong
Multi-factor authentication: where it matters most and common clinic mistakes.
Encryption at Rest and in Transit: What That Actually Means for a Doctor's Office
What encryption at rest and in transit actually means for a doctor's office.
EDR vs. Traditional Antivirus: What Should Your Organization Choose?
Modern endpoint defense vs. legacy antivirus.
Why Guest Wi-Fi Should Never Touch Your Clinical Network
Network segmentation: keeping guest Wi-Fi away from clinical systems.
Device Code Phishing Is Bypassing MFA: What Small Practices Should Do
How device code phishing bypasses MFA on Microsoft 365 — and how to shut it down.
Knowing your environment
You cannot protect what you have not mapped. Asset inventories and network maps are increasingly central.
When something goes wrong
Incident response, recovery, and the financial backstop — the difference between a scare and a catastrophe.
HIPAA Incident Response: What Happens in the First 24 Hours Matters
What happens in the critical first 24 hours of an incident.
The 72-Hour Recovery Conversation Every Healthcare Practice Should Have
The recovery conversation every practice should have before it needs to.
Beyond 3-2-1: Why Healthcare Practices Need a 3-2-1-1-0 Backup Strategy
A resilient 3-2-1-1-0 backup strategy built for ransomware reality.
Cyber Insurance, HIPAA, and the New Baseline for Healthcare Security
How cyber insurance now sets a de facto security baseline.
Not sure where your practice stands?
Start with a free HIPAA self-assessment, or talk with a healthcare-IT expert who works with practices like yours every day. No jargon, no sales pressure.