HIPAA violations cost healthcare organizations an average of $1.5 million per breach, and the HHS Office for Civil Rights (OCR) is increasing enforcement every year. But compliance isn’t just about avoiding fines — it’s about protecting your patients and your practice’s reputation. Atlantic Computer Systems specializes in healthcare IT and helps medical practices across the Bay Area build and maintain HIPAA-compliant technology environments.
The HIPAA Security Rule: What IT Must Cover
The Security Rule requires three categories of safeguards: Administrative (risk assessments, workforce training, security policies, contingency plans), Physical (facility access controls, workstation security, device disposal), and Technical (access controls, audit controls, integrity controls, transmission security). Every single one of these has IT implications that our managed IT services address.
Required IT Controls for Medical Practices
At minimum, your practice needs: unique user IDs for every employee with role-based access, MFA on all systems containing PHI (see our Cybersecurity Best Practices), encrypted data at rest and in transit, automatic session timeouts, audit logging on all PHI access, daily encrypted backups with tested recovery, email encryption for PHI communications (see our Email Security Guide), and endpoint protection on every device.
EHR and Practice Management System Security
Your EHR system (Epic, Athenahealth, eClinicalWorks, NextGen, etc.) contains your most sensitive data. It must be: hosted on HIPAA-compliant infrastructure, backed up independently, access-controlled by role, and monitored for unusual access patterns. Our team has experience supporting and securing all major EHR platforms. We handle the IT so your clinical staff can focus on patient care.
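The audit logging and role-based access controls listed above, and the monitoring for unusual access patterns described here, come together in a review of the EHR audit trail. The following is an added illustration, not ACS tooling or any vendor's export format: the log fields, role policy, business hours and volume threshold are all assumptions a practice would replace with its own, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of a PHI access audit trail (timestamp,user,role,patient,action).
# Field layout is an assumption; real EHR audit exports differ by vendor.
SAMPLE_AUDIT_LOG = [
    "2024-03-04T09:02:11,jdoe,nurse,P1001,view_chart",
    "2024-03-04T09:05:40,jdoe,nurse,P1002,view_chart",
    "2024-03-04T09:09:03,rlee,billing,P1001,view_billing",
    "2024-03-04T09:12:57,rlee,billing,P1003,view_chart",      # outside billing role
    "2024-03-04T22:41:19,tkim,front_desk,P1004,view_chart",   # after hours, wrong role
] + [f"2024-03-04T13:{i:02d}:00,mross,billing,P2{i:03d},view_billing" for i in range(25)]

# Role-based access policy: the audit actions each role is permitted to generate.
# A permitted action appearing for a role not on this list means the EHR's own
# access controls are misconfigured and the finding needs a ticket, not just a note.
ROLE_POLICY = {
    "physician": {"view_chart", "edit_chart", "view_billing"},
    "nurse": {"view_chart", "edit_chart"},
    "billing": {"view_billing"},
    "front_desk": {"view_demographics"},
}
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 local; assumption for a day clinic
VOLUME_THRESHOLD = 20           # distinct patients per user per day; tune per practice

def parse_line(line):
    ts, user, role, patient, action = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "patient": patient, "action": action}

def review_audit_log(lines):
    """Return (user, reason) findings for the compliance reviewer to work through."""
    findings = []
    patients_per_user = defaultdict(set)
    for rec in map(parse_line, lines):
        # Control 1: every logged action must be permitted for the user's role.
        if rec["action"] not in ROLE_POLICY.get(rec["role"], set()):
            findings.append((rec["user"],
                             f"role '{rec['role']}' not permitted to {rec['action']} on {rec['patient']}"))
        # Control 2: PHI access outside business hours is an unusual pattern to review.
        if rec["ts"].hour not in BUSINESS_HOURS:
            findings.append((rec["user"], f"after-hours access at {rec['ts'].isoformat()}"))
        patients_per_user[rec["user"]].add(rec["patient"])
    # Control 3: one user touching many distinct records in a day suggests browsing or export.
    for user, patients in patients_per_user.items():
        if len(patients) > VOLUME_THRESHOLD:
            findings.append((user, f"{len(patients)} distinct patient records in one day"))
    return findings
```

Run against the constructed log, the review flags the billing user viewing a chart, the front-desk user's late-night chart view (twice: role and hours), and the user who touched 25 distinct records; the two nurse entries produce nothing.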
Annual Risk Assessment
HIPAA requires an annual risk assessment — not a suggestion, a requirement. This must document: all systems containing PHI, current security measures, identified vulnerabilities, threat likelihood and impact, and a remediation plan with timelines. ACS conducts comprehensive HIPAA risk assessments as part of our healthcare IT management.
Employee Training and Onboarding
Every employee with PHI access must receive HIPAA security training at hire and annually. Use our New Employee IT Setup Guide to ensure proper onboarding, and our Offboarding Checklist to ensure departing employees’ access is revoked immediately — a critical compliance requirement.
Get Your HIPAA Assessment
Contact us for a free HIPAA readiness assessment. We’ll identify gaps, prioritize fixes, and give you a clear path to compliance. View our pricing or call 1-650-300-7557.
