HIPAA Compliance for Indiana Medical Practices: A Plain-English Checklist
Most Indiana medical practices think they're HIPAA compliant. Most aren't — not because they're cutting corners, but because the actual requirements are buried in jargon and the consequences are abstract until they aren't. Here's what actually matters, in plain English.
What HIPAA actually requires
Strip away the legalese and HIPAA boils down to this: if you handle protected health information (PHI), you must take reasonable steps to keep it confidential, available to authorized people, and intact. The Department of Health and Human Services translates that into a few hundred pages of rules — but the practical compliance bar can be summarized in a checklist.
The minimum technical bar
If your practice doesn't have these in place today, your HIPAA posture is genuinely weak — regardless of what your last consultant told you.
- Encryption everywhere. Full-disk encryption on every laptop, desktop, and server (BitLocker, FileVault, or LUKS, with recovery keys escrowed somewhere other than the device itself). TLS on every connection that carries PHI, and encrypted email or a secure portal for any external PHI exchange. Modern operating systems make this nearly free, and it has a concrete payoff: under the Breach Notification Rule, PHI encrypted in line with HHS guidance is not "unsecured PHI," so a lost encrypted laptop is a replaced asset rather than a reportable breach. Missing it is inexcusable.
- Multi-factor authentication on every account. Especially email, the EHR, remote access, and any cloud platform. Stolen or phished credentials are behind a large share of healthcare breaches, and Microsoft's own account telemetry puts MFA's reduction in account-compromise attacks above 99%. One caveat: SMS codes and push prompts can be phished or fatigued into approval, so prefer an authenticator app or a FIDO2 key wherever the system supports it.
- Workstation lock-out policies. Idle systems should auto-lock within 10-15 minutes and require a password or PIN to resume; a screen saver without re-authentication does not count. Sounds trivial. Causes real breaches when a tablet gets left at the front desk or a terminal stays open in an exam room.
- Centralized backup with off-site copies. Daily, automated, monitored, and restore-tested, with at least one copy offline or immutable that the same admin credentials cannot delete. Ransomware operators delete or encrypt every backup they can reach before they trigger; a backup they can reach is not insurance.
- Endpoint security with active threat detection. Antivirus by itself is not enough in 2026. You want an EDR agent that records process, network, and file activity and alerts someone who will actually respond.
- Audit logging. Who logged in, who accessed what records, when, and from where. Required by the Security Rule, which calls for both audit controls and regular review of system activity. Most practices think their EHR handles this; most EHRs only log the EHR side. Email, file shares, VPN, and cloud storage need their own logs, shipped somewhere central, retained, and actually reviewed.
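One way to turn the items above into something you can actually run on a workstation, as an added example (this is the editor's code, not part of the original post and not a JPtheGeek tool): a read-only PowerShell spot check for a Windows 10/11 endpoint. It assumes BitLocker and Microsoft Defender are in use, and the 15-minute idle limit and 7-day signature age are assumed thresholds, not HIPAA text. Backups and MFA are enforced outside the endpoint and are not checked here.

```powershell
# Added example (not from the original post): read-only spot check of the
# workstation-level controls on a Windows 10/11 endpoint. Run in an elevated
# PowerShell session. Nothing here changes a setting; each check yields a
# PASS/FAIL row that can be filed with the Risk Analysis.

$MaxIdleSeconds      = 15 * 60   # assumed: matches the 10-15 minute guidance
$MaxSignatureAgeDays = 7         # assumed: older AV definitions count as a fail

function New-Result($Check, $Pass, $Detail) {
    [pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = $Detail }
}

function Test-DiskEncryption {
    # Every volume should be fully encrypted with protection On. A volume that is
    # encrypted but shows protection Off has its key exposed in the clear.
    foreach ($v in Get-BitLockerVolume) {
        $ok = ($v.ProtectionStatus -eq 'On') -and ($v.VolumeStatus -eq 'FullyEncrypted')
        New-Result "BitLocker $($v.MountPoint)" $ok "$($v.VolumeStatus), protection $($v.ProtectionStatus)"
    }
}

function Test-IdleLock {
    # Machine-wide limit: the Group Policy "Interactive logon: Machine inactivity limit"
    # is stored as InactivityTimeoutSecs. If the policy is absent, fall back to the
    # current user's password-protected screen saver.
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue
    $limit = [int]$pol.InactivityTimeoutSecs
    if ($limit -gt 0) {
        return New-Result 'Idle lock (machine policy)' ($limit -le $MaxIdleSeconds) "locks after $limit s"
    }
    $ss = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    $timeout = [int]$ss.ScreenSaveTimeOut
    $ok = ($ss.ScreenSaveActive -eq '1') -and ($ss.ScreenSaverIsSecure -eq '1') -and ($timeout -gt 0) -and ($timeout -le $MaxIdleSeconds)
    New-Result 'Idle lock (screen saver)' $ok "active=$($ss.ScreenSaveActive) secure=$($ss.ScreenSaverIsSecure) timeout=$timeout s"
}

function Test-LogonAuditing {
    # auditpol /r prints CSV; the "Inclusion Setting" for the Logon subcategory should
    # cover Success and Failure so both account use and password guessing are recorded.
    $rows = auditpol /get /subcategory:"Logon" /r | Where-Object { $_.Trim() } | ConvertFrom-Csv
    $setting = ($rows | Select-Object -First 1).'Inclusion Setting'
    New-Result 'Logon auditing' (($setting -match 'Success') -and ($setting -match 'Failure')) "Inclusion Setting = $setting"
}

function Test-EndpointProtection {
    # Real-time protection on with fresh definitions is the floor. The Sense service
    # running indicates onboarding to Microsoft Defender for Endpoint (EDR); a
    # third-party EDR agent would need its own service check here.
    $mp = Get-MpComputerStatus
    $fresh = $mp.AntivirusSignatureLastUpdated -gt (Get-Date).AddDays(-$MaxSignatureAgeDays)
    New-Result 'Antivirus real-time protection' ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and $fresh) "signatures updated $($mp.AntivirusSignatureLastUpdated)"
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $state = if ($sense) { $sense.Status } else { 'not present' }
    New-Result 'EDR agent (Defender for Endpoint)' ($sense -and $sense.Status -eq 'Running') "Sense service: $state"
}

$results = @(Test-DiskEncryption) + @(Test-IdleLock) + @(Test-LogonAuditing) + @(Test-EndpointProtection)
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) {
    Write-Warning 'One or more controls failed; record the finding in the Risk Analysis.'
}
```

Run it as an administrator on each workstation and keep the output with the assessment. A FAIL row is a finding, not a fix: the script reads state and leaves remediation to Group Policy or your MDM.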
The minimum administrative bar
The Privacy Rule and the Administrative Safeguards are where most practices stumble. The technical controls are, in some ways, the easier half.
- A current Risk Analysis. Not a template you signed three years ago. An actual review of where PHI lives, how it moves, and what could go wrong. Updated at least annually and whenever something material changes: a new EHR, a new location, a new cloud service.
- A written Security Policy. Plus a Privacy Policy, an Incident Response Plan, a Breach Notification Procedure, and a Sanctions Policy. The HHS Office for Civil Rights asks for these specifically when they investigate.
- Documented workforce training. Every employee with PHI access. At hire, annually after, and whenever something material changes.
- Business Associate Agreements (BAAs). With every vendor who touches your PHI. EHR vendor, IT provider, billing service, transcription, cloud backup — every single one.
- Access controls based on role. The receptionist doesn't need access to clinical notes. The hygienist doesn't need access to billing. Document this, enforce it.
- Termination procedures. When someone leaves, how do their accounts get disabled (EHR, email, VPN, cloud, and any shared passwords they knew get rotated), badge access revoked, and equipment returned, and how quickly? Document the process and who runs it.
The audit you'll actually face
HHS audits are rare for small practices. Breach investigations are not. If a practice loses an unencrypted laptop, has an EHR account compromised, or sends an email to the wrong patient list, the resulting investigation will ask for these documents among its first requests. Practices that have them in order pay smaller fines. Practices that don't pay much larger fines and often end up in Corrective Action Plans for years.
What we see go wrong in Indiana practices
Patterns we've consistently seen in Indiana medical practices we've assessed:
- EHR vendor lock-in masking real gaps. The EHR is HIPAA-compliant. The practice's email, file storage, and backups often aren't. PHI lives in all three.
- Forgotten cloud services. Dropbox accounts from years ago. Old Google Drive folders. PHI ends up there during projects and stays after.
- Personal devices accessing PHI. Doctors checking email on personal phones. Without MDM, or at minimum an enforced device PIN, encryption, and remote wipe, that's a HIPAA exposure.
- BAAs that weren't actually signed. Or were signed with one entity but the work is being done by a different entity. We see this almost every audit.
- "We have IT" being treated as the same as "we have HIPAA compliance." It isn't. Most general-purpose MSPs are not HIPAA-aligned by default.
The cost of getting this wrong
HIPAA penalties scale with culpability. The HITECH tiers run from "did not know" (statutory minimum of $100 per violation) up to uncorrected "willful neglect" (statutory maximum of $50,000 per violation), with an annual cap per provision originally set at $1.5 million; all of these figures are adjusted for inflation each year, so the current numbers are higher. Per OCR's own enforcement data, a typical settlement for a small practice in the last few years has fallen in the $50,000-$300,000 range, plus the cost of the corrective action plan, the legal fees, and the patient notification process.
The cost of doing it right is a fraction of that.
How to start
If you're at a practice and you're not sure where you stand, start with a real Risk Analysis. Not a template. An actual assessment, by someone who has done HIPAA work specifically. Our cybersecurity service includes HIPAA-aligned assessment as a starting point. Schedule a free conversation and we'll tell you honestly what your gaps are. You can fix them yourself, fix them with us, or fix them with someone else — but at least you'll know.
JPtheGeek provides managed IT, cybersecurity, and AI services to Indiana businesses across Greenwood, Indianapolis, and Central Indiana. Get a free IT & security audit →
