5 HIPAA Compliance Tips for Medical Office Managers

Posted by Ian

Medical office managers sit at the center of every operational workflow in a small or mid‑sized practice. They are the people who translate HIPAA’s legal requirements into the daily routines that keep patient information protected, staff aligned with the practice’s workflows, and the practice out of regulatory trouble. Unlike large health systems with compliance departments, privacy teams, and dedicated security personnel, medical practices often rely on a single individual to oversee both the structural elements of a HIPAA compliance program and the practical application of HIPAA in daily operations across reception, billing, clinical support, and administrative functions.
That dual responsibility is demanding even for experienced managers, and it becomes especially challenging when policies, training, and documentation have not kept pace with the way the practice actually operates. This is why practical, operationally grounded tips matter. Office managers need guidance that helps them run a compliant practice in real time, with real staff, real patients, and real constraints.

What HIPAA Requires from Medical Office Managers

Before diving into practical tips, it helps to understand what HIPAA actually requires from medical office managers. HIPAA is made up of three core rules that work together to protect patient information.

The HIPAA Privacy Rule governs how patient information can be used and disclosed, and it gives patients specific rights over their records, including the right to access them.

The HIPAA Security Rule focuses on electronic information and requires practices to put administrative, physical, and technical safeguards in place to keep electronic Protected Health Information secure.

The HIPAA Breach Notification Rule requires practices to notify patients, the HHS Office for Civil Rights, and sometimes the media when unsecured patient information is compromised.

For medical office managers, these rules translate into a set of operational responsibilities. Policies must be written, kept current, and followed in daily workflows. Staff must be trained not only when they are hired but whenever procedures change. Access to patient information must match each person’s job duties, and those permissions must be reviewed regularly.
Although HIPAA applies to the entire practice, medical office managers are often the ones responsible for ensuring that a HIPAA compliance program exists and that it functions in day‑to‑day operations. This includes confirming that required policies are in place, that staff follow them, and that the practice can demonstrate compliance if the HHS Office for Civil Rights reviews its activities.
Vendors who handle patient information must have signed agreements in place before any data is shared. When something goes wrong, the practice must investigate, document what happened, and determine whether notifications are required. Activities such as vendor oversight, incident investigation, breach analysis, and documentation are all core components of a functioning HIPAA compliance program. Understanding these foundational expectations makes the practical tips that follow easier to apply and helps office managers see how their daily decisions shape the practice’s overall compliance posture.

Tip 1: Treat Policies as Living Documents, Not Binders on a Shelf

Many practices have policies that were written years ago, often copied from generic templates, and rarely revisited. These documents may have been accurate at the time they were created, but workflows evolve, technology changes, and staff responsibilities shift. When written policies no longer match observable practice, the HHS Office for Civil Rights routinely treats this as evidence that a compliance program is not implemented.
A practical way to avoid this problem is to treat policies as living documents. Instead of waiting for an audit or a breach to trigger a review, office managers can adopt a steady rhythm of checking one operational area at a time. A single monthly review of a specific workflow, such as patient check‑in, billing inquiries, or clinical documentation, keeps the policy set aligned with reality. This approach prevents the overwhelming task of rewriting everything at once and ensures that the practice’s written expectations reflect what staff are trained to do. It also positions the office manager as a proactive steward of compliance rather than a reactive custodian of paperwork.

Tip 2: Build HIPAA Training into the Practice Calendar Instead of Waiting for Problems

Documented HIPAA training is one of the clearest indicators of whether a practice takes HIPAA seriously. The HIPAA Privacy Rule requires training for new workforce members within a reasonable period after they join, and updated training whenever policies or procedures change. The HIPAA Security Rule requires an ongoing security awareness program for every member of the workforce. Yet many practices still treat training as an onboarding task or something to revisit only after an incident.
A more effective approach is to build training into the practice calendar as a recurring event. When staff know that refresher training happens at the same time every year, it becomes part of the culture rather than an interruption. This predictable cadence also ensures that training records remain current, complete, and easy to produce during a regulatory review. The HHS Office for Civil Rights treats undocumented training as training that never occurred, so maintaining accurate records is as important as delivering the training itself.
For practices that want a structured, scenario‑based curriculum designed specifically for small clinical settings, The HIPAA Journal’s HIPAA Training for Small Medical Practice Employees provides modules tailored to the situations staff encounter daily. The program includes randomized assessments and an administration dashboard that gives office managers real‑time visibility into completion status. Practices can combine this training with The HIPAA Journal’s Cybersecurity Training for Healthcare Employees, creating a unified training solution that addresses both the HIPAA training requirement and the security awareness requirement.

Tip 3: Review Access Permissions Regularly, Not Only After a Role Shift

Access control is one of the most important and most frequently overlooked requirements of the HIPAA Security Rule. The Administrative and Technical Safeguards require practices to authorize access based on job responsibilities, ensure that each user has the minimum access needed to perform their duties, and modify or terminate access when roles change.
In theory, this means permissions should be updated whenever someone’s responsibilities shift. In practice, however, small medical offices often adjust duties informally or temporarily without documenting the change. Someone helps with billing for a week, covers the front desk during lunch, or stops performing a task without anyone updating their system access. Over time, these small changes accumulate, and staff end up with access that no longer reflects what they do.
This is why access permissions must be reviewed in two ways: whenever responsibilities change and on a periodic basis. Reviewing access after a role shift ensures that permissions remain aligned with job duties as they evolve. But periodic reviews serve as a safety net that catches the informal, undocumented shifts that happen in every small practice. These regular reviews help identify outdated permissions, unnecessary access, and accounts that should have been modified or disabled long ago.
A predictable review cycle also strengthens the practice’s compliance posture. If the HHS Office for Civil Rights ever investigates a breach or conducts a compliance review, one of the first things they examine is whether access permissions reflect actual job functions. Being able to demonstrate a documented, recurring review process shows that the practice takes the HIPAA Security Rule’s access control requirements seriously and that access is intentional, monitored, and tied to real responsibilities rather than historical habits.

Tip 4: Establish Clear Security Incident Procedures Before Something Goes Wrong

Security incidents are not limited to major breaches or headline‑worthy events. Under the HIPAA Security Rule’s Administrative Safeguards, every practice must have procedures for identifying, reporting, and responding to any security incident, including suspicious activity, misdirected communications, unusual system behavior, or minor mistakes that could expose electronic Protected Health Information. These requirements exist independently of the HIPAA Breach Notification Rule. In other words, a practice must have a process for handling incidents even when the event does not qualify as a breach.
Small practices often rely on informal communication or assume staff will “speak up if something seems wrong,” but this approach breaks down quickly under pressure. Staff may hesitate, minimize the issue, or assume someone else will handle it. A clear, written procedure removes ambiguity. It tells staff exactly what counts as a potential incident, who they should notify, and what information to provide. It also ensures that the office manager can begin the required steps: assessing what happened, determining whether PHI was involved, documenting the event, and deciding whether the HIPAA Breach Notification Rule applies.
Having a predictable, well‑communicated process also strengthens the practice’s compliance posture. If the HHS Office for Civil Rights ever reviews an incident, one of the first things they examine is whether the practice had a documented procedure and whether staff followed it. A simple, accessible workflow, such as a one‑page incident reporting form and a clear escalation path, helps ensure that issues are caught early, documented consistently, and handled in a way that aligns with both the HIPAA Security Rule and the HIPAA Breach Notification Rule. It also reinforces a culture where staff understand that reporting is expected, supported, and essential to protecting patient information.

Tip 5: Track Business Associate Agreements the Same Way You Track Staff Credentials

HIPAA Business Associate Agreements (BAAs) are one of the most frequently overlooked components of HIPAA compliance. Any vendor that creates, receives, maintains, or transmits Protected Health Information on behalf of the practice must have a signed agreement in place before services begin. These agreements must contain specific provisions required by the HIPAA Privacy Rule and HIPAA Security Rule, and they must be retained for six years after the relationship ends.
In many practices, BAAs lapse simply because no one is tracking renewal dates. A practical approach is to treat BAAs the same way staff credentials are treated: as items with expiration dates that require periodic review. Maintaining a single list of all vendors who handle PHI, the date each agreement was signed, and the next review date prevents surprises during audits and reduces the risk of discovering an unsigned agreement after a breach.
HIPAA compliance software can simplify this process by centralizing agreements, automating reminders, and ensuring that documentation is complete and accessible. For office managers who already juggle policies, risk analysis, training, and incident documentation, software support reduces administrative burden and keeps the practice audit‑ready throughout the year.

HIPAA Compliance Software for Office Managers

Managing HIPAA compliance manually through paper binders, spreadsheet tracking, and generic policy templates creates administrative burden and leaves gaps that purpose‑built software is designed to eliminate. For medical office managers who carry simultaneous responsibility for policies, risk analysis, Business Associate Agreements, workforce training, access reviews, and incident documentation, a dedicated compliance platform reduces the operational effort involved in maintaining each of these program components and keeps the practice audit‑ready on a continuous basis.
HIPAA compliance software designed for Covered Entities supports the exact functions office managers are responsible for executing. Policies are generated dynamically based on the practice’s operational profile and Security Risk Analysis responses, rather than from generic templates that the HHS Office for Civil Rights treats as inadequate substitutes for practice‑specific documentation. The Security Risk Analysis module guides office managers through an assessment tailored to the practice’s actual administrative, physical, and technical safeguards, routing around irrelevant questions and focusing attention on vulnerabilities that apply to that specific environment.
A well‑designed compliance platform does not replace the office manager, it gives them leverage. It centralizes documentation, standardizes workflows, and provides the structure needed to demonstrate that the practice’s HIPAA compliance program is active, monitored, and functioning. For small and mid‑sized practices, this level of organization is the difference between scrambling during an audit and being able to produce everything the HHS Office for Civil Rights requests with confidence.

The post 5 HIPAA Compliance Tips for Medical Office Managers appeared first on The HIPAA Journal.

CISA Launches Initiative to Improve Critical Infrastructure Resilience During Geopolitical Conflicts

Posted by Steve Alder

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has announced a new initiative aimed at improving critical infrastructure cyber resilience during geopolitical conflicts, and is urging critical infrastructure operators to improve their defenses against disruptive and destructive cyberattacks through proactive isolation and recovery planning. CISA warns that adversaries have already embedded themselves in critical systems and are positioning themselves to cripple operational technology in the event of a wider geopolitical conflict.

During geopolitical conflicts, critical infrastructure entities face an increased risk of cyberattacks, where nation-state actors may attempt to disrupt and destroy the operational technology running the United States. Attacks may target healthcare providers to disrupt patient care, telecommunications infrastructure to damage phone and internet services, food production facilities, and energy and wastewater entities. At all times, critical infrastructure entities must continue to deliver crucial services to Americans. They must therefore isolate vital systems from harm, continue operating them in an isolated state, and be able to rapidly recover any systems that are successfully compromised.

The initiative, dubbed CI Fortify, is aimed at boosting public health and safety, critical defense infrastructure, national security, and ensuring the continuity of the economy. CISA explains that critical infrastructure operators must assume that, in the event of a conflict scenario, third-party connections such as telecommunications, vendors, service providers, upstream dependencies, and the internet are likely to be unreliable, and threat actors will have access to certain parts of the operational technology network.

Operators must plan for such scenarios and improve resilience through isolation and incident recovery practices. Isolation involves proactively disconnecting operational technology systems from third-party business networks to prevent operational technology cyber impacts and sustain essential operations in a degraded communications environment. Processes need to continue to ensure service delivery in the event of an incident, rather than being forced to completely shut down.

Critical infrastructure operators should identify critical customers and set a service delivery target based on their needs, determine vital operational technology and supporting infrastructure to meet their targets in isolation, and update business continuity plans and engineering processes to ensure safe operations while isolated, which could be weeks or even months. They should track CISA and Sector Risk Management Agency (SRMA) guidance to know when to isolate. For healthcare and public health organizations, the Department of Health and Human Services is the designated Sector Risk Management Agency (SRMA), with those duties handled by the Administration for Strategic Preparedness through the Office of Critical Infrastructure Protection.

For recovery, it is essential to ensure that systems are documented, critical files are backed up, and procedures are practiced for replacing critical systems and transitioning to manual processes in the event of systems or components being rendered inoperable. It is also vital to address communications dependencies for recovery, such as licensing servers or business network connections.  “Regardless of the source for any disruption, these emergency planning efforts will leave operators with more resilient infrastructure that is easier to defend and keep running,” explained CISA. CISA has set up a webpage with further information and resources to help critical infrastructure entities isolate systems and enable recovery.

This week, the Joint Commission and AHA announced a new Cyber Resilience Readiness Program for hospitals and health systems to ensure they can sustain clinical operations during cyberattacks that disrupt critical information technology systems. The program dovetails with CISA’s CI Fortify initiative, according to John Riggi, AHA national advisor for cybersecurity and risk.

The post CISA Launches Initiative to Improve Critical Infrastructure Resilience During Geopolitical Conflicts appeared first on The HIPAA Journal.

Healthcare Organizations Exposing Patient Data Via Poorly Secured DICOM Servers

Posted by Steve Alder

Healthcare organizations are exposing a vast amount of patient data by failing to implement even basic security measures for DICOM servers, according to a recent Trend Micro TrendAI analysis. TrendAI identified thousands of internet-facing DICOM servers belonging to hundreds of entities. The lack of security protections puts patient privacy at risk and gives hackers the opening they need for lateral movement and ransomware attacks.

Medical images generated from X-rays, MRI, CT, and ultrasound scans are captured, stored, processed, transmitted, and viewed using the Digital Imaging and Communications in Medicine (DICOM) standard. Work on a standard for communicating medical imaging information started in the early 80s and culminated in the DICOM standard. DICOM defines a file format for medical images and a network protocol for communicating those images between different devices and systems, including equipment such as scanners, workstations, and printers, software, network hardware, and Picture Archiving and Communication Systems (PACS). DICOM enables interoperability across devices and systems, regardless of manufacturer.

DICOM files contain medical imaging data; however, the metadata includes a substantial volume of protected health information, such as full names, dates of birth, and medical record numbers, and sometimes other sensitive data such as Social Security numbers and other patient identifiers. The metadata may also include information such as the referring physician’s name, the reading radiologist, why the test was ordered, diagnosis codes, and procedure information, while the images themselves can reveal sensitive health conditions.

The purpose of the DICOM standard is to allow easy viewing, storage, exchange, and transmission of medical images; however, there are also security features to protect against unauthorized access. The problem is that those security features are not being fully utilized, and in many cases, are not being used at all. Using Shodan.io scanning data, the TrendAI team identified 3,627 DICOM medical imaging servers in more than 100 countries that were directly accessible via the public internet, the largest percentage of which (33%) were in the United States (1,189 servers). While the exposed servers were often PACS or workstations, the TrendAI team points out that they often serve as gateways to medical imaging modalities such as MRI systems, X-Ray equipment, CT and PET-CT scanners, and mammography units. While the analysis did not identify any of those medical devices, it is reasonable to assume that the exposed servers communicate with those devices.

The analysis was conducted using Shodan scanning data from November to December 2025, which revealed that many DICOM servers have minimal or no security controls. TrendAI found that only 0.14% of exposed DICOM servers use TLS encryption, which prevents eavesdropping and man-in-the-middle attacks. DICOM servers should only accept connections from known, trusted sources; however, 99.56% of exposed servers accepted connections without AE Title validation, suggesting AE Title validation was not being enforced. Across the exposed servers, 334 organizations could be identified. They included 231 healthcare organizations such as hospitals, clinics, laboratories, and imaging and radiology centers.

The best practice is to ensure that DICOM servers are on isolated networks with firewalls restricting access; however, the fact that 3,627 servers were exposed to the internet shows that even this basic security control is not being implemented. Further, an analysis of software versions found that many had significant patch deficiencies, including unpatched critical vulnerabilities such as CVE-2019-1010228, CVE-2022-2119, CVE-2022-2120, and CVE-2025-0896. The TrendAI team also found that 44% of servers cluster into groups running identical software, which means that one vulnerability can be exploited on hundreds of targets. The scant protections put patient privacy at risk, potentially allowing extensive data theft, image manipulation, lateral movement, and ransomware attacks.

“Security must be treated as a fundamental requirement rather than an optional enhancement. The tools exist; they simply need to be used,” suggests TrendAI. “Healthcare organizations, cloud providers, and DICOM software vendors all share responsibility for addressing this exposure. Until they do, patient data remains at risk, clinical systems remain vulnerable, and the healthcare sector remains an attractive target for malicious actors.”

The post Healthcare Organizations Exposing Patient Data Via Poorly Secured DICOM Servers appeared first on The HIPAA Journal.

Hematology Oncology Consultants; Southcoast Health; Cunningham Prosthetic Care Announce Data Breaches

Posted by Steve Alder

Data breaches have recently been announced by Hematology Oncology Consultants in Michigan, Cunningham Prosthetic Care in Maine, and Southcoast Health System in Massachusetts.

Hematology Oncology Consultants

Hematology Oncology Consultants in Michigan have started notifying individuals affected by a September 20, 2025, security incident. Upon detection, immediate action was taken to secure its network and prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the unauthorized activity. On or around February 12, 2026, Hematology Oncology Consultants confirmed that files containing personal and protected health information were likely exfiltrated from its network.

The review of the affected files was completed on April 7, 2026, and notification letters started to be mailed to the affected individuals on April 24, 2026. Data compromised in the incident includes names, medical records, health insurance information, and Social Security numbers. While not described as a ransomware attack, the Rhysida ransomware group claimed responsibility for the attack. Rhysida threatens to sell or publish the stolen data if the ransom is not paid. The group claims to have sold some of the stolen data and has leaked 40% of the data exfiltrated in the attack. The incident has been reported to regulators, although it is currently unclear how many individuals have been affected.

Cunningham Prosthetic Care

The Saco, Maine-based orthotic and prosthetic service provider Cunningham Prosthetic Care has started notifying patients about a data security incident first identified on October 22, 2025. Suspicious activity was identified within an employee’s email account, and upon investigation, unauthorized access to the account was confirmed as occurring on October 22, 2025. The account was reviewed, and after around 4 months, it was confirmed that the account contained personal and protected health information, including names, health insurance information, diagnostic information, medical treatment information, and medical record numbers. The affected individuals started to be notified by mail on May 1, 2026. The data breach has been reported to the appropriate authorities, but at present, the number of affected individuals has yet to be publicly disclosed.

Southcoast Health

Southcoast Health System, a nonprofit community health system with more than 55 locations in Southeastern Massachusetts and Rhode Island, has identified unauthorized access to a single user account on February 16, 2026. The security incident was identified on the same day, and unauthorized access was immediately blocked. While the incident was detected quickly, it is possible that sensitive data such as names and Social Security numbers were viewed or acquired. As a precaution against data misuse, the affected individuals have been offered complimentary single-bureau credit monitoring and identity theft protection services. At the time of publication, the number of affected individuals had not been publicly disclosed.

The post Hematology Oncology Consultants; Southcoast Health; Cunningham Prosthetic Care Announce Data Breaches appeared first on The HIPAA Journal.