HIPAA Compliance Support for Businesses Handling Protected Health Information
Facet Technologies supports Central Illinois businesses working toward HIPAA compliance — whether that means a medical practice protecting patient records, a billing company processing claims, or a software vendor storing PHI in the cloud. We help maintain the technical safeguards HIPAA requires through a managed IT approach that treats compliance as an ongoing posture, not an annual audit sprint.
What Is HIPAA and Who Does It Apply To?
HIPAA is the Health Insurance Portability and Accountability Act, a federal law enacted in 1996 that sets national standards for protecting the privacy and security of health information. Most people associate HIPAA with medical practices, but the law reaches much further — it applies to any organization that creates, receives, maintains, or transmits protected health information, whether or not that organization treats patients directly.
Protected health information, or PHI, is any individually identifiable health data — including names tied to diagnoses, dates of service, billing records, prescription information, and electronic health records. When PHI is stored or transmitted electronically, it becomes electronic PHI (ePHI), which is subject to HIPAA's Security Rule.
Two categories of organizations fall under HIPAA:
Covered Entities
Healthcare providers (hospitals, clinics, dental practices, physical therapy, mental health), health plans (insurance companies, HMOs), and healthcare clearinghouses that process claims.
Business Associates
Any business that handles PHI on behalf of a covered entity. Includes billing companies, IT providers, cloud hosting vendors, medical transcription services, claims processors, and legal firms handling medical records.
Subcontractors
Vendors hired by business associates who also handle PHI. A cloud storage provider used by a billing company is a subcontractor and is also bound by HIPAA requirements.
A common misconception is that only doctors' offices need to worry about HIPAA. In practice, any business in the supply chain that touches PHI — including managed IT providers — operates under HIPAA's requirements.
What Does HIPAA Actually Require?
HIPAA is structured around three primary rules that every business handling PHI must follow:
The Privacy Rule
Sets national standards for how PHI can be used and disclosed. Covers patient rights — including the right to access records, request corrections, and receive an accounting of disclosures. Applies to PHI in any form: paper, electronic, or verbal.
The Security Rule
Applies specifically to electronic PHI. Requires three categories of safeguards — administrative, physical, and technical — to protect ePHI from unauthorized access, alteration, loss, or destruction. This is the rule most relevant to IT and cybersecurity providers.
The Breach Notification Rule
Requires covered entities and business associates to notify affected individuals, the Department of Health and Human Services, and sometimes the media when unsecured PHI is breached. Timeframes and thresholds depend on the size and scope of the breach.
The HHS Office for Civil Rights enforces HIPAA and has authority to issue penalties ranging from $141 per violation up to $2.1 million per category per year for willful neglect, based on 2024 adjusted amounts.
How Does Facet's Stack Map to HIPAA Technical Safeguards?
The HIPAA Security Rule's Technical Safeguards section (45 CFR § 164.312) defines the technology controls required to protect ePHI. These are the categories Facet Technologies addresses through our managed services stack:
- § 164.312(a)
- § 164.312(b)
- § 164.312(c)
- § 164.312(d)
- § 164.312(e)
This mapping is why "built into daily operations" matters more than "prepared for audit." A business associate agreement, or BAA, is the contract a covered entity signs with vendors who handle PHI — but signing the BAA is only the beginning. The technical controls have to actually operate every day, and that's what a managed IT stack delivers.
Where HIPAA Overlaps With Other Frameworks
The good news for businesses facing multiple compliance requirements: HIPAA's Technical Safeguards share significant overlap with cyber insurance requirements, ISO 27001 controls, and NIST Cybersecurity Framework categories. Multi-factor authentication satisfies HIPAA's authentication requirement, cyber insurance carrier checklists, and ISO 27001's access control requirements — simultaneously.
If your business handles PHI and also needs cyber insurance coverage or works with enterprise clients requiring ISO certification, our multi-framework approach avoids duplicate work by building controls that satisfy several frameworks at once.
Are You a Medical Practice?
If your business is a healthcare provider — a clinic, dental practice, physical therapy office, mental health practice, or similar — Facet Technologies offers a dedicated Healthcare IT services page focused on the specific operational realities of medical practices: EHR system support (Epic, Cerner, AllScripts, eClinicalWorks, NextGen), practice management software, patient data workflows, and 24/7/365 emergency response for clinical environments.
The page you are currently reading covers HIPAA as a regulatory framework. If you are a business associate, billing company, software vendor, or other non-medical entity that handles PHI, stay here. If you operate a medical practice and want care-centered IT support, the Healthcare page will serve you better.
What Does Facet Do For HIPAA Compliance?
Facet Technologies provides the managed IT services that help your business implement and maintain HIPAA's Technical Safeguards. Specifically, we:
- Deploy and manage the security stack that supports HIPAA Technical Safeguards — endpoint protection, access controls, email security, backups, and 24/7 SOC monitoring.
- Sign a business associate agreement (BAA) with clients when we handle PHI as part of our services, as HIPAA requires.
- Maintain audit logs, change records, and security event documentation that support evidence gathering during assessments.
- Coordinate with auditors on technical questions during HIPAA risk assessments and Office for Civil Rights inquiries.
- Provide phishing simulations and security awareness training resources through our blog — HIPAA requires workforce training, and trained employees are measurably less likely to cause breaches.
- Help identify gaps between your current IT posture and HIPAA's technical requirements, so your team can address them before an audit or incident surfaces them.
What we do not do: perform HIPAA risk assessments as a certified auditor, issue HIPAA compliance certifications (HIPAA does not have a government certification program), or assume legal responsibility for your organization's compliance posture. These are boundaries every legitimate HIPAA IT partner should be explicit about.
Frequently Asked Questions
Does HIPAA apply to my business if I am not a medical practice?
HIPAA applies to any business that handles protected health information on behalf of a covered entity. This includes billing companies, IT providers, cloud vendors, transcription services, claims processors, and legal firms handling medical records. If your business touches PHI, you are likely a business associate and HIPAA applies.
What is a business associate agreement (BAA)?
A business associate agreement, or BAA, is a written contract between a covered entity and a business associate that specifies how PHI will be protected. HIPAA requires a BAA whenever PHI is shared with a vendor. Facet Technologies signs BAAs with clients whose services involve handling PHI.
Is HIPAA certification a real thing?
HIPAA does not have an official government certification program. Private organizations offer HIPAA training certifications for individuals and third-party audit attestations for businesses, but there is no federal HIPAA certification equivalent to FedRAMP authorization or CMMC certification. Claims of "HIPAA certified" software or services should be read carefully.
How much do HIPAA violations cost?
HIPAA penalties are tiered by culpability. As of 2024 adjusted amounts, violations due to lack of knowledge start at $141 per violation; willful neglect violations can reach $71,162 per violation, capped at $2.1 million per category per year. Criminal penalties also apply in cases of knowing misuse of PHI.
What happens during a HIPAA audit?
The HHS Office for Civil Rights conducts periodic audits and investigations triggered by complaints or breach reports. Auditors review policies, access logs, risk assessments, BAAs, and evidence of workforce training. Facet Technologies provides documentation support and auditor coordination for clients during HIPAA assessments.
Does Facet Technologies sign BAAs?
Yes. When Facet's services involve handling PHI — which applies to most managed IT engagements with healthcare providers and business associates — we sign a business associate agreement that specifies our obligations under HIPAA. This is standard practice for any HIPAA-aware MSP.
How long does HIPAA readiness take?
Most businesses with modern IT infrastructure can reach HIPAA Technical Safeguards readiness within 60 to 90 days. Businesses starting from older systems, unmanaged devices, or no centralized security may need longer. We provide a specific timeline after an initial assessment of your environment.
Ready to Strengthen Your HIPAA Posture?
Whether you are a business associate preparing for your first BAA, a medical practice strengthening your Security Rule controls, or a software vendor handling PHI, the right time to address HIPAA is before an auditor or incident does it for you. Facet Technologies can assess your current posture and help build a roadmap.
Let's Talk About Your HIPAA Needs
Send us a message or book a consultation directly — whichever works better for you.
HIPAA compliance is the legal responsibility of your business. Facet Technologies provides managed IT and cybersecurity services that support your HIPAA program, including signing a business associate agreement when services involve protected health information, but does not certify, warrant, or assume responsibility for your regulatory compliance status. For legal interpretation of HIPAA requirements, consult a qualified compliance consultant or attorney.
