Cybersecurity for Health Care Practices in Chicagoland
Health care practices in Chicago and across Chicagoland face some of the strictest cybersecurity obligations of any industry, and those obligations are about to get stricter. HHS's proposed update to the HIPAA Security Rule would remove the long-standing distinction between 'required' and 'addressable' safeguards, meaning practices can no longer treat controls like encryption and multi-factor authentication as optional. This guide covers what's required today, what's coming, and how CelereTech helps Chicagoland practices stay compliant without a full-time IT security staff. See also our broader managed IT for health care overview.
Frequently Asked Questions
What is the HIPAA Security Rule and who does it apply to?
The HIPAA Security Rule requires covered entities (health care providers, health plans, health care clearinghouses) and their business associates to implement administrative, physical, and technical safeguards to protect electronic protected health information (ePHI). It applies to every practice that creates, receives, maintains, or transmits ePHI, regardless of size — a two-provider practice has the same underlying obligations as a large hospital system, just scaled to its risk and resources.
What changed with the HIPAA Security Rule update proposed in December 2024?
HHS's Office for Civil Rights published the first proposed update to the Security Rule since 2013. The proposal removes the 'addressable' category entirely — every implementation specification becomes required, with only narrow, documented exceptions. It also proposes mandatory encryption of ePHI at rest and in transit, mandatory multi-factor authentication, an annually updated technology asset inventory and network map, and network segmentation. The rule is expected to be finalized with a compliance window measured in months after finalization, not years.
Is a HIPAA risk analysis actually required, or is it a best practice?
It's required, and it's the single most commonly cited violation in HHS enforcement actions — more than half of recent enforcement actions involved an inadequate or missing risk analysis. A proper risk analysis identifies where ePHI lives across your systems, what could go wrong, how likely each threat is, and what safeguards address the gap. It has to be a real, documented process tied to your actual technology inventory, not a generic checklist filled out once and forgotten.
How quickly must a health care practice report a security incident?
Under current HIPAA rules, breaches affecting 500 or more individuals must be reported to HHS OCR, affected individuals, and in most cases the media, without unreasonable delay and no later than 60 days after discovery. The proposed Security Rule update would tighten incident response even further, requiring practices to restore certain systems within 72 hours and requiring business associates to notify covered entities within 24 hours of activating a contingency plan — a much faster clock than practices are used to today.
What is a Business Associate Agreement and why does my IT provider need one?
A Business Associate Agreement (BAA) is a contract required whenever a vendor creates, receives, maintains, or transmits ePHI on your behalf — including your managed IT provider, cloud backup vendor, and email hosting provider. The BAA obligates the vendor to the same safeguard and breach-notification standards you're held to. Any IT provider unwilling to sign a BAA should not be handling any system that touches patient data, full stop.
Does a small practice really need multi-factor authentication?
Yes, and it's about to stop being optional. MFA is one of the technical controls explicitly named in the proposed Security Rule update, and it's already considered a baseline expectation by HHS OCR when evaluating whether a practice's safeguards were reasonable. A stolen or guessed password without MFA is often all that stands between an attacker and your entire patient database.
What encryption is required for patient data?
Encryption of ePHI both at rest (stored on servers, laptops, and backups) and in transit (sent over networks, including email) is being made an explicit, non-negotiable requirement under the proposed rule, closing the loophole that previously let some practices treat encryption as addressable. In practice, this means encrypted hard drives, encrypted backups, and a secure, encrypted method for any electronic communication containing patient information — a standard consumer email account does not meet this bar.
How does a managed IT provider help with HIPAA compliance?
A managed IT provider handles the technical half of HIPAA compliance: conducting and documenting the risk analysis, deploying encryption and MFA across every device and system, maintaining the technology asset inventory the proposed rule will require, monitoring for and responding to security incidents within the tightening notification windows, and signing a BAA that puts contractual weight behind those obligations. CelereTech works alongside your practice's own HIPAA privacy policies to cover the technical safeguards specifically.
What happens if a health care practice is found non-compliant with HIPAA?
Penalties are tiered based on the level of culpability, ranging from a few hundred dollars per violation for unknowing violations to over $2 million per violation category per year for willful neglect that isn't corrected. Beyond financial penalties, practices found non-compliant after a breach face corrective action plans, mandatory audits, and reputational damage that can be more costly than the fine itself — patients switch providers over data breaches.
Can a small practice handle HIPAA compliance without a dedicated IT security team?
Yes — this is exactly the gap managed IT services close. A two- or five-provider practice doesn't need to hire a full-time security engineer to meet HIPAA's technical safeguard requirements; it needs a partner who already runs this playbook for other practices and can implement, document, and monitor the required controls as an ongoing managed service rather than a one-time project.
How does network segmentation help with HIPAA compliance?
Network segmentation — dividing your network into isolated zones so that a compromise in one area (like a guest Wi-Fi network) can't reach systems holding ePHI — is named explicitly in the proposed Security Rule update. For a practice, this typically means separating clinical systems and patient records from general office and guest network traffic, so a single infected device doesn't become a practice-wide breach.
Should a health care practice have cyber insurance in addition to HIPAA compliance?
Yes — HIPAA compliance and cyber insurance address different risks and increasingly reinforce each other. Cyber insurers now specifically underwrite healthcare practices based on HIPAA-aligned controls (MFA, EDR, encrypted backups), and healthcare practices typically pay more for coverage — often $3,000 to $7,500 annually — specifically because of HIPAA's stricter requirements and the sensitivity of patient data. See our cyber insurance requirements guide for what underwriters expect.
Related Guides
Ready to Get Expert Help with Cybersecurity?
Get a free assessment and see exactly how CelereTech can support your business.