MFA, Encryption, Annual Pen Tests: The New HIPAA Checklist No Clinic Can Skip

For years, a lot of the HIPAA Security Rule read like a suggestion. Safeguards were “addressable,” which many clinics quietly interpreted as optional. That era is over. The updated Security Rule now in effect spells out specific, mandatory controls, and the Office for Civil Rights is already citing them in enforcement actions.

If you run a clinic or practice, the gap between “we’re probably compliant” and “we can prove it” just got a lot more expensive. Here is what the rule actually requires, and how to close each gap.

Universal multi-factor authentication

MFA is no longer something you turn on for the IT admin and forget about everyone else. The rule expects it across systems that touch electronic protected health information (ePHI), which in most practices means your EHR, email, remote access, and cloud apps. A stolen password alone should not be enough to reach patient records.

This is usually the fastest win, and it’s where BIS Rampart Defend starts. We deploy and enforce MFA across your environment so every login to ePHI is verified, without grinding your front desk to a halt.

Encryption at rest and in transit

ePHI now has to be encrypted both when it is stored and when it moves. That covers laptops and servers, the databases behind your EHR, and any file or message carrying patient data between systems. An encrypted laptop left in a car is an inconvenience. An unencrypted one is a reportable breach.

BIS Rampart Secure handles encryption across endpoints, email, and storage so protected data stays unreadable to anyone who shouldn’t have it, whether the device is sitting in your office or lost in a parking lot.

Annual penetration testing

The rule calls for a yearly penetration test, a controlled, real-world attempt to break into your systems the way an actual attacker would. A vulnerability scanner tells you which doors might be unlocked. A pen test tells you which ones a person can actually walk through.

BIS Rampart Risk Management runs annual penetration testing and turns the results into a prioritized fix list, so you are remediating the findings that matter rather than drowning in a raw report.

Vulnerability scans every six months

On top of the annual pen test, you are now expected to run vulnerability scans at least twice a year. Software changes, patches lag, and new weaknesses appear constantly. A point-in-time check from last year tells you almost nothing about today.

Through BIS Managed Care, we run these scans on schedule and patch what they surface, so your six-month checkpoints are documented and your systems stay current between them.

A complete asset inventory

You cannot protect what you don’t know you have. The rule requires a current inventory of the systems and devices that create, receive, store, or transmit ePHI, along with a map of how that data flows. For most clinics this is the missing foundation that makes every other requirement harder than it should be.

BIS Technology Assessment builds and maintains that inventory, giving you a living record of your assets and data flows that supports both your security work and your audit documentation.

The real point: be able to prove it

The thread running through all of this is documentation. Under the updated rule, having the controls is not enough. You need evidence that they are in place, tested, and maintained. When OCR comes asking, “we think we’re fine” is not an answer.

That is where it helps to have a partner who lives in this every day. BIS works with healthcare practices across the Gulf Coast to map each HIPAA requirement to a specific safeguard, put the controls in place, and keep the records that prove it.

If you are not certain your clinic could pass an audit tomorrow, start with a HIPAA risk assessment from BIS. It is the cleanest way to find your gaps before a regulator, or an attacker, finds them for you.
