Becoming HIPAA Compliant

A practical, plain-English guide to becoming HIPAA compliant — the safeguards that matter, plus straight answers on backups, automatic logoff, dentist HIPAA forms, and Google Workspace.

The path to becoming HIPAA compliant

Becoming HIPAA compliant isn't a certificate you buy — it's a program you build and maintain. HIPAA's Security Rule organizes the work into three kinds of safeguards: administrative, physical, and technical. The Privacy Rule layers on rules about how PHI may be used and disclosed. Here's the practical sequence most organizations follow:

  1. Run a security risk analysis. Inventory where PHI lives, how it moves, and where it's exposed. This is the foundation — and the first thing auditors ask for.
  2. Appoint a Privacy Officer and Security Officer. Even a one-person role satisfies the requirement; someone must own compliance.
  3. Write policies and procedures covering access, breach response, sanctions, and data handling — then actually follow them.
  4. Train your workforce and document that training.
  5. Sign Business Associate Agreements (BAAs) with every vendor that creates, receives, stores, or transmits PHI — your host, email provider, form tool, and more.
  6. Implement technical safeguards: encryption, unique logins, multi-factor authentication, automatic logoff, audit logging, and backups.
  7. Reassess regularly. Compliance is maintained through periodic risk assessments, not finished once.

Several of these steps live in your infrastructure. Running on HIPAA compliant hosting with a signed BAA covers encryption, backups, audit logging, and access controls for your website — a large slice of the technical safeguards in one move.

Data backup and recovery under HIPAA

HIPAA's contingency plan standard (45 CFR 164.308(a)(7)) is where data backup and recovery live. It requires three connected plans:

  • Data backup plan — keep retrievable, exact copies of all ePHI.
  • Disaster recovery plan — a documented process to restore lost data and systems.
  • Emergency mode operation plan — keep protecting PHI while operating in crisis mode.

Good backups aren't just "we have copies somewhere." For HIPAA, backups should be encrypted, stored so a single ransomware event or hardware failure can't destroy both the primary data and the backup, and tested regularly — an untested backup that won't restore is a recovery plan in name only. This is one of the strongest reasons to choose hosting that includes encrypted, monitored, regularly tested backups as part of the platform.
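The "tested regularly" point above is the one most often skipped, so here is an added illustration of what a restore test can look like in code. This is hypothetical example code, not code from the page or from any hosting provider: it archives a directory, records a SHA-256 manifest taken from the live data, then restores into a scratch directory and compares every file against that manifest. Encryption of the archive at rest is assumed to be handled by the storage layer or a separate tool and is not shown; the file names and sample records are constructed for the demo.

```python
"""Backup manifest plus a verified test restore (hypothetical example code).
Assumes the archive is encrypted at rest by the storage layer; that step is
not shown here. Sample data below is constructed for the demonstration."""
from __future__ import annotations

import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large ePHI exports don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, dest_dir: Path) -> tuple[Path, Path]:
    """Archive src into dest_dir and write a manifest of per-file hashes taken
    from the live data, so a later restore can be checked against the source."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / "ephi-backup.tar.gz"
    manifest_path = dest_dir / "ephi-backup.manifest.json"
    files = {}
    with tarfile.open(archive, "w:gz") as tar:
        for file in sorted(p for p in src.rglob("*") if p.is_file()):
            rel = file.relative_to(src).as_posix()
            files[rel] = sha256_file(file)
            tar.add(file, arcname=rel)
    manifest = {"files": files, "archive_sha256": sha256_file(archive)}
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return archive, manifest_path


def verify_restore(archive: Path, manifest_path: Path) -> list[str]:
    """Restore into a scratch directory and compare every file to the manifest.
    Returns a list of problems; an empty list means the backup restores cleanly."""
    manifest = json.loads(manifest_path.read_text())
    problems: list[str] = []
    if sha256_file(archive) != manifest["archive_sha256"]:
        problems.append("archive hash mismatch (corrupted or tampered)")
        return problems  # no point extracting a damaged archive
    # Use the 'data' extraction filter where the interpreter supports it;
    # it rejects absolute paths and path traversal inside the archive.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch, **extract_kwargs)
        for rel, expected in manifest["files"].items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append(f"missing after restore: {rel}")
            elif sha256_file(restored) != expected:
                problems.append(f"content mismatch: {rel}")
    return problems


def run_demo() -> dict[str, list[str]]:
    """Build a constructed sample dataset, back it up, and run three restore
    tests: a clean restore, a manifest that no longer matches, and a corrupted archive."""
    with tempfile.TemporaryDirectory() as d:
        src = Path(d) / "data"
        (src / "charts").mkdir(parents=True)
        (src / "charts" / "p1.txt").write_bytes(b"constructed sample record 1")
        (src / "index.txt").write_bytes(b"constructed sample index")
        archive, manifest_path = make_backup(src, Path(d) / "backup")
        clean = verify_restore(archive, manifest_path)

        # Simulate a file whose restored content would differ from what was backed up.
        manifest = json.loads(manifest_path.read_text())
        manifest["files"]["index.txt"] = "0" * 64
        tampered_manifest = Path(d) / "tampered.manifest.json"
        tampered_manifest.write_text(json.dumps(manifest))
        mismatch = verify_restore(archive, tampered_manifest)

        # Simulate bit rot or tampering in the archive itself.
        data = archive.read_bytes()
        archive.write_bytes(data[:-1] + bytes([data[-1] ^ 0xFF]))
        corrupted = verify_restore(archive, manifest_path)
    return {"clean": clean, "mismatch": mismatch, "corrupted": corrupted}


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(f"{name}: {'OK' if not problems else problems}")
```

Scheduling `verify_restore` on a copy pulled from the off-site location, and recording its result, is what turns "we have copies somewhere" into evidence that the data backup plan works.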

Automatic logoff times under HIPAA

Automatic logoff (45 CFR 164.312(a)(2)(iii)) is a technical safeguard that ends an electronic session after a period of inactivity, so an unattended workstation can't expose PHI. A common surprise: HIPAA does not specify a required number of minutes.

Automatic logoff is an "addressable" specification, which means you set the timeout based on your own risk analysis and environment, then document the decision. Practical ranges most organizations land on:

  • 10–15 minutes for workstations in semi-private clinical or back-office areas.
  • 2–5 minutes for high-exposure devices — front desks, shared kiosks, or tablets in public areas.
  • Session timeouts on web applications and portals that handle ePHI, not just desktop logins.

The standard isn't a magic number — it's choosing a reasonable timeout, applying it consistently, and writing down why.
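Because the timeout applies to web sessions as well as desktop logins, here is an added example of how an application can enforce it server-side. This is hypothetical example code, not from the page: a session store that tracks last activity per session, applies a different idle limit per device class, adds an absolute session lifetime on top, and writes each forced logoff to an audit list. The `IDLE_TIMEOUT_SECONDS` tiers and `ABSOLUTE_LIFETIME_SECONDS` are constructed values mirroring the ranges above; your own numbers come from your risk analysis.

```python
"""Inactivity-based session expiry for a web application handling ePHI
(hypothetical example code). Timeout values are constructed to mirror the
ranges in the text; choose and document your own from your risk analysis."""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass

# Constructed policy: idle timeout in seconds per workstation/device class.
IDLE_TIMEOUT_SECONDS = {
    "back_office": 15 * 60,  # semi-private clinical or back-office workstations
    "front_desk": 2 * 60,    # high-exposure devices: front desks, kiosks, public tablets
}
# Constructed absolute lifetime: force re-authentication even if a session stays active.
ABSOLUTE_LIFETIME_SECONDS = 8 * 60 * 60


@dataclass
class Session:
    user: str
    device_class: str
    created_at: float
    last_activity: float


class SessionStore:
    """In-memory session table keyed by a random token. A real deployment keeps
    this state server-side (never only in a client cookie) and persists it."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be tested without sleeping
        self._sessions: dict[str, Session] = {}
        self.audit_log: list[str] = []  # forced logoffs belong in the audit trail

    def login(self, user: str, device_class: str) -> str:
        if device_class not in IDLE_TIMEOUT_SECONDS:
            raise ValueError(f"unknown device class: {device_class}")
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[token] = Session(user, device_class, now, now)
        return token

    def touch(self, token: str) -> bool:
        """Call on every authenticated request. Returns False, and ends the
        session, when the idle limit or the absolute lifetime has been exceeded."""
        session = self._sessions.get(token)
        if session is None:
            return False
        now = self._clock()
        if now - session.last_activity > IDLE_TIMEOUT_SECONDS[session.device_class]:
            self._end(token, session, "idle-timeout")
            return False
        if now - session.created_at > ABSOLUTE_LIFETIME_SECONDS:
            self._end(token, session, "absolute-lifetime")
            return False
        session.last_activity = now
        return True

    def _end(self, token: str, session: Session, reason: str) -> None:
        del self._sessions[token]
        self.audit_log.append(
            f"user={session.user} device={session.device_class} reason={reason}"
        )

    def active_count(self) -> int:
        return len(self._sessions)


if __name__ == "__main__":
    fake_now = [1000.0]
    store = SessionStore(clock=lambda: fake_now[0])
    front = store.login("alice", "front_desk")
    back = store.login("bob", "back_office")
    fake_now[0] += 3 * 60  # three minutes of inactivity on both sessions
    print("front desk still valid:", store.touch(front))   # False: 2-minute limit
    print("back office still valid:", store.touch(back))   # True: within 15 minutes
    print(store.audit_log)
```

The check runs on every request rather than on a timer, so a session that went idle is rejected the moment it is next used, and the audit entry gives you the record that the documented timeout was actually applied.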

Do dentists have to have patients sign a HIPAA form?

Yes — but it's worth understanding what patients are signing, because the "HIPAA form" at the front desk is widely misunderstood. Dental practices, like all covered entities, must give patients a Notice of Privacy Practices (NPP) that explains how the practice uses and protects their information, and make a good-faith effort to get a written acknowledgment that the patient received it.

Key points dentists (and patients) often get wrong:

  • The signature is an acknowledgment of receiving the notice — not consent to treatment and not authorization to share data.
  • If a patient refuses to sign, the practice can still treat them — it just documents the good-faith effort to obtain the acknowledgment.
  • A separate, specific written authorization is only required for uses of PHI beyond treatment, payment, and healthcare operations (for example, marketing or selling data).

So the front-desk form is real and required, but it's an NPP acknowledgment — keep the documentation, and don't confuse it with treatment consent.

Is Google Workspace HIPAA compliant? An implementation guide

Google Workspace can be HIPAA compliant — but it isn't automatically, and signing the BAA alone doesn't get you there. Google supports HIPAA compliance and publishes a HIPAA Implementation Guide describing exactly how to configure Workspace; compliance depends on actually following it. The implementation steps:

  1. Sign the BAA from the Google Admin console (Account → Legal & compliance). Without it, no Workspace service may hold PHI.
  2. Restrict PHI to BAA-covered "Core Services" (Gmail, Drive, Calendar, Meet, and others named in the BAA). Turn off or restrict services the BAA does not cover so PHI can't leak into them.
  3. Enforce access controls: unique accounts, multi-factor authentication, and least-privilege admin roles.
  4. Enable encryption and logging — Workspace encrypts data in transit and at rest by default; turn on audit logs and alerting.
  5. Configure sharing and DLP so PHI in Drive and Gmail isn't shared externally by accident; add data-loss-prevention rules where available.
  6. Train staff and document the configuration in your risk analysis.

For email specifically — including adding encrypted delivery on top of Gmail — see our best HIPAA compliant email guide.

Becoming HIPAA compliant — FAQ

What does becoming HIPAA compliant involve?
Becoming HIPAA compliant means implementing the administrative, physical, and technical safeguards in the HIPAA Security Rule and the requirements of the Privacy Rule. The core steps are: complete a security risk analysis, appoint a privacy and security officer, write policies and procedures, train staff, sign Business Associate Agreements with every vendor that touches PHI, encrypt and back up data, control access with unique logins and automatic logoff, and keep audit logs. Compliance is ongoing — it's maintained through regular risk assessments, not achieved once.
What are the HIPAA data backup and recovery requirements?
HIPAA's contingency plan standard (45 CFR 164.308(a)(7)) requires a data backup plan, a disaster recovery plan, and an emergency mode operation plan. You must keep retrievable, exact copies of ePHI, be able to restore lost data, and continue protecting PHI during an emergency. Backups must be encrypted, tested regularly so you know they actually restore, and stored so a single failure or ransomware event can't destroy both the primary data and its backup.
What are the automatic logoff time requirements under HIPAA?
HIPAA requires automatic logoff (45 CFR 164.312(a)(2)(iii)) as an addressable technical safeguard, but it does not specify an exact number of minutes. You set a timeout based on your own risk analysis and environment. Common practice is 10–15 minutes for workstations in semi-public areas and as little as 2–5 minutes for devices in high-exposure spaces like front desks or shared kiosks. The key is to choose a reasonable timeout, apply it consistently, and document the decision.
Do dentists have to have patients sign a HIPAA form?
Dentists must give patients a Notice of Privacy Practices (NPP) and make a good-faith effort to obtain a written acknowledgment that the patient received it — so yes, patients typically sign a HIPAA form, but it is an acknowledgment of the notice, not consent to treatment or to share data. If a patient refuses to sign, the dental practice can still treat them as long as it documents the good-faith effort to obtain the acknowledgment. Separate written authorization is only required for uses of PHI beyond treatment, payment, and healthcare operations.
Is Google Workspace HIPAA compliant?
Google Workspace can be HIPAA compliant, but only if you take the required steps. You must sign Google's BAA from the Admin console, then restrict use to the services the BAA covers, turn off or limit non-covered services, enable encryption and multi-factor authentication, configure access controls and audit logging, and train staff. Google publishes a HIPAA Implementation Guide describing exactly how to configure Workspace. Signing the BAA alone is not enough — compliance depends on configuring the environment to match the guide.

Related: best HIPAA compliant email, HIPAA compliant WordPress forms, and ePHI hosting.

Cover your technical safeguards in one move

Encrypted storage, tested backups, audit logging, access controls, and a signed BAA — our HIPAA compliant hosting handles the infrastructure side of compliance so you can focus on patients.