Atlantic Health Strategies

Why Behavioral Health and Medical Practices Need Specialized Managed IT and Microsoft 365 Support


Why specialized healthcare IT matters (and what it actually means)

Behavioral health and medical practices need specialized managed IT because generic providers typically do not configure environments for HIPAA, do not handle 42 CFR Part 2, and do not sign Business Associate Agreements that cover PHI workflows. The numbers force the issue. In 2024, 725 large healthcare data breaches were reported to the HHS Office for Civil Rights (OCR), and more than 275 million people had their data exposed, stolen, or impermissibly disclosed. That same year, OCR closed 22 investigations with financial penalties, collecting $12,841,796.

Medical and behavioral health providers handle diagnoses, prescriptions, mental health records, and substance use information. A misconfigured server, an unencrypted email, or a successful phishing attack can trigger a reportable breach. Front desk staff who cannot reach the schedule, providers who drop a telehealth session, billers locked out of the practice management system: every one of those events hits patient care and revenue at the same time.

A managed service provider that primarily supports retail shops or law firms does not understand clinical workflow pressure or the compliance footprint a behavioral health operator carries every day. That gap shows up in audits, whether the surveyor is from the Joint Commission, CARF, or a state licensure body like Florida AHCA. Shook, Hardy & Bacon’s review of 2024 OCR actions found that 15 of 20 enforcement matters involved the Security Rule, and inadequate risk analysis appeared in 13 of them.

What HIPAA-compliant IT actually looks like in a clinical environment

The phrase “HIPAA-compliant” gets used loosely. The Security Rule is issued by HHS and enforced by its Office for Civil Rights, and it is specific about what it expects. A defensible environment includes encryption of PHI in transit and at rest, role-based access controls with audit trails, a documented risk analysis, tested backups, and a current Business Associate Agreement for every vendor that touches PHI.

Risk analysis is not optional and it is where most operators get caught. OCR has stated that risk analysis failures are by far the most commonly identified HIPAA violations in its enforcement actions. Recent settlements show how that translates into dollars: in December 2024, OCR imposed a $1.19 million penalty against Gulf Coast Pain Consultants for HIPAA Security Rule violations, and a $548,265 penalty against Children’s Hospital Colorado. Earlier in 2024, OCR settled a ransomware investigation for $950,000.

Per-violation exposure is not theoretical either. As codified for 2024 under 45 CFR 102.3, HIPAA per-violation amounts range from $141 to $71,162 in Tiers 1 through 3, and up to $2,134,831 in Tier 4. We tell operators in Florida, Tennessee, and Utah the same thing: documented controls beat clever explanations every time, whether the auditor comes from OCR, the DEA, or a state Medicaid SIU.

Microsoft 365 is not HIPAA-compliant out of the box. It has to be configured.

Microsoft 365 can support a HIPAA-compliant environment. It does not arrive that way. Microsoft enters into Business Associate Agreements with its covered entity and business associate customers, and the BAA is included in the Microsoft Online Services Data Protection Addendum by default. That contract does not configure your tenant. You do.

Microsoft itself is direct about this shared model: “Your organization is wholly responsible for ensuring compliance with all applicable laws and regulations.” When my team builds a Microsoft 365 environment for a behavioral health client in Florida or Arizona, we configure Exchange Online with Data Loss Prevention policies that detect PHI in outbound mail, deploy Intune to enforce encryption and remote wipe across the device fleet, segment SharePoint and OneDrive by role, and turn on Defender for real-time threat monitoring. Coverage extends only to Online Services Microsoft designates as HIPAA-eligible in the Product Terms, which typically includes Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams.

Teams becomes the secure communication backbone (with the right controls, it supports HIPAA-eligible telehealth video). SharePoint becomes the policy and clinical-document library with version control and access logging, the kind a Joint Commission or CARF surveyor will actually want to see during an Environment of Care (EOC) tour. None of that happens by clicking through a setup wizard.
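The Exchange Online DLP configuration described above, and the "configure DLP, audit logging and the rest before storing PHI" point in the FAQ, look like this in practice. This is an added example, not code from Atlantic Health Strategies or from Microsoft's documentation. It uses the ExchangeOnlineManagement module's Security & Compliance cmdlets; the policy name, rule name, report mailbox and the sample text are assumptions for illustration, and the built-in sensitive information type names must match the Purview catalog in your tenant (Get-DlpSensitiveInformationType lists them).

```powershell
# Added example, not code from Atlantic Health Strategies. Assumes the
# ExchangeOnlineManagement module is installed and the signed-in account
# holds the Compliance Administrator role. Policy name, rule name, the
# report mailbox and the sample text below are assumptions.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline    # mailbox, audit and classification-test cmdlets
Connect-IPPSSession       # Security & Compliance (DLP policy) cmdlets

$PolicyName    = 'PHI-Outbound-Email'        # assumed name
$ReportMailbox = 'compliance@example.com'    # assumed mailbox

# Built-in Purview sensitive information types that indicate PHI in a
# clinical practice. Names must match the catalog exactly.
$PhiTypes = @(
    @{ Name = 'U.S. Social Security Number (SSN)';                    minCount = '1' },
    @{ Name = 'International Classification of Diseases (ICD-10-CM)'; minCount = '1' },
    @{ Name = 'Drug Enforcement Agency (DEA) Number';                 minCount = '1' }
)

# Step 1: create the policy in test mode. TestWithNotifications shows the
# sender a policy tip but blocks nothing, so false positives surface before
# anyone's outbound mail is stopped.
New-DlpCompliancePolicy -Name $PolicyName `
    -Comment 'Detect PHI leaving the tenant by email' `
    -ExchangeLocation All `
    -Mode TestWithNotifications

# Step 2: the rule. Match any listed type, apply only when a recipient is
# outside the organization, block the send, tell the sender why, and file
# an incident report so the compliance team sees every hit.
New-DlpComplianceRule -Name "$PolicyName-Block-External" `
    -Policy $PolicyName `
    -ContentContainsSensitiveInformation $PhiTypes `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -NotifyUser Owner `
    -NotifyPolicyTipCustomText 'This message appears to contain PHI. Send it encrypted or remove the data.' `
    -GenerateIncidentReport $ReportMailbox `
    -IncidentReportContent 'Title', 'Detections', 'Severity' `
    -ReportSeverityLevel High

# Step 3: confirm the classifiers actually fire on realistic text before
# trusting the rule. The sample is constructed: the SSN is a placeholder,
# F11.20 is a real ICD-10-CM code, and BB1234563 passes the DEA checksum.
# Whether a type reports a match depends on its keyword and confidence
# rules, which is exactly why you test rather than assume.
$Sample = 'Patient SSN 123-45-6789, diagnosis F11.20, prescriber DEA BB1234563'
$Result = Test-DataClassification -TextToClassify $Sample
$Result.ClassificationResults | Format-Table ClassificationName, Count, Confidence

# Step 4: DLP evidence is only useful if the unified audit log is ingesting.
$Audit = Get-AdminAuditLogConfig
if (-not $Audit.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Step 5: after the test period, review the rule as deployed, then enforce.
Get-DlpComplianceRule -Policy $PolicyName |
    Format-List Name, Disabled, BlockAccess, AccessScope
Set-DlpCompliancePolicy -Identity $PolicyName -Mode Enable
```

Two design choices matter for an audit. The policy starts in TestWithNotifications rather than Enable so the incident reports from the test window become the documented evidence that the control was tuned before enforcement, and the rule is scoped with AccessScope NotInOrganization so internal care-team mail is not blocked while external disclosure is. Extending the same policy to SharePoint, OneDrive and Teams is a matter of adding the corresponding location parameters to New-DlpCompliancePolicy.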

Behavioral health adds a second compliance regime: 42 CFR Part 2

Substance use treatment providers are not just HIPAA-regulated. They are also bound by 42 CFR Part 2, the federal confidentiality rule for SUD records, enforced jointly by SAMHSA and OCR. On February 8, 2024, HHS announced a final rule modifying the Confidentiality of Substance Use Disorder Patient Records regulations at 42 CFR Part 2. The rule went into effect on April 16, 2024, with enforcement of the updated Part 2 rules starting on February 16, 2026.

That alignment with HIPAA is not a relaxation. The 2024 Final Rule applies the HIPAA Breach Notification Rule requirements to Part 2 programs and provides for both civil and criminal penalties. Practically, that means IT systems holding SUD records in Tennessee or Florida have to support patient-consent tracking, redisclosure notices, and breach reporting in ways most general MSPs have never built before. The DEA also sits in the background here for any program prescribing buprenorphine, and DOJ has been active on Part 2 disclosure questions tied to federal investigations.

Telehealth platforms (SimplePractice, TherapyNotes, Doxy.me, Zoom for Healthcare) each have distinct technical and BAA requirements. Network segmentation between guest Wi-Fi, waiting room devices, and clinical networks limits the blast radius if anything goes wrong. Staff security awareness training is not a checkbox. As of September 2025, phishing represents the most common access vector for healthcare data breaches, accounting for 16% of breaches.

How to evaluate a managed IT partner before you sign

If you are evaluating providers, do not lead with price or response time. Lead with healthcare experience. Ask directly: how many of your current clients are medical or behavioral health practices? Will you sign a Business Associate Agreement, and can you walk me through your last HIPAA risk analysis for a similar client? Can you produce documentation that would hold up in front of an OCR investigator, a Joint Commission surveyor, or a CMS auditor?

A useful filter: healthcare breaches cost an average of $7.42 million per incident, the costliest of any industry. If a prospective MSP hesitates on a BAA, treats risk analysis as a one-time exercise, or cannot name the in-scope services under Microsoft’s HIPAA BAA, you have your answer. Look for proactive monitoring (patches, alerts, log review) rather than break-fix response, Microsoft credentialing tied to actual healthcare deployments, and flat-rate pricing with clear terms about what triggers add-ons.

I work with operators across Florida, Tennessee, Arizona, and Utah. The ones who sleep at night have the same things in common: a current Microsoft BAA they can produce on demand, a documented annual risk analysis, MFA enforced on every account, encrypted and tested backups, and an MSP who picks up the phone when a surveyor from CARF, the Joint Commission, or Florida AHCA walks in.

Frequently asked questions

Is Microsoft 365 HIPAA-compliant out of the box?

No. Microsoft offers a Business Associate Agreement covering in-scope services like Exchange Online, SharePoint Online, OneDrive for Business, and Teams, and that BAA is available through the Microsoft Online Services Data Protection Addendum by default. However, Microsoft states the customer is wholly responsible for ensuring compliance. You still have to configure DLP, MFA, encryption, access controls, audit logging, and Intune device policies before storing PHI, and you have to be able to produce that documentation for OCR or the Joint Commission.

What is the maximum HIPAA fine my practice could face from OCR?

As codified for 2024, per-violation HIPAA amounts range from $141 to $71,162 in Tiers 1 through 3, and up to $2,134,831 per violation category per year in Tier 4. Real recent examples: OCR imposed a $1.19 million penalty against Gulf Coast Pain Consultants in December 2024 and a $950,000 settlement in a Security Rule case in July 2024. In 2024, OCR collected $12,841,796 across 22 enforcement actions.

Does 42 CFR Part 2 add IT requirements beyond HIPAA for SUD providers?

Yes. The 2024 SAMHSA/OCR Final Rule (effective April 16, 2024, with enforcement of the updated rules starting February 16, 2026) aligned Part 2 with HIPAA but also applied the HIPAA Breach Notification Rule to Part 2 programs and added civil and criminal penalty exposure. Your IT environment has to support consent tracking, redisclosure notices, and breach reporting for SUD records, not just general PHI.

What is the single biggest IT risk facing behavioral health practices right now?

Phishing. As of September 2025, phishing was the most common access vector for healthcare data breaches, accounting for 16% of breaches. Combined with inadequate risk analysis (cited in 13 of 20 OCR enforcement matters from 2024), under-trained staff and untested controls are what move a practice from a near-miss to a reportable incident.
