A HIPAA compliance matrix for healthcare practices in Irvine, CA. Maps Security Rule, Privacy Rule, HITECH, and California CMIA requirements so clinics, dental offices, and medical groups can find gaps and prioritize remediation.
Irvine's healthcare sector spans large medical groups near Hoag and UCI Health, specialty clinics around the Irvine Spectrum, dental practices, behavioral health providers, and the growing digital health firms clustered in Irvine's office parks. Every one of these organizations handles protected health information (PHI) and must satisfy the HIPAA Security Rule and Privacy Rule, the HITECH breach-notification mandates, and California's stricter Confidentiality of Medical Information Act (CMIA). This matrix maps the IT and security controls that matter most against those four frameworks, so an Irvine practice can see at a glance which safeguards are required, which apply only under certain conditions, and where each framework adds obligations the others do not. One caveat on reading the "Required" column: several Security Rule implementation specifications (encryption and automatic logoff among them) are labeled "addressable" by HHS, which means the practice must either implement the control or document why it is not reasonable and appropriate and what equivalent measure it uses instead; addressable never means optional. Use the matrix to scope a risk analysis, prepare for an audit, or evaluate whether your current IT support is keeping you compliant.
| Requirement | Category | HIPAA Security Rule | HIPAA Privacy Rule | HITECH | California CMIA |
|---|---|---|---|---|---|
| Security Risk Analysis: Conduct and document an accurate, organization-wide assessment of risks and vulnerabilities to all electronic PHI, covering every system, device, and vendor that stores or touches it. This is the foundational Security Rule control and the most common finding in OCR enforcement actions. It must be reviewed and updated when systems, vendors, or threats change, not just once at onboarding. | Administrative Safeguards | Required | Conditional | Required | Conditional |
| Unique User Identification and MFA: Assign a unique name or number to track each user accessing PHI, and enforce multi-factor authentication on EHR systems, email, and remote access. Unique user identification is a required implementation specification; the current Security Rule text does not name MFA, but it is the expected outcome of the risk analysis for remote and privileged access, and HHS has proposed making it an explicit requirement in its pending Security Rule update. Shared logins at the front desk or on clinical workstations are a frequent gap in smaller Irvine practices. | Access Control | Required | Conditional | Required | Required |
| Role-Based Access to PHI (Minimum Necessary): Limit each workforce member's access to the minimum PHI needed for their job. Front-desk staff, billing, and clinical roles should see different data sets. Access rights must be reviewed when staff change roles and revoked promptly when they leave the practice. | Access Control | Required | Required | Conditional | Required |
| Encryption of PHI at Rest: Encrypt PHI stored on servers, workstations, laptops, mobile devices, and backups using AES-256 or equivalent, with the keys kept somewhere other than the encrypted device. HIPAA treats encryption as an addressable specification, but lost or stolen unencrypted PHI is presumed breached and triggers notification, while PHI encrypted in line with HHS guidance qualifies for the breach-notification safe harbor, so most Irvine practices treat it as mandatory. | Technical Safeguards | Required | Conditional | Required | Required |
| Encryption of PHI in Transit: Protect PHI moving across networks with TLS 1.2 or higher and disable older protocol versions on portals, interfaces, and mail servers. This covers patient portal traffic, referrals, lab interfaces, and any email containing PHI. Ordinary email is not protected end to end, so PHI exchanged between providers or with patients should go through a secure-messaging or encrypted-email service. | Technical Safeguards | Required | Conditional | Required | Required |
| Audit Controls and Access Logging: Record and examine activity in systems that contain PHI, including who accessed which records and when. Logs support investigation of suspected snooping into patient records, which CMIA penalizes directly. Set a log retention period in policy: HIPAA's six-year rule applies to required policies, procedures, and documentation of assessments and actions, and most practices apply the same period to access logs so that a later complaint can still be investigated. | Technical Safeguards | Required | Conditional | Required | Required |
| Automatic Logoff and Workstation Security: Terminate sessions after a defined period of inactivity and position workstations so unauthorized people cannot view PHI. This matters in open clinical areas and shared exam rooms common in Irvine's multi-provider practices. | Technical Safeguards | Required | Conditional | Conditional | Required |
| Business Associate Agreements (BAAs): Execute a signed BAA with every vendor that creates, receives, maintains, or transmits PHI, including cloud EHR hosts, billing companies, managed IT providers, and email platforms. Missing BAAs are a frequent cause of HIPAA penalties for small healthcare organizations. | Vendor Management | Required | Required | Required | Conditional |
| Breach Notification Procedures: Maintain documented procedures to notify affected individuals, the HHS Office for Civil Rights, and, for breaches affecting more than 500 residents of a state, prominent media outlets after a breach of unsecured PHI. HITECH requires notice without unreasonable delay and no later than 60 days after discovery, and California adds its own notification duties for breaches of medical information. | Incident Management | Conditional | Required | Required | Required |
| Incident Response Plan: Establish a documented plan covering detection, containment, eradication, recovery, and post-incident review for security incidents affecting PHI. Test the plan at least annually so staff know their roles during a ransomware event or data exposure. | Incident Management | Required | Conditional | Required | Conditional |
| Data Backup and Disaster Recovery: Maintain retrievable, tested backups of PHI and a disaster recovery plan with defined recovery time and recovery point objectives. HIPAA requires a data backup plan, a disaster recovery plan, and an emergency-mode operation plan as separate, documented controls, with testing and revision of those plans as an addressable specification. | Contingency Planning | Required | Conditional | Conditional | Conditional |
| Workforce Security Awareness Training: Train all workforce members on PHI handling, phishing, password practices, and incident reporting at hire and periodically thereafter. Document attendance, since OCR and California regulators expect evidence that training actually occurred. | Administrative Safeguards | Required | Required | Conditional | Required |
| Sanction Policy for Workforce Violations: Apply and document consequences for workforce members who violate security or privacy policies, including improper access to patient records. CMIA penalizes unauthorized viewing of medical information, so a consistently enforced sanction policy is a practical safeguard. | Administrative Safeguards | Required | Required | Conditional | Required |
| Patient Right of Access and Accounting of Disclosures: Provide patients timely access to their records, the ability to request amendments, and an accounting of certain disclosures. The Privacy Rule sets the federal baseline, and California grants patients additional access rights under state law. | Privacy Operations | N/A | Required | Conditional | Required |
| Notice of Privacy Practices: Distribute and post a clear Notice of Privacy Practices describing how PHI is used and disclosed and how patients can exercise their rights. Providers with a direct treatment relationship must make a good-faith effort to obtain written acknowledgment of receipt, and the notice must be kept current with any change in the practice's handling of PHI. | Privacy Operations | N/A | Required | Conditional | Conditional |
| Secure Disposal of PHI and Media: Sanitize or destroy electronic media and shred paper records so PHI cannot be reconstructed before devices are reused, returned, or discarded. This applies to old workstations, copiers with hard drives, and imaging equipment when a practice upgrades. | Physical Safeguards | Required | Required | Conditional | Required |
| Vulnerability Scanning and Patch Management: Scan systems regularly for vulnerabilities and apply security patches to operating systems, EHR software, and medical devices within defined timeframes. Unpatched systems remain a common entry point for ransomware in healthcare environments. | Risk Management | Required | Conditional | Conditional | Conditional |
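The audit-controls row above says logs "support investigation of suspected snooping," but the useful part is the review logic that turns a raw access log into a short list worth a manager's attention. The following is an added example, not code from the original matrix or from BRITECITY: it parses a constructed sample of EHR access-log lines and flags the classic snooping signals (no treatment relationship with the patient, an action beyond the user's role under minimum necessary, access outside clinic hours, and a patient who shares the user's surname). The log format, the care-team mapping, the role permissions, the surname table, and the business hours are all assumptions built for the example.

```python
"""Review an EHR access log for patient-record snooping signals.

Added example, not the original matrix's or any vendor's code. The log
format, care-team mapping, role permissions, surname table and business
hours below are assumptions constructed for the example.
"""
import csv
import io
from datetime import datetime, time

# Constructed sample EHR access log (one line per PHI access event).
SAMPLE_LOG = """\
timestamp,user,role,patient_id,patient_last,action
2025-03-03T09:12:00,jlee,nurse,P1001,Garcia,view
2025-03-03T09:40:00,jlee,nurse,P1002,Nguyen,view
2025-03-03T22:15:00,jlee,nurse,P1003,Lee,view
2025-03-03T10:05:00,mkim,billing,P1001,Garcia,view
2025-03-03T10:06:00,mkim,billing,P1004,Patel,view_clinical_notes
2025-03-03T11:00:00,rsmith,physician,P1005,Rivera,view
2025-03-03T11:30:00,frontdesk,front_desk,P1006,Chen,view_demographics
2025-03-03T11:31:00,frontdesk,front_desk,P1007,Chen,view_clinical_notes
"""

# Assumed treatment relationships, as you would derive them from scheduling
# or encounter data: user -> patients that user legitimately works with.
CARE_TEAM = {
    "jlee": {"P1001", "P1002"},
    "rsmith": {"P1005"},
    "mkim": {"P1001", "P1004"},
    "frontdesk": {"P1006", "P1007"},
}

# Assumed minimum-necessary policy: actions each role may perform.
ROLE_ALLOWED_ACTIONS = {
    "nurse": {"view", "view_demographics", "view_clinical_notes"},
    "physician": {"view", "view_demographics", "view_clinical_notes"},
    "billing": {"view", "view_demographics"},
    "front_desk": {"view_demographics"},
}

# Assumed workforce surnames, for the self/family-lookup heuristic.
USER_LAST_NAME = {"jlee": "Lee", "mkim": "Kim", "rsmith": "Smith", "frontdesk": "Doe"}

# Assumed clinic hours; access outside them is not wrong, just worth a look.
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def parse_log(text):
    """Parse CSV log text into a list of dict rows keyed by the header."""
    return list(csv.DictReader(io.StringIO(text)))


def snooping_reasons(row):
    """Return the list of signals that make one access event suspicious.

    An empty list means the event looks like ordinary, authorised work.
    """
    ts = datetime.fromisoformat(row["timestamp"])
    user, role, pid = row["user"], row["role"], row["patient_id"]
    reasons = []
    if pid not in CARE_TEAM.get(user, set()):
        reasons.append("no_treatment_relationship")
    if row["action"] not in ROLE_ALLOWED_ACTIONS.get(role, set()):
        reasons.append("exceeds_role_minimum_necessary")
    if not BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]:
        reasons.append("after_hours")
    if USER_LAST_NAME.get(user, "").casefold() == row["patient_last"].casefold():
        reasons.append("same_last_name")
    return reasons


def review_access_log(rows):
    """Return one finding per suspicious event, in log order."""
    findings = []
    for row in rows:
        reasons = snooping_reasons(row)
        if reasons:
            findings.append({
                "timestamp": row["timestamp"],
                "user": row["user"],
                "patient_id": row["patient_id"],
                "action": row["action"],
                "reasons": reasons,
            })
    return findings


def findings_by_user(findings):
    """Count findings per user so repeat offenders stand out in review."""
    counts = {}
    for f in findings:
        counts[f["user"]] = counts.get(f["user"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_access_log(parse_log(SAMPLE_LOG)):
        print(f"{f['timestamp']} {f['user']:<10} {f['patient_id']} "
              f"{f['action']:<20} {', '.join(f['reasons'])}")
```

On the constructed sample this yields three findings: a nurse opening an unassigned patient's chart after hours where the patient shares her surname, a billing user opening clinical notes, and a front-desk user doing the same. The hard part in a real practice is the care-team mapping, which has to come from scheduling or encounter feeds rather than a hand-written table; the output is a review queue for the privacy officer, not proof of a violation, and each finding still needs the sanction-policy process before any action is taken.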
BRITECITY helps Irvine healthcare organizations close HIPAA and CMIA gaps and keep PHI protected. We start with a risk analysis and a clear remediation plan.