First off, you need to have IT providers that are HIPAA compliant, meaning they have internal policies to prevent leakage of any PHI they encounter. To protect yourself, you need to have the provider sign a BAA (business associate agreement). This is essentially a contract stating that the provider is HIPAA compliant; it “passes the buck” downstream, so that if a breach occurs because of your provider, some of the penalties pass downstream to them. In turn, your provider will procure BAAs from its own providers, such as hosted email services like Microsoft Office 365, cloud backup solutions, etc.
Second, you need to observe the practices and guidelines that your provider goes over with you. These include restricting access to PHI on a “need to know” basis, avoiding storing PHI in any location accessible to non-personnel, and restricting physical access to PHI.
Some of the practices that can help achieve this include: