HIPAA, treated like the program it actually is.
The Security Rule has 54 implementation specifications. Most generalist MSPs have never read one. Our entire delivery model is built around them — so when an auditor calls, your file already exists.
HIPAA isn't an IT add-on. It's an obligation that ends in your name.
OCR (the HHS Office for Civil Rights) investigates breaches, complaints, and random compliance reviews. When they do, the practice is on the hook — not the IT vendor, not the EHR. A documented program plus tested controls is what defends you.
- Documented > "we do that." Auditors want to see policies, dates, signatures, and logs — not a verbal assurance.
- Annual cadence. The Security Risk Analysis is required — not once, not when convenient — annually, and on changes.
- People are most of it. Training, sanctions, access reviews — the human side carries as much weight as the firewall.
- Vendors count too. Every BA touching PHI needs a signed BAA on file. Most practices have gaps; we close them.
“Every practice I sit down with thinks they're more compliant than they are. The Security Rule isn't impossible — it's just specific. We do the specific part so you can do the medicine part.”
— Dustin DeBard, Founder, BITS
Six pillars. One file. Always current.
Each pillar maps to specific Security Rule citations. Each produces written artifacts an auditor can read.
1 · Security Risk Analysis
Annual written SRA covering administrative, physical, and technical safeguards. Findings tracked with remediation owners and dates.
§164.308(a)(1)(ii)(A)
2 · Policies & Procedures
Written policy library tailored to your practice — not boilerplate. Annually reviewed, version-controlled, and signed.
§164.316
3 · Workforce Training
Role-specific micro-courses with documented completion logs. Quarterly phishing simulations and a remediation playbook.
§164.308(a)(5)
4 · BAA Library
Every business associate touching PHI — cloud, EHR, billing, IT — tracked with signed agreements and renewal dates.
§164.314
5 · Audit Logs & Access Reviews
Logging in place where required, quarterly access reviews documented, and unusual-activity reports retained.
§164.308(a)(1)(ii)(D)
6 · Incident Response
Written incident response plan, breach notification workflow, and an after-action template — ready before, not after.
§164.308(a)(6)
Honest, written, no sales pitch.
Available to any independent Northern Nevada practice — including ones we'll never sign as ongoing clients.
Intro call
20 minutes. You tell us about your practice, your EHR, the IT vendors you already use. We tell you whether an assessment is even useful for you.
On-site walk & doc review
We look at your environment — servers, network, endpoints — and review whatever HIPAA documentation already exists. Usually a single half-day.
Written gap report
A short, specific document: what's compliant, what isn't, and what we'd fix first. Yours to keep, share, and act on.
Your call from here
Fix it in-house, with your current vendor, or with us — up to you. If we're at capacity for new managed clients, we'll say so clearly.
Find out where you stand — before an auditor does.
No obligation, no upsell, no sales sequence. A written, specific gap report you can act on however you choose.