Answers, in plain English

Frequently asked questions

HIPAA and healthcare IT, demystified. If your question isn't here, we're one quick conversation away.

HIPAA Essentials

The HIPAA Security Rule is being updated — what changes most for small practices?

Proposed updates aim to modernize the Security Rule by making several "addressable" safeguards effectively mandatory — things like multi-factor authentication, encryption of ePHI at rest and in transit, network segmentation, and regular vulnerability scanning. For small practices, the practical takeaway is that "we're too small to be a target" is no longer a defensible posture. The fundamentals — a current Security Risk Analysis, MFA everywhere, encrypted backups, and documented policies — are exactly what you should be doing regardless of the final rule.

What exactly is HIPAA, and why is it critical for healthcare?

HIPAA (the Health Insurance Portability and Accountability Act) is a federal framework that governs how protected health information is handled. It is not just about privacy — it sets enforceable security standards, breach-notification obligations, and accountability for vendors. For a practice, HIPAA compliance protects patients, reduces legal and financial liability, and is increasingly a condition of doing business with payers and partners.

What is the difference between the Privacy Rule and the Security Rule?

The Privacy Rule governs how protected health information (PHI) in any form may be used and disclosed. The Security Rule is narrower and more technical: it requires specific administrative, physical, and technical safeguards for electronic PHI (ePHI). In short — Privacy is about who can see information and why; Security is about how you protect it electronically.

What counts as PHI?

PHI is any individually identifiable health information — names, dates, contact details, medical record numbers, diagnoses, and more — when tied to a person's health, care, or payment. When that information is stored or transmitted electronically, it becomes ePHI, which falls under the Security Rule. Even an appointment reminder or a billing record can be PHI.

What is a Security Risk Analysis (SRA), and do we need one every year?

An SRA is a formal, documented assessment of every place ePHI is created, received, maintained, or transmitted, along with the threats and vulnerabilities to that data and a plan to address them. It is a foundational HIPAA requirement — not optional. While the rule says it must be "periodic," the practical standard is to conduct or meaningfully update an SRA at least annually, and any time you make a significant change (new EHR, new location, major vendor switch).

Everyday Tools & Risk

Can we use Google Drive or Microsoft 365 for patient files?

Yes — but only under the right conditions. Both Google and Microsoft offer HIPAA-eligible plans and will sign a Business Associate Agreement (BAA), but you must be on a qualifying plan, have the BAA executed, and configure the environment correctly (access controls, MFA, sharing restrictions, audit logging). The consumer/free versions are not compliant. Configuration is where most practices slip up.

Is our practice email HIPAA compliant?

Standard consumer Gmail or Outlook is not. Compliant email requires a business plan with a signed BAA, encryption in transit (and ideally at rest), access controls, and policies limiting what PHI is sent by email at all. The safest approach is to minimize PHI in email and use a secure messaging or patient-portal channel for clinical information.

What network security do we actually need?

At minimum: a properly configured firewall (never disabled), network segmentation that separates clinical systems and guest Wi-Fi, strong unique passwords with MFA, encrypted backups, endpoint detection and response on every device, and current patching. Above all, do not let a vendor talk you into weakening these controls "for convenience."

Can staff use personal devices (BYOD)?

They can, but only under a written BYOD policy with enforced safeguards — device encryption, screen locks, the ability to remotely wipe practice data, and a clear boundary between personal and practice information. Without those controls, every personal phone or laptop becomes an unmanaged door into your patient data.

What legally counts as a data breach under HIPAA?

A breach is generally an impermissible acquisition, access, use, or disclosure of unsecured PHI that compromises its security or privacy. There is a presumption that an incident is a breach unless you can demonstrate, through a documented risk assessment, a low probability that PHI was compromised. Breaches must be reported to affected individuals and HHS within required timeframes — and larger breaches may require media notification.

Working With Byzantine

How is Byzantine different from a typical IT company?

We are a healthcare-focused managed services provider that treats cybersecurity as inseparable from IT — not as an upsell. We act as your advocate, explain everything in plain English, and price transparently. We also believe security is a team effort and invest in training your people, not just installing tools.

How quickly do you respond?

Our managed clients see a sub-60-minute average response time, with an emergency hotline for urgent issues. For new inquiries, we typically respond within 12 business hours.

Do you work with practices outside the Gulf Coast?

Yes. While we are rooted on the Gulf Coast, we serve practices across both U.S. seaboards and remotely nationwide. Much of modern managed IT is delivered securely from anywhere, with on-site support coordinated as needed.
