Vertical Solution: Healthcare & Medical Practices

HIPAA-Aligned Cybersecurity for Medical & Dental Practices

A documented risk analysis HHS OCR would accept. MFA on your EHR. Encryption on every device that touches ePHI. A BAA inventory you can actually find. And a security programme that survives the ransomware attack hitting practices like yours every week — built by people who understand a busy clinic, not just an IT lab.

Why Now

Small practices are the new front line. Most HIPAA programmes haven't kept up.

For most of the past decade, healthcare cybersecurity headlines focused on the big systems — Anthem, UnitedHealth's Change Healthcare attack, hospital networks. The reality on the ground is different. Small practices have become a primary target for ransomware operators specifically because they can't tolerate downtime and rarely have a documented incident response plan.

HHS OCR closed more than 900 HIPAA investigations in 2023 alone. A growing share involve practices with under 50 employees. The deficiencies that keep showing up are not exotic: missing or inadequate risk analysis (the #1 citation, year after year), no MFA on the EHR, unencrypted portable devices, no BAA on file for a major vendor, and no documented incident response plan.

Meanwhile, cyber insurance carriers have tightened questionnaires year over year. Renewal rates for practices without basic controls have doubled. Some carriers now require an annual risk analysis as a condition of coverage. State AGs increasingly pursue practices that fail to notify in the required window — often 60 days from discovery of a breach affecting 500+ individuals.

The practices doing this well aren't the biggest ones. They're the ones who treat HIPAA as a living programme — with a current risk analysis, a real BAA inventory, and workforce training people actually completed — rather than a three-year-old PDF in a binder.

The Security Rule, Operationalised

Nine control families HHS OCR expects every practice to operate.

The HIPAA Security Rule has dozens of standards and implementation specifications. They distil into nine control families a small practice can actually run. We deliver each one as a managed service.

1. Documented Risk Analysis

An accurate, thorough, ongoing risk analysis covering every system that creates, receives, maintains, or transmits ePHI. The #1 OCR-cited HIPAA deficiency.

2. Designated Security Official

A named individual responsible for the security programme. We act as your virtual Security Official or work alongside your appointed staff member.

3. Workforce Access Controls

Role-based access, unique user IDs, automatic logoff, emergency access procedures. Departing-staff offboarding documented and executed within hours, not weeks.

4. ePHI Encryption

Encryption of ePHI in transit and at rest — laptops, desktops, removable media, backups, email when sending PHI, and any cloud storage.

5. Audit Logging & Review

Activity logs on every system handling ePHI, with documented periodic review. When OCR asks how you detect unauthorised access, this is the answer.

6. Incident Response & Breach Reporting

Written, tested incident response plan and breach-notification procedures aligned to HHS, state AG, and (where applicable) media notification timelines.

7. BAA Inventory & Vendor Diligence

Up-to-date inventory of every business associate with a signed BAA on file. Vendor diligence on EHR, billing, lab partners, cloud, and any third party touching ePHI.

8. Backup & Disaster Recovery

Encrypted, off-site, immutable backups of EHR and document store. Tested restoration. A documented contingency plan that survives ransomware encrypting your primary systems.

9. Workforce Training

Annual HIPAA training plus ongoing reinforcement (phishing simulations, role-specific updates). Documentation HHS OCR can review.

Threats Built for Healthcare

Not generic SMB threats. The exact attacks hitting medical and dental practices.

Ransomware Mid-Patient-Day

Encrypt an EHR at 9am Monday and the practice grinds to a halt. Attackers know healthcare can't tolerate downtime — and that ransom pressure is highest when the waiting room is full.

Insurer & Lab Impersonation BEC

Fake emails from BCBS, Aetna, UnitedHealthcare, or your reference lab requesting updated banking details, EOB "corrections", or claim re-submission to a new payee. Practices that pay without verification lose tens of thousands per incident.

ePHI Exfiltration & Resale

Medical records sell for 10× the dark-web price of credit cards. A breach of even a small practice produces resellable data — and triggers HHS OCR investigation, state AG action, and patient notification within strict timelines.

Stolen / Lost Devices

Unencrypted laptops, tablets, and phones containing ePHI are still the most common HIPAA breach category in the OCR breach portal. Full-disk encryption + documented loss procedures eliminate this entire class.

Insider & Curiosity Snooping

Staff looking up neighbours, family, or VIP patients in the EHR is a HIPAA breach and a fireable offence. Without audit logging and periodic review, you can't detect it — and you can't prove you tried.
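The "audit logging and periodic review" control above, and the snooping scenario it is meant to catch, come down to one question per chart access: did this user have a documented reason to open this record? The following is an added example (not part of the original page and not any EHR vendor's tooling) of what a monthly review script can look like. The log format, field names, care-team mapping, restricted-record list and every sample row are constructed for illustration; a real practice would pull the equivalent data from its EHR's audit export and scheduling system.

```python
"""Periodic EHR audit-log review: flag chart accesses that lack a documented
treatment relationship, self-lookups, restricted-record views, after-hours
browsing and bulk unrelated access.

Added example, not from the original page or any EHR product. The CSV layout,
field names and all sample data below are constructed (hypothetical)."""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export from a hypothetical EHR audit log.
# Fields: timestamp, user, role, patient_id, action, encounter_id
SAMPLE_AUDIT_LOG = """\
2024-03-04T09:02:11,dr.patel,provider,P1001,view_chart,E5001
2024-03-04T09:15:40,nurse.kim,nurse,P1001,view_chart,E5001
2024-03-04T12:31:05,frontdesk.lee,front_desk,P1002,view_demographics,E5002
2024-03-04T12:33:19,frontdesk.lee,front_desk,P1003,view_chart,
2024-03-04T18:47:52,nurse.kim,nurse,P1004,view_chart,
2024-03-04T18:48:10,nurse.kim,nurse,P1005,view_chart,
2024-03-04T18:48:25,nurse.kim,nurse,P1006,view_chart,
2024-03-04T18:48:41,nurse.kim,nurse,P1007,view_chart,
2024-03-05T08:05:00,dr.patel,provider,P1008,view_chart,
"""

# Constructed: (user, patient) pairs with a documented care relationship
# (scheduled visit, assigned care team), normally pulled from the PM system.
TREATMENT_RELATIONSHIPS = {
    ("dr.patel", "P1001"), ("nurse.kim", "P1001"),
    ("frontdesk.lee", "P1002"), ("dr.patel", "P1008"),
}
# Constructed: records reviewed on every access (e.g. flagged individuals).
RESTRICTED_PATIENTS = {"P1003"}
# Constructed: staff members who are also patients of the practice.
STAFF_PATIENT_IDS = {"nurse.kim": "P1005"}

BUSINESS_HOURS = range(7, 18)   # 07:00-17:59 local, a constructed assumption
BULK_THRESHOLD = 3              # unrelated charts by one user in one hour


def parse_log(text):
    """Parse the constructed CSV export; a blank encounter_id becomes None."""
    fields = ["timestamp", "user", "role", "patient_id", "action", "encounter_id"]
    rows = []
    for rec in csv.DictReader(io.StringIO(text), fieldnames=fields):
        rec["timestamp"] = datetime.fromisoformat(rec["timestamp"])
        rec["encounter_id"] = rec["encounter_id"] or None
        rows.append(rec)
    return rows


def review_entry(rec):
    """Return the list of review reasons for one access (empty = routine)."""
    reasons = []
    related = (rec["encounter_id"] is not None
               or (rec["user"], rec["patient_id"]) in TREATMENT_RELATIONSHIPS)
    if not related:
        reasons.append("no_treatment_relationship")
        if rec["timestamp"].hour not in BUSINESS_HOURS:
            reasons.append("after_hours")
    if STAFF_PATIENT_IDS.get(rec["user"]) == rec["patient_id"]:
        reasons.append("self_lookup")
    if rec["patient_id"] in RESTRICTED_PATIENTS:
        reasons.append("restricted_record")
    return reasons


def review(text):
    """Run the review over a log export and return findings for the reviewer."""
    findings = []
    unrelated_per_hour = Counter()
    for rec in parse_log(text):
        reasons = review_entry(rec)
        if "no_treatment_relationship" in reasons:
            hour = rec["timestamp"].strftime("%Y-%m-%dT%H")
            unrelated_per_hour[(rec["user"], hour)] += 1
        if reasons:
            findings.append({"timestamp": rec["timestamp"].isoformat(),
                             "user": rec["user"],
                             "patient_id": rec["patient_id"],
                             "reasons": reasons})
    # One additional finding per user/hour bucket with bulk unrelated access.
    for (user, hour), n in unrelated_per_hour.items():
        if n >= BULK_THRESHOLD:
            findings.append({"timestamp": hour, "user": user,
                             "patient_id": None,
                             "reasons": [f"bulk_unrelated_access:{n}"]})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_AUDIT_LOG):
        print(f["timestamp"], f["user"], f["patient_id"] or "-", ", ".join(f["reasons"]))
```

Each finding is something a reviewer signs off on (expected, or escalated), and the dated output of the run is the "documented periodic review" evidence the page refers to. The thresholds and the business-hours window are assumptions to tune per practice.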

EHR Account Takeover

Compromised provider credentials let attackers log into eClinicalWorks, Athena, NextGen, Dentrix, or your EHR of choice and pull patient records at scale. MFA on the EHR is non-negotiable — and still rare in small practices.

We Speak Clinical

No translation needed. We know your EHR and your day.

We won't schedule a major rollout during a busy patient morning. We won't ask your front-desk lead to learn conditional access vocabulary. We've mapped controls onto the EHRs, practice management systems, and clearinghouses your practice actually runs — so the HIPAA programme fits your workflow, not someone's textbook.

Whether you're a solo provider, a multi-doctor specialty group, or a dental practice with two locations, the controls scale. Multi-location identity, clearinghouse and lab integration security, BAA management, and patient-portal hardening — built in.

Systems We Work With

eClinicalWorks
Athenahealth
NextGen Healthcare
Allscripts / Veradigm
Practice Fusion
Kareo / Tebra
DrChrono
AdvancedMD
Greenway Intergy / Prime Suite
Epic (Connected Care)
Cerner / Oracle Health
Dentrix
Eaglesoft
Open Dental
TherapyNotes
SimplePractice

Not a complete list. If your EHR, PM system, or clearinghouse isn't shown, we've almost certainly worked alongside it.

What Onboarding Looks Like

90 days to a practice that can answer HHS OCR honestly.

1. Week 1: Free HIPAA-Readiness Assessment

We map your practice against the HIPAA Security Rule and the most-cited OCR deficiencies. A one-page roadmap your insurer, malpractice carrier, and (if asked) an OCR investigator could review.

2. Weeks 2–4: Stabilise the Critical Gaps

MFA on EHR, email, and admin accounts. EDR on every workstation. Full-disk encryption verified. Backups tested. Shared logins removed. Unique user IDs everywhere.

3. Month 2: Build the Programme

Documented risk analysis, written policies, BAA inventory completed, workforce training rolled out, incident response plan signed by the Security Official. Tabletop incident-response exercise with the practice manager and providers.

4. Month 3+: Run It

24/7 monitoring, monthly plain-English reports, quarterly risk-analysis refresh, monthly phishing simulations targeted to healthcare scenarios (insurer impersonation, lab impersonation, fake referral). Your practice's outsourced HIPAA security team.

What It Costs

Indicative pricing for a typical practice.

Solo / Small Practice

$475+/mo

Solo provider or 2–6 staff

  • Right-sized HIPAA programme
  • Documented risk analysis
  • MFA & EDR essentials
  • Encrypted backups & email
  • Quarterly check-ins & reporting

Multi-Provider Practice

$1,200+/mo

~7–25 staff, single location

  • Full HIPAA programme & oversight
  • MFA across EHR, PM, banking, email
  • EDR on every workstation
  • 24/7 monitoring & response
  • HIPAA-aligned awareness training

Multi-Location Group

$2,400+/mo

25–50+ staff, multi-location

  • Everything in Multi-Provider
  • Multi-location identity governance
  • Inter-site network segmentation
  • Practice-leadership compliance reporting
  • Per-location risk-analysis variants

Indicative pricing. Final figures depend on staff headcount, location count, EHR / PM stack, and existing controls. Set out in the written services agreement.

What We Hear From Practices

The five objections — answered honestly.

Doesn't our EHR vendor handle HIPAA?

They handle the security of their platform and they sign a BAA with you. Everything else — your endpoints, your email, your network, your other vendors, your workforce training, your documented risk analysis, your BAAs, your incident response plan — is the practice's responsibility under HIPAA. HHS OCR holds the covered entity accountable, not the EHR.

We're too small for OCR to care about us.

OCR investigates small practice breaches every year. Penalty tiers under HIPAA range from $100 to $50,000 per violation, capped at $1.5M per identical-violation category per calendar year. State AGs enforce in parallel under the HITECH Act and state privacy laws. A 500-patient breach at a 4-person practice has been investigated and fined — repeatedly.

We did a HIPAA risk analysis a few years ago.

OCR's position is explicit: risk analysis must be accurate, thorough, and ongoing. A one-time PDF from three years ago isn't a risk analysis OCR will accept. Risk environments change as you add systems, vendors, and staff — the analysis must change with them. This is the #1 OCR-cited HIPAA deficiency in enforcement actions.

Our cyber insurance covers HIPAA breaches.

Only to the extent of the controls you attested to. Cyber policies for healthcare now routinely ask about MFA on EHRs, encrypted backups, awareness training, documented risk analysis, and BAA inventory. Misrepresent any of those on the application and the claim gets denied. Most denials we see in healthcare trace back to a missing or stale risk analysis.

We have an IT person who handles all of this.

Most local IT shops are excellent at workstation support and EHR connectivity but aren't HIPAA security specialists. Ask them: can you produce our current documented risk analysis? Our BAA inventory? Our incident response plan? Evidence of annual training? Audit logging on the EHR? If those answers are no, you have IT support, not HIPAA-aligned security operations.

See where your practice stands.

Free HIPAA-readiness assessment. We map your practice to the nine Security Rule control families and hand you a one-page roadmap. No sales pressure. No IT-jargon report. Whether you engage us or not, you walk away with clarity — and something defensible the next time your insurer, your malpractice carrier, or HHS OCR asks.
