HIPAA-Compliant IT for Medical & Dental Practices in Monterey County and the Central Coast

Medical and dental practices on the Central Coast and South Bay run on technology that touches patient data every day. Every appointment is logged in an EHR. Every X-ray is stored on a network share. Every phone call to confirm an insurance benefit might reference a patient by name. Every email between the front desk and a specialist references appointments. All of it is electronic Protected Health Information (ePHI), and all of it is subject to HIPAA's Security Rule.

This article is the version of the conversation I have with practice owners and office managers who are trying to figure out whether their current IT setup actually meets the standard. The honest answer for many small practices is: probably not, and the specific gaps are predictable. Below is what HIPAA actually requires in IT terms, where the typical compliance gaps are, what a compliant setup looks like in practice for a 5-to-15-person office, and what it costs.

Important note up front: I am an IT engineer who runs HIPAA-aligned environments for healthcare clients on the Central Coast and South Bay. I am not your compliance officer and this article is not legal advice. Any practice should pair this with a written risk analysis from a qualified privacy professional and, where stakes warrant, an attorney familiar with health-care regulation. With that disclaimer in place, this is the operational reality.

Does HIPAA actually apply to a small practice?

Yes. HIPAA applies to any covered entity that handles PHI, regardless of size. The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services enforces it. Solo practitioners, two-dentist offices, three-MD primary care groups, five-provider specialty practices, mental health solo practices, physical therapy clinics, optometrists, chiropractors, podiatrists, audiologists — all covered entities. If the practice creates, receives, maintains, or transmits PHI, HIPAA applies.

OCR routinely settles cases against small practices. Published examples include dental practices fined $50,000-plus for unsecured ePHI, single-physician practices fined for not encrypting laptops, and small physical therapy clinics fined for posting patient testimonials without authorization. The frequent pattern is that the practice did not realize the specific control was required until a complaint or a breach surfaced the issue.

The relevant rules:

  • Privacy Rule (2003) — governs how PHI can be used and disclosed.
  • Security Rule (2005) — governs the technical safeguards for electronic PHI. This is the rule that drives most IT-specific requirements.
  • Breach Notification Rule (2009) — requires notifying patients, OCR, and in some cases the media when ePHI is breached. 60-day notice window. Reports of breaches affecting 500+ individuals are posted publicly on the OCR breach portal.
  • HITECH Act (2009) — increased enforcement and penalty tiers; clarified that business associates (including IT vendors) are directly liable.

The OCR enforcement website lists published settlements at hhs.gov/hipaa/for-professionals/compliance-enforcement. Reading a few of them is the fastest way to understand how OCR actually enforces and what the typical gaps look like.

What HIPAA's Security Rule actually requires of IT

The Security Rule breaks safeguards into three categories: administrative, physical, and technical. For a small practice's IT scope, the requirements that matter most:

Administrative safeguards

  • Security Risk Analysis. Required. Documented. Annual is the practical standard. The risk assessment identifies where ePHI lives, how it could be accessed inappropriately, and what controls mitigate the risk. This is the single most-cited gap in OCR settlements: practices that did not have a current written risk assessment.
  • Workforce training on PHI handling. Documented per employee, annual.
  • Sanctions policy for staff who violate HIPAA policies.
  • Incident response and breach notification procedures in writing.
  • Business Associate Agreements with every vendor that touches ePHI (more on these below).

Physical safeguards

  • Facility access controls. Keys, locks, alarm systems for areas where ePHI is stored or processed.
  • Workstation security. Screens that lock when staff steps away. Workstations positioned so patients in the lobby cannot read them.
  • Device and media disposal. Secure destruction of hard drives, laptops, USB drives, paper records when retired. Documented.
  • Inventory of ePHI-touching devices. You know what you have and where it is.

Technical safeguards (where IT lives)

  • Access controls. Unique user ID per staff member. MFA on accounts that touch ePHI. Automatic logoff after inactivity. Role-based access to the EHR. No shared logins.
  • Audit controls. Logs of who accessed what ePHI and when. Retained for at least 6 years.
  • Integrity controls. Mechanisms to ensure ePHI is not improperly altered or destroyed. Usually means write-protected audit logs and backups.
  • Transmission security. ePHI encrypted in transit (TLS for email, HTTPS for web apps, encrypted file sharing).
  • Encryption of ePHI at rest. Technically "addressable" rather than "required" in the rule's language, which practically means "you have to either do it or document why you're not, and the only acceptable reasons are vanishingly rare." Full-disk encryption on every laptop and server that touches ePHI is the working standard.

Most of these read like a checklist of things any well-run IT environment does anyway. The HIPAA-specific overlay is the documentation requirement: you must be able to prove every control is in place, with written policies, configuration evidence, and audit trails. The IT environment that "is secure" is not the same as the IT environment that "can demonstrate compliance to an auditor." For a small practice, that documentation overhead is what the right managed IT provider takes off your hands.

The four IT pillars in practice

Pillar 1: Identity

Every person who can see ePHI has a unique account. Every account has MFA. Workstations lock automatically after inactivity. The EHR enforces role-based access (the front desk does not see the same fields a clinician does). The Microsoft 365 or Google Workspace tenant is configured per the identity hardening playbook we use for every client, with phishing-resistant MFA on admin accounts.

The most common gap: shared logins. Three front-desk staff using the same "frontdesk" account on the same workstation throughout the day. From a HIPAA perspective, this is non-compliant: there is no audit trail that distinguishes which person accessed which patient record. The fix is unique accounts plus fast-user-switching workflows. Modern EHRs handle this with badge tap-in or PIN-based login that takes seconds, not minutes.

Pillar 2: Encryption

Full-disk encryption (BitLocker on Windows, FileVault on macOS) on every device that touches ePHI. Encrypted backups. TLS on every email path. HTTPS on every web app. The single most-cited cause of small-practice HIPAA breaches in the OCR portal is "lost or stolen unencrypted laptop." The fix is a one-time configuration plus ongoing enforcement.

The trick is that "BitLocker is on" is not the same as "BitLocker recovery keys are escrowed and the policy is enforced through Intune or Entra." Most practices that "have encryption" cannot produce a current report showing which devices are encrypted, who has access to the recovery keys, and what happens if a laptop is lost. The managed IT provider's job is to maintain that report and make it audit-ready.

Pillar 3: Audit logs

Logs of who accessed what ePHI, when, from where. Retained for at least 6 years. This is mostly an EHR responsibility — modern EHRs generate access logs natively — but the underlying systems (Microsoft 365, file shares, network access) also need logging. The configuration is straightforward; the discipline is making sure the logs are actually retained and reviewed periodically for unusual patterns.

"Unusual patterns" include things like: a front-desk account accessing 200 patient records in an hour, a clinician account logging in at 2am from a city the staff member does not live in, repeated failed logins on an admin account. A managed IT provider that includes a managed SIEM or security operations tier handles this monitoring; a provider that does not leaves it to you.
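As an added illustration, not code from this article or from Ghosxt, here is a small Python review script that runs those three checks over constructed JSON-lines audit events. The field names, thresholds, home cities and account names are assumptions chosen to match the patterns above, not any EHR or Microsoft 365 export format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import json

# Constructed sample events, not real exports. Field names (ts, user, event, patient,
# city, success) are assumptions standing in for what the EHR and tenant logs emit.
def build_sample_log():
    base, rows = datetime(2026, 3, 2, 9, 0), []
    def add(ts, user, event, **extra):
        rows.append({"ts": ts.isoformat(), "user": user, "event": event, **extra})
    for i in range(220):  # front-desk account pulling 220 distinct charts in one hour
        add(base + timedelta(seconds=15 * i), "frontdesk.ana", "record_access", patient=f"P{i:04d}")
    for i in range(12):  # a normal clinician pace for contrast: 12 charts over the morning
        add(base + timedelta(minutes=20 * i), "dr.lee", "record_access", patient=f"Q{i:04d}")
    add(datetime(2026, 3, 3, 2, 4), "dr.lee", "signin", city="Kyiv", success=True)  # 2am, wrong city
    for i in range(6):  # six failed admin sign-ins inside ten minutes
        add(datetime(2026, 3, 3, 11, i), "admin.it", "signin", city="Salinas", success=False)
    return "\n".join(json.dumps(r) for r in rows)

HOME_CITY = {"dr.lee": "Monterey", "frontdesk.ana": "Salinas", "admin.it": "Salinas"}  # assumed
ADMIN_ACCOUNTS = {"admin.it"}

def bulk_record_access(events, limit=200, window=timedelta(hours=1)):
    """Flag a user who opens more than `limit` distinct charts inside any sliding window."""
    per_user, findings = defaultdict(list), []
    for e in events:
        if e["event"] == "record_access":
            per_user[e["user"]].append(e)
    for user, evs in per_user.items():
        start = 0
        for end, e in enumerate(evs):
            while e["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {x["patient"] for x in evs[start:end + 1]}
            if len(distinct) > limit:
                findings.append((user, e["ts"], len(distinct)))
                break  # one finding per user is enough for the review queue
    return findings

def off_hours_remote_signin(events, home_city, open_hour=7, close_hour=19):
    """Flag successful sign-ins outside business hours from a city other than the user's home."""
    return [(e["user"], e["ts"], e.get("city")) for e in events
            if e["event"] == "signin" and e.get("success")
            and not (open_hour <= e["ts"].hour < close_hour)
            and e.get("city") != home_city.get(e["user"])]

def admin_signin_failures(events, admins, limit=5, window=timedelta(minutes=15)):
    """Flag an admin account with more than `limit` failed sign-ins inside `window`."""
    findings = []
    for admin in admins:
        recent = deque()
        for e in events:
            if e["user"] != admin or e["event"] != "signin" or e.get("success"):
                continue
            recent.append(e["ts"])
            while e["ts"] - recent[0] > window:
                recent.popleft()
            if len(recent) > limit:
                findings.append((admin, e["ts"], len(recent)))
                break
    return findings

def review(log_text):
    """Parse one JSON object per line, sort by time, and run the three rules."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    events.sort(key=lambda e: e["ts"])
    return {"bulk_access": bulk_record_access(events),
            "off_hours_remote": off_hours_remote_signin(events, HOME_CITY),
            "admin_failures": admin_signin_failures(events, ADMIN_ACCOUNTS)}

if __name__ == "__main__":
    for rule, hits in review(build_sample_log()).items():
        print(rule, hits)
```

Point `review()` at a real export once the field mapping is adjusted; the thresholds are starting points to tune against the practice's normal access volume.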

Pillar 4: Backup and disaster recovery

Daily backups of every system that stores ePHI. Encrypted backups. Stored separately from the source (a backup in the same building is not a backup for a fire or theft). Tested restore at least quarterly with documented results. Written DR plan that specifies recovery time objective (RTO) and recovery point objective (RPO).

For a small practice, this typically means a cloud-replicated backup product (Datto, Veeam to cloud, Acronis Cyber Cloud, or the EHR vendor's own cloud-replicated backup) plus quarterly restore testing. We covered the broader scope on the backup and disaster recovery page and the operational testing playbook in the PSPS continuity post.

Business Associate Agreements (BAAs): the contract piece

A BAA is a written contract between your practice (the covered entity) and any vendor (the business associate) that creates, receives, maintains, or transmits ePHI on your behalf. The BAA establishes that the vendor will protect the ePHI to HIPAA standards. Without a signed BAA, you cannot legally use the vendor for ePHI work, full stop.

For a typical small practice, the BAAs you need:

  • EHR vendor. Athenahealth, eClinicalWorks, Epic, Cerner/Oracle Health, Practice Fusion, NextGen, Kareo, DrChrono, etc. for medical. Dentrix, Eaglesoft, Open Dental, Curve Dental, Dentrix Ascend, Carestream, etc. for dental.
  • IT services provider (us, or whoever). Required because the IT provider has administrative access to systems containing ePHI.
  • Cloud platform (Microsoft 365 or Google Workspace). Microsoft will sign a BAA at Business Premium / E3 / E5 tiers. Google signs one for Google Workspace business tiers. Critically, the BAA only covers specific products within the tenant; using a non-BAA product (e.g., Microsoft Forms in some configurations, certain free add-ons) for ePHI breaks compliance.
  • Backup vendor. Datto, Veeam, Acronis, etc.
  • Email vendor if email is used for ePHI. Most secure-email vendors (Paubox, Virtru, Identillect) sign BAAs.
  • Document management / e-signature. DocuSign signs a BAA at the appropriate tier; many cheaper alternatives do not.
  • Telehealth platform if you use one. Doxy.me, SimplePractice, others.
  • Transcription, billing, claims processing vendors. Anyone seeing patient data on your behalf.

The BAA audit is one of the highest-leverage one-day projects a small practice can do. Pull the vendor list. Confirm each one has a signed BAA on file. For any that do not, either get the BAA signed or replace the vendor with one that will. Most reputable healthcare-focused vendors have a standard BAA they will sign within hours; the ones that refuse are vendors you cannot use for ePHI work.

The common compliance gaps in small practice IT

Five gaps come up almost universally in the practices I have helped onboard:

1. No BAA with the IT provider

The practice has an IT provider (break-fix freelancer or older MSP). The IT provider has admin access to the EHR and the network. There is no signed BAA. This is a HIPAA violation on day one and an OCR settlement risk. The fix is a one-page conversation: ask for the BAA, get it signed, or replace the provider.

2. Unencrypted laptops or USB drives

A clinician takes the laptop home to chart, leaves it in the car, the car gets broken into, the laptop is gone. If the laptop was not encrypted, that is a reportable breach. If it was encrypted, OCR considers the data "secure" and no breach notification is required. Encryption is the single highest-ROI HIPAA control. Cost: free (BitLocker / FileVault are included with the OS). Time: 5 minutes per device plus configuration management.

3. Shared logins on workstations

Front desk staff sharing a "reception" login or clinicians sharing an "exam-room-3" login. Common, fast, and non-compliant. The fix is unique accounts plus fast-user-switching (badge tap, fingerprint, PIN). Modern EHRs are built for this; the workstation OS needs to be configured to support it.

4. No documented risk assessment in the last 12 months

OCR settlements routinely cite missing or outdated risk analyses as a primary violation. The risk analysis does not have to be a 200-page document; it has to be current, thorough, and produce action items the practice actually addresses. A managed IT provider with healthcare expertise typically includes the annual risk assessment as part of the contract.

5. Backups stored in the same building as the originals

The "backup" is a USB drive in the office that gets swapped weekly. A fire, a theft, or ransomware takes both. Cloud-replicated backup solves this. So does a properly-configured off-site backup rotation, though cloud has largely replaced rotating tapes for small practices.

What a HIPAA-compliant IT stack looks like for a 10-person practice

A realistic 2026 reference design for a 10-person Monterey County or Salinas-area medical or dental practice:

Endpoints

  • Windows 11 Pro on every workstation. BitLocker enabled, recovery keys escrowed in Microsoft Entra. Automatic screen lock after 5 minutes.
  • EDR (CrowdStrike Falcon Go, SentinelOne Vigilance, Microsoft Defender for Business, or Huntress) on every endpoint.
  • Patch management on a documented cadence: critical patches inside 14 days, all others inside 30 days, with reporting.
  • Unique user account per staff member; no local administrator rights for users.
  • Intune or equivalent endpoint management for policy enforcement and inventory.

Identity

  • Microsoft 365 Business Premium or higher tier (Microsoft signs a BAA for Business Premium; Business Basic and Business Standard are not covered for all components).
  • MFA enforced on every account. Phishing-resistant MFA (FIDO2 hardware keys or Windows Hello for Business) on admin accounts.
  • Separated admin accounts (per the identity hardening post).
  • Conditional Access policies: block legacy authentication, require compliant device, geo-restrict, optional sign-in risk policies.
  • No shared accounts.

EHR and clinical applications

  • Cloud-hosted EHR (Athenahealth, eClinicalWorks Cloud, Practice Fusion, etc.) or on-prem EHR with hardened access controls.
  • BAA on file with the EHR vendor.
  • Role-based access configured: front desk, billing, clinical, admin each have appropriate scope.
  • Audit logs enabled and reviewed quarterly.
  • For dental: imaging server (CBCT, panoramic) on a segmented network with full backup. Imaging viewer software (Dexis, Sirona Sidexis, CS Imaging) updated quarterly.

Network

  • Business-grade firewall (Sophos, Fortinet, Meraki, Ubiquiti UDM Pro) with intrusion detection enabled.
  • Segmented network: guest Wi-Fi separate from staff network. Imaging devices on their own VLAN. IoT (cameras, smart thermostats) on their own VLAN.
  • No legacy authentication protocols accessible from outside.
  • Cellular failover on the firewall (covered in the PSPS continuity post).

Backup and DR

  • Cloud-replicated daily backups of the EHR (if on-prem), file server, and Microsoft 365 tenant.
  • Quarterly tested restore with documented evidence.
  • Written DR plan with RTO of 24 hours and RPO of 24 hours, more aggressive if patient care requires.
  • Encrypted backups in transit and at rest. Backup vendor BAA on file.

Email

  • Microsoft 365 or Google Workspace mailboxes (both can be HIPAA-compliant with BAA).
  • Encrypted email option for PHI sent externally: Paubox, Virtru, Microsoft Purview Message Encryption, or Google's confidential mode with BAA.
  • Anti-phishing and advanced threat protection enabled.
  • Audit logs retained per Microsoft / Google's tier defaults plus an external retention solution if needed.

Documentation and policy

  • Written HIPAA policies covering each Security Rule requirement.
  • Workforce training records, annual.
  • Annual Security Risk Analysis (SRA) with documented findings and remediation.
  • Incident response plan and breach notification procedures.
  • Inventory of ePHI-touching assets, kept current.
  • BAA register: list of every BAA on file with effective date and renewal status.

What it costs for a small Monterey County practice

Rough numbers for a 10-person medical or dental practice in 2026:

  • Managed IT (HIPAA-aligned): $175 to $300 per user per month. For 10 users, $1,750 to $3,000/month or $21,000 to $36,000/year.
  • Microsoft 365 Business Premium: approximately $22/user/month. For 10 users, $2,640/year (BAA-eligible tier).
  • EDR / endpoint security: usually bundled in the managed IT contract above. Standalone $5-$15/user/month.
  • Cloud backup with BAA: usually bundled. Standalone $500-$1,500/month for a typical small practice.
  • Encrypted email (if separate): $5-$15/user/month for Paubox or equivalent.
  • One-time setup / remediation to bring an existing practice into compliance: $2,500 to $8,000 depending on starting state. Includes risk analysis, policy authoring, encryption rollout, BAA roundup.
  • Annual Security Risk Analysis: sometimes included in the managed IT contract; sometimes a separate $1,500 to $5,000 engagement.
  • Workforce training: $5-$15/user/year for a HIPAA training platform (HIPAA Secure Now, Compliancy Group, etc.) or included in managed IT.

All-in for a 10-person practice in year one: roughly $28,000 to $50,000. For year two onward (no big one-time remediation): roughly $25,000 to $42,000.

For comparison: OCR settlements against small practices routinely run $50,000 to $250,000 plus the breach-notification costs (mailing letters to every affected patient, credit monitoring services, legal counsel, possible state-level penalties). A single avoided breach pays for several years of compliance work.

What Ghosxt does for healthcare practices

For medical and dental practice clients in Monterey, Salinas, Santa Cruz, Watsonville, Hollister, Gilroy, San Jose, and the surrounding service areas, Ghosxt's healthcare IT program is structured around the four pillars above plus the documentation discipline that turns "we are secure" into "we can prove it to an auditor."

In practice, that includes: signed BAA on day one; an environment audit in the first 30 days that produces a written HIPAA gap list; encryption rollout, MFA enforcement, and audit-log configuration in the next 30 days; an annual Security Risk Analysis included in the contract; quarterly business reviews that include a HIPAA-status check; and active monitoring of the security stack with the same operations rigor we run for non-healthcare clients, plus the documentation overhead that healthcare specifically requires.

If you are a practice owner reading this and recognizing some of these gaps, the conversation to have is whether your current IT provider is treating you as a healthcare client or as a small business that happens to be a clinic. Those are different operating models.

FAQs about HIPAA-compliant IT for Monterey County medical and dental practices

Does HIPAA actually apply to a small medical or dental practice?

Yes. HIPAA applies to any covered entity that handles PHI, regardless of size. A solo practitioner with one front-desk employee is just as much a covered entity as a hospital system. The Office for Civil Rights (OCR) at HHS enforces HIPAA against practices of all sizes; settlements against small practices are common and routinely run from $50,000 to several hundred thousand dollars for documented violations.

What does HIPAA actually require for IT?

The HIPAA Security Rule requires administrative, physical, and technical safeguards for electronic Protected Health Information (ePHI). For IT specifically: a documented risk assessment, unique user IDs and access controls, automatic logoff, encryption of ePHI at rest and in transit, audit logs of access to ePHI, integrity controls, and a data backup with disaster recovery plan. It also requires a written Business Associate Agreement (BAA) with every vendor that touches ePHI on your behalf, including your IT provider.

What's a Business Associate Agreement (BAA) and do I need one with my IT company?

A BAA is a written contract between your practice (the covered entity) and any vendor (the business associate) that creates, receives, maintains, or transmits ePHI on your behalf. It establishes that the vendor will protect the information to HIPAA standards. You need one with: your EHR vendor, your IT services provider, your cloud storage provider (Microsoft, Google), your backup vendor, your email vendor if you use it for ePHI, and any other vendor that has incidental access. Most reputable vendors have a standard BAA they will sign. If a vendor refuses to sign one, you cannot use them for anything that touches ePHI.

What are the most common HIPAA IT compliance gaps in small practices?

Five come up almost universally: no BAA with the IT provider or the cloud vendor, unencrypted laptops or USB drives leaving the office, shared logins on workstations (multiple staff using the same account), no formal documented risk assessment in the last 12 months, and backup tapes or drives stored in the same building as the originals. Each of these has been the cause of an OCR settlement in published cases. Each is fixable in a week.

How much does HIPAA-compliant IT cost for a small practice?

For a 5 to 15 person medical or dental practice on the Central Coast, expect $175 to $300 per user per month for HIPAA-compliant managed IT, depending on how much security tooling is in scope. That covers EDR, MFA enforcement, encryption management, audit logging, backup with documented retention, BAA-signed cloud services, an annual risk assessment, and ongoing policy maintenance. For a 10-person practice, that is roughly $1,750 to $3,000 per month or $21,000 to $36,000 per year. Compared to a typical OCR settlement after a breach ($50,000 to $250,000+ plus the breach-notification costs), the math is straightforward.

Is Microsoft 365 HIPAA-compliant?

Microsoft 365 can be configured to be HIPAA-aligned, but it is not automatically compliant. Required steps: use a Business Premium tier or higher (BAA covers fewer components on lower tiers), sign the Microsoft BAA in the Service Trust Portal, configure the tenant for compliance (MFA enforced, audit logs retained, DLP policies for PHI in some configurations), and document the configuration. Most practices that "use Microsoft 365" have not done the configuration; the tenant is technically eligible but operationally non-compliant. This is the same pattern with Google Workspace.

What about Apple devices and Macs in a practice?

Fine, with the same controls applied: FileVault encryption, MDM enrollment via Intune or Jamf, automatic screen lock, unique user accounts, EDR enrolled. The clinical software you can run is sometimes Windows-only (especially older dental imaging systems), so the practical answer is often a mixed-OS environment with both Windows and Macs. The compliance posture is the same either way; only the tools differ.

Do I need to encrypt every laptop or just the ones with PHI?

In practice, encrypt every laptop. The administrative overhead of tracking which ones "have PHI" and which ones do not is higher than the cost of encrypting all of them, and the consequences of being wrong (an unencrypted laptop that turns out to have a cached email with PHI) are severe. BitLocker on Windows and FileVault on macOS are free, fast to deploy, and transparent to users once configured. Encrypt them all.

What happens if there's a breach despite all this?

The Breach Notification Rule applies. You have 60 days from discovery to notify affected individuals. Breaches affecting 500+ individuals require notice to OCR and to "prominent media outlets" in the state. Breaches affecting fewer than 500 require an annual summary submission to OCR. Encryption is the safe harbor: properly-encrypted ePHI that is lost or stolen is generally not considered a reportable breach, because the data is not "accessed or acquired" in a usable form. This is the practical reason encryption is the highest-ROI control.

Want a HIPAA gap audit on your current IT?

30 minutes with the founder. We will look at your current IT setup, your EHR, your cloud configuration, your BAAs, and your documentation, and produce a written HIPAA gap list with prioritized remediation. Includes whether your existing IT provider needs to sign a BAA and what that conversation looks like. No sales script.

Book your free assessment

Prefer to talk first? Email sales@ghosxt.com or call (831) 204-0501. Based in Salinas, serving Monterey, San Benito, Santa Cruz, and Santa Clara counties (including San Jose, Gilroy, and Morgan Hill). This article is operational guidance, not legal advice; pair it with a qualified privacy professional for your practice's specific situation.
