Managed IT Services for Healthcare Practices and Medical Offices in California

Healthcare is the most-targeted small-business sector in the country and one of the most regulated. An EHR outage in the middle of a clinic day costs revenue and trust. A lost laptop without verified encryption is a sixty-day breach-notification clock. A vendor with PHI access and no Business Associate Agreement on file is an audit finding waiting to happen. Ghosxt runs HIPAA-aligned IT and cybersecurity for medical practices, dental groups, behavioral health, physical therapy, optometry, and the supporting clinical services across the Central Coast and the South Bay. DoD-cleared engineering, signed BAAs, transparent pricing.

Rated 5.0 across 24 Google reviews — trusted by 30+ businesses from Silicon Valley to the Salinas Valley and beyond.

Transparent managed IT pricing is published upfront, so you know the range before booking.

What we do for healthcare practices

Healthcare IT runs against a clock. The EHR has to be up during clinic hours, the schedule has to be visible at the front desk, and the regulatory floor sits underneath every device that touches PHI. Below is the work, written for practice owners and office managers, not for procurement decks.

Managed IT for clinics, practices, and DSOs

24/7 monitoring, helpdesk, patching, and a real engineer who answers the phone when the front desk cannot check a patient in at 8am. Coverage matched to your clinic hours, not nine-to-five tickets.


HIPAA-aligned cybersecurity

Security Risk Analysis, encryption on every endpoint, MFA on every account that touches PHI, audit logging, access management aligned to roles, and the written policies and procedures the Security Rule actually requires.


EHR and practice management uptime

Athenahealth, eClinicalWorks, NextGen, Greenway, Eaglesoft, Dentrix, Open Dental, Practice Fusion, and the long list of specialty platforms. We do not resell the EHR. We run the infrastructure around it: the network, the workstations, the backups, the integrations.


PHI access controls and audit

Role-based access, joiner-mover-leaver lifecycle, audit trails that survive an OCR investigation, and the documented evidence that lets you answer "who looked at this patient's chart" in under five minutes instead of five days.


Backup, disaster recovery, and ransomware readiness

Immutable backups that survive an attempt to encrypt them, tested restore procedures, a documented recovery time and recovery point that match what the practice can actually tolerate, and a written incident response plan that holds up under the sixty-day breach clock.


Telehealth and remote provider infrastructure

Endpoint hygiene on whatever devices providers use, MFA on the telehealth platform, a BAA with the platform vendor, encrypted session handling, and a documented patient consent flow. The HIPAA enforcement discretion that covered the public health emergency is over; the standard rules apply.


HIPAA and related frameworks we run the IT for

HIPAA is the floor for healthcare IT, but it is not the only rule in the room. A small practice can be inside three or four overlapping frameworks at once, and the federal landscape has been adding new ones every year. Here are five we work inside every week.

HIPAA Security, Privacy, and Breach Notification Rules

The Security Rule sets the controls (administrative, physical, technical safeguards). The Privacy Rule sets the disclosure and minimum-necessary standards. The Breach Notification Rule sets the clock: sixty days to notify affected individuals after discovery of an unsecured PHI breach, plus HHS and (for breaches of 500 or more) prominent media. The IT side is the artifact set: SRA, policies, training records, access logs, and the evidence that proves you actually do the controls.

42 CFR Part 2 for substance use disorder records

Stricter than HIPAA for a defined class of records held by federally assisted SUD programs. Disclosure consent rules are tighter, segregation requirements are real, and the penalties stack on top of HIPAA. If you run a behavioral health practice that touches SUD treatment, we segregate the data path, lock down the audit trail, and structure consent intake so the records can be produced or withheld correctly when asked.

CMIA and CCPA for California practices

California's Confidentiality of Medical Information Act predates HIPAA, applies a stricter consent floor in several places, and grants a private right of action that HIPAA does not. The California Consumer Privacy Act layers a separate set of requirements over non-PHI personal information your practice collects. The IT controls are largely the same; the documentation and disclosure expectations differ, and we structure your stack to meet both at once.

Business Associate Agreements and vendor risk

Every vendor that creates, receives, maintains, or transmits PHI on your behalf needs a signed BAA. That includes your MSP, your EHR, your billing service, your secure messaging app, your cloud backup, and your shred vendor (yes, really). We maintain the BAA inventory, drive new vendors through the qualification process, and refuse to plug a vendor in until the paper is on file. When OCR asks for your vendor list, you produce it the same day.

FTC Health Breach Notification Rule and online tracking

Health apps and personal health record vendors not covered by HIPAA fall under the FTC's Health Breach Notification Rule, which the agency has been actively enforcing. The 2023 and 2024 updates also bring online tracking pixels and analytics into scope when they expose health information. If your practice runs marketing pixels on a page that touches scheduling or symptom checkers, that is now an audit surface. We map the trackers, fix the ones that leak, and document the policy that proves you reviewed them.

A DoD-cleared engineering background brings the documentation and audit discipline HIPAA actually requires. The same controls that pass a federal contracting audit pass an OCR investigation, a state attorney general inquiry under CMIA, and a cyber-insurance underwriter looking at healthcare exposure, with the paper trail intact.

Common IT problems we see at healthcare practices

Four anonymized examples from real client work at Central Coast and South Bay practices. Names, locations, and clinical specifics are removed; the patterns are what we run into.

EHR offline mid-clinic-day

A primary care practice lost its connection to its hosted EHR right before the lunch block. The "redundant" internet connection was a cellular modem nobody had tested in eight months. Patients were stacking up at the front desk with no schedule, no chart, and no way to bill. We failed the practice over to the cellular path in fifteen minutes once we were on the line, then rebuilt the failover with a real LTE/5G appliance, monthly automated failover tests, and a dashboard that shows whether both paths are actually healthy at any given moment.

Ransomware attempt at a dental practice

A dental practice had a single workstation hit with a ransomware loader after a phishing click. The endpoint detection product we had deployed flagged the behavior and isolated the workstation within seconds, before the encryption could spread to the file server or the imaging system. The post-incident work confirmed the practice had a clean, fully immutable backup of every imaging study from the prior night. We rebuilt the affected workstation from scratch, audited the practice's full PHI footprint to confirm no exfiltration, and ran the documentation through the written incident response process so the file is ready if a future event ever crosses a breach threshold.

Lost laptop with PHI

A specialist's laptop was stolen from a parked car after a hospital visit. The laptop had a clinical viewer with cached chart data and a synced copy of the practice's shared drive. The first question was whether the device was encrypted at the moment of loss. It was, with a recognized standard, and we had the verification report on file. Under HIPAA, encrypted PHI on a lost device is treated as unreadable; no breach notification was triggered. The forensic file documenting all of that took two hours to assemble because we had built the system for that question in advance.

Vendor breach with no BAA on file

A practice was notified by a third-party patient-communication vendor that the vendor had been breached and the practice's patient list was affected. The first question OCR asks in that situation is whether a Business Associate Agreement was in place. The practice could not find one. We rebuilt the BAA inventory across all vendors, retroactively signed where signing was still possible, and walked the practice through the affected-individual notification process under both HIPAA and the California CMIA. The remediation also produced a vendor-onboarding control that prevents new vendors from being plugged in without a signed BAA on file.

"Ghosxt has been the steady hand on our IT through a stretch where everything in healthcare felt like it was changing at once. Ulises is responsive, he documents everything, and the cybersecurity work he did genuinely improved how the practice operates. We sleep better knowing the back-end is being looked after by someone who treats it like it matters."

Healthcare client, multi-year Ghosxt partner

Sub-industries we serve in healthcare

  • Private medical practices (primary care, internal medicine, pediatrics, specialty)
  • Dental practices and DSOs
  • Behavioral health, psychiatry, and counseling
  • Physical therapy, chiropractic, and rehabilitation
  • Optometry and ophthalmology
  • Diagnostic imaging and radiology centers
  • Home health, hospice, and in-home support
  • Medical billing and revenue cycle services

Healthcare IT glossary

If you have run a practice for any length of time, none of these are new. If you are the office manager who just inherited HIPAA, this is the short version.

PHI / ePHI
Protected Health Information. Anything that identifies a patient and relates to their health, treatment, or payment for care. Electronic PHI is the same data in digital form.
HIPAA
The Health Insurance Portability and Accountability Act. The federal law whose Security Rule, Privacy Rule, and Breach Notification Rule shape healthcare IT.
BAA
Business Associate Agreement. The contract that has to be in place before a vendor can handle PHI on your behalf.
CE / BA
Covered Entity / Business Associate. The two roles HIPAA defines. Most practices are CEs. Vendors that handle PHI on a CE's behalf are BAs.
OCR
HHS Office for Civil Rights. The federal agency that enforces HIPAA.
SRA
Security Risk Analysis. The HIPAA-required assessment that identifies risks to PHI and the controls in place to address them. Annual, in practice.
Wall of Shame
The HHS Breach Portal, where breaches affecting 500 or more individuals are publicly posted. The colloquial name everyone in healthcare IT uses.
EHR / EMR / PM
Electronic Health Record / Electronic Medical Record / Practice Management. The clinical chart system, the records system, and the scheduling-and-billing system. Often combined in modern platforms.
HL7 / FHIR
The two standards that govern how healthcare systems exchange data. HL7 v2 is the legacy workhorse. FHIR is the modern REST-based successor that most new integrations use.
42 CFR Part 2
The federal rule for substance use disorder treatment records held by federally assisted programs. Stricter than HIPAA on disclosure.

Service area across the Central Coast and South Bay

Our home base is Salinas. We work with healthcare practices across the Central Coast and the South Bay. On-site response is fast across the corridor; most clinical IT issues are resolved remotely within the same clinic block.


Adjacent services for healthcare practices

Healthcare practices often run alongside or inside other operations. Related pages worth a read.

Free HIPAA and IT assessment for your practice

30 minutes with a DoD-cleared engineer. Walk away with a clear picture of where your IT, HIPAA posture, and breach-readiness stand, plus a written punch list of what to fix first. No sales script, no obligation.

Book your free assessment

FAQs about IT services for healthcare practices

Are you a HIPAA-compliant IT provider? Do you sign a BAA?
Yes. We sign a Business Associate Agreement with every healthcare client before we touch a system that handles PHI, and we operate as a covered Business Associate ourselves. The BAA is the legal floor. The actual work is the controls underneath it: encryption, access management, audit logging, breach response readiness, vendor management, and the documentation a Security Risk Analysis will ask for.
We had a lost laptop. Was it a breach? Do we have to report?
It depends on whether the laptop was fully encrypted with a recognized standard at the moment it was lost. If it was, HIPAA treats the data as unreadable and unusable, and no reporting is generally required. If it was not, you are inside the 60-day breach notification clock for affected individuals (breaches affecting fewer than 500 people may be reported to HHS annually, within 60 days of year-end, if you choose annual reporting). Either way, we run the forensic checklist, document what was on the device, and produce the artifact you need for OCR if it is ever asked for.
Our EHR vendor handles security. Why do we still need an MSP?
The EHR vendor handles the security of the EHR application and the data it stores. They do not handle the laptops, the workstations at the front desk, the back-office printer that scans charts, the Wi-Fi network the practice runs on, the email system the staff uses, or the backups of anything outside the EHR. That entire surface area is the practice's responsibility, and it is most of the actual HIPAA risk surface. That is where an MSP fits.
We are a small practice (3 providers). Is full HIPAA compliance really required?
Yes. HIPAA does not have a small-practice exemption. The Security Rule applies the same way to a three-provider practice as to a hospital, and the OCR fines on small practices have not been theoretical. What does scale with practice size is the level of effort: a three-provider practice does not need a CISO, but it does need a Security Risk Analysis, a written set of policies and procedures, encryption everywhere, MFA everywhere, training, and a documented incident response posture.
We do telehealth. What changes for the IT side?
Telehealth widens your environment by every endpoint that connects to it: home laptops, personal phones, vendor platforms, and the network paths between them. The IT side is endpoint hygiene on whatever devices providers use, MFA on the telehealth platform, a BAA with the platform vendor, encrypted recordings (or no recordings if your policy says so), and a documented patient-consent workflow that captures the right disclosures. The HIPAA enforcement discretion that covered casual telehealth tools during the public health emergency is gone; the standard rules apply now.
Call (831) 204-0501 or book a free assessment.