One breach notification letter. Every patient you have.
A medical practice runs on two things staying up and staying private: the EHR and the PHI inside it. Lose either one and you're not filling out an IT ticket — you're filing a breach report with HHS or telling patients their day is canceled.
What a breach or outage actually costs a medical practice
A HIPAA breach isn’t a private embarrassment you quietly fix. Once electronic PHI is exposed, the Security Rule triggers mandatory notification to every affected patient, a report to HHS, and — at 500 or more records — a public listing on the OCR’s breach portal and notice to local media. That is on top of any Office for Civil Rights investigation and fine. An EHR outage is a different kind of damage: no chart access, no e-prescribing, no check-in, and a waiting room full of patients who can’t be seen. Neither failure mode is optional to prevent once you understand what triggers it.
Where practices actually get breached
The access-control gaps we find auditing medical practices are rarely exotic. We’ve found PHI-adjacent credentials sitting in plain spreadsheets during routine security audits — see our password file audit report. We’ve provisioned emergency local admin access after a practice was locked out of a clinical workstation with no other path in, documented in our local admin provisioning report. And we’ve remotely wiped a stolen laptop before it left the airport, detailed in our MDM remote wipe report. Each of those is a mundane operational moment that, without the right controls already in place, turns into a reportable PHI exposure.
What the HIPAA Security Rule actually requires
The Security Rule breaks down into administrative, physical, and technical safeguards for electronic PHI. In practice that means: a documented security risk assessment, access controls tied to actual job roles, audit logs that show who touched what and when, encryption for data at rest and in transit, workforce training, and a breach notification procedure that’s written down before you need it — not improvised during an incident. We build every one of those into a practice’s environment and keep the documentation an auditor or OCR investigator would actually ask for.
Encryption as the front line
Device-level encryption is one of the most direct controls against a lost-laptop breach becoming a reportable one — an encrypted device that’s lost or stolen is generally not a reportable breach under the Security Rule’s safe harbor. We roll BitLocker out at scale (full-fleet encryption in 72 hours) and keep recovery keys retrievable when a Windows update breaks boot instead of locking a provider out of their own workstation (our recovery key lookup report).
EHR uptime as a clinical safety issue
We treat your EHR’s uptime as clinical infrastructure, not a back-office system. That means monitoring built around fast detection and our standard <15 minute response commitment on anything critical, backups that let us restore rather than rebuild, and documented failover steps so a provider isn’t improvising a paper chart process mid-appointment.
How Limehawk builds the HIPAA program
Every medical practice we work with gets the same baseline, then we layer on what the practice’s EHR and patient volume require:
- HIPAA security risk assessment — the documented starting point every other control maps back to.
- EHR infrastructure security — the network, servers, and devices around your EHR, hosted or on-premises.
- Encryption for PHI — device encryption and encrypted email for anything containing patient data.
- Access controls and audit logs — role-based access with a record of who touched what PHI, when.
- Business Associate Agreements — signed with us, and tracked across your other vendors.
- Workforce HIPAA training — the security awareness piece the Security Rule requires for staff.
- Breach notification procedures — written down before an incident, not drafted during one.
This runs on top of our standard managed IT and security baseline — $150 per user per month, 24/7 monitoring, endpoint detection and response, and patch management included, with a <15 minute response commitment on anything critical. No multi-year contract; month-to-month, published pricing.
Fifteen minutes with Corey Watson — the person who wrote every report above and who will map your Security Rule safeguards.
Book a call →or call +1-865-500-4055
Book fifteen minutes with Corey Watson to review your HIPAA Security Rule safeguards and EHR resilience before an auditor or an attacker finds the gap.
Medical practice IT, plainly explained
Pricing included — because “call for pricing” is how IT companies hide the number.
See full pricing →What does a HIPAA breach actually cost a medical practice?
Beyond the HHS Office for Civil Rights fine, a reportable breach means mandatory notification to every affected patient, a possible notice to local media if 500+ records are involved, and a listing on the OCR's public breach portal. Add the incident response cost, the patient trust you don't get back, and the malpractice-adjacent scrutiny that follows. Prevention — encryption, access controls, MFA — costs a fraction of any of that.
What happens to a practice when the EHR goes down?
Patients can't be checked in, charts can't be pulled, and providers can't document care or prescribe electronically. Depending on your EHR's hosting, an outage can mean canceled appointments for the day. We treat EHR uptime as a clinical safety issue, not just an IT ticket, with monitoring and response times that reflect that.
What's actually required under the HIPAA Security Rule?
The Security Rule requires administrative, physical, and technical safeguards for electronic PHI: a documented risk assessment, access controls and audit logs, encryption of data at rest and in transit, workforce training, and breach notification procedures. It's not a single product — it's a set of controls and the documentation proving they're in place.
Do we need Business Associate Agreements with Limehawk?
Yes. As a managed IT provider with access to systems that store or transmit PHI, Limehawk operates as a Business Associate under HIPAA, and we sign a BAA with every medical practice client. We also help you track and manage BAAs with your other vendors — EHR host, billing service, cloud backup — since a chain of untracked BAAs is a common audit finding.
Can you work with our existing EHR system?
Yes. We don't replace your EHR — we secure the infrastructure around it: the network it runs on, the devices that access it, encryption and access controls, and the backup and monitoring that keep it available. That applies whether it's cloud-hosted or running on a server in your building.
What does this cost?
Base managed IT and security is $150 per user per month, minimum 3 users, month-to-month with no contract. That includes 24/7 monitoring, endpoint detection and response, patch management, and the core security suite. Security awareness training for HIPAA workforce requirements is $3/user/month on top. Full pricing is published at /pricing.