Healthcare IT / HIPAA Compliance
HIPAA-Compliant IT for Los Angeles Medical Practices: What It Actually Requires
Your EHR vendor is HIPAA-compliant — but that doesn't mean your practice is: the most common source of OCR enforcement actions against small medical offices isn't a software flaw, it's the unmanaged IT infrastructure surrounding it. Vitalpoints delivers IT support built specifically for Los Angeles medical practices, which means addressing the full environment — not just the EHR.
Your EHR Is Compliant. Your IT Environment Probably Isn't.
EHR vendor compliance covers the software the vendor controls — its servers, its application layer, its own data handling. It does not cover the workstations, Wi-Fi networks, staff email, or remote-access tools your practice manages. Those are the IT provider's domain, and OCR audits treat them as the practice's responsibility.
In This Article
- Your EHR Is Compliant. Your IT Environment Probably Isn't.
- The Three HIPAA Safeguard Categories — and the IT Work Each One Requires
- Four IT Risks Los Angeles Medical Practices Face That Generic MSPs Underestimate
- What a HIPAA-Ready IT Engagement from Vitalpoints Looks Like
- Frequently Asked Questions
- Not Sure If Your Practice's IT Meets HIPAA's Technical Requirements? Let's Find Out.
What Falls Outside the EHR Vendor's Scope
- Workstations: Unencrypted desktops and laptops that access ePHI are the practice's liability, not the EHR vendor's.
- Wi-Fi networks: Guest and clinical networks on the same VLAN allow unauthorized ePHI access — the EHR vendor has no visibility into this.
- Staff email: Sending patient information over standard email without encryption violates the HIPAA Security Rule regardless of which EHR is in use.
- Remote access: VPN and remote-desktop setups used by staff working offsite must meet HIPAA technical safeguard requirements — configuration is the IT provider's job.
The Three HIPAA Safeguard Categories — and the IT Work Each One Requires
HIPAA's Security Rule organizes its requirements into three safeguard categories: technical, physical, and administrative. Each one maps to specific IT deliverables your provider must configure, enforce, and document — not just acknowledge in a policy document.
| Safeguard Category | What It Covers | IT Deliverables Required |
|---|---|---|
| Technical | Controls that protect ePHI in systems and during transmission | Encryption at rest and in transit on all ePHI-touching systems; MFA (multi-factor authentication) on every access point; audit log retention; endpoint protection software |
| Physical | Controls over physical access to devices and workstations | Workstation use policies enforced by MDM (Mobile Device Management); automatic screen-lock standards; device disposal using NIST 800-88 media sanitization — the federal standard for securely wiping storage media |
| Administrative | Policies, workforce controls, and vendor agreements | Signed Business Associate Agreement (BAA) with the IT provider; documented risk assessment; workforce access-control reviews |
Why the BAA Alone Isn't Enough
A BAA is a legally required contract in which a vendor handling ePHI on behalf of a covered entity acknowledges its HIPAA responsibilities. Most generic MSPs will sign a BAA — that part is easy. What OCR specifically examines is whether the IT provider also performed and documented the underlying risk analysis that the BAA implies. Signing the agreement without completing the risk assessment is the gap that triggers enforcement.
Four IT Risks Los Angeles Medical Practices Face That Generic MSPs Underestimate
Los Angeles medical practices — especially multi-site groups and independent specialty clinics in areas like Beverly Hills, Pasadena, and the South Bay — face threat vectors that standard MSP checklists don't address. These four are the ones Vitalpoints sees most frequently and that go unmitigated the longest.
Unencrypted VLANs Between Multi-Site Locations
Multi-provider group practices sharing ePHI across locations often rely on commercial internet circuits that span LA's fragmented real estate landscape — buildings in different ownership with inconsistently managed network equipment. When ePHI travels over unencrypted VLANs between those sites, it is exposed at the transport layer regardless of how secure each individual location's internal network appears.
DICOM Files on Legacy Workstations
DICOM (Digital Imaging and Communications in Medicine) files — the standard format for medical imaging — are routinely stored on legacy workstations in independent radiology and dental practices. These workstations frequently fall outside the scope of standard endpoint backup configurations, meaning DICOM archives are neither backed up nor encrypted under most generic MSP contracts.
Personal iPhones and Macs Without MDM Enrollment
LA specialty clinics — dermatology, aesthetics, boutique primary care — commonly operate in mixed Apple/Windows environments where staff use personal iPhones and Macs to access practice systems. Without MDM enrollment, those devices can store or transmit ePHI outside any policy control. Vitalpoints' cybersecurity services include MDM deployment that covers both platforms, enforcing encryption and remote-wipe capability on enrolled devices.
Third-Party Billing Companies With Poorly Scoped Remote Access
Third-party medical billing companies frequently access practice networks via remote-desktop or VPN credentials that were provisioned without access scoping — meaning the billing company can reach far more of the network than patient billing data requires. This is simultaneously a BAA issue (does a signed agreement exist?) and a technical safeguard failure (is access limited to the minimum necessary data?).
What a HIPAA-Ready IT Engagement from Vitalpoints Looks Like
Vitalpoints structures HIPAA-compliant IT support for Los Angeles medical practices around four service components that map directly to the Security Rule's safeguard categories — each one producing the documentation OCR looks for, not just the underlying technical work.
IT Compliance Services: Risk Assessment and BAA
Vitalpoints conducts a documented HIPAA security risk assessment that inventories ePHI flows, identifies vulnerabilities, and produces the written analysis OCR requires. The engagement includes a signed BAA that is backed by the actual risk analysis — not issued as a standalone document. This is delivered through IT compliance services for Los Angeles medical practices.
Cybersecurity Services: Endpoint Protection, MFA, and Encrypted Email
Endpoint protection is deployed on every device that touches ePHI, MFA is enforced on all practice systems and remote-access points, and email encryption is configured to prevent unencrypted patient data from leaving the practice. These controls satisfy the HIPAA Security Rule's technical safeguard requirements.
Data Backup and Recovery: HIPAA-Grade Encrypted Backup
Vitalpoints deploys HIPAA-grade encrypted backup with tested restore SLAs — meaning backup integrity is verified on a schedule, not assumed. DICOM workstations and specialty imaging archives are explicitly scoped into the backup plan, closing the gap most generic MSPs leave open.
macOS IT Services and the Co-Managed Option
Mixed Mac/Windows environments are handled through Vitalpoints' macOS IT services, which bring Apple devices under the same MDM and security policy framework as Windows endpoints. For practices that already have an internal IT person, the co-managed IT option layers HIPAA compliance oversight on top of existing internal support — a model larger MSPs rarely offer because it requires sharing the engagement rather than owning it entirely.
Frequently Asked Questions
What does a HIPAA-compliant IT provider actually do differently from a regular MSP?
A HIPAA-compliant IT provider signs a Business Associate Agreement, performs and documents a formal security risk assessment, enforces technical safeguards like MFA and encryption on all ePHI-touching systems, and maintains audit logs. A generic MSP may configure similar tools but rarely produces the documentation OCR requires during an audit.
What are the technical safeguards required under the HIPAA Security Rule?
The HIPAA Security Rule's technical safeguards require access controls limiting ePHI access to authorized users, audit controls that record system activity, integrity controls preventing unauthorized ePHI alteration, and transmission security — meaning encryption — for ePHI sent over any network. MFA is a required implementation specification under access controls.
Does HIPAA apply to dental practices and medical spas in Los Angeles?
Yes. Any healthcare provider that transmits health information electronically in connection with a covered transaction — including billing — is a covered entity under HIPAA. Dental practices, medical spas, and aesthetic clinics in Los Angeles are all subject to the Security Rule's technical, physical, and administrative safeguard requirements.
Not Sure If Your Practice's IT Meets HIPAA's Technical Requirements? Let's Find Out.
Request a no-obligation HIPAA IT gap assessment from Vitalpoints — we'll review your current setup against the Security Rule's technical, physical, and administrative safeguards and tell you exactly where you stand.
Schedule Your HIPAA IT Gap Assessment