Tuesday Telehealth Tip: 80% of your HIPAA risk is fixable in one afternoon


Hi Reader

Most HIPAA guidance for small practices falls into one of two buckets: too vague to act on, or so dense you give up halfway through.

The reality is that 80% of the risk for a solo or small-group practice comes from a handful of things, all of which are fixable in an afternoon. The remaining 20% is what consultants like me get paid to handle.

Today is about the 80%. Five things you can do this week that move you from "probably exposed" to "actually defensible."

1. Make every BAA findable in under 60 seconds.

Create one folder. Cloud or local, doesn't matter. Drop every executed BAA from every vendor that creates, receives, stores or transmits PHI for you into it: video, EHR, scheduling, email, transcription, cloud storage. If a vendor won't sign a BAA, that's the signal to switch. Check that the plan you're actually on includes one: consumer tiers like free Gmail don't, while Google Workspace and Microsoft 365 business plans do. If you can't produce a BAA on request, for OCR's purposes you don't have one. (And if Zoom is your gap, that's the most common one I see. We can fix that in a day.)

2. Turn on disk encryption on every device that touches PHI.

FileVault on Mac. BitLocker on Windows (Pro or better; Windows Home only offers a lighter "Device encryption" on supported hardware). Both are free, built in, and take five minutes. Under the Breach Notification Rule, a lost laptop holding unencrypted PHI is a presumed breach you have to notify. A lost laptop that was encrypted to HHS guidance is just a lost laptop, as long as the key didn't go with it, so never keep the recovery key or login password on the device or in the bag. Verify it's really on rather than assuming: run "fdesetup status" in Terminal on a Mac, or "manage-bde -status" in an elevated prompt on Windows. Most clinicians I audit have it switched off and don't know.
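As an added example (my own check script, not something from this newsletter, Apple or Microsoft), here is a small shell script that confirms encryption is actually on, and shows why the Windows check has to look at "Protection Status" rather than just "encrypted": a BitLocker volume that was suspended for a firmware update reports "Fully Encrypted" while the key sits in the clear on disk. The sample outputs at the bottom are constructed to look like what "fdesetup status" and "manage-bde -status C:" print; the exact output format of those tools is an assumption here.

```shell
#!/bin/sh
# Added example, not from the newsletter: confirm full-disk encryption is really on.
# The real commands are `fdesetup status` (macOS, FileVault) and
# `manage-bde -status C:` (Windows, BitLocker, from an elevated prompt).
# The parsers take that output as text so they can be checked against the
# constructed sample outputs at the bottom without running on the target machine.

# FileVault: `fdesetup status` prints "FileVault is On." or "FileVault is Off."
filevault_on() {
    printf '%s\n' "$1" | grep -q '^FileVault is On\.'
}

# BitLocker: look at "Protection Status", not "Conversion Status". A suspended
# volume reports "Fully Encrypted" but "Protection Off", meaning the key is
# stored in the clear on disk and a thief can read everything.
bitlocker_on() {
    printf '%s\n' "$1" | grep -q 'Protection Status:[[:space:]]*Protection On'
}

# Live check for the Mac this script runs on (Windows needs PowerShell instead).
# Returns 0 if FileVault is on, 1 if off, 2 if this isn't macOS.
check_this_mac() {
    command -v fdesetup >/dev/null 2>&1 || { echo "fdesetup not found (not macOS)"; return 2; }
    if filevault_on "$(fdesetup status)"; then
        echo "FileVault: on"
    else
        echo "FileVault: OFF - turn it on before this machine touches PHI"
        return 1
    fi
}

# Constructed sample outputs (assumed to be shaped like the real commands' output).
SAMPLE_FV_ON='FileVault is On.'
SAMPLE_FV_OFF='FileVault is Off.'
SAMPLE_BL_ON='Volume C: [OSDisk]
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection On'
SAMPLE_BL_SUSPENDED='Volume C: [OSDisk]
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection Off'

# Run the parsers over the samples; returns 0 only if all four behave as expected.
self_check() {
    filevault_on "$SAMPLE_FV_ON" || return 1
    filevault_on "$SAMPLE_FV_OFF" && return 1
    bitlocker_on "$SAMPLE_BL_ON" || return 1
    bitlocker_on "$SAMPLE_BL_SUSPENDED" && return 1
    return 0
}

self_check && echo "parsers OK"
check_this_mac || :
```

On a Mac, save it and run "sh check-encryption.sh"; on Windows the equivalent is to run "manage-bde -status C:" yourself and confirm the Protection Status line says "Protection On", not just that Conversion Status says "Fully Encrypted".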

3. Password manager + app-based 2FA on everything.

1Password or Bitwarden; either is fine. Then turn on two-factor authentication for your email, EHR, password manager, and cloud storage, using an authenticator app (Authy or Google Authenticator), not SMS, which can be hijacked by a SIM swap. Start with email, because whoever controls your email can reset everything else, and keep each account's recovery codes in the password manager rather than in your inbox. Reused passwords are one of the most common ways healthcare breaches start. One afternoon of work closes that door.

4. Write a one-page incident response plan.

OCR doesn't expect a leather-bound binder. They expect proof you thought about it before something happened. Who do you call in the first hour? What do you stop doing? How do you notify? Write it on one page. Save it dated. Update it once a year. One addition worth making: the Breach Notification Rule fixes the clock (affected individuals must be notified without unreasonable delay and no later than 60 days after you discover the breach), so name the person who decides whether an incident is a breach and who tracks that deadline. That's the whole exercise.

5. Do — and document — an annual risk assessment.

Required by the Security Rule, and the gap OCR cites most often in its settlements. Almost no solo practice does it. It doesn't need to be fancy: a written review of your stack, your devices, your access controls, and the gaps you know exist but haven't closed yet, with a date and a sentence on what you plan to do about each gap. The free HHS/ONC Security Risk Assessment Tool walks you through it if you want a template. The act of writing it down is most of the value. The act of dating it is the rest.

None of these are exotic. None of them cost more than a few hundred dollars and an afternoon of focused work. What they do is move you from "I hope nothing happens" to "if something happens, I have a paper trail showing I took reasonable steps."

That distinction is the difference between a $137 penalty and a $1.5M one.

If you want a second pair of eyes on where your setup stands against this list, I do free 15-minute audits. No pitch, just an honest read.

Book a meeting here

It's worth 5 minutes of your time.

— Dan.

P.S. Working with me 1-on-1 is $5,000, and all summer it's 20% off. Use promo code SUMMER. This is the fastest way to get you where you want to go, whether you're launching a telehealth practice or growing and scaling the one you have. Here's what we'll do:

  1. Six one-on-one personalized strategy calls. Implement the changes right away, with private texts/calls in between to answer questions.
  2. Full tech audit. What's working for you, what's not, and what can be done better.
  3. How to incorporate AI safely and securely while saving you time and money.
  4. HIPAA compliance, RPM, RCM, and more.
  5. How to maximize revenue, whether you're private pay or insurance based.
  6. And so much more. Over $9,500 in value for $5,000 (now 20% off), with a guarantee that we will help you make back more than the cost of the program in added revenue and free time, or we will continue to work with you until that happens.

Payment plans are now available through Stripe.

Also: Want to go back and look at our previous Telehealth Tips? Click Here

Secure Telehealth

I'm a coach and entrepreneur who loves to talk about shaping the future of health & wellness by using the right technology. My mission is to make sense of health care tech and make it accessible to everyone. Subscribe and join over 4,000+ newsletter readers every week!
