Managed IT + HIPAA Security for Ohio Medical Practices — Audit-Ready Evidence and EHR Stability
- You cannot produce your current Security Risk Analysis within 24 hours
- Your cyber insurance renewal required new technical attestations
- You are unsure which vendors require a Business Associate Agreement
- You have never tested restoring your EHR from backup
- Your last “HIPAA review” was checklist-based, not evidence-based
Capstone maintains the documentation medical practices are expected to produce: Security Risk Analysis, access controls, training records, backup testing, vendor/BAA tracking, and incident-ready timelines—kept current throughout the year, not assembled at the deadline.
Designed for independent and multi-physician practices (2–50 workforce members) that do not employ a full-time compliance officer or internal IT security team.
HIPAA readiness is not a binder; it is evidence that safeguards were implemented and operating before the incident, audit, or renewal. Capstone maintains that evidence continuously—so documentation is current when MIPS attestation, OCR requests, or underwriting questionnaires arrive.
The HIPAA Requirements You’re Actually Accountable For
Investigators and underwriters do not ask what products were purchased. They ask for documentation: risk analysis, policies, workforce training records, access controls, encryption coverage, audit logs, vendor/BAA status, backup testing, and incident response timelines. This page summarizes the obligations and the evidence packages we maintain for medical practices.
HIPAA Security Rule
Requires administrative, physical, and technical safeguards to protect ePHI. A documented Security Risk Analysis is required, and it must be reviewed and updated as the environment changes; MIPS Promoting Interoperability separately requires it every performance year. Workforce training, access controls, and audit logs are required specifications; encryption is an addressable specification, which means it must be implemented or the documented reason and an equivalent alternative must be on file. OCR enforcement is active.
HIPAA Privacy Rule
Controls who can access patient information. Requires documented policies, workforce training on permitted uses and disclosures, and business associate agreements with all vendors handling PHI.
HIPAA Breach Notification Rule
Affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered. Breaches affecting 500 or more individuals are reported to HHS on the same timeline and posted on its public breach portal; smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered. Safe Harbor: PHI encrypted in a manner consistent with HHS guidance is not considered unsecured PHI, so its loss is not a reportable breach, provided the decryption key was not compromised along with the data.
Ohio Breach Notification Law
Ohio has a separate state breach-notice regime for certain personal information incidents, with an outer deadline of 45 days after discovery in many cases. This can run parallel to federal healthcare obligations and is handled as a separate notification track when applicable.
Cyber Insurance Requirements
Insurers commonly require MFA, EDR, encrypted backups, email filtering, and workforce training prior to underwriting policies. Claims review commonly involves verification that these controls were active when the breach occurred.

Your Quarterly Evidence Package
✓ Privileged access documentation
✓ Password manager status
✓ SOC monitoring summaries
✓ Patch & vulnerability summary
✓ Vulnerability scan results
✓ Secure remote access config
✓ Backup test results
✓ Business continuity & disaster recovery plan
✓ Encrypted email configuration
✓ Retention/hold settings
✓ Phishing simulation results
✓ Policy acknowledgment records
Updated quarterly. Ready for OCR requests, MIPS attestation, insurance renewals, and underwriting questionnaires.
What Happens When Safeguards Aren’t Documented
HIPAA compliance isn’t a binder. It’s documented safeguards plus evidence that those safeguards were active before the incident, not added afterward.
OCR Investigation
OCR reviews documentation quality during investigations. Notification to affected individuals must be made without unreasonable delay and no later than 60 days. Documentation quality materially affects regulatory posture and potential corrective action outcomes.
Public Breach Portal
HHS posts breaches affecting 500+ individuals on its public breach portal. This disclosure becomes a permanent part of practice reputation and referral risk. Encryption meeting HHS guidance may qualify for Safe Harbor, which can change notification requirements.
Insurance Claim Denial
Insurers commonly expect evidence that controls were operating at the time of the incident. Claims may be reviewed against the controls stated on the application. Weak evidence can slow claims and weaken outcomes.
“I began working with Brian and Capstone Technologies in 2013. Brian is very personable and professional while in the office working and interacts well with all of our staff, including our physicians. He is always readily available to help out and answer questions.”
“Capstone has assisted our practice with the transition to electronic health records, not once but twice; first with Greenway and most recently with EPIC. Brian works well with outside vendors, including IT personnel, phone, cable and internet providers, as well as contractors. He has also assisted our practice with HIPAA security and monitoring. Capstone Technologies provides comprehensive and friendly service at a very reasonable price.”
HIPAA Security Controls Implemented and Documented
Security controls matter only if they are measurable and defensible. Capstone implements core safeguards, monitors them, and produces audit-usable evidence: coverage lists, configuration exports, test records, and dated training/completion logs—organized for MIPS, OCR response, and insurance workflows.

What we implement: MFA on all systems (email, EHR, remote access), role-based access limiting who sees patient data, automatic session timeouts, audit logs of every login attempt and patient record access.
What you receive: MFA coverage list, configuration exports or screenshots, and an access control summary suitable for audits and renewals.
Satisfies: HIPAA Security Rule § 164.312(a)(1) Access Control (including § 164.312(a)(2)(i) Unique User Identification and § 164.312(a)(2)(iii) Automatic Logoff), § 164.312(d) Person or Entity Authentication, § 164.308(a)(4) Information Access Management, Cyber Insurance MFA Requirements
What is in place: Full-disk encryption on endpoints; encrypted backups; encrypted transport for sensitive workflows where supported.
What gets documented: Device encryption coverage list, recovery key management record, backup encryption settings, and validation screenshots/exports.
Operational result: Encrypted data meeting HHS guidance is not considered unsecured PHI for breach notification purposes. A lost or stolen laptop is therefore a documented security incident rather than a reportable breach only when the coverage list shows encryption was enabled on that device at the time, the recovery key was not stored with it, and the key was not otherwise compromised; without that evidence the same theft is treated as an unencrypted incident.
Satisfies: HIPAA Security Rule § 164.312(a)(2)(iv) Encryption and Decryption, HIPAA Breach Notification Safe Harbor, HHS Encryption Guidance, Cyber Insurance Requirements
What we implement: Centralized security logging for key systems; alerting for suspicious login patterns; EHR audit trail validation where supported by the platform.
What you receive: Quarterly evidence summaries and incident timelines; retention approach aligned to compliance needs and risk analysis.
Operational result: Faster containment, better defensibility in investigations, and cleaner insurance claims support.
Satisfies: HIPAA Security Rule § 164.312(b) Audit Controls, § 164.308(a)(1)(ii)(D) Information System Activity Review, OCR Audit Protocol
What we deliver: Annual documented analysis identifying threats to ePHI, implemented safeguards, likelihood and impact assessment, risk management decisions, and prioritized action items. Updated annually with your practice’s current environment, not generic templates.
MIPS requirement: The Security Risk Analysis attestation is a required measure within Promoting Interoperability; a practice that cannot attest to it scores zero for the entire Promoting Interoperability category. MIPS payment adjustments can reach a -9% maximum in the applicable payment year.
Satisfies: HIPAA Security Rule § 164.308(a)(1)(ii)(A) Risk Analysis and § 164.308(a)(1)(ii)(B) Risk Management, MIPS Security Risk Analysis Attestation, OCR Audit Protocol, Promoting Interoperability (formerly Meaningful Use) security measures
What is in place: Continuous monitoring for unauthorized access attempts, unusual login patterns, and security events; automated alerting; documented incident response procedures aligned to HIPAA breach notification timelines.
What gets documented: Security event logs with timestamps, detected threats and response actions taken, incident timelines showing when events were identified and contained, quarterly summaries of monitoring activity suitable for OCR requests and insurance verification.
What the practice manager receives: Weekly status emails showing system health, threats blocked, and any items requiring attention. Takes 30 seconds to read—you stay informed without monitoring technical dashboards.
Operational result: When OCR asks “How did you detect this breach?” or “What was your response timeline?” you have documented evidence showing detection date, containment actions, and notification timing. This documentation is critical for regulatory defense and insurance claim outcomes.
Satisfies: HIPAA Security Rule § 164.308(a)(1)(ii)(D) Information System Activity Review, § 164.308(a)(6) Security Incident Procedures, Breach Notification Rule 60-day requirement, Cyber Insurance Monitoring Requirements
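The two detections named above (alerting on suspicious login patterns, and validating the EHR audit trail for patient-record access) and the incident timeline OCR asks for are easier to judge when you can see the logic run. The following is an added example written for this page, not Capstone's tooling and not any EHR vendor's export format: the pipe-delimited log layout, the user names, IP addresses, MRNs, clinic hours and the 5-failures-in-10-minutes threshold are all assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (assumed pipe-delimited: timestamp|user|event|key=value).
# Users, IPs and MRNs are placeholders, not real data.
SAMPLE_LOG = """\
2024-03-04T08:55:10|jsmith|LOGIN_OK|src=10.0.0.21
2024-03-04T09:02:31|jsmith|RECORD_VIEW|mrn=100234
2024-03-04T12:15:44|mlee|RECORD_VIEW|mrn=100240
2024-03-04T22:14:02|jsmith|RECORD_VIEW|mrn=100235
2024-03-04T23:40:00|jsmith|RECORD_VIEW|mrn=100236
2024-03-05T03:10:01|admin|LOGIN_FAIL|src=203.0.113.7
2024-03-05T03:10:09|admin|LOGIN_FAIL|src=203.0.113.7
2024-03-05T03:10:18|admin|LOGIN_FAIL|src=203.0.113.7
2024-03-05T03:10:27|admin|LOGIN_FAIL|src=203.0.113.7
2024-03-05T03:10:36|admin|LOGIN_FAIL|src=203.0.113.7
2024-03-05T08:01:00|mlee|LOGIN_FAIL|src=10.0.0.33
2024-03-05T08:01:20|mlee|LOGIN_OK|src=10.0.0.33
"""

BUSINESS_HOURS = (7, 19)             # assumed clinic hours, 07:00 to 18:59 local
FAIL_THRESHOLD = 5                   # assumed: 5 or more failures ...
FAIL_WINDOW = timedelta(minutes=10)  # ... from one source within 10 minutes


def parse_log(text):
    """Parse the export into dicts sorted by time; the key=value detail becomes a field."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, detail = line.split("|", 3)
        key, _, value = detail.partition("=")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "event": event, key: value})
    return sorted(events, key=lambda e: e["ts"])


def detect_failed_login_bursts(events):
    """Sliding window over failures per source IP; one finding per source the first time
    the window reaches FAIL_THRESHOLD. A single mistyped password (mlee at 08:01) never trips it."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN_FAIL":
            by_src[e.get("src", "unknown")].append(e)
    findings = []
    for src, fails in by_src.items():
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > FAIL_WINDOW:
                start += 1
            if end - start + 1 >= FAIL_THRESHOLD:
                findings.append({
                    "type": "failed_login_burst", "src": src,
                    "users": sorted({f["user"] for f in fails[start:end + 1]}),
                    "count": end - start + 1,
                    "first_seen": fails[start]["ts"].isoformat(),
                    "last_seen": fails[end]["ts"].isoformat(),
                })
                break
    return findings


def detect_after_hours_access(events):
    """Patient-record views outside BUSINESS_HOURS, grouped per user and calendar day so one
    finding lists every record touched instead of raising one alert per click."""
    grouped = defaultdict(list)
    for e in events:
        if e["event"] == "RECORD_VIEW" and not (BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]):
            grouped[(e["user"], e["ts"].date())].append(e)
    return [{
        "type": "after_hours_record_access", "user": user, "date": day.isoformat(),
        "records": [e["mrn"] for e in views],
        "first_seen": views[0]["ts"].isoformat(), "last_seen": views[-1]["ts"].isoformat(),
    } for (user, day), views in grouped.items()]


def incident_timeline(findings, detected_at, contained_at):
    """One dated row per finding: first activity, detection, containment, and the gaps between
    them, which is what an OCR request or a claims reviewer asks for."""
    rows = []
    for f in findings:
        first = datetime.fromisoformat(f["first_seen"])
        rows.append({
            "finding": f["type"],
            "first_activity": f["first_seen"],
            "detected": detected_at.isoformat(),
            "contained": contained_at.isoformat(),
            "hours_to_detect": round((detected_at - first).total_seconds() / 3600, 1),
            "hours_to_contain": round((contained_at - detected_at).total_seconds() / 3600, 1),
        })
    return rows


def run_demo():
    """Run both detections over the sample and build the timeline with assumed
    detection and containment times on the next business morning."""
    events = parse_log(SAMPLE_LOG)
    findings = detect_failed_login_bursts(events) + detect_after_hours_access(events)
    return incident_timeline(findings, datetime(2024, 3, 5, 8, 30), datetime(2024, 3, 5, 9, 0))


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

Note the design choice in the timeline: it records the gap between first activity and detection, not just the detection date. A burst at 03:10 that is only reviewed at 08:30 is a five-hour detection gap, and that number is what "How did you detect this breach?" is really asking about; a monitoring program that only reports dates cannot answer it.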
What we implement: Daily encrypted backups with at least one copy held offline or in immutable storage that cannot be altered or deleted even with compromised administrator credentials, monthly recovery testing documented with timestamps and results, EHR-specific backup verification, and defined recovery time objectives aligned to practice continuity needs. Where the EHR is vendor-hosted, the restore test is the vendor's to run and the evidence to keep on file is the vendor's documented test results.
Why it matters: Documentation of containment and recovery materially affects notification analysis and regulatory posture. EHR downtime stops patient care. Untested backups don’t count.
Satisfies: HIPAA Security Rule § 164.308(a)(7) Contingency Plan, § 164.310(d)(2)(iv) Data Backup and Storage, Cyber Insurance Backup Requirements, EHR Vendor Requirements
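"Untested backups don't count" is concrete only if the test produces something a reviewer can read. The following is an added example, not Capstone's backup tooling and not tied to any EHR product: it backs up a constructed stand-in for an EHR export, restores it into a scratch directory, verifies every file against a SHA-256 manifest taken at backup time, and returns a dated evidence record with the restore time measured against an assumed recovery time objective. It then corrupts the archive and shows the same test reporting FAIL instead of passing silently. Archive encryption is outside this example; the restore and integrity check are what it demonstrates.

```python
import hashlib
import json
import os
import tarfile
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_for(root):
    """Relative path -> SHA-256 for every file under root: the expected state at restore time."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source_dir, archive_path):
    """Create a tar.gz of source_dir and return the manifest the restore will be verified against."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname=".")
    return manifest_for(source_dir)


def _safe_extract(tar, dest):
    """Refuse members that would land outside dest (path traversal) or are not plain files/dirs,
    so a tampered archive cannot write elsewhere during a restore test."""
    dest = Path(dest).resolve()
    members = []
    for m in tar.getmembers():
        target = (dest / m.name).resolve()
        inside = target == dest or dest in target.parents
        if not (m.isfile() or m.isdir()) or not inside:
            raise ValueError(f"unsafe archive member: {m.name}")
        members.append(m)
    tar.extractall(dest, members=members)


def restore_test(archive_path, manifest, rto_minutes):
    """Restore into a scratch directory, check every file hash against the manifest, and return
    a dated evidence record. PASS requires no errors, no missing or changed files, and restore
    time within the RTO; anything else is FAIL with the reason recorded."""
    archive_path = Path(archive_path)
    started = datetime.now(timezone.utc)
    t0 = time.perf_counter()
    record = {
        "tested_at": started.isoformat(timespec="seconds"),
        "archive": archive_path.name,
        "archive_sha256": sha256_file(archive_path),
        "files_expected": len(manifest),
        "files_verified": 0,
        "missing": [],
        "mismatched": [],
        "rto_minutes": rto_minutes,
        "reason": "",
    }
    try:
        with tempfile.TemporaryDirectory() as scratch, tarfile.open(archive_path, "r:gz") as tar:
            _safe_extract(tar, scratch)
            restored = manifest_for(scratch)
        for rel, digest in manifest.items():
            if rel not in restored:
                record["missing"].append(rel)
            elif restored[rel] != digest:
                record["mismatched"].append(rel)
            else:
                record["files_verified"] += 1
    except (tarfile.TarError, ValueError, OSError) as exc:
        record["reason"] = f"restore failed: {exc}"
    elapsed = time.perf_counter() - t0
    record["elapsed_seconds"] = round(elapsed, 3)
    record["within_rto"] = elapsed <= rto_minutes * 60
    ok = not record["reason"] and not record["missing"] and not record["mismatched"] and record["within_rto"]
    record["result"] = "PASS" if ok else "FAIL"
    return record


def build_sample_dataset(root):
    """Constructed stand-in for an EHR export; contents are placeholders, not real PHI."""
    root = Path(root)
    (root / "db").mkdir(parents=True)
    (root / "documents").mkdir()
    (root / "db" / "ehr.sqlite").write_bytes(os.urandom(4096))
    (root / "documents" / "note-0001.txt").write_text("constructed sample document\n")
    (root / "config.ini").write_text("[ehr]\nversion=1\n")
    return root


def run_demo(rto_minutes=60):
    """Back up the sample, test a good restore, then overwrite the archive to show the
    test failing loudly on unusable backup media."""
    with tempfile.TemporaryDirectory() as work:
        source = build_sample_dataset(Path(work) / "ehr")
        archive = Path(work) / "ehr-backup.tar.gz"
        manifest = make_backup(source, archive)
        good = restore_test(archive, manifest, rto_minutes)
        archive.write_bytes(b"truncated or corrupted backup media")  # simulated bad copy
        bad = restore_test(archive, manifest, rto_minutes)
    return {"pass": good, "fail": bad}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The evidence record is deliberately self-describing: the archive hash, the expected and verified file counts, the elapsed time and the RTO all sit in one JSON object, so a monthly run appended to a log is the "test results with timestamps" an underwriter or OCR reviewer is asking for. For a real EHR the manifest would cover the database export plus attached documents, and the restore would go to an isolated host rather than a temporary directory.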
What we implement: Year-round security education program including annual comprehensive HIPAA training, weekly micro-trainings (3–5 minutes), monthly phishing simulations with click tracking, immediate remedial training for staff who click simulated phishing links, and password manager deployment.
What you receive: Training completion certificates with dates for every workforce member, phishing simulation results showing click rate trends with measurable improvement, topic coverage reports proving all required subjects were trained.
Satisfies: HIPAA Security Rule § 164.308(a)(5) Security Awareness and Training, § 164.530(b) Training Requirements, OCR Audit Protocol, Cyber Insurance Training Verification
What we implement: Complete BAA tracking with all business associates, annual review of vendor security controls, documented due diligence on vendor HIPAA compliance, termination procedures for non-compliant vendors.
Why it matters: A vendor breach is still your breach to notify: the business associate reports it to you, and the practice owns notification to patients and HHS. HIPAA requires signed BAAs with every vendor that creates, receives, maintains, or transmits PHI on your behalf (EHR companies, billing services, cloud providers), and OCR routinely requests BAA documentation during investigations.
Satisfies: HIPAA Privacy Rule § 164.502(e) Business Associate Contracts and § 164.504(e) Contract Requirements, HIPAA Security Rule § 164.308(b) Business Associate Contracts and Other Arrangements, OCR BAA Audit Protocol, Vendor Risk Management
Built for Practices Without IT Staff
Most practices we work with don’t have a compliance officer or internal IT team. The practice manager ends up fielding insurance questionnaires, handling vendor calls, and troubleshooting the printer—on top of running the office. That’s where Capstone fits.
Continuous oversight, not annual panic projects: Most practices scramble before MIPS deadlines or OCR audits. We monitor continuously and document quarterly. When your MIPS attestation is due or OCR investigation notice arrives, documentation is already current.
Designed for practices without IT expertise: We don’t hand you a HIPAA checklist and walk away. We implement safeguards, monitor them 24/7, test them monthly, and document everything. You get weekly summaries and quarterly compliance reports. If something needs attention, we tell you what we found and what we’re doing about it.
Hands-on technical capability when needed: Our managed services include technical work beyond remote monitoring—from network infrastructure troubleshooting to equipment coordination to vendor management. This expertise supports practice stability, but our primary focus is maintaining the compliance evidence you need for audits, renewals, and investigations.
Not enterprise IT complexity: We don’t deploy systems requiring full-time IT staff to maintain. We implement core safeguards that actually get monitored. Your clinical staff focuses on patient care—we handle HIPAA compliance and EHR stability.
Healthcare Cyber Insurance Evidence, Ready to Attach
Underwriters ask control questions. We provide documented proof of specific safeguards so your answers are backed by evidence, not guesswork.
MFA Coverage Proof
Coverage inventory plus evidence exports for email, remote access, and patient-data systems.
EDR + Monitoring Evidence
Endpoint coverage reports, alerting summaries, and response documentation when events occur.
Backups + Restore Testing
Encrypted backups plus documented recovery testing cadence suitable for renewals.
Training + Acknowledgments
Workforce completion logs, phishing program records, and policy acknowledgments.
Incident Response Package
Event timeline, containment actions, and documentation for broker/claims workflows.
Vendor + BAA Tracking
Vendor inventory, BAA status tracking, and practical oversight documentation.
What Medical Practices Actually Receive
You receive deliverables that stand up to scrutiny: a current Security Risk Analysis, evidence packages for underwriting and renewals, workforce training records, policy acknowledgment logs, backup test records, vendor/BAA tracking, and incident timelines—organized so a practice manager can respond quickly and consistently.
Annual Security Risk Analysis
HIPAA-required annual risk analysis documenting threats to ePHI, implemented safeguards, and risk management decisions. Updated annually with your current environment—not generic templates.
Quarterly Evidence Summary
Controls status, monitoring highlights, exceptions identified, remediation status, and documented changes. Updated quarterly so documentation stays current.
Insurance Evidence Package
Documentation proving MFA, EDR, encrypted backups, email filtering, and workforce training are implemented and active. Pre-formatted for insurance applications and renewals.
Workforce Training + Phishing Records
Annual training completion certificates for every workforce member, phishing simulation results showing click rate trends, and topic coverage reports for OCR and insurers.
Backup + Restore Test Records
Monthly EHR recovery test results with timestamps, restoration time metrics, and backup encryption validation suitable for compliance review and insurance verification.
Vendor/BAA Inventory + Status
Complete vendor inventory showing which vendors handle ePHI, BAA status tracking, annual review records, and documented due diligence for OCR compliance.
EHR/EMR Support and Security That Protects Clinical Workflows
EHR downtime and insecure access both harm patient care. EHR/EMR support must be stability-first, security-first, and vendor-coordinated.
Secure Remote Access for Providers
Remote access aligned to least privilege with strong authentication and defensible audit evidence.
Vendor Coordination
Direct coordination with EHR vendors and third parties to reduce downtime and avoid unsafe workarounds.
Downtime Reduction
Proactive endpoint and network management to reduce appointment disruption and after-hours emergencies.
Frequently Asked Questions: Medical IT + HIPAA Compliance in Ohio
OCR (Office for Civil Rights) conducts random HIPAA compliance audits and investigates breach complaints. OCR inquiries commonly request risk analysis and evidence of safeguards early in the process: annual SRA, HIPAA policies, BAA tracking, workforce training records, incident logs. We maintain this documentation quarterly, so it’s always current. When your OCR audit notice arrives, we package and prioritize documentation for submission. Most practices without ongoing documentation scramble for months trying to recreate records.
The HIPAA Breach Notification Rule provides a Safe Harbor for data encrypted in a manner consistent with HHS guidance. If a laptop containing ePHI is stolen but full-disk encryption was enabled and the decryption key was not stored with the device or otherwise compromised, the data is not considered unsecured PHI, so the theft does not trigger patient notification or HHS reporting and does not appear on the public breach portal. It is still a security incident to document, with the encryption evidence for that device attached. Without proper encryption, the same theft is a presumed breach requiring notification. Safe Harbor reduces breach notification costs and reputation damage, but only when encryption coverage can be proven for that specific device.
Safeguards implementation: 2–4 weeks depending on your current state. Initial annual SRA: delivered within 4 weeks of implementation. Full quarter of documented monitoring: 90 days after implementation. If you’re facing an immediate OCR audit, we can compile existing data and provide current status within 2 weeks, plus a remediation timeline for remaining items.
Yes. We frequently coordinate with insurance brokers and underwriters. We’ll join renewal calls to answer technical questions, provide documentation proving safeguards are implemented, and explain our monitoring approach. Some brokers now request this as part of the renewal process—they want direct confirmation from your IT provider that required controls are actually in place.
Annual comprehensive training: 30–45 minutes once per year. Weekly micro-trainings: 3–5 minutes, delivered via email—staff read them like any other business communication. Monthly phishing simulations: no time required—they’re just emails testing awareness. Total annual time commitment per employee: roughly 2–3 hours spread across the year. We manage the entire program—creating content, tracking completion, analyzing phishing results, generating reports for examiners. Your staff just completes the training; you get the compliance documentation.
Your patients trust you with their most sensitive health information. We handle the ongoing technical management and compliance documentation so you can focus on what you do best—providing excellent patient care.
Schedule a HIPAA Safeguards Review
30-minute call to review your current safeguards, what documentation you have, what’s missing, and what you’d need for OCR requests or MIPS attestation.