The practice was growing quickly, but its HIPAA program hadn’t kept pace. The practitioner knew there were gaps — she just didn’t know how many, or which to tackle first. A possible payer review made it feel urgent.
No documented Security Risk Analysis. The single most important foundation of compliance was simply missing.
Consumer email in daily use. PHI was moving through tools that had no business associate agreement.
Calendar invites leaking names. Appointment invites paired patient names with the practice’s identity.
A scheduling vendor with no BAA. Patient data was sitting with an unvetted third-party tool.
No written policies or training records. Expectations lived in her head, not on paper.
Our Approach
A clear, prioritized path
We started by measuring the real risk, then worked the highest-impact fixes first — so she always knew what mattered most, and why.
Completed a full, documented SRA and turned the findings into a prioritized remediation roadmap.
Migrated email to a BAA-covered Microsoft 365 plan with encryption, and closed the calendar-invite leak.
Replaced the non-compliant scheduler and collected BAAs from every vendor handling PHI.
Authored plain-language policies and documented training on what to do day to day.
The Results
From overwhelmed to compliant
Days to audit-ready
0
Staff trained
0%
Risk gaps closed
0
Vendor BAAs in place
0
A documented SRA and roadmap. The missing foundation is now firmly in place and repeatable.
Encrypted email and a vetted scheduler. PHI now flows only through tools under a signed BAA.
Clear policies and documented training. No guesswork — she knows exactly what to do.
A program that maintains itself. Incident reporting and annual reviews keep compliance current.
A1plusAI turned HIPAA compliance from overwhelming to manageable. Their guidance, tools, and training gave me real clarity — and genuine peace of mind.