HIPAA Compliance
for Your Practice

Every practice type has its own HIPAA landscape — different systems, different vendors, different risks. We build the compliance program around how your practice actually works, not around a generic template that treats every clinic like the same one.

Former HHS Asst. IG
Solo to 120-location
All 50 states

Book a Free Practice Assessment

15 minutes with Jay. Tell him your practice type and he'll tell you exactly where you stand — no obligation, no pitch.

Not sure if HIPAA applies to your practice? We'll tell you in the first 5 minutes.

40+ — Years HIPAA & federal enforcement
200+ — Organizations served
2013 — Founded — nationwide practice
50 — States served nationwide

Your practice type matters. We build around it.

A dental office has different vendors, different workflows, and different HIPAA risks than a law firm handling medical records in litigation. A therapy practice has different platform obligations than a pharmacy. We've built compliance programs for each of these — and here's what's specific to yours.

Medical offices & physician practices

Medical offices are the default HIPAA covered entity — and the one the HHS Office for Civil Rights (OCR), the federal agency that enforces HIPAA, audits most. The complexity lives in the vendor chain: EHR platforms, billing services, clearinghouses, lab partners, imaging, telehealth, transcription, referral networks. Every one of them is a Business Associate that requires a signed Business Associate Agreement (BAA) and a documented relationship.

EHR vendor BAAs that get signed at onboarding and never reviewed again — even as you add integrations, switch modules, or add telehealth features.

Workforce training gaps — contractors, locum tenens, and new hires who started after the annual training and were never caught up.

Patient portal access controls not mapped to HIPAA's minimum-necessary standard, particularly when portal admin is spread across front-desk staff.

Incident response plans that exist on paper but staff have never been walked through — so when something happens, nobody knows step one.

Multi-location coordination — policies and procedures written once for headquarters but never adapted for each site's unique workflows.

For medical offices, compliance isn't one big project — it's a program that touches every vendor relationship and every staff member. We build it to be maintainable year over year.

Dental practices

Dental practices often operate with tighter margins and smaller staff than medical offices — but HIPAA's requirements don't scale down with practice size. Every practice management system, every imaging platform, and every communication tool is part of your HIPAA scope.

Appointment reminder services (text, email, automated calls) often send Protected Health Information (PHI) without a signed Business Associate Agreement — a compliance gap most practices don't realize exists.

Practice management software (Dentrix, Eaglesoft, Open Dental, Curve) configured without minimum-necessary access controls between front desk, hygienists, assistants, and providers.

Intraoral imaging and X-ray storage — not always mapped to HIPAA's physical and technical safeguard requirements for PHI at rest and in transit.

Workforce training for hygienists, dental assistants, and front-desk staff — typically overdue or never documented in a format OCR would accept.

Insurance communications sent via unencrypted email to carriers, billing services, or patients — a common exposure path.

Dental is a perfect example of the "too small to worry" misconception. OCR has settled cases involving solo dental practices. Size isn't a shield.

Therapy & psychology practices

Mental health practices carry extra sensitivity under HIPAA. Psychotherapy notes receive heightened protection — they generally can't be disclosed even to the patient without explicit authorization. Telehealth platforms need to be HIPAA-compliant with signed BAAs. Most standard consumer video tools aren't.

Telehealth platform compliance — standard Zoom, FaceTime, and Google Meet are not HIPAA-compliant by default. HIPAA-compliant versions require a specific plan and a signed BAA. Many practices never executed the upgrade.

Session notes on personal devices — a common gap in solo practices. HIPAA requires device-level safeguards, encryption, and access controls.

Group practice EHR sharing without proper access controls between providers — one provider's notes shouldn't be automatically visible to another provider who isn't part of that client's care team.

Client communications via email or text that aren't encrypted and don't use a BAA-covered secure messaging channel.

Minor client records — parental access rights versus confidentiality obligations are a judgment call that needs to be documented per your state's rules, not just HIPAA's.

For therapy and psychology practices, HIPAA compliance is as much about the platforms you use as the policies you write.

Law firms handling medical records

Law firms handling medical records — personal injury, medical malpractice, workers' compensation, SSDI, disability — are Business Associates of their covered-entity clients. That means you're directly subject to HIPAA, not just contractually bound. Since the HITECH Act (2009), your firm has direct liability for HIPAA violations.

BAAs with client covered entities missing, outdated, or never executed — the client assumed the firm would handle it and vice versa.

E-discovery vendors, court reporters, and expert witnesses treated as general contractors rather than subcontractor Business Associates. They're BAs — they need their own BAAs with your firm.

Medical records from discovery stored on shared drives or document management systems without access controls that match HIPAA's minimum-necessary standard.

Remote work and BYOD policies that don't account for PHI handling on personal devices, home networks, and shared household computers.

Attorney-client privilege intersecting with HIPAA — privilege sometimes conflicts with HIPAA disclosure obligations. It's a judgment call, not a default, and it needs to be documented.

Law firm HIPAA compliance is its own specialty. We help litigation teams stand up the programs that OCR and client general counsels expect.

Chiropractic practices

Chiropractic practices have most of the same HIPAA obligations as medical offices — often without the same infrastructure or compliance resources to manage them. Practice management software, insurance billing, imaging storage, patient intake forms, and staff training all fall squarely within HIPAA's scope.

Practice management software BAAs never collected — most chiropractic PM vendors will provide one on request, but the practice has to ask.

Patient intake forms shared via unsecured email or consumer messaging apps — an easy exposure path that also tends to be high-volume.

X-ray and imaging storage without documented access controls or a clear record of who can view, download, or share imaging files.

Workforce training that's never happened, is years out of date, or isn't documented in a format OCR would accept during an audit.

Insurance billing communications over unencrypted channels — particularly common in practices that bill out-of-network and do a lot of manual correspondence with payers.

A well-scoped chiropractic compliance program typically pays for itself in reduced administrative burden, not just risk reduction.

Pharmacies

Pharmacies handle prescription records — some of the most heavily regulated PHI under federal and state law. Your HIPAA scope includes everything from POS systems and prescription databases to insurance clearinghouses, PBMs, and specialty pharmacy subcontractors.

PBM and payer transaction records not mapped to HIPAA's transaction and code set requirements, or stored without adequate access controls.

Counter privacy — pickup conversations, visible prescription labels, shoulder-surfing risk at POS. These are physical safeguard issues most HIPAA templates don't address.

Compounding, mail-order, and specialty pharmacy subcontractors that handle PHI on behalf of the main pharmacy — they're Business Associates and need signed BAAs.

Drug utilization review (DUR) records — storage, access, and retention rules that intersect HIPAA with state pharmacy board requirements.

Workforce training for pharmacists, technicians, and cashiers — all of whom handle PHI on a daily basis and need documented training per role.

Pharmacies have unique physical safeguard concerns that most HIPAA templates don't address — and OCR knows it.

The investigator is now on your side.

Jay Hodes

President — Colington Consulting

Former Asst. Inspector General, HHS

Jay served as Assistant Inspector General for Investigations at the U.S. Department of Health and Human Services — the agency that enforces HIPAA. He's worked with practices of every size and type, from solo clinics to 120-location enterprises with 12,000 employees.

He knows what regulators look for because he was one.

With 40+ years of combined experience in risk assessments, regulatory compliance, and federal law enforcement management, Jay has personally conducted thousands of assessments across every practice type listed above — and he's seen the specific gaps each one tends to have.

He's not going to sell you something you don't need. He recently told a company they didn't need HIPAA compliance at all — they weren't a covered entity or business associate. If your practice doesn't need us, he'll say so.

Former Asst. Inspector General, HHS
Expert witness in HIPAA litigation
80+ published articles on HIPAA
Top 10 HIPAA Consulting Firm (2020, 2024, 2025)

"Every practice type has its own specific compliance pattern. I'll tell you what yours looks like in 15 minutes."

Practice-type questions we hear often.

Probably yes. We've worked with hospice, home health, behavioral health, podiatry, optometry, physical therapy, acupuncture, dermatology, urgent care, specialty clinics, ambulatory surgical centers, and more. The six practice types above are the ones we see most often in inquiries, but the process of building a HIPAA program is similar across any covered entity or business associate. Book a free call and we'll confirm whether your practice qualifies and what a scoped engagement would look like.

Engagements are scoped to the size and complexity of the practice, so a solo provider pays for a solo provider's program — not an enterprise program. The free 15-minute call covers what scope makes sense for your practice and what it would cost before any commitment. We've built compliance programs for one-person clinics and we've built them for 120-location enterprises. The process scales; the math does too.

IT security is just the technical safeguards piece of HIPAA — about a third of the requirements. Most of HIPAA is administrative (policies, workforce training, risk assessment, incident response, documentation) and organizational (BAAs, subcontractor management). Your IT company typically doesn't write those, maintain them, or defend them in an OCR audit. That's the gap we fill — working alongside your existing IT relationship, not replacing it.

Most practices are audit-ready within a few weeks to a couple of months. A solo dental or therapy practice typically moves faster than a multi-location medical office or a law firm handling active litigation with discovered PHI. Timeline depends on your scope, your existing documentation, and how quickly we can get the risk assessment sessions on the calendar. If there's urgency — like a breach situation or a compliance deadline — we can expedite.

Find out where your practice stands.

15 minutes with Jay. Tell him your practice type and he'll give you an honest read on where you stand — what you have, what's missing, and what it would take to close the gaps. If you don't need us, he'll say so.

What happens next: You'll pick a time on the next page. Jay calls you for a 15-minute assessment of where your practice stands.

Prefer to call? 844.740.7100

Book My Free Assessment