OCR ENFORCEMENT NOW PENALIZES "WE FILED THE SRA" — THE STANDARD MOVED IN 2026
Healthcare IT: Pass the OCR Audit Without Filing for Bankruptcy.
OCR’s Risk-Analysis-PLUS-Risk-Management enforcement pivot (April 2026) penalizes practices whose answer to “what did you do after the SRA?” is “we filed it.” We translate the new standard — and the evidence your compliance officer needs on file — in a 30-minute call. If your current IT can already produce the risk-management artifacts, you don’t need us.
Updated May 3, 2026
What changed in HIPAA enforcement during 2024-2026?
The OCR enforcement pivot announced April 2026 is the most consequential change since the 2013 Omnibus Rule. OCR now penalizes practices whose Security Risk Analysis (SRA) was completed but never followed by documented risk management — the gap between “we filed the SRA” and “we acted on the SRA” is now an enforcement priority. Resolution agreements published in 2025-2026 cite this gap explicitly.
The 2024 Security Rule update layered prescriptive technical requirements that the 2003 baseline lacked: mandatory multi-factor authentication on all access to electronic protected health information, encryption at rest and in transit on all systems handling ePHI, and a documented asset inventory covering every device with ePHI access. The latitude formerly granted by “addressable specifications” tightened.
The consumer-Zoom telehealth discretion ended. During the COVID-era public health emergency, OCR exercised enforcement discretion allowing consumer-grade video conferencing for telehealth. That discretion sunset; consumer Zoom (without a BAA and HIPAA features) is no longer compliant. Practices still using it for telehealth visits face direct OCR enforcement exposure.
State-level overlays add complexity. Connecticut’s CTDPA has a HIPAA exemption that is narrower than most practices assume — non-PHI data (employee data, marketing data) remains in CTDPA scope. MA 201 CMR 17, NY SHIELD Act, and RI privacy laws apply to the same non-PHI data. Healthcare practices in CT/NY/RI/MA operate under overlapping regimes; HIPAA alone is not the compliance story.
What does the OCR investigator actually request after a complaint or breach?
OCR investigators request five artifacts in the initial document request: the most recent Security Risk Analysis (SRA), the documented risk management plan addressing identified risks, the policies and procedures covering all Security Rule requirements, the Business Associate Agreements with all vendors handling ePHI, and the breach response evidence covering any incident under investigation.
The risk management gap is the new enforcement priority. An SRA on file showing 14 identified risks with no documented remediation evidence reads to the OCR investigator as material noncompliance — not just an open work item. The 2025-2026 resolution agreements cite this pattern repeatedly: practices that conducted the analysis, filed it, and never acted.
BAA scope is the second-most-checked element. Every vendor with access to ePHI must have a HIPAA-compliant Business Associate Agreement. EHR vendor, billing service, cloud backup provider, IT support firm, document destruction service, transcription service — all in scope. Practices commonly discover BAA gaps during investigation when they pull contracts and find expired or never-signed agreements.
Compliance is a snapshot, not a destination. An SRA from three years ago does not protect you today — your systems, your vendors, your data flows, and the threat landscape all moved while you focused on patient care. The OCR investigator looks for current artifacts mapped to current state, not historical compliance.
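As an added example (not Triton’s tooling and not code from this page), the script below runs the three checks an investigator’s document request exercises over a constructed risk register and vendor list: SRA risks with neither remediation evidence nor a documented acceptance, vendors with ePHI access whose BAA is missing or expired, and SRA age against an assumed annual refresh cadence. The register format, the `SRA_MAX_AGE_DAYS` threshold and all sample risks, vendors and dates are assumptions made for illustration.

```python
"""Self-check for the OCR document request: SRA-to-risk-management gap,
BAA coverage, and SRA staleness.

Added example for illustration only; the data model and the 365-day
refresh assumption are not from the page or from Triton.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Risk:
    risk_id: str
    description: str
    # Evidence that the risk was managed: ticket ids, change records,
    # policy revisions. An empty list is the "we filed the SRA" gap.
    remediation_evidence: List[str] = field(default_factory=list)
    # A documented risk acceptance with rationale also counts as management.
    accepted_with_rationale: bool = False


@dataclass
class Vendor:
    name: str
    ephi_access: bool
    baa_signed: Optional[date] = None
    baa_expires: Optional[date] = None


@dataclass
class SRA:
    completed: date
    risks: List[Risk]


# Assumption: an SRA older than a year is treated as stale by this check.
SRA_MAX_AGE_DAYS = 365


def risk_management_gaps(sra: SRA) -> List[str]:
    """Risk ids listed in the SRA with no remediation evidence and no documented acceptance."""
    return [
        r.risk_id
        for r in sra.risks
        if not r.remediation_evidence and not r.accepted_with_rationale
    ]


def baa_gaps(vendors: List[Vendor], as_of: date) -> List[Tuple[str, str]]:
    """Vendors with ePHI access whose BAA is missing or expired as of `as_of`."""
    gaps: List[Tuple[str, str]] = []
    for v in vendors:
        if not v.ephi_access:
            continue  # no ePHI access, no BAA required
        if v.baa_signed is None:
            gaps.append((v.name, "no BAA on file"))
        elif v.baa_expires is not None and v.baa_expires < as_of:
            gaps.append((v.name, f"BAA expired {v.baa_expires.isoformat()}"))
    return gaps


def sra_is_stale(sra: SRA, as_of: date, max_age_days: int = SRA_MAX_AGE_DAYS) -> bool:
    """True when the SRA is older than the refresh cadence this check assumes."""
    return (as_of - sra.completed).days > max_age_days


def evidence_report(sra: SRA, vendors: List[Vendor], as_of: date) -> Dict[str, object]:
    """Collect the findings an investigator would read as gaps in the evidence file."""
    return {
        "sra_stale": sra_is_stale(sra, as_of),
        "risks_without_management": risk_management_gaps(sra),
        "baa_gaps": baa_gaps(vendors, as_of),
    }


# Constructed sample data (not a real practice).
SAMPLE_SRA = SRA(
    completed=date(2023, 2, 1),
    risks=[
        Risk("R-01", "No MFA on EHR remote access",
             remediation_evidence=["CHG-1042: Conditional Access MFA policy enforced"]),
        Risk("R-02", "Unencrypted laptops used by billing staff"),
        Risk("R-03", "Legacy fax server reachable from guest Wi-Fi",
             accepted_with_rationale=True),
    ],
)
SAMPLE_VENDORS = [
    Vendor("EHR vendor", True, date(2022, 1, 10), date(2027, 1, 10)),
    Vendor("Cloud backup provider", True, date(2021, 3, 1), date(2024, 3, 1)),
    Vendor("IT support firm", True),
    Vendor("Landscaping company", False),
]

if __name__ == "__main__":
    for key, value in evidence_report(SAMPLE_SRA, SAMPLE_VENDORS, date(2026, 5, 3)).items():
        print(f"{key}: {value}")
```

Run against the constructed data as of 2026-05-03, the report flags the SRA as stale, lists R-02 as the only risk with no management evidence (R-01 has a change record, R-03 a documented acceptance), and names the backup provider’s expired BAA and the IT firm’s missing one while ignoring the vendor with no ePHI access. Swapping the sample data for a real register turns this into a pre-investigation self-check.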
What happens if your practice fails an OCR investigation?
OCR resolution agreements run from $25,000 for small practices with cooperative defendants to multi-million-dollar settlements for larger practices or repeat violators. The published 2024-2025 settlements include corrective action plans with three-to-five-year monitoring obligations — operational overhead substantially exceeding the financial penalty for most practices.
The path is mechanical. A patient or whistleblower complaint reaches OCR, or the practice self-reports a breach affecting 500+ patients. OCR opens an investigation with a document request. The practice produces (or fails to produce) the SRA, risk management evidence, BAAs, and policies. An inadequate response triggers resolution agreement negotiation or formal civil action.
For Connecticut, New York, Rhode Island, and Massachusetts practices, parallel state enforcement compounds the exposure. CT AG, MA AG, NY AG, and RI AG all maintain health-data-specific enforcement authority that runs alongside HIPAA. A breach affecting state residents triggers both federal and state inquiry; settlements at one level often parallel at the other.
The hardest consequence is patient trust. OCR resolution agreements are public; the practice name, the violations, and the corrective actions appear in the HHS press release. For private-pay practices and elective specialties (dental, plastic surgery, behavioral health), the patient-acquisition impact often exceeds the direct financial penalty.
How does Triton get your practice OCR-audit ready?
We deploy Sophos Endpoint XDR on all workstations and EHR-host systems, Microsoft Defender for Endpoint with HIPAA-compliant Conditional Access policies, AWS-backed immutable backup with documented restoration evidence, and Sophos Email gateway with phishing protection. Then we author the SRA, the risk management plan addressing identified risks, the BAA framework, and the breach response procedures with OCR-aligned 60-day notification timing.
The stack matters because each component produces evidence the OCR investigator expects. Sophos XDR generates the endpoint coverage report mapping to Security Rule §164.312 (technical safeguards). Microsoft Defender provides the access-control attestation for §164.308 (administrative safeguards). AWS-backed immutable backup produces the data backup and disaster recovery evidence. Each policy section maps to an artifact.
We deploy on AWS because downtime is not an option. When an EHR system goes down mid-clinic, AWS support responds with enterprise urgency. For practices using Epic, eClinicalWorks, athenahealth, or Allscripts on cloud-hosted infrastructure, AWS-native deployment satisfies both technical safeguards and operational continuity requirements.
Our typical healthcare engagement delivers the SRA, risk management plan, BAA framework, and technical stack with documented evidence inside 60-90 days. We coordinate with outside HIPAA counsel for breach-response retainer relationships and the consumer-notification template work — counsel handles the legal architecture; we deliver the technical evidence and operational workflow.
What evidence does OCR actually want on file?
There are six artifacts the OCR investigator will request, each mapping to specific Security Rule sections. The artifact file is the investigation — the policy binder is the cover.
Why start now? Because OCR investigations don't wait for you to assemble evidence.
When a complaint reaches OCR or a breach triggers notification, the document request arrives within weeks. The SRA either exists with documented risk management or it doesn’t. The BAAs either cover every vendor or they don’t. Building the evidence file under investigation pressure costs 3-5x what proactive readiness costs.
The CT/NY/RI/MA practices we have helped through OCR investigations had started their readiness work before any breach. The practices that started after a breach paid for outside counsel, forensic investigators, and emergency program authoring simultaneously — while 60-day notification timelines and parallel state-AG inquiries compressed every week.
Frequently Asked Questions
Does HIPAA apply to my small dental practice?
Yes. HIPAA covers any healthcare provider that transmits health information electronically — including filing claims with insurance, electronic appointment reminders, or patient portal communications. Solo and small dental practices are covered entities subject to the same controls as hospitals. The practice size affects what “reasonable safeguards” looks like, not whether the rule applies.
What is the OCR Risk-Management enforcement pivot?
In April 2026, OCR signaled enforcement priority on practices whose Security Risk Analysis was completed but never followed by documented risk management. An SRA listing 14 identified risks with no remediation evidence reads as material noncompliance, not just an open work item. The pivot is procedural, not regulatory — the same Security Rule language has always required risk management; OCR is now enforcing it.
Is consumer Zoom HIPAA-compliant for telehealth?
No, not since the public health emergency enforcement discretion ended. Consumer Zoom (without a Business Associate Agreement and HIPAA-specific features) does not satisfy the Security Rule. Zoom for Healthcare (paid tier with BAA) is compliant. Doxy.me, Updox, SimplePractice, and other telehealth platforms with BAAs are compliant. The practice must verify BAA coverage before using any telehealth tool.
Do we need a BAA with our IT support firm?
Yes if the IT firm has access to systems holding ePHI — which is almost always. The BAA must be HIPAA-compliant and signed before access begins. Triton signs BAAs as a standard contract term and produces the BAA-required documentation (security policies, breach notification procedures, right-to-audit clause) without negotiation.
How does CTDPA interact with HIPAA for our Connecticut practice?
CTDPA has a HIPAA exemption that covers PHI specifically — but the exemption is narrower than most practices assume. Non-PHI data (employee personal data, marketing email lists, vendor data) remains in CTDPA scope. Most healthcare practices have CTDPA obligations alongside HIPAA. The compliance work mostly overlaps; the documentation is twin-track.
What does HIPAA-aligned IT cost for a 5-person practice?
Total compliance investment for a 5-person practice typically runs $18,000 to $40,000 in the first year, then $12-25K/year ongoing. The split: technical stack with HIPAA-aligned configuration ($8-18K), SRA and risk management plan authoring ($4-10K), BAA framework and policy authoring ($3-7K), training and tabletop exercise ($2-5K). Larger practices scale roughly linearly.
What if our EHR vendor refuses to sign a BAA?
That is a critical compliance gap on its face. Every covered entity is required to have a BAA with every business associate handling ePHI. An EHR vendor that refuses is either not legitimately a healthcare vendor or is misrepresenting their compliance posture. The practice must either obtain the BAA, terminate the vendor relationship, or document an alternative path that does not require ePHI access.
Do we need dark web monitoring as part of HIPAA compliance?
No. Dark web monitoring is a notification service, not a HIPAA Security Rule requirement. The Security Rule requires administrative, physical, and technical safeguards — endpoint protection, MFA, encryption, audit logging, incident response, training. Dark web alerts do not satisfy any safeguard category. We do not bundle dark web monitoring and it does not appear in any HIPAA evidence list.
Founded in 2001: 25 Years of IT Expertise
Regional Offices: Worcester · Providence · Hartford
National Benchmark: Ranked 84th Percentile Nationally
Third-Party Verified: Under 10 Minute Response
Multi-Framework Compliance: HIPAA · CMMC · SOC 2 · PCI
Let's Discuss Your IT Needs
Triton Technologies delivers managed IT services, cybersecurity, and IT support for businesses across Connecticut, Massachusetts, New York, Rhode Island, and beyond. Contact our team today to start a conversation about your technology environment.