
HIPAA compliance
that survives an OCR audit.

Your practice transmits protected health information through email and web forms every day. If that infrastructure isn’t authenticated, encrypted, and auditable, you’re one OCR investigation away from a corrective action plan — or a six-figure penalty.

The challenge

OCR doesn’t care
about your intentions.

PHI Transmission Requires Technical Safeguards

HIPAA’s Security Rule (45 CFR §164.312) requires covered entities to implement technical safeguards for electronic protected health information: access controls, audit controls, integrity controls, person or entity authentication, and transmission security. The Rule names outcomes, not protocols, so for email carrying PHI the recognized way to meet it is domain-level sender authentication (SPF, DKIM, DMARC) and enforced TLS between mail servers (MTA-STS). Many hosting providers configure neither by default.

OCR Auditors Look for Specific Controls

The Office for Civil Rights doesn’t audit intentions; it audits implementations. Its audit protocol walks each Security Rule standard and asks for the risk analysis, policies, and evidence showing how the implementation specifications are met: for transmission security, that encryption in transit and sender authentication are actually enforced; for audit controls, that access logs exist and are reviewed. A practice that can’t produce that evidence during an investigation faces corrective action plans, monitoring, and civil monetary penalties capped at roughly $2.1 million per calendar year for identical violations (the cap is adjusted for inflation each year).

Breach Notification Is Expensive

A breach of unsecured PHI affecting 500 or more individuals requires notifying every affected individual without unreasonable delay and within 60 days, notifying HHS in the same window, and, where 500 or more residents of one state or jurisdiction are affected, notifying prominent media outlets serving that state. Smaller breaches must still be logged and reported to HHS annually. PHI that was encrypted to HHS guidance is “secured”, and its interception alone is not a reportable breach, which is the strongest practical argument for encryption in transit. Industry breach-cost surveys put the average healthcare breach near $10 million, the highest of any sector. Proper email authentication, encrypted transmission, and access controls cost a fraction of a single notification event.

How PrismWeb helps

Technical safeguards that
satisfy the Security Rule.

Our sixteen security checks map directly to HIPAA Security Rule requirements. Here’s how each control category protects your practice.

TRANSMISSION SECURITY · §164.312(e)
MTA-STS + TLS-RPT + Enhanced TLS

Publishes an MTA-STS policy in enforce mode so that sending servers that honor it will not deliver mail to your practice over an unencrypted or unauthenticated connection, closing the STARTTLS downgrade path through which PHI can be intercepted in transit. TLS-RPT gives you daily reports from those senders of TLS negotiation and policy failures, an auditable record that encryption is actually being enforced. Enhanced TLS restricts your mail servers to current protocol versions and strong cipher suites. Caveat: MTA-STS protects mail inbound to your domain and only against senders that implement it; protection for mail you send depends on the recipient’s own policy.

PERSON AUTHENTICATION · §164.312(d)
SPF + DKIM + DMARC

Authenticates mail that claims to come from your domain. SPF publishes which servers are authorized to send for it. DKIM signs each message’s headers and body with a key published in your DNS, so receivers can verify the message was not altered and really originated from your domain. DMARC ties both results to the visible From address and, at enforcement level (p=reject), instructs receivers to reject mail that fails. Caveat: DMARC protects your exact domain and its subdomains; it does not stop lookalike domains or display-name spoofing.
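The check a practitioner would run over the records behind the two categories above, as an added example that is not PrismWeb’s code: it parses SPF, DMARC, MTA-STS and TLS-RPT policy text and grades each against the enforcement settings just described (-all, p=reject, mode: enforce, a TLS-RPT reporting address). The sample records, the domain practice.example and the one-day max_age floor are constructed assumptions for this example; no DNS is queried, so it runs offline.

```python
"""Added example: grade SPF, DMARC, MTA-STS and TLS-RPT records for PHI-bearing mail.

Each check returns Finding objects; grade() folds them into a fail/warn report.
Sample records and the domain practice.example are constructed for this example.
"""
from __future__ import annotations
from dataclasses import dataclass

SPF_LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}


@dataclass
class Finding:
    control: str
    severity: str  # "fail" defeats the safeguard; "warn" weakens the evidence for it
    detail: str


def _mech_name(term: str) -> str:
    """Strip the SPF qualifier and argument: 'include:x' -> 'include', 'a/24' -> 'a'."""
    name = term.lstrip("+-~?")
    for sep in (":", "=", "/"):
        name = name.split(sep, 1)[0]
    return name.lower()


def check_spf(record: str) -> list[Finding]:
    if not record.startswith("v=spf1"):
        return [Finding("SPF", "fail", "no v=spf1 record; any host can claim to send for the domain")]
    out: list[Finding] = []
    terms = record.split()[1:]
    all_terms = [t for t in terms if _mech_name(t) == "all"]
    if not all_terms:
        out.append(Finding("SPF", "fail", "no terminal 'all'; unlisted senders evaluate to neutral"))
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            out.append(Finding("SPF", "fail", "+all authorizes every host on the internet"))
        elif qualifier in "~?":
            out.append(Finding("SPF", "warn", f"{qualifier}all is softfail/neutral; use -all for hard fail"))
    # RFC 7208 section 4.6.4: more than 10 DNS-querying terms makes the record a permerror.
    lookups = sum(1 for t in terms if _mech_name(t) in SPF_LOOKUP_MECHS)
    if lookups > 10:
        out.append(Finding("SPF", "fail", f"{lookups} DNS lookups exceed the RFC 7208 limit of 10 (permerror)"))
    if any(_mech_name(t) == "ptr" for t in terms):
        out.append(Finding("SPF", "warn", "ptr mechanism is deprecated; replace with ip4/ip6"))
    return out


def _parse_tags(record: str) -> dict[str, str]:
    """Parse the 'k=v; k=v' tag lists used by DMARC and TLS-RPT records."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def check_dmarc(record: str) -> list[Finding]:
    tags = _parse_tags(record)
    if tags.get("v") != "DMARC1":
        return [Finding("DMARC", "fail", "no DMARC record; SPF and DKIM results are never enforced")]
    out: list[Finding] = []
    p = tags.get("p")
    if p is None:
        out.append(Finding("DMARC", "fail", "required p= tag missing"))
    elif p == "none":
        out.append(Finding("DMARC", "fail", "p=none only monitors; spoofed mail is still delivered"))
    elif p == "quarantine":
        out.append(Finding("DMARC", "warn", "p=quarantine; enforcement level is p=reject"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        out.append(Finding("DMARC", "warn", f"pct={pct} applies the policy to only part of failing mail"))
    sp = tags.get("sp")  # subdomain policy inherits p when absent, so only an explicit weaker value is flagged
    if sp and sp != "reject":
        out.append(Finding("DMARC", "warn", f"sp={sp} leaves subdomains spoofable"))
    if "rua" not in tags:
        out.append(Finding("DMARC", "warn", "no rua= address; no aggregate reports to evidence enforcement"))
    return out


def check_mta_sts(policy: str) -> list[Finding]:
    """policy is the body served at https://mta-sts.<domain>/.well-known/mta-sts.txt."""
    fields: dict[str, list[str]] = {}
    for line in policy.splitlines():
        if ":" in line:
            k, v = line.split(":", 1)
            fields.setdefault(k.strip(), []).append(v.strip())
    if fields.get("version") != ["STSv1"]:
        return [Finding("MTA-STS", "fail", "no STSv1 policy; senders may fall back to cleartext delivery")]
    out: list[Finding] = []
    mode = fields.get("mode", [""])[0]
    if mode != "enforce":
        out.append(Finding("MTA-STS", "fail", f"mode: {mode or 'missing'}; only enforce makes senders refuse cleartext"))
    if not fields.get("mx"):
        out.append(Finding("MTA-STS", "fail", "no mx: entries; compliant senders can match no host"))
    max_age = fields.get("max_age", ["0"])[0]
    if not max_age.isdigit() or int(max_age) < 86400:  # one day: an assumed practitioner floor, not an RFC rule
        out.append(Finding("MTA-STS", "warn", f"max_age {max_age} is under a day; cached policy lapses between fetches"))
    return out


def check_tlsrpt(record: str) -> list[Finding]:
    tags = _parse_tags(record)
    if tags.get("v") != "TLSRPTv1" or "rua" not in tags:
        return [Finding("TLS-RPT", "warn", "no TLS-RPT rua= address; TLS failures go unreported")]
    return []


def grade(records: dict[str, str]) -> dict[str, list[str]]:
    """records keys: spf, dmarc, mta_sts, tlsrpt; a missing key is treated as an absent record."""
    findings = (check_spf(records.get("spf", "")) + check_dmarc(records.get("dmarc", ""))
                + check_mta_sts(records.get("mta_sts", "")) + check_tlsrpt(records.get("tlsrpt", "")))
    report: dict[str, list[str]] = {"fail": [], "warn": []}
    for f in findings:
        report[f.severity].append(f"{f.control}: {f.detail}")
    return report


# Constructed records: "before" is a permissive SPF with no DMARC or MTA-STS; "after" is the enforced stack.
BEFORE = {"spf": "v=spf1 a mx include:_spf.mailhost.example ptr ~all", "dmarc": "", "mta_sts": "", "tlsrpt": ""}
AFTER = {
    "spf": "v=spf1 ip4:203.0.113.10 include:_spf.mailhost.example -all",
    "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@practice.example",
    "mta_sts": "version: STSv1\nmode: enforce\nmx: mail.practice.example\nmax_age: 1209600\n",
    "tlsrpt": "v=TLSRPTv1; rua=mailto:tlsrpt@practice.example",
}

if __name__ == "__main__":
    for label, recs in (("before", BEFORE), ("after", AFTER)):
        print(label, grade(recs))
```

To grade a live domain, fetch the TXT records at the apex, at _dmarc.<domain> and at _smtp._tls.<domain>, fetch the policy file from https://mta-sts.<domain>/.well-known/mta-sts.txt, and pass the four strings to grade(). Two things the script cannot tell you: DKIM selectors are only discoverable from signed messages, so DKIM must be verified on real mail, and a clean record set says nothing about whether the senders writing to you honor MTA-STS.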

ACCESS CONTROLS · §164.312(a)
Isolated Hosting + Security Headers

Each practice runs in its own isolated container with no shared web root, database, or credentials, so a compromise of another tenant cannot spread to your patient portal. Security headers (HSTS, Content-Security-Policy, frame and referrer controls) harden the portal and intake forms against protocol downgrade, injected scripts, and clickjacking. They complement, rather than replace, the portal’s own authentication and authorization.

AUDIT CONTROLS · §164.312(b)
Continuous Monitoring + Evidence Packets

All sixteen checks run daily with results logged. We maintain auditable records of security configurations, changes, and incidents. Evidence packets formatted for OCR audit protocols are available on demand.

INTEGRITY CONTROLS · §164.312(c)
DNSSEC + Certificate Validation + RPKI

DNSSEC signs your DNS zone so that validating resolvers reject forged answers, preventing attackers from redirecting your mail or web traffic by poisoning DNS. Certificate validation checks that every TLS certificate chains to a trusted root, covers the right names, and is neither expired nor revoked. RPKI publishes signed route origin authorizations so that networks performing route origin validation drop BGP announcements that hijack your address space. Caveat: DNSSEC and RPKI protect only against parties that validate, so their effectiveness depends on the resolvers and networks on the path checking the signatures.

BREACH PREVENTION
IP Abuse + Website Scanning + WordPress Audit

Continuous scanning for malware, compromised infrastructure, and known vulnerabilities. We identify threats before they become breach notification events — because a prevented breach costs nothing compared to a reported one.

Case study

Independent medical practice, 31 staff.
HIPAA mail authentication rebuilt.

THE SITUATION

A multi-physician independent practice discovered during a routine risk assessment that their email domain had no DMARC record, a permissive SPF configuration, and no DKIM signing. Their patient portal ran on shared hosting with five other websites. Their HIPAA security officer couldn’t produce documentation of any technical safeguards for ePHI in transit.

WHAT WE DID

We migrated the practice to isolated hosting within 48 hours and implemented the full email authentication stack: an SPF record limited to the practice’s actual sending hosts and ending in -all, 2048-bit DKIM signing, DMARC at p=reject, MTA-STS in enforce mode, and TLS-RPT so that TLS negotiation and policy failures are reported. We deployed DNSSEC, configured comprehensive security headers on the patient portal, and generated HIPAA-formatted documentation mapping each control to specific Security Rule provisions.

THE RESULT

The practice now has demonstrable technical safeguards for every ePHI transmission channel. Their security officer has on-demand access to compliance documentation that maps directly to OCR audit protocols. When their cyber-insurance carrier requested evidence of email security controls at renewal, the practice provided a comprehensive evidence packet within minutes — not weeks.

Compliance frameworks

Regulations that apply
to your practice.

HIPAA
Security & Privacy Rules

Technical safeguards (§164.312), administrative safeguards (§164.308), and physical safeguards (§164.310) for electronic protected health information.

HITECH
Breach Notification

Enhanced enforcement provisions and breach notification requirements. Increased penalties for willful neglect of HIPAA requirements.

State Health Privacy
State-Specific Requirements

State health privacy laws that may impose additional requirements beyond HIPAA, including stricter breach notification timelines and broader definitions of PHI.

Cyber Insurance
Healthcare-Specific Underwriting

Healthcare-specific cyber insurance questionnaires requiring evidence of HIPAA technical safeguards, email authentication, and breach response procedures.

For medical practices

Patient data deserves
HIPAA-grade infrastructure.

Tell us your domain. We’ll run the sixteen checks, map every finding to HIPAA Security Rule provisions, and show you exactly where your practice is exposed.