Question 1

What's the OCR audit process, and how do you help us prepare?

Accepted Answer

An HHS Office for Civil Rights audit typically starts with a document request covering your Security Risk Analysis, policies and procedures, training records, BAAs, and technical evidence of controls. Techvera maintains this documentation continuously inside our compliance program, so an audit request is a gather-and-send exercise rather than a four-week scramble. We also sit in the response process with you and respond to technical interrogatories directly.

Question 2

How do you handle a ransomware event at a clinical site?

Accepted Answer

We treat ransomware at a covered entity as a presumed breach under HHS 2024 guidance unless the four-factor risk assessment proves otherwise. Our runbook: immediate isolation of affected endpoints, preservation of forensic evidence, restoration from immutable offsite backups in parallel, legal and cyber insurance engagement, and a documented breach risk assessment to support or rebut the reporting decision. Clinical continuity workarounds (paper downtime procedures, minimum-viable EHR access) run simultaneously.

Question 3

Does 24x7 EHR support cover weekends and holidays?

Accepted Answer

Yes. Our SOC and service desk operate 24/7/365, including weekends, holidays, and overnight. After-hours EHR incidents get the same triage SLA as weekday incidents. Urgent-care clinics, ASCs operating Saturday blocks, and behavioral health crisis lines all get the same response standard.

Question 4

How do you support multi-tenant EHR environments?

Accepted Answer

Many specialty and ASC groups operate under one legal entity but multiple tax IDs, locations, or practice identities inside a single EHR tenant. We design the identity, role, and network layer so PHI segregation inside the tenant is enforceable — tenant admins cannot see other tenants, audit logs are tenant-scoped, and a breach at one site does not blast-radius the rest.

Question 5

What's your breach notification SLA?

Accepted Answer

HHS allows up to 60 days from discovery to notify affected individuals for breaches affecting 500+ individuals, with contemporaneous HHS and media notification. Several states (including TX HB300) require faster notification. Our internal SLA is a documented breach risk assessment within 72 hours of incident confirmation and a drafted notification package within 10 business days so you never use the full statutory window under time pressure.

Question 6

Do you sign a BAA?

Accepted Answer

Yes. Techvera signs a Business Associate Agreement with every covered entity client before any engagement that creates PHI access. Our BAA is reviewed annually and addresses HITECH direct liability, breach notification, subcontractor flow-down, and return/destruction of PHI at termination.

Question 7

Can you support a Mac-heavy clinical environment?

Accepted Answer

Yes. Techvera is an Apple-authorized partner with MDM depth in Jamf Pro and ABM. Clinical practices running iPads for intake, MacBooks for providers, and mixed iOS/macOS device fleets are inside our core competency. We also handle hybrid Windows + Apple environments without forcing a platform choice.

Question 8

How do you handle controlled substance prescribing (EPCS) infrastructure?

Accepted Answer

EPCS requires two-factor authentication meeting DEA identity-proofing standards, plus audit logging of prescriber activity. We deploy and maintain DEA-compliant MFA (hardware tokens or vetted biometric factors), monitor prescribing audit trails, and handle the identity lifecycle when prescribers join or leave.

Question 9

What happens if we acquire another practice mid-contract?

Accepted Answer

Practice acquisition triggers a defined onboarding playbook: due-diligence review of the acquired entity's IT and PHI posture, BAA assignment or replacement, EHR consolidation or federation planning, and a documented risk acceptance for any legacy systems we inherit. We price this as a project layered on top of the managed services contract so the acquiring entity has cost visibility before close.

Question 10

Do you have experience with accrediting bodies (Joint Commission, AAAHC, AAAASF)?

Accepted Answer

Yes, particularly for ASCs. Our documentation and control evidence are structured to support Joint Commission, AAAHC, and AAAASF IT-adjacent surveys (information management chapters, PHI handling, downtime procedures). We have sat in survey response cycles with ASC administrators and can produce evidence artifacts on request.

Question 11

Do you support EPCS and I-STOP/PMP integration?

Accepted Answer

Yes. We deploy DEA-compliant MFA for controlled-substance prescribing, support the clinical systems that report into I-STOP/PMP under Article 33, and operate the identity lifecycle for prescribers joining or leaving the practice.

Question 12

How do you handle SHIELD alongside HIPAA for breach notification?

Accepted Answer

Our incident response runbook tracks both SHIELD and HHS obligations from a single incident timeline. Where the two regimes differ — scope of triggering data, notification recipients, timing — we default to the stricter standard so you are compliant with both from one coordinated response.

New York City regulatory landscape

HIPAA Security Rule

HIPAA Privacy Rule

HITECH Act

HHS Breach Notification Rule

State Healthcare Privacy Laws

NY SHIELD Act

NYS Public Health Law Article 33 (Controlled Substances)

NYS Department of Health (DOH) Regulations

Serving New York, NY

Areas we serve

Recent healthcare it & hipaa compliance engagements in New York City

Identity and endpoint consolidation across an FQHC network

24/7 SOC and EPCS enablement for an urgent-care chain

SHIELD-aligned risk assessment for a multi-specialty group

New York City regulatory landscape

HIPAA Security Rule

HIPAA Privacy Rule

HITECH Act

HHS Breach Notification Rule

State Healthcare Privacy Laws

NY SHIELD Act

NYS Public Health Law Article 33 (Controlled Substances)

NYS Department of Health (DOH) Regulations

Serving New York, NY

Areas we serve

Recent healthcare it & hipaa compliance engagements in New York City

Identity and endpoint consolidation across an FQHC network

24/7 SOC and EPCS enablement for an urgent-care chain

SHIELD-aligned risk assessment for a multi-specialty group

Healthcare insights — serving New York City

NY SHIELD Act for Healthcare: Medical PHI Reporting vs. HIPAA

HIPAA Security Rule Breakdown: The 18 Technical Safeguards Every Practice Must Implement

Breach Notification Timelines: 60 vs 72 Hour Clocks and Everything Between

EHR Downtime Procedures: What the OIG Expects and How to Build Them

Multi-Site Physician Groups: Network Segmentation for Clinic Chains

Ambulatory Surgery Center IT: From Scheduling to Anesthesia Logs

HealthcareIT&HIPAAComplianceinNewYorkCity

New York City regulatory landscape

HIPAA Security Rule

HIPAA Privacy Rule

HITECH Act

HHS Breach Notification Rule

State Healthcare Privacy Laws

NY SHIELD Act

NYS Public Health Law Article 33 (Controlled Substances)

NYS Department of Health (DOH) Regulations

Serving New York, NY

Areas we serve

Recent healthcare it & hipaa compliance engagements in New York City

Identity and endpoint consolidation across an FQHC network

24/7 SOC and EPCS enablement for an urgent-care chain

SHIELD-aligned risk assessment for a multi-specialty group

ReadytotalkHealthcareITinNewYorkCity?

HealthcareIT&HIPAAComplianceinNewYorkCity

New York City regulatory landscape

HIPAA Security Rule

HIPAA Privacy Rule

HITECH Act

HHS Breach Notification Rule

State Healthcare Privacy Laws

NY SHIELD Act

NYS Public Health Law Article 33 (Controlled Substances)

NYS Department of Health (DOH) Regulations

Serving New York, NY

Areas we serve

Recent healthcare it & hipaa compliance engagements in New York City

Identity and endpoint consolidation across an FQHC network

24/7 SOC and EPCS enablement for an urgent-care chain

SHIELD-aligned risk assessment for a multi-specialty group

ReadytotalkHealthcareITinNewYorkCity?

Healthcare insights — serving New York City

NY SHIELD Act for Healthcare: Medical PHI Reporting vs. HIPAA

HIPAA Security Rule Breakdown: The 18 Technical Safeguards Every Practice Must Implement

Breach Notification Timelines: 60 vs 72 Hour Clocks and Everything Between

EHR Downtime Procedures: What the OIG Expects and How to Build Them

Multi-Site Physician Groups: Network Segmentation for Clinic Chains

Ambulatory Surgery Center IT: From Scheduling to Anesthesia Logs