
HIPAA Compliance
At NTech, we support healthcare providers and Business Associates that rely on us to help safeguard Protected Health Information (PHI). As a HIPAA Business Associate, we maintain a comprehensive security and compliance program aligned with the HIPAA Security Rule, Privacy Rule, and Breach Notification Rule.

Business Associate Responsibilities
We operate as a HIPAA Business Associate when providing services that may involve the creation, transmission, or storage of PHI for our clients.

Our commitments include:
• Executing a Business Associate Agreement (BAA) with every applicable client
• Following all relevant HIPAA Security Rule safeguards
• Supporting clients’ compliance without claiming to “make them HIPAA compliant”
• Maintaining documented policies, procedures, and audit trails

Administrative Safeguards
We maintain a full set of administrative controls to ensure PHI is managed appropriately:

Security Governance
• Appointed Security Officer and Privacy Officer
• Quarterly security governance meetings
• Annual HIPAA Security Risk Assessment (SRA)

Policies & Procedures
• Written policies covering HIPAA, security, privacy, and breach response
• Annual review and version control

Training
• Annual HIPAA workforce training for all MSP staff
• Role-based training for engineers with elevated access

Technical Safeguards
We deploy technical protections across all systems we manage, consistent with HIPAA Security Rule requirements:

Access Controls
• Multi-factor authentication (MFA)
• Role-based access
• Password and account management policy

Data Protection
• Encryption in transit (TLS 1.2+)
• Encryption at rest where PHI may be stored
• Secure remote access (VPN/WireGuard/Zero Trust)

Monitoring & Logging
• Centralized logging and event correlation
• 24/7 security monitoring
• Automated alerting for unauthorized access attempts

Network Security
• Managed firewalls with least-privilege rule sets
• Network segmentation
• Secure WiFi policies
• Continuous vulnerability scanning

Physical Safeguards
We ensure physical protections for devices and equipment under our control:

• Secured office network and controlled facility access
• Device tracking and secure inventory management
• Encryption of mobile devices and laptops
• Secure disposal of retired equipment

Data Backup & Business Continuity
We help healthcare clients maintain availability and recoverability of ePHI:

• Encrypted off-site and immutable backups
• Quarterly backup recovery testing
• 72-hour recovery objective options
• Documented Disaster Recovery (DR) plans

Incident Response & Breach Preparedness
We maintain policies and procedures for:

• Security incident identification
• Containment and mitigation
• Documentation and audit trails
• Breach reporting support under the HIPAA Breach Notification Rule
• Coordination with client compliance officers

Vendor & Supply Chain Management
We verify HIPAA-related security controls for third-party tools we use:

• Annual verification of vendor security posture
• Evaluation of PHI exposure risk
• Ongoing monitoring of service providers
