HIPAA-compliant IT that keeps your practice running.
NSN Management is the Tulsa IT and compliance partner for medical, dental, and specialty practices. We deliver HIPAA Risk Analysis, EHR/PMS operations, BAA management, and workforce security training — built for practices that need their technology to disappear into the background so they can see patients.
Three pressures unique to healthcare practices.
Generic MSPs don't understand the difference between your EHR being slow and your day being cancelled, or what an OCR audit actually looks like.
Your EHR is the practice
If Epic, Dentrix, Eaglesoft, or eClinicalWorks is down, you cannot see patients. Generic MSPs treat your EHR like another app. We treat it like the heart of your business.
HIPAA enforcement is real
The Office for Civil Rights levied $11.4M in HIPAA enforcement actions in 2023 alone. Small practices are not exempt — they are increasingly the target of audits triggered by patient complaints and breach reports.
Legacy medical devices
A digital X-ray panel running Windows 7. An ultrasound on an unpatched build. The FDA does not require the vendor to certify newer operating systems — but HIPAA still expects you to manage the risk.
Specifics for medical and dental practices.
Capabilities written for the systems and obligations of a real practice — not a generic 'managed IT' brochure.
HIPAA Risk Analysis
Annual NIST 800-66 Rev. 2 aligned assessment. Asset inventory, threat modeling, control gaps, risk register. Documentation OCR auditors expect.
EHR / PMS operations
Epic, Athena, eClinicalWorks, Allscripts, Dentrix, Eaglesoft, Open Dental, ModMed. Uptime monitoring, vendor escalation, upgrade planning.
Business Associate Agreements
We execute BAAs with you and manage downstream BAAs with every vendor that touches your PHI. Annual review built in.
Legacy device isolation
Segmented network for end-of-life medical devices. Compensating controls. Risk acceptance documentation auditors accept.
Workforce security training
Phishing simulations, annual HIPAA training, role-based curricula. Records exportable for your Privacy Officer.
Breach response readiness
60-day breach reporting plan. Tabletop exercises annually. Coordination with breach counsel and your cyber insurance carrier.
HIPAA done the way auditors expect.
The HIPAA Security Rule (45 CFR §164.308) is specific about what every covered entity must do. We deliver each requirement — and the documentation your auditor will look for.
We deliver the technical, administrative, and physical controls.
- Annual HIPAA Risk Analysis (§164.308(a)(1))
- Risk Management Plan & remediation tracking
- Workforce security training (§164.308(a)(5))
- Access controls & unique user IDs (§164.312(a))
- Audit logging & log review (§164.312(b))
- Encryption in transit and at rest (§164.312(e))
- Contingency planning & backup (§164.308(a)(7))
- Incident response procedures (§164.308(a)(6))
- BAA management with all PHI-touching vendors
A real document. Not a checklist.
We align our HIPAA Risk Analysis with the NIST SP 800-66 Rev. 2 methodology — the framework HHS recommends and OCR examiners are trained on. The output is a multi-page document with a complete asset inventory, threat scenarios, vulnerability findings, likelihood × impact scoring, control recommendations, and a tracked risk register.
Answers for practice administrators.
Is NSN a HIPAA Business Associate?
Yes. NSN executes a Business Associate Agreement (BAA) with every healthcare client before any access to PHI. We maintain our own HIPAA Security Rule compliance program, including annual risk analysis, workforce training, access logging, and incident response procedures — all reviewable by your Privacy Officer on request.
What is a HIPAA Risk Analysis and how often do I need one?
HIPAA Security Rule §164.308(a)(1)(ii)(A) requires every covered entity and business associate to conduct an accurate and thorough assessment of risks to the confidentiality, integrity, and availability of ePHI. Best practice — and the Office for Civil Rights expectation — is annually, plus after any material change (new EHR, new location, merger). NSN delivers a full HIPAA Risk Analysis aligned with the NIST 800-66 Rev. 2 methodology.
Do you support our specific EHR or practice management system?
Yes. We support the major systems used by Tulsa-area practices — Epic, Athenahealth, eClinicalWorks, NextGen, Allscripts, and Greenway for medical; Dentrix, Eaglesoft, Open Dental, and Curve for dental; Modernizing Medicine, Nextech, and AdvancedMD for specialty. We handle vendor escalations, upgrade coordination, and uptime monitoring on each.
What happens if we have a HIPAA breach?
NSN's incident response procedure activates immediately. We help contain, document, and assess the scope of the breach within the 60-day HIPAA breach reporting window — including HHS Office for Civil Rights notification if more than 500 individuals are affected, state attorney general notification where required, and individual notice support. We coordinate with your breach counsel and cyber insurance carrier.
How do you handle old Windows machines on medical devices?
We see this constantly. A dental panoramic, a digital X-ray, an ultrasound — running Windows 7 or Windows 10 IoT because the vendor never certified a newer OS. We don't unplug them. We isolate them on a segmented network, apply compensating controls (no internet, no email, MFA on local access, logging), and document the risk acceptance for your HIPAA Risk Analysis. Many auditors specifically look for this treatment.
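As an added illustration, not NSN's own configuration, the ruleset below shows how the "no internet, no email, logging" compensating controls for a segmented legacy-device VLAN look in nftables terms. The interface names, the 10.30.0.0/24 device subnet, the 10.10.0.20 imaging server address, and the DICOM (TCP 104) and HL7 MLLP (TCP 2575) ports are all constructed assumptions for this example.

```nft
#!/usr/sbin/nft -f
# Illustrative ruleset for a firewall that routes between the clinical LAN
# (vlan10) and the legacy medical-device segment (vlan30). All names,
# addresses and ports are constructed assumptions, not a real practice's values.

table inet legacy_devices {
    chain forward {
        # Default deny: anything not explicitly allowed below is dropped
        type filter hook forward priority 0; policy drop;

        # Stateful: replies to connections already permitted may return
        ct state established,related accept

        # Devices -> imaging/EHR server, only the protocols they actually need
        # (DICOM 104, HL7 MLLP 2575). Every allowed connection is logged.
        iifname "vlan30" ip saddr 10.30.0.0/24 ip daddr 10.10.0.20 tcp dport { 104, 2575 } log prefix "legacy-allow " accept

        # Only the imaging server may initiate connections into the segment
        # (e.g. DICOM queries); ordinary workstations cannot reach the devices.
        iifname "vlan10" oifname "vlan30" ip saddr 10.10.0.20 ip daddr 10.30.0.0/24 accept

        # "No email": mail protocols from the segment get their own log prefix
        # so the attempt is visible in log review, then are dropped
        iifname "vlan30" tcp dport { 25, 110, 143, 465, 587, 993, 995 } log prefix "legacy-mail-blocked " drop

        # "No internet": everything else leaving the segment is logged and dropped
        iifname "vlan30" log prefix "legacy-drop " drop
    }
}
```

The log prefixes give the §164.312(b) log review something concrete to search for: a burst of "legacy-drop" entries from an X-ray panel is exactly the kind of event the risk acceptance documentation says will be detected.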
Keep your practice running.
A 15-minute discovery call to walk through your EHR, your HIPAA posture, and whether we're the right fit.