CASE STUDY — HEALTHCARE

How a Multi-Site Physical Therapy Group Cut IT Costs 38% While Achieving HIPAA Compliance for the First Time

6/18/2026

Small and mid-sized healthcare practices occupy a difficult position in the technology landscape: they handle some of the most sensitive data categories that exist — protected health information — under one of the most prescriptive regulatory frameworks, HIPAA, while operating with IT budgets and IT staff levels that would be modest even for a non-regulated business of equivalent size. The result is a compliance gap that most practice operators know exists and few have the internal resources to close.

The client in this case study is a physical therapy group operating nine clinics across a metropolitan area, with approximately 180 employees. They came to us following a HIPAA audit by their malpractice insurance carrier that flagged multiple compliance deficiencies — including inadequate encryption of patient data at rest, absence of formal Business Associate Agreements with all technology vendors, and no documented security risk assessment. The carrier indicated that coverage could be affected if the deficiencies were not addressed within six months.


Healthcare practices of this size are among the most HIPAA-exposed organizations in the mid-market. They handle PHI at significant volume, they rely on a complex web of technology vendors who all require Business Associate Agreements, and they almost universally lack the internal compliance infrastructure to manage those requirements without outside help.


The assessment findings

We conducted a full technology and compliance assessment across all nine clinic locations. The findings were consistent with what we typically see in healthcare practices of this size and growth stage:

PHI encryption: patient records in the EHR system were adequately encrypted at rest and in transit. However, patient intake forms were still being completed on paper and scanned to a shared network drive with no encryption, access controls, or retention policy. Additionally, two clinics were using personal email accounts to communicate patient scheduling information — a direct HIPAA violation.

Business Associate Agreements: the practice had BAAs in place with their EHR vendor and billing service. They did not have BAAs with their IT managed service provider, their cloud backup vendor, their communication platform vendor, or the transcription service used for documentation. All four vendors had potential access to PHI, and all four required BAAs under HIPAA.

Security risk assessment: no formal security risk assessment had ever been conducted — a foundational HIPAA Security Rule requirement. The practice had been operating for eleven years without this document.

Access controls: the EHR system had appropriate role-based access controls. The shared network drives where scanned documents and administrative files were stored had no access controls — all staff at all locations could access all files.

Device management: staff were using personal mobile devices to access the scheduling system remotely, with no mobile device management enrollment, no encryption requirement, and no remote wipe capability if a device was lost or stolen.

IT infrastructure costs: the practice was paying $14,200 per month to their MSP under a contract signed in 2021. The per-device rate was 31 percent above current market for comparable scope. The contract had auto-renewed once without renegotiation.


The remediation plan

The remediation was designed to address the compliance requirements within the six-month carrier deadline while simultaneously rationalizing the technology cost structure. The work proceeded on two parallel tracks:

Compliance track, completed in 14 weeks: all paper-based patient intake migrated to a HIPAA-compliant digital intake platform with encryption and access controls; personal email eliminated for all patient communications, replaced by the EHR's secure messaging function; BAAs executed with all four identified vendors; formal security risk assessment conducted and documented; shared drive access controls implemented with role-based permissions; mobile device management deployed across all staff mobile devices accessing practice systems.

Cost optimization track, completed concurrently: MSP contract renegotiated using competitive bids from three alternative providers — monthly cost reduced from $14,200 to $9,800; cloud backup vendor consolidated from two providers to one, eliminating $1,100 per month in redundant costs; VoIP phone system across all nine locations renegotiated at current market rates, saving $1,800 per month; EHR add-on modules that were licensed but unused identified and removed, saving $940 per month.

The outcome

HIPAA compliance deficiencies: all carrier-identified deficiencies remediated within the six-month window. Insurance carrier confirmed coverage maintained with no additional conditions. Total monthly IT spend reduction: from $23,400 to $14,520 — a 38 percent reduction. Annual savings: $106,560. Remediation timeline: 14 weeks for compliance items, 18 weeks for full cost optimization. Sigma Tech's engagement fee: covered within the first month's savings.

The practice administrator's comment at project close: "We thought we had to choose between getting compliant and staying within budget. We ended up doing both for less than we were spending before."

What healthcare practices need to understand

The pattern above is representative of healthcare practices that have grown without a dedicated compliance or IT function. The compliance gaps are real, the exposure is significant, and the cost of addressing them is almost always lower than the cost of the regulatory or insurance consequences of not addressing them. Simultaneously, the IT cost structures of practices at this stage are almost always above current market — creating the opportunity to fund compliance remediation through cost optimization.

Sigma Technology Consulting has specific expertise in HIPAA compliance assessment and remediation for healthcare practices. Contact us at sigmatechconsult.com to discuss a compliance and technology assessment for your practice.
