The HIPAA Program You Thought You Had

DirectLine-IT, your Wayfinder Technology Partner

Most healthcare practices believe they're HIPAA compliant.

Most of them aren't — at least not in the way the rule actually requires.

The privacy notice on the website hasn't been updated since before the Omnibus Rule. The risk assessment was a checklist someone filled out years ago. Policies live in a binder nobody opens. BAAs are either missing or outdated. Workforce training is an annual video that takes 12 minutes and gets clicked through during lunch. The Privacy Officer designation went to whoever was in the office the day the form needed a name.

None of that is unusual. It's how most small and mid-sized healthcare practices in the Pacific Northwest operate today. It worked, in a sense, because nobody asked too hard.

That's changing.

The 2026 Security Rule Is Coming

HHS has proposed significant amendments to the HIPAA Security Rule. If the rule is finalized as proposed, the distinction between "addressable" and "required" implementation specifications goes away: safeguards that practices have documented their way around for years, among them encryption of ePHI at rest and in transit and multi-factor authentication, become mandatory, alongside a written technology asset inventory and network map that must be reviewed at least annually. The burden of proof shifts from "we have a policy" to "we can demonstrate ownership, implementation, and effectiveness." Documentation gets scrutinized differently: an auditor will want evidence that each control is actually operating, not just a policy saying it should. Evidence becomes the standard.

For practices running on documentation that hasn't been touched in a decade, the gap between where they are and where they'll need to be is significant. The practices that wait until the rule is final will be scrambling. The ones that start now will be ready.

This is the conversation we're having with healthcare leaders across the Gorge and the broader Pacific Northwest. Some are ready to hear it. Some aren't yet. The ones who are usually share a common realization: the IT provider managing their network isn't managing their compliance program. Those are two different jobs, and most firms only do one of them.

Security Is Not Compliance. Compliance Is Not Security.

A practice can be technically secure — strong firewall, current patches, MFA enforced, endpoint protection humming — and still be out of compliance, because compliance requires documentation, policies, training, BAA management, breach procedures, and a program maturity that goes beyond technology.

A practice can also be paper-compliant — policies filed, annual training completed, a checklist risk assessment on the shelf — and still be insecure, because the controls behind the paper aren't actually operating.

Real compliance is a living, breathing program you wrestle with daily. It isn't a binder. It isn't a portal subscription. It isn't an annual video. It's documentation that reflects operational reality, policies that get reviewed and updated, training that staff actually retain, BAAs that get tracked and renewed, breach procedures that have been rehearsed, and a risk assessment methodology that finds the gaps before an auditor does.

That's the work. Most IT providers don't do it because it isn't IT work — it's program work.

What a Wayfinder Engagement Looks Like

We don't lead with technology. We lead with where you stand against the rule, and we walk you to where you need to be.

The first 90 days are onboarding, learning, and investigation. We sit with you. We learn how your practice actually operates — your workflows, your data flows, your staff, your locations, your existing documentation. We see the program you have, not the program you're supposed to have.

From there, we deliver across the full compliance scope:

The technical safeguards your IT provider should already be handling — encryption, access controls, monitoring, endpoint security, network segmentation, backup and recovery.

The administrative safeguards most IT providers don't touch — risk assessments, written policies covering the Privacy, Security, and Breach Notification Rules, BAA inventory and management, designated Privacy and Security Officer support, documentation rhythms.

The workforce piece — microtraining delivered regularly to your staff, with completion tracking, scoring, and documented evidence that satisfies the training requirement.

The incident response piece — documented breach procedures, notification timelines (the Breach Notification Rule's outside limit of 60 calendar days from discovery for notifying affected individuals, plus any shorter state deadlines that apply to you), and the playbook you'll need if something happens.

Everything tracked, documented, and evidence-ready in a single platform built for HIPAA continuity. Not because we want a fancy dashboard, but because when an auditor walks in or a complaint gets filed, you need to be able to show your work.

We Eat Our Own Tacos

The hardest sell in this industry is an MSP that markets HIPAA compliance without operating as a HIPAA-compliant firm. We don't do that.

DirectLine-IT has been Compliancy Group certified HIPAA compliant since 2019. We maintain a SOC 2-aligned control program through the same framework. We carry OSHA compliance for our own operations. We audit ourselves regularly, on schedule, with the same discipline we bring to your program.

Everything we recommend, we already do. That's the standard.

Who We're Built For

Small and mid-sized healthcare practices in the Pacific Northwest who want a real compliance program, not a checkbox version of one.

Practices that have outgrown their generalist IT provider. Practices preparing for the 2026 changes. Practices that have had a near-miss, a complaint, or a quiet realization that what they have isn't enough.

We're probably not the right fit for practices looking for a $400-a-year compliance portal with an annual training video, or for IT support that doesn't touch the compliance side. That's a different product, sold by different firms, and there are plenty of those.

We're the right fit for practices that have decided to take this seriously and want someone in the room who's already taken it seriously for 14 years.

The Next Step

If you're a healthcare practice in the Pacific Northwest considering a serious compliance engagement, we offer a complimentary HIPAA posture review.

It's a working session. We sit with you, review your current documentation and policies, look at where you stand against current requirements and the proposed 2026 changes, and give you an honest picture of where you are and what the path forward looks like.

No pitch. No pressure. A clear, documented read on your compliance posture, delivered by someone who's been doing this work since 2018.

If we're the right fit after that, we'll talk about what an engagement looks like. If we're not, you'll still leave with a better understanding of where you stand. Either way, it's worth the hour.