Why I'm writing this for Idaho Falls

The Idaho Falls area is home to a substantial number of small independent healthcare practices. Family medicine, dental, optometry, mental health, chiropractic, physical therapy, specialty clinics. Most of them are not part of large hospital systems. They run lean. They rely heavily on outside IT vendors. And almost none of them have ever had a real, independent look at where their HIPAA compliance actually stands.

I do that work. Complyn is based in the area, and serves practices in Idaho Falls, Ammon, Rigby, Iona, and the surrounding communities. The work is independent compliance assessment. I don't sell software. I don't take vendor kickbacks. I write a defensible report, give you a roadmap, and stay available for advisory after the engagement ends.

This piece is for the practice owner or office manager in the Idaho Falls area who already knows HIPAA compliance is something they need to take more seriously, and wants to understand what working with a local assessor actually looks like.

If you're earlier in your thinking and want the broader education first, I wrote a full guide to HIPAA compliance for small healthcare practices. Start there if you need the foundations.

What I see in Idaho Falls area assessments

A few patterns that come up consistently in the assessments I've done here.

The risk analysis problem. The Security Rule requires an ongoing risk analysis. In Idaho Falls area practices, I usually find one of three situations: no risk analysis has ever been conducted, a risk analysis exists but it's outdated by years, or what the practice thinks is a risk analysis is actually a vulnerability scan their IT vendor ran once. The Security Rule treats these differently. A scan is not a risk analysis. If OCR ever asks, that distinction matters.

The IT vendor scope misunderstanding. Almost every practice I assess has an IT vendor they consider responsible for "the technical side of HIPAA." When I read their actual contract with the vendor, the scope is typically narrower than the practice realizes. Endpoint management, network maintenance, helpdesk support. Sometimes endpoint security through a third-party MDR vendor. What's frequently missing from scope: access log review, backup testing, incident response planning, vendor risk management, BAA management, documented policy maintenance. None of these are exotic. All of these are required. And in the seams between what the IT vendor does and what the practice assumes is happening, important things go unaddressed.

The BAA gaps. Small practices in the area typically have BAAs with the obvious vendors. The EHR. The IT provider. Sometimes the cloud backup vendor. What's almost always missing: BAAs with the voicemail system, the texting platform for appointment reminders, the e-fax service, the copier vendor (modern copiers store every document scanned), and the various small SaaS tools the practice has accumulated over the years that nobody tracks. A missing BAA is one of the easiest problems OCR can spot during an investigation.

Shared logins and weak access controls. This is the most common technical finding. Front desk staff sharing a login. Clinical staff accessing the EHR through a single credential. Administrative accounts with access far beyond what the role requires. No multi-factor authentication. No audit log review. The risk this creates is operational as much as compliance: one person can cause records to be lost, changed, or stolen with nobody else able to detect or recover.

What an OCR investigation would look like for a small Idaho Falls practice

Most practice owners imagine OCR investigations as raids. They aren't. An investigation almost always starts with a letter requesting documentation. Your current risk analysis. Your written policies. Your training records with signed acknowledgments. Your incident documentation. Your BAAs. Your access reviews.

The practices that get into trouble are the ones who can't produce these things. OCR's general standard is whether reasonable safeguards existed and whether the practice was negligent. A practice that took reasonable steps, documented them, and responded appropriately to incidents tends to come out of an investigation without major penalty. A practice that has nothing to produce, or produces a risk analysis from 2019 that hasn't been touched since, looks like a practice that wasn't taking HIPAA seriously.

The triggering events for OCR investigations in small healthcare practices are usually not the things people think of first. They're ransomware incidents, stolen unencrypted laptops, terminated employees who file complaints, patient complaints about denied record access, and improper disclosures. Any of these can start an investigation. Most small practices in the Idaho Falls area are more vulnerable to these triggers than they realize.

Why local matters (and where it doesn't)

I want to be honest about this. Compliance assessment work is mostly remote. The documents are digital. The interviews happen over video. The screen-sharing review of configurations works the same way whether the assessor is across town or across the country. A skilled assessor doesn't have to be local to do good work.

What local does buy you, in practical terms:

Familiarity with the area's healthcare context. I know how Idaho Falls practices are structured because I've worked with them. I know which MSPs in the region tend to serve healthcare clients. I know which EHRs are common locally. That context shapes how I read assessment findings.

Faster, lighter-weight communication. Working with someone in your timezone, who can occasionally meet in person if needed, who responds to questions on Mountain Time, removes a small amount of friction that compounds over the course of an engagement.

A community relationship. I live here. The practices I serve are not anonymous to me. There's a level of accountability built into working with someone whose name and reputation are tied to the same community you operate in.

What local doesn't buy you: better assessment quality, automatically. The quality of an assessment depends on the assessor's actual expertise. A local assessor who's just checking boxes is worse than a remote assessor who's genuinely qualified. Make sure you're hiring someone whose credentials and approach you'd trust regardless of geography, and treat local as a bonus rather than the deciding factor.

What an engagement looks like

Practical detail, since this is the question people most want answered.

The process starts with a thirty-minute discovery call. No charge, no obligation. I learn about the practice, the current state of compliance, what's prompting the engagement, and any specific concerns you want covered. You learn whether I'm a fit for what you actually need.

If we move forward, I send a written scope and a fixed price. Most engagements complete in two to four weeks from kickoff to delivered report. You decide whether to proceed. No pressure, no follow-up if you decide not to.

When the engagement starts, I send an intake form covering your operations, your IT setup, your vendor relationships, and your existing compliance documentation. Based on the intake, I send a document request listing the specific evidence I need to see. You send the documents. I review them carefully and prepare for our assessment call.

The assessment call is virtual, typically two to three hours. We go through findings, and I have you share your screen so I can verify certain configurations directly. After the call, I write the report. The report includes findings rated by severity, the supporting evidence, and a risk-prioritized remediation roadmap that tells you what to fix first, what can wait, and what each fix realistically involves.

We meet again to deliver the report. Thirty to sixty minutes, virtual. We go through the findings and the roadmap together so you actually understand what's in the document and what to do with it.

After the engagement closes, I'm available for thirty days of advisory at no additional charge. Questions about the report, help interpreting findings, clarifications about remediation steps. After that window, ongoing advisory is available at standard rates. Your full report stays available through a secure client portal for three years.

Who I work with

The practices I serve well share a few characteristics:

If you're a hospital, a large multi-specialty group, or a practice with an internal compliance team and a full security operations program, I'm probably not the right fit. There are firms built for that work. I'm built for the small practice that needs an honest, independent perspective and a clear path forward.

Get in touch

If you're ready to have a real conversation about your practice's HIPAA posture, schedule a discovery call. Thirty minutes, free, no obligation. You'll learn whether I'm a fit. If we move forward, you get a written scope with a fixed price before any work begins.

If you'd rather email first, reach me at [email protected].

Healthcare practices in this area deserve providers who take patient trust seriously. That includes taking HIPAA and cybersecurity seriously, not as paperwork, but as part of the duty of care. If that's the kind of practice you're trying to run, I'd like to help.

For the broader picture on HIPAA compliance for small healthcare practices, including detailed coverage of the Security Rule, Privacy Rule, Breach Notification Rule, BAA gaps, and what an OCR investigation actually looks like, read the complete guide.