Southwest Networks - Managed IT Services & Cybersecurity
Free Report for Medical Practice Office Managers

The Hidden I.T. Risks in Medical Practices

What Your EHR Vendor Isn’t Telling You — A Free Guide for Inland Empire Practices

“Their compliance is not your compliance. After 30 years working with Inland Empire medical practices, we keep finding the same gap — and most Office Managers never see it coming until an auditor does.” — Matt Disher, CISSP, HCISPP · CEO, Southwest Networks



Your EHR Vendor’s Compliance Is Not Your Compliance

When an EHR vendor calls their platform “HIPAA-compliant,” they’re telling you the truth — but only part of it. HIPAA compliance isn’t a product feature. It’s a set of documented, operational, technical, and administrative controls your practice must implement, maintain, and demonstrate.

Your EHR Vendor Covers
  • Software-level encryption and data storage
  • Access control features inside the application
  • Audit logging capabilities
  • Their own Business Associate Agreement (BAA)

Your Practice Is Responsible For
  • How that software is configured on your network
  • Whether your endpoints and workstations are secured
  • Employee access management and offboarding
  • BAAs with every vendor who touches PHI
  • Written security policies, risk assessments, incident response plans
  • Backup and disaster recovery procedures
  • Training documentation for all staff
HIPAA Fine Tiers (per violation, per year)

Tier                            Penalty range
Unknowing violation             $100–$50K
Reasonable cause                $1K–$50K
Willful neglect (corrected)     $10K–$50K
Willful neglect (uncorrected)   $50K–$1.9M

Source: U.S. Department of Health and Human Services, OCR Enforcement

This Is Happening in the Inland Empire — Right Now

These aren’t cautionary tales from distant cities. They’re documented enforcement actions and breach incidents involving medical practices in Riverside and San Bernardino Counties.

Case · Riverside, CA

Psychiatric Medical Group — $25,000 OCR Fine

A Riverside psychiatry group failed to fulfill a patient’s record-access request. OCR launched a formal investigation, found a HIPAA Privacy Rule violation, and the case settled with two years of federal monitoring.

Source: U.S. HHS Office for Civil Rights

Case · Rancho Mirage, CA

Eisenhower Health — Patient Data Lawsuit Settlement

Tracking technologies on the hospital website — including Meta Pixel — transmitted sensitive patient data to third parties without authorization. A critical emerging risk for any practice using online scheduling, patient portals, or website analytics.

Source: HIPAA Journal, settled 2025

Case · San Bernardino, CA

Community Hospital — $250,000 State Fine

CDPH assessed a $250,000 fine after a single employee accessed medical information for 204 patients without authorization. A separate incident at the same facility added another $75,000. California enforces patient privacy separately from federal HIPAA.

Source: California Department of Public Health

Case · Riverside County, CA

Rancho Family Medical Group — $315,000 Patient Lawsuit

A patient data breach triggered a class action lawsuit under the California Confidentiality of Medical Information Act (CMIA). Exposure doesn’t only come from regulators — patients themselves can sue, and CMIA gives them that right.

Source: Superior Court of California, County of Riverside, settled 2025

5 Things to Look For in a Healthcare IT Provider

The Inland Empire has no shortage of MSPs willing to take your monthly retainer and call themselves HIPAA-compliant. The report breaks down the five criteria that actually separate a healthcare-ready provider from a repair service.

1. Verifiable Healthcare Credentials

The HCISPP certification is held by fewer than 5,000 IT professionals worldwide. If your provider doesn’t hold it, they may lack the specialized knowledge your practice requires.

2. Documented Compliance, Not Just Promises

Your IT partner should produce, on demand, a documented risk assessment, gap analysis, and written evidence that controls are implemented. Verbal assurances won’t protect you in an audit.

3. Proactive vs. Reactive Support

If your IT provider’s primary mode is answering calls when something breaks, they’re a repair service — not a compliance partner. Healthcare IT requires continuous monitoring, patching, and documentation.

4. Business Associate Agreement Coverage

Every vendor who touches, stores, processes, or transmits PHI must have a signed, current BAA with your practice — including your IT provider. If your current vendor has never offered one, that’s a compliance gap today.

5. Local Presence and Accountability

National helpdesk services can’t walk your floor, assess your physical environment, or build a real relationship with your practice. Local Inland Empire IT support means a team that shows up, knows your setup, and has a reputation in your community to protect.

“Most Office Managers we meet are convinced their IT team ‘has it handled.’ After we walk them through the actual compliance gaps, they’re stunned. Not because their provider was dishonest — but because nobody ever asked, and nobody ever checked.”

— Matt Disher, CISSP, HCISPP · CEO, Southwest Networks


Matt Disher — CISSP & HCISPP

Matt Disher is the president of Southwest Networks, a Palm Desert–headquartered managed IT provider serving Inland Empire and Coachella Valley businesses since 1996. He holds two of the most rigorous credentials in cybersecurity: the CISSP (Certified Information Systems Security Professional) and the HCISPP — a healthcare-specific information security credential held by fewer than 5,000 professionals worldwide.

Matt is the author of Keys To The Castle, has been featured as a cybersecurity expert on KESQ News, and hosts the monthly Cappuccino Chats series covering practical technology decisions for small businesses.


FAQ

Who is this report for?

Office Managers, Practice Administrators, and Physician-owners of small to mid-size medical practices in the Inland Empire — Riverside County, San Bernardino County, and the Coachella Valley. It is written specifically for the person who has quietly inherited responsibility for HIPAA compliance, EHR uptime, and vendor accountability without the formal training to back it up.

My EHR vendor told us their platform is HIPAA-compliant. Isn’t that enough?

No — and that is the central point of the report. Your EHR vendor’s compliance covers their software. Your practice is responsible for how that software is configured on your network, how your endpoints are secured, your written security policies, your BAAs with every vendor that touches PHI, and your documented training. The report breaks down exactly what the EHR vendor covers vs. what your practice is on the hook for.

What do HIPAA fines actually look like?

HIPAA violations are tiered: unknowing violations run $100 to $50,000 per violation per year, reasonable cause is $1,000 to $50,000, willful neglect (corrected) is $10,000 to $50,000, and willful neglect (uncorrected) is $50,000 to $1.9 million — per violation, per year. The report includes documented Inland Empire enforcement cases including a $25,000 OCR settlement in Riverside, a $250,000 state fine in San Bernardino, and a $315,000 patient lawsuit settlement in Riverside County.

How much does the report cost?

Nothing. It is a free PDF download — you fill out a short form and the report is emailed to you immediately and also available on the confirmation page. You can unsubscribe in one click.

Does Southwest Networks actually have healthcare-specific credentials?

Yes. Matt Disher, CEO of Southwest Networks, holds both the CISSP (Certified Information Systems Security Professional) and the HCISPP (HealthCare Information Security and Privacy Practitioner). The HCISPP is the gold-standard healthcare information security credential — held by fewer than 5,000 professionals worldwide. If your current IT provider says they understand HIPAA, ask whether anyone on their team holds it.

What if I want a no-pressure conversation after reading it?

Call 760-770-5200 and reference the report to schedule a free 10- to 15-minute consultation. There is no obligation, no pitch, and no pressure — even if you decide to stay with your current IT provider.

Your Patients Trust You With Everything.

It’s time your IT deserved the same trust. Download the free report and find out exactly where your practice stands — before the next audit, breach, or ransomware event forces the issue.

Reference this report when you call to schedule a free 10–15 minute consultation.