PGH Networks is a Pittsburgh-based HIPAA compliance IT consulting and managed services provider serving healthcare practices across Western Pennsylvania, including Allegheny, Washington, Westmoreland, Butler, Beaver, and Armstrong counties. This page documents an anonymized engagement with a multi-location specialty medical practice and explains how our HIPAA compliance IT consulting program is structured for clinics, ambulatory surgery centers, behavioral health groups, and physician practices in the Pittsburgh region.
Client Snapshot: A Western PA Specialty Practice
The client is a six-location specialty medical group headquartered in the South Hills with satellite offices in Monroeville, Cranberry Township, Washington, and Greensburg. The practice employs 84 staff, including 11 providers, and handles roughly 38,000 patient encounters per year. Their environment included an athenahealth EHR, a Windows-based imaging viewer, two on-prem application servers, Microsoft 365 Business Premium, and a mix of clinic workstations, tablets, and mobile devices used by traveling clinicians.
The practice engaged PGH Networks after a payer audit flagged inconsistencies in their HIPAA documentation and after an internal phishing incident exposed a billing mailbox for several hours. Leadership wanted a single accountable partner for HIPAA compliance IT consulting, not a generic managed services contract bolted onto a vague "security add-on."
Scoping the ePHI Footprint
Before recommending a single control, we mapped the practice's electronic protected health information (ePHI) footprint. That meant inventorying every system that creates, receives, maintains, or transmits ePHI: the EHR and its integrations, the imaging viewer and PACS gateway, fax-to-email workflows, the billing clearinghouse connection, SharePoint sites containing scanned intake forms, OneDrive folders used by clinicians, and three legacy file shares no one had touched in years.
We also catalogued every workforce role that touched ePHI, every Business Associate the practice exchanged data with, and the physical locations where workstations and servers lived. This inventory became the backbone of the Security Risk Assessment and the source of truth for every later decision.
HIPAA Security Risk Assessment
PGH Networks performed a HIPAA Security Risk Assessment aligned to 45 CFR §164.308(a)(1)(ii)(A) and the HHS/OCR SRA methodology. The assessment evaluated administrative, physical, and technical safeguards against the practice's actual ePHI inventory and produced a risk register scored by likelihood and impact.
Material findings included: no documented sanction policy, MFA enforced inconsistently across Microsoft 365, local admin rights on 60+ workstations, no centralized audit logging, an aging on-prem backup with no tested restore in 14 months, three Business Associate Agreements (BAAs) missing or expired, and no documented contingency plan for the imaging system. Each finding was tied to a specific HIPAA Security Rule citation and a remediation owner.
Safeguards Implemented
Remediation ran in three waves over 90 days. Technical safeguards included full-disk encryption (BitLocker) on every endpoint, enforced MFA across Microsoft 365 and the VPN, conditional access policies blocking legacy authentication, removal of standing local admin rights, deployment of a managed EDR platform with 24/7 monitoring, centralized audit logging with one-year retention, and email security tuning with DMARC enforcement and impersonation protection.
Administrative safeguards included a refreshed HIPAA policy set (sanction policy, workforce clearance, access authorization, incident response, contingency plan), annual workforce HIPAA training with phishing simulation, and a documented BAA register. PGH Networks signed a BAA with the practice as a Business Associate, and we helped renegotiate or replace BAAs with three downstream vendors.
Physical and contingency safeguards included immutable cloud backups for the EHR-adjacent servers, quarterly tested restores, a documented disaster recovery runbook with RTO/RPO targets per system, and badge-based access controls at the two locations that previously used shared keys.
Outcomes
Within six months of engaging PGH Networks for HIPAA compliance IT consulting, the practice closed every high and critical finding from the Security Risk Assessment, passed a follow-up payer audit without remediation requirements, reduced help-desk tickets by 31% (largely from password and access cleanup), and cut successful phishing click-through in simulations from 18% to under 3%. The practice now operates on a documented annual cadence: SRA refresh, policy review, tabletop exercise, BAA audit, and DR restore test.
Why Western Pennsylvania Healthcare Practices Choose PGH Networks for HIPAA Compliance IT Consulting
Most regional MSPs sell horizontal IT support and treat HIPAA as a checkbox. PGH Networks runs HIPAA compliance IT consulting as a defined practice with a real Security Risk Assessment methodology, a real BAA, and engineers who can speak to the Security Rule citation behind every recommendation. We work on-site across the Pittsburgh metro, from the South Side and Oakland hospital corridor to Cranberry, Monroeville, Washington, Greensburg, and Beaver, which matters when an imaging server fails or a clinic needs hands-on remediation before an audit deadline.
We also bring an active AI-enablement practice to healthcare clients evaluating ambient scribing, intake automation, and administrative copilots. Those tools introduce new ePHI pathways, and the same SRA discipline applies: inventory the data flow, sign the BAA, configure the safeguards, document the decision.
Engaging PGH Networks
Healthcare practices in Western Pennsylvania typically start with a scoped HIPAA Security Risk Assessment and a review of existing BAAs and policies. From there, engagements move into remediation, ongoing managed services, or co-managed support alongside an internal IT lead. To discuss HIPAA compliance IT consulting for your practice, contact PGH Networks through pghnetworks.com.
Client details in this case study have been anonymized to protect patient privacy and the practice's identity. Specific configurations and outcome metrics reflect the actual engagement.
