HIPAA-Compliant IT for Healthcare Practices
Charlotte healthcare since 2003. Imaging-system support.
Netsafe Solutions delivers HIPAA-compliant IT for Charlotte healthcare practices — PHI protection, EHR integration, 24/7 M365 tenant monitoring. 22-year Microsoft Partner, device-based pricing.
Netsafe Solutions provides HIPAA-compliant IT services to Charlotte-area healthcare practices from our office at 8510 McAlpine Park Drive, Suite 203. We manage Microsoft 365 tenants with PHI-ready security hardening, deliver 24/7 SOC monitoring via Black Point Cyber on both endpoints and M365, and sign Business Associate Agreements (BAA) as standard practice. Our stack — SentinelOne EDR, Checkpoint Harmony for email security, DefensX DNS filtering, Microsoft Entra ID with Conditional Access, and FIDO2 hardware keys for admin accounts — is configured to the HIPAA Security Rule's administrative, physical, and technical safeguards. Pricing is per-device monthly for support, with each security tool priced individually on a month-to-month basis, tailored to what your business actually needs. No onboarding fee, and we've supported healthcare clients since our founding on November 21, 2003.
Why Healthcare IT Is Different
Healthcare IT isn't just regular IT in a clinic — it's regulated IT. Every computer, mobile device, email account, and cloud service that touches Protected Health Information (PHI) falls under the HIPAA Security Rule, which means specific technical and administrative controls are mandatory, not optional. A single compromised user account in a small medical practice can expose thousands of patient records, trigger mandatory breach notification under HIPAA's Breach Notification Rule, and result in penalties up to $1.5 million per violation category per year under OCR enforcement.
The reality for Charlotte healthcare practices: HHS reports that over 89 million individuals were affected by healthcare data breaches in 2023 — the highest on record. 77% of those breaches involved hacking or IT incidents, not physical theft or employee error. Small practices (under 500 records) are increasingly targeted because they're perceived as softer targets than hospitals.
Netsafe Solutions configures healthcare IT specifically for HIPAA. We don't sell a generic managed service and hope it passes audit — we build the environment to meet the Security Rule from day one, then prove it with documented evidence and quarterly Secure Score reporting.
What Netsafe Solutions Provides for Healthcare Practices
HIPAA Security Rule Compliance (Full Coverage)
Netsafe configures every healthcare client environment to meet HIPAA's three safeguard categories:
Administrative safeguards:
- Business Associate Agreement (BAA) signed with every healthcare client before any PHI access — standard procedure, not negotiated
- Workforce security procedures: role-based access, termination-day offboarding with full Entra ID lockdown and session revocation
- Security awareness training via Phin (monthly phishing simulations + HIPAA-specific modules)
- Documented incident response plan with breach notification timelines aligned to HIPAA's 60-day rule
Physical safeguards:
- Workstation and device policies via Microsoft Intune
- Full-disk encryption (BitLocker on Windows, FileVault on Mac) enforced via Intune compliance policies
- Mobile device management with selective wipe for BYOD — separates PHI from personal data
Technical safeguards:
- Multi-factor authentication enforced for all users via Microsoft Entra ID, with Conditional Access policies blocking logins from untrusted locations
- Audit logging via Microsoft 365 unified audit log — retained 180 days minimum, exportable on demand for OCR audits
- Encryption in transit and at rest — Exchange Online, OneDrive, SharePoint, Teams all encrypted by default; we verify and document
- Access controls — unique user identification, automatic logoff, PIM for privileged roles
- Integrity controls — version history and immutable M365 backups prevent ransomware from destroying PHI
PHI Protection Across the M365 Tenant
Email is where 90%+ of PHI breaches start in small healthcare practices. Netsafe hardens the M365 tenant with:
- Checkpoint Harmony (formerly Avanan) — AI-based email threat protection catching phishing, BEC, and PHI-exfiltration attempts that bypass Exchange Online Protection
- Microsoft Purview sensitivity labels — "PHI/Confidential" label applied to all patient-related correspondence, with DLP policies that block external sharing automatically
- Data Loss Prevention (DLP) policies — block outbound emails containing detected PHI (social security numbers, medical record numbers, dates of birth in specific patterns) unless sender approves via justification workflow
- Black Point Cyber SOC on M365 tenant — 24/7 human SOC analysts monitoring for account takeovers, suspicious foreign logins, malicious OAuth app consent, and email forwarding rule abuse. Average response time: 7 minutes. Analysts can disable compromised accounts, expire tokens, and force password resets.
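As an added illustration (not Netsafe's or Microsoft's own code), the following Python models the outbound DLP decision described in the list above and in the FAQ on PHI in email: detect SSN, date-of-birth and MRN patterns in a message body and block delivery to external recipients unless the sender supplies a justification. The MRN format, the internal domain and the sample messages are constructed assumptions, not the practice's real formats or data.

```python
import re

# Constructed detectors modelling the "specific patterns" a DLP rule looks for.
# SSN: 3-2-4 digits; reject impossible area (000, 666, 9xx), group (00) and serial
# (0000) values so phone numbers and obviously invalid numbers are not flagged.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Date of birth: only when labelled, so ordinary appointment dates are not flagged.
DOB_RE = re.compile(
    r"\b(?:DOB|date of birth)\s*[:\-]?\s*"
    r"(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b", re.I)
# Medical record number: assumed practice format "MRN" + 6-8 digits (hypothetical;
# real MRN formats are EHR-specific and must come from the practice's own system).
MRN_RE = re.compile(r"\bMRN\s*[:#]?\s*\d{6,8}\b", re.I)

INTERNAL_DOMAINS = {"example-practice.test"}  # constructed: the practice's own domain


def detect_phi(text):
    """Return {kind: count} for every PHI pattern found in the text."""
    hits = {}
    for kind, rx in (("ssn", SSN_RE), ("dob", DOB_RE), ("mrn", MRN_RE)):
        count = len(rx.findall(text))
        if count:
            hits[kind] = count
    return hits


def is_external(address):
    """True when the recipient domain is not one of the practice's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def evaluate(recipients, body, justification=None):
    """Model the DLP rule: PHI to an external recipient is blocked unless justified."""
    hits = detect_phi(body)
    if not hits or not any(is_external(r) for r in recipients):
        return "allow", hits                     # no PHI, or purely internal mail
    if justification and justification.strip():
        return "allow_with_justification", hits  # sender completed the override workflow
    return "block", hits


if __name__ == "__main__":
    # Constructed sample messages, not real patient data.
    samples = [
        (["specialist@other-clinic.test"], "Referral: SSN 123-45-6789, DOB: 03/14/1985", None),
        (["specialist@other-clinic.test"], "Referral: MRN 00482913", "Patient-requested referral"),
        (["nurse@example-practice.test"], "Chart note: MRN 00482913", None),
        (["vendor@other.test"], "Call 555-010-2000 or fax 000-12-3456", None),
    ]
    for rcpts, body, why in samples:
        print(rcpts, evaluate(rcpts, body, why))
```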
Endpoint Security for Clinical Workstations
Every clinical device — front-desk check-in stations, provider laptops, clinical workstations, tablets — runs the same managed security stack:
- SentinelOne EDR — endpoint detection and response with behavioral AI, catching ransomware, lateral movement, and credential theft
- Black Point Cyber SOC endpoint monitoring — working alongside SentinelOne, SOC analysts respond to threats in 16-minute average response time
- NinjaOne RMM — patch management, software deployment, remote remediation; patch compliance reported to client quarterly
- DefensX DNS filtering — blocks malicious domains at the DNS layer before any user interaction
- BitLocker full-disk encryption — enforced and verified via Intune; required under HIPAA Security Rule §164.312(a)(2)(iv)
EHR & Practice Management Integration
Netsafe manages the IT infrastructure around whatever EHR or practice management system you run — we're not the EHR vendor, but we handle every IT integration point:
- Single sign-on (SSO) via Entra ID for cloud-hosted EHRs that support SAML (Athenahealth, eClinicalWorks cloud, DrChrono, Kareo, Practice Fusion, and others)
- Dedicated workstation configuration for local EHR installs — server access, performance tuning, driver compatibility
- Scanner/multifunction printer integration — HIPAA-compliant scan-to-folder, scan-to-email with encryption
- Backup coordination — we integrate M365 backup with on-prem server backup for practices running hybrid infrastructure
- VPN and remote access for telehealth and work-from-home clinical staff — split-tunnel configurations that keep PHI traffic inside the encrypted tunnel
- EHR migration and upgrade support — we plan and manage the IT side (workstation prep, network readiness, data backup, cutover scheduling) while coordinating with your EHR vendor's technical support for platform-specific configuration
Vendor Risk Management
HIPAA requires covered entities to assess and document their business associates (your IT provider, EHR vendor, billing service, etc.). Netsafe provides:
- Signed BAA with your practice
- SOC 2 Type II reports from our tool vendors (Microsoft, SentinelOne, Black Point Cyber, NinjaOne) assembled annually for your audit file
- Vendor risk questionnaires completed on request for your compliance officer
---
How We Price Healthcare IT
Most MSPs force their entire tool stack on every client regardless of need. Netsafe Solutions builds your stack around what your business actually requires — transparent, itemized, month-to-month on every tool.
Per-Device Support
Monthly per endpoint · Quoted
- Unlimited remote helpdesk during business hours
- On-site support available (pre-approved T&M)
- 1-year service agreement — standard MSP practice
Microsoft 365 Licensing
Monthly per mailbox · MSRP rates
- Business Basic — $7.20/user/mo
- Business Standard — $15.00/user/mo
- Business Premium — $26.40/user/mo
- Enterprise (E3/E5) — quoted per tenant
- Licensing sourced through Pax8
Security & Management Tools
Each priced individually · Month-to-month · No forced bundles
- NinjaOne RMM — monitoring, patch management, remote management, vulnerability scanning
- SentinelOne EDR — AI-powered endpoint detection and response
- Black Point Cyber SOC — 24/7 human-led endpoint + M365 tenant monitoring
- DefensX — DNS filtering and web protection
- Checkpoint Harmony — advanced email security (anti-phishing, anti-BEC)
All M365 pricing reflects current month-to-month Microsoft MSRP. Tool pricing is quoted per customer based on environment size and needs. No onboarding fee — migrations and security hardening are included in the first month’s management fee. Contact us for a custom quote.
Frequently Asked Questions
Does Netsafe Solutions sign a Business Associate Agreement?
Yes — signed before any PHI access as standard practice. Our BAA covers Netsafe's responsibilities for safeguarding PHI, breach notification timelines, subcontractor flow-down, and termination procedures. We don't negotiate BAA terms individually; our BAA is reviewed annually by counsel and available on request before engagement.
Is Microsoft 365 HIPAA compliant?
Microsoft 365 can be configured to meet HIPAA requirements, but it isn't HIPAA compliant out of the box. Microsoft offers a BAA for covered services (Exchange Online, SharePoint, OneDrive, Teams, Intune, Entra ID, most enterprise features) when the tenant is properly configured. Netsafe handles the configuration: Conditional Access, MFA, audit log retention, sensitivity labels, DLP, Secure Score optimization, and documented risk assessment. Some M365 features (personal OneDrive, Sway, consumer Copilot, third-party connectors) are NOT covered under Microsoft's BAA and are blocked by default on our managed tenants.
What happens if our practice is breached?
We follow the incident response plan documented with your practice at onboarding. Immediate steps: SOC containment (account disable, token revocation, device isolation) — typical time from detection to containment is under 15 minutes. Then forensics (what data was accessed, when, by whom), internal notification (your practice leadership), and HIPAA breach assessment (was the incident reportable under the 60-day rule). If reportable, we help document the notification letter to affected patients and the OCR report. We do not replace your compliance officer or your legal counsel — we're the IT partner, not the regulator.
Do you work with our specific EHR?
We manage the IT infrastructure around any EHR system — workstation configuration, network access, single sign-on, backup coordination, scanner and printer integration, and telehealth remote access. For EHR migrations or upgrades, we plan and manage the IT side of the project while coordinating with your EHR vendor's support team. We don't replace your EHR support contract — we handle the IT around it.
How does Netsafe handle PHI in email?
Three-layer approach: (1) Microsoft Purview sensitivity labels applied to emails and attachments containing PHI. (2) DLP policies that block outbound PHI emails to external recipients unless the sender adds a justification. (3) Encryption via Microsoft 365 Message Encryption (recipients get a secure portal link rather than the PHI traveling in plain email). For clinical workflows that require frequent external PHI exchange (consulting specialists, patient portals), we implement scoped sharing rules that balance usability with protection.
What's the difference between Defender for Business and SentinelOne?
Defender for Business is Microsoft's entry-level endpoint protection, bundled with Business Premium. It's antivirus + basic EDR. SentinelOne is enterprise-grade EDR with behavioral AI, ransomware rollback, and deeper forensics. For healthcare environments where a single ransomware incident could halt patient care and trigger mandatory breach notification, we deploy SentinelOne as the baseline — not Defender. The additional cost per device is small relative to the breach risk it mitigates.
Can we use personal mobile devices (BYOD) for clinical work?
Yes, with Microsoft Intune BYOD enrollment and app protection policies. The policies enforce PIN/biometric lock on Outlook, Teams, and any M365 app; block copy/paste of PHI from managed apps to personal apps; require device encryption and jailbreak detection; and allow Netsafe to selectively wipe only the M365 apps (not the personal phone) when an employee leaves. This satisfies HIPAA's "minimum necessary" principle without requiring the practice to provide phones.
How often do you audit our HIPAA posture?
Quarterly Secure Score report with remediation recommendations, annual documented risk assessment (required by HIPAA §164.308(a)(1)(ii)(A)), and continuous Secure Score monitoring via Microsoft 365 Lighthouse. When Microsoft releases new baseline controls, we evaluate them and implement within 30 days for managed tenants.
---
Let’s Talk About Your Healthcare IT
Tell us about your environment and what you’re dealing with. We’ll get back within one business day with a straight assessment and a quote. No pressure, no sales pitch.
Or call us directly
(704) 333-0404
Areas We Serve
Netsafe Solutions provides IT services for healthcare across 27 cities in North Carolina and South Carolina.
North Carolina: Charlotte, Concord, Huntersville, Matthews, Cornelius, Waxhaw, Gastonia, Kannapolis, Monroe, Mooresville, Salisbury, Statesville, Hickory, Newton, Shelby, Albemarle, Greensboro, Winston-Salem, Lexington
South Carolina: Rock Hill, Fort Mill, Columbia, Spartanburg, Lancaster, Chester, York, Gaffney
Netsafe Solutions — IT services for healthcare in Charlotte since 2003.
8510 McAlpine Park Drive, Suite 203, Charlotte, NC 28211 | (704) 333-0404
Last Updated: April 2026