Medical · Maryland

Managed IT diligence for medical practices in Maryland.

Practices like yours hold patient charts, imaging, billing, and everything else HIPAA calls protected health information. A practice answers for its IT vendor's failures: HIPAA holds the covered entity responsible, breach notification runs on a federal clock, and downtime during patient hours is a clinical problem, not just a business one.

What binds you

The frameworks behind the stakes

HIPAA Security RuleThe frameworkAdministrative, physical, and technical safeguards for electronic PHI, including a required risk analysis.
HIPAA Business Associate AgreementThe frameworkA signed BAA before any vendor touches systems holding PHI.
HHS breach notificationThe frameworkFederal reporting duties when PHI is compromised, on defined timelines.

Add this to your checklist

Is the EHR itself inside the backup scope, and who coordinates with the EHR vendor?

It joins the 18 questions every buyer should ask in writing. The full list and the printable version are on the Protect page.

Where you are

The Maryland layer

Maryland, like every U.S. state, has a data breach notification law that sets duties and deadlines when personal information is compromised. Whatever its exact deadline, a provider bound by a contractual 72-hour notice clock has already committed to moving faster than any state statute requires of you, which is why that clause belongs in your agreement regardless of where you operate. The National Conference of State Legislatures maintains a fifty-state table of these laws; searching "NCSL security breach notification laws" will find it if the link below has moved.

Before hiring anyone, run their legal entity through Maryland's Secretary of State business search: every state operates one, free, and it shows whether the company exists, when it was formed, and whether it is in good standing. Search "Maryland Secretary of State business search" to reach it directly. Maryland's attorney general's office is the place to check for consumer complaints and to report provider misconduct.

NCSL 50-state breach-law tablesource