The 2026 HIPAA Security Rule changed what’s required for your practice. Here’s your gap list.

We talk small independent practices through the 2026 Security Rule and deliver the written gap list in 14 days. Remote-first, nationwide.

In 2026, the HIPAA Security Rule converted dozens of “addressable” implementation specifications to required. For a 1 to 25 clinician practice running without an in-house IT team, that means there are almost certainly gaps in your environment you haven’t documented yet.

We review your specific environment against the current requirements. We document every gap we find and send you the written list in 14 days. Yours to keep, whether you hire us for the follow-up work or not.

Techsico IT (techsico.it), independent of other Techsico-branded companies.
Independent shop. You talk to the person doing the work.
We sign BAAs with our healthcare clients.

Our promise

Two promises. The written list lands in your hands in 14 days, or we refund your deposit. Every gap we name on that list gets closed before the engagement ends, or we stay on the open ones free until they are.

Here is what the 2026 HIPAA Security Rule actually changed.

Before 2026, the Security Rule had a category called “addressable” implementation specifications. Addressable did not mean optional. It meant “do it, or document why you are not doing it and what you are doing instead.” Most small practices read “addressable” as “we can skip this,” and that reading was always incorrect. What the 2026 revision did was remove the off-ramp. Dozens of specifications that were addressable are now required. The biggest ones for a 1 to 25 clinician practice are encryption for electronic protected health information at rest, encryption for electronic protected health information in transit, and multi-factor authentication for any account that can reach electronic protected health information from outside the office network. We will put the HHS source in the footer and the Federal Register notice in the Readiness Checklist PDF.

What this looks like inside a practice like yours.

Picture a primary care practice. Eight clinicians. Three front-desk staff. Two billers. One office manager who runs everything that is not a patient visit. No in-house IT. The electronic health record runs in a browser, and the clinicians log in from the office and, sometimes, from home on the weekends. Email runs on Microsoft 365. File storage runs on whatever the last vendor set up. There is a backup somewhere. Nobody has checked on the backup in a while. That is not a failing practice. That is most practices. When we review an environment like this against the 2026 Security Rule, we usually find between 8 and 20 gaps on the first pass. Some are 30-minute fixes. Some take a policy, a signature from the office manager, and a staff huddle. None of them are reasons to panic. All of them are reasons to have a written list.

Why this falls to people like us.

You did not go into medicine to read regulations written by a federal agency. The 2026 Security Rule update runs for hundreds of pages across the rule text, the preamble, and the commentary HHS published with it. Reading it is a weekend. Understanding which parts apply to a 10-person practice versus a 10,000-person health system is another weekend. And then you have to translate the language into an actual change in your environment: which account needs MFA, which folder needs to be encrypted, which policy needs to be written down, which vendor needs a BAA on file. That translation is the part nobody wrote down for you. The last IT person who set up your email told you that you were “HIPAA compliant,” and you had no reason to push back because you had patients to see. We are the people who read the rule so you do not have to, and then we send you the practice-specific list of what that means for your environment, in plain language, in 14 days.

What you get in 14 days.

The 14-day deliverable is a written, practice-specific gap list against the 2026 Security Rule. Here is exactly what is in it.

  • Every gap we found in your environment, named in plain language.
  • A one-paragraph explanation of what each gap is, what the rule requires, and why the gap matters.
  • A rough remediation path for each gap: configuration change, policy document, staff action, or vendor escalation.
  • A priority ordering. Highest-impact fixes at the top. What to do first if you only do three.
  • No protected health information anywhere in the document. The gap list is about controls, vendors, and environment. Patient data does not belong in this artifact and it is not in this artifact.
  • A page of notes on what we did not review, so you know where the scope ends.

The list is yours. Yours to keep, yours to act on yourself, yours to give to the next IT person you hire. If you hire us for the 90-day gap-closure engagement, we work from the same list. If you do not, the list still has real value on its own.

What you get in 90 days.

The 90-day engagement is the work itself. Start with the 14-day gap list. End with a documented, dated record of every gap we named and every one we closed, with your sign-off on each. Here is what that looks like on a week-by-week basis.

  • Week 1: the 14-day gap list lands. Kickoff call is held. The priority order is confirmed with you. The first two fixes are already underway.
  • Week 2: the first closed gap hits your inbox, with written evidence of what changed. Friday progress note shows the full list, status of each item, and what we are working next.
  • Weeks 3 through 10: we work the list with you. Each Friday you get the same progress note. We run a 20-minute check-in each week on a day that works for your front desk schedule. You approve policies as they are drafted. Your staff implements role-level changes as we pass each one to your office manager.
  • Weeks 11 and 12: the remaining gaps close. Final documentation file is delivered. Your office manager signs off on the policy set. The record is yours to keep, and yours to show an insurance broker or incoming IT partner without a follow-up call to us.

Two promises apply in that window, and you already read them at the top of this page. The list lands in 14 days or we refund your deposit. Every gap we name gets closed before the engagement ends, or we stay on the open ones free until they are.

Our proof is the runbook.

We are an independent shop and we are not going to list a hundred client logos here. What we will do is show you the runbook. Every phase of our own 2026 Security Rule readiness work, on our own environment, on camera. Yours to watch before you ever pay us a dollar. We did the work on ourselves first because we figured you should be able to check our math before you trust us with yours.

Proof 1: The runbook itself.

Phase-by-phase walkthrough of how we got our own environment to the 2026 Security Rule bar. Video plus written notes. Free to watch, free to download, yours to adapt for your own practice if you want to do this yourself.

Proof 2: The founder on every call.

You will not be handed off. The person you meet on the consultation is on every weekly check-in through week 12. No account manager layer. No ticket queue.

Proof 3: BAAs on file.

We sign Business Associate Agreements with our healthcare clients. Standard BAA language, signed before any work begins that could involve access to your systems.

If you are looking for a vendor with a thousand practice logos on their homepage, we are not that vendor. If you are looking for a vendor who will show you the work before you sign, and keep the work visible every week after you do, you are in the right place.

Quick answers to what most people ask.

Is this about the 2026 HIPAA Security Rule changes?

The Department of Health and Human Services revised the HIPAA Security Rule. The biggest change for small practices: dozens of specifications that used to sit in the “addressable” category are now flatly required. “Addressable” never meant optional. It meant “do it, or document why you are not doing it and what you are doing instead.” The 2026 revision removes that off-ramp for most of the specifications that matter. The ones most likely to hit a 1 to 25 clinician practice: encryption of electronic protected health information (ePHI) at rest, encryption of ePHI in transit, multi-factor authentication for any account that can reach ePHI from outside the office network, an annual security risk analysis based on real environment evidence, not a template checklist, a current technology asset inventory, and a network map that shows how ePHI actually moves through the practice. The Readiness Checklist carries the full list with Federal Register citations.

Are you Techsico Enterprise Solutions?

No. Techsico IT and Techsico Enterprise Solutions are separate companies. Different legal entities. Different owners. Different operations. We are Techsico Information Technology LLC, headquartered in Tulsa, Oklahoma. We share a brand prefix and not much else. The footer on this site carries our full legal entity line.

Who is this for, and who is this not for?

This is built for independent practices in the 1 to 25 clinician range who handle their own IT decisions without a dedicated in-house IT team. Primary care, behavioral health, dental, chiropractic, PT / OT, optometry, small specialty. We also work with IT-staffed practices and clinics in the 100+ range when they come to us through the funnel; we do not turn away size. The marketing is tuned for the smaller-practice owner because that is most of who we serve. If you are a hospital or a regional health system with a full procurement process, we are probably not the cleanest fit, but if you still want a call we take it.

What do I come away with after the consultation?

A written summary of your current posture against the 2026 Security Rule, based on what you tell us on the 30-minute call, plus a recommendation on whether the 14-day written gap list is worth your time and money. If the recommendation is no, we say no. If it is yes, you decide whether to move forward that day or later. Either way, the summary is yours. No follow-up “proposal” where the real pitch lives.

What does this cost?

The consultation call is free. The written 14-day gap list is a flat fee we share on the consult once we understand your environment size. The 90-day gap-closure engagement is separately scoped after the gap list is delivered, so you can see what you are actually buying before you commit. No surprise pricing. No “oh by the way this is extra” additions mid-engagement.

Do you sign Business Associate Agreements?

If the vendor touches electronic protected health information on your behalf, yes. That includes your EHR vendor, your practice management software, your billing service, your cloud storage provider (Microsoft, Google, Dropbox… whoever hosts the records), your scanning service, your shredding company if they shred anything with patient info on it. Not with: your internet provider (they are a conduit, not a handler), your electric company, your accountant if they never see patient data. When you hire us for the engagement, we review your vendor list against this rule and tell you which BAAs are missing.

What if we start the engagement and it is not working?

The 14-day written gap list carries the deposit-refund promise if it does not land. The 90-day engagement has written mid-engagement checkpoints where either side can call pause or stop. Work is scoped and documented every Friday, so if something is off, we see it together fast. Cancellation inside the engagement window reverts to the counsel-approved engagement terms, which we share with you before you sign anything.

Can we do this without you and just use your runbook?

Yes, and we mean it. The runbook is published free. If your office manager has bandwidth to work through it, and you have someone who can configure MFA and sign policies, you can get to the same bar we get practices to. The reason you might still hire us: speed and the written paper trail. Doing it yourself is a season of weekends. Doing it with us is a scoped engagement with a dated record at the end.

Ready to see the gap list?

Free 30-minute call. No sales pitch.

Free. Yours to keep whether you hire us or not.