How HIPAA work integrates with the rest of running a practice — staff workflow, vendor onboarding, patient communication, and the operational decisions that shape compliance outcomes.
13 articles
Practice Operations is the human and procedural layer beneath the technology. Compliance breaks down most often not through technical failure but through operational drift: a new staff member never completes training, a vendor's BAA expires without notice, a workflow change introduces an exposure, a one-off accommodation becomes the norm. The articles below cover the operational discipline that keeps compliance current as the practice itself evolves.
Seven patient communication platforms that will sign a BAA, ranked by fit for independent practices. Where each is strong, where each is thin, and the workflow gap behind most communication breaches.
Zapier does not sign BAAs. That alone disqualifies it for any workflow involving PHI. Practices that use Zapier to glue together healthcare tools are creating compliance exposure they may not see until an audit.
Stripe does not sign Business Associate Agreements. Most card transactions are not PHI under HIPAA — but billing context, descriptors, and integrations can introduce PHI. The line is narrower than most practices realize.
Adobe Acrobat Sign can be HIPAA compliant on Enterprise tiers with a signed BAA. Acrobat Pro DC and individual plans are not HIPAA-eligible. Confusion between Acrobat the PDF tool and Acrobat Sign the e-signature service is common.
Loom does not sign BAAs on any plan. That alone disqualifies it for any video that captures or discusses PHI. Here is the gap and what to use instead.
You can have ten HIPAA-compliant tools and zero HIPAA compliance. The Franken-stack is what you get when operational pressure meets the absence of a compliance architecture.
Most HIPAA compliance software was built for hospital systems. The pricing reflects it. Independent practices face identical regulatory requirements with a fraction of the resources. Here is where the real value floor is in 2026.
Zoom offers a HIPAA-compliant option, but the free plan does not qualify. Here is what you need to set up before using Zoom with patients.
Microsoft Teams can meet HIPAA requirements — but only with the right Microsoft 365 plan, a BAA, and admin configuration. Here is the full guide.
Ten mistakes that recur across independent practices — not exotic security failures, but predictable operational gaps. Each one shows up repeatedly in OCR enforcement actions and breach reports.
Google Forms is only HIPAA compliant on paid Google Workspace plans with a signed BAA. Free Gmail accounts are never covered. Here is exactly what you need to configure and where Forms falls short for patient intake.
Calendly does not sign Business Associate Agreements on any plan and explicitly prohibits PHI in its terms of service. No configuration makes it compliant for healthcare scheduling.
The compliance industry has spent a decade selling binders, templates, and consultant hours. The next generation of HIPAA platforms must actually prevent breaches.
Related references
Training, BAA management, policy generation
10-minute scan of practice readiness
Implementation and rollout support
Direct primary care operations + 2026 HSA tailwind
Prominent-patient threat model, compartmentalized access controls
