Frequently asked questions

Common questions, answered plainly

No jargon. No upselling in the answers. If you have a question that's not here, book a call or email us.

HIPAA & compliance

What does "HIPAA-aligned" mean?

"HIPAA-aligned" means the security controls Front Range Health IT deploys — BitLocker, MFA, Defender, Huntress, Conditional Access, audit logging — correspond to the specific technical safeguards required under 45 CFR § 164.312 of the HIPAA Security Rule.

It does not mean your practice is "HIPAA compliant." HIPAA compliance is a program, not a certification. It requires administrative safeguards (policies, workforce training, designated security officer), physical safeguards (facility access controls, workstation security), and technical safeguards (what Front Range Health IT provides). You need all three, plus regular risk assessments.

Front Range Health IT handles the technical safeguard layer. We'll tell you clearly what we cover and what your practice is still responsible for.

What's a BAA, and why does it matter?

A Business Associate Agreement (BAA) is a contract required by HIPAA between your practice (a "covered entity") and any vendor that may access, store, or transmit protected health information (PHI) on your behalf. Without a signed BAA, using that vendor is a HIPAA violation regardless of how secure the vendor actually is.

Front Range Health IT operates as a Business Associate of your practice, which means you need a signed BAA with Front Range Health IT — included in the client agreement at onboarding. Front Range Health IT also requires BAAs with the third-party tools that handle PHI: Microsoft, Acronis, and NinjaOne. Please see the Security & Compliance page for current BAA status.

Do I really need all this security? My practice is small.

The HIPAA Security Rule applies to all covered entities — there's no small-practice exemption. The Office for Civil Rights has issued significant fines to solo and small group practices, including a $100,000 fine to a small dermatology practice in 2013 and a $32,150 settlement with a solo practitioner in 2019.

Beyond regulatory risk: ransomware operators specifically target small healthcare practices because they often have fewer defenses and are more likely to pay. A single ransomware event that encrypts your EHR and patient records can cost more to recover from than several years of managed IT.

We're not trying to scare you into buying more than you need. Our Essential tier ($125/user/month) covers the core technical safeguards. We'll help you assess what level of coverage makes sense for your specific situation.

What if I have a breach?

HIPAA requires breach notification to HHS and affected individuals within 60 days of discovering a breach affecting 500 or more individuals. For smaller breaches, notification is required within 60 days of the end of the calendar year in which the breach occurred.

Front Range Health IT's incident response process (documented on the Security page) includes scope assessment to determine whether PHI was accessed or exfiltrated, which is the threshold question for breach notification. We produce the incident documentation you'll need if HHS investigates.

Front Range Health IT is not a HIPAA attorney. We'll give you the technical facts. Your attorney advises on breach notification decisions.

Pricing & contracts

What's the difference between Essential and Professional HIPAA tiers?

Both tiers include the exact same security stack: Microsoft 365 management, endpoint security (Defender, Huntress, DNSFilter), BitLocker + MFA enforcement, Intune MDM, Acronis cloud backup, monthly health reports, quarterly business reviews, HIPAA documentation review, incident response coordination, and priority staff onboarding.

The only difference: Professional HIPAA ($175/user/month) adds 24/7 after-hours emergency support. Essential HIPAA ($125/user/month) has email support during business hours (Mon–Fri, 8 a.m.–6 p.m. MT). If your practice management software going down at 7 p.m. is a clinical problem, Professional is the right tier. See Pricing for the full comparison table.

What happens if we want to cancel?

30-day notice to cancel. No cancellation fees. No lock-in penalties. Your Microsoft 365 tenant, domain, backups, and data stay yours — Front Range Health IT removes delegated access (GDAP) and hands over documentation of what was configured.

The only non-refundable item is the onboarding fee ($1,500), which covers the work of deploying and configuring the security stack. That work is done regardless of whether you stay a client, so it's not refundable after onboarding is complete.

Do you provide hardware?

Front Range Health IT doesn't resell hardware. We can advise on what to buy — specific models, specs, and where to purchase — and configure hardware after you receive it.

Hardware purchases (computers, switches, access points, NAS devices) are outside the monthly service fee. We'll give you honest purchasing guidance rather than upselling hardware we profit from.

What's NOT included in the monthly fee?

Hardware purchases, software licenses (M365 and similar licenses are billed separately through Microsoft at your cost), specialized clinical software support beyond initial setup, and project work outside the scope of managed services (major infrastructure overhauls, new office builds, etc.).

Project work is quoted separately and transparently before any work begins. No surprise invoices.

Getting started

How is Front Range Health IT different from a regular IT company?

Three concrete differences: (1) Healthcare-only — all clients are dental practices, medical practices, or nursing homes, which means the security baseline and documentation are designed for healthcare, not adapted from generic templates. (2) Colorado-only — local presence means on-site when needed and knowledge of Colorado-specific requirements like the Colorado Privacy Act. (3) Transparent pricing — rates are on this website; you don't need to get a quote to know what it costs.

Do I have to switch all my systems?

No. Front Range Health IT builds onto your existing environment. If you're already using Microsoft 365, we take over management. If you have existing hardware, we assess it and enroll what meets security requirements. If you're using Eaglesoft, Dentrix, or another EHR, we configure the network and security around it rather than replacing it.

The security stack (Defender, Huntress, DNSFilter) gets deployed to your existing endpoints. The main change most practices experience is MFA enforcement on all accounts — which is disruptive for about 15 minutes and then invisible.

What if I already have an EHR vendor providing IT support?

EHR vendors support their software, not your IT environment. Most don't manage your network, endpoints, Microsoft 365 tenant, or backups — and they're typically not your Business Associate for HIPAA purposes (check your contract carefully).

Front Range Health IT works alongside your EHR vendor. We manage the infrastructure and security layer; they manage the clinical application. The two roles don't conflict.

How long does onboarding take?

Typical onboarding for a 5–15 person practice takes 2–4 weeks, depending on complexity and your availability for access and device enrollment. The onboarding process includes: environment assessment, Microsoft 365 GDAP setup and security configuration, endpoint enrollment (Intune), security tool deployment (Defender, Huntress, DNSFilter), BitLocker enforcement, and documentation.

Onboarding is designed to minimize disruption to clinical operations. Most of the configuration happens in the background; staff-visible changes (MFA enrollment, Intune device enrollment) are scheduled during low-activity windows.

Day-to-day operations

Are you available after hours?

Professional tier clients have after-hours emergency support via a dedicated contact line. Essential tier clients have email support during business hours (Monday–Friday, 8 a.m.–6 p.m. MT), with acknowledgment within 4 hours during business hours.

For monitoring: the Huntress SOC monitors endpoints 24/7 regardless of tier. Security incidents are responded to at any hour. "After-hours support" refers to break/fix and user-facing support, not security monitoring.

How quickly can you respond to issues?

For security incidents: Huntress SOC detection is continuous. Front Range Health IT responds to critical security alerts within 1 hour. For non-critical issues: acknowledgment within 4 hours during business hours, resolution depending on complexity and severity.

Front Range Health IT is a one-person operation. If a response feels slower than expected, contact Jaccob directly at 720-449-6940. There's no queue to navigate.

Where is my data stored?

Your Microsoft 365 data (email, Teams, SharePoint, OneDrive) is stored in Microsoft's US-based datacenters under Microsoft's standard data residency commitments. Your Acronis backups are stored in Acronis's US-based cloud infrastructure. Front Range Health IT doesn't store your clinical or business data — we manage access to systems that do.

Your data stays in your accounts, not in Front Range Health IT's infrastructure. If you leave, you take your data with you.

Can you work with my existing dental software or EHR?

Yes. Front Range Health IT doesn't replace your clinical software — we configure the network and security environment around it. We have experience with Eaglesoft, Dentrix, Open Dental, Curve Dental, Dexis, eClinicalWorks, Epic, Athenahealth, PointClickCare, and others.

Initial setup includes working through the network and endpoint requirements for your specific software, including imaging systems and any peripherals with their own network requirements. If your software has unusual requirements, we'd rather know upfront during the discovery call than find out during onboarding.

Still have questions?

A 15-minute call is the fastest way to get specific answers for your practice — your software, your staff size, your current setup. No pitch, no obligation.