Toledo's healthcare landscape is substantial — from ProMedica and Mercy Health anchor systems down to independent physician practices, specialty clinics, dental offices, physical therapy groups, and behavioral health providers spread across Lucas, Wood, Ottawa, and Fulton counties.
Every single one of those practices handles Protected Health Information (PHI). And every single one is required under HIPAA to maintain technical, physical, and administrative safeguards that protect that PHI from unauthorized access, disclosure, or destruction.
The problem is that most small and mid-sized healthcare practices in Toledo don't have a dedicated HIPAA security officer or an IT team that understands healthcare compliance. They have a general-purpose IT setup — or worse, consumer-grade technology — and an assumption that their EHR vendor takes care of the HIPAA part.
They don't. Here's what you actually need.
What HIPAA's Technical Safeguard Requirements Actually Mean
HIPAA's Security Rule requires covered entities and their business associates to implement three categories of safeguards: administrative, physical, and technical. The technical safeguards are where IT comes in — and they're more specific than most practices realize.
Access Controls: You must limit who can access ePHI (electronic Protected Health Information) to authorized users only. This means unique user IDs for every person who accesses your systems, automatic logoff on workstations, and emergency access procedures. Shared login credentials are a HIPAA violation — a common one that shows up repeatedly in OCR investigation findings.
Audit Controls: Your systems must be able to record and examine activity in information systems that contain ePHI. That means audit logging — who accessed what record, when, from where — and someone actually reviewing those logs. If you can't answer 'who accessed this patient's record on March 15th at 2:47 PM,' you have a gap.
Integrity Controls: You must have mechanisms to ensure ePHI hasn't been altered or destroyed without authorization. Checksums, version control for electronic records, and backup verification all play a role here.
Transmission Security: Any ePHI sent over electronic networks must be encrypted. Email with PHI must be encrypted. Data transmitted between your EHR and other systems must be encrypted. Sending patient information via standard unencrypted email is a violation, full stop.
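The audit-control test above ("who accessed this patient's record on March 15th at 2:47 PM") is easy to state and rarely automated. The following Python script is an added example, not code from the original post or from Flyght: it reviews a constructed ePHI access log and answers that question, then flags two patterns a reviewer should look at, a user ID active on two workstations within a couple of minutes (the usual footprint of a shared login) and record access outside clinic hours. The pipe-delimited log format, the sample records, the two-minute and five-minute windows, and the 7:00 to 19:00 clinic hours are all assumptions for the example; real EHR audit exports differ and the parser would need adjusting.

```python
"""Audit-log review for ePHI access. Added example; the log format, sample
records and thresholds below are assumptions, not any vendor's real format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (not real patient data). Hypothetical format:
# timestamp|user_id|workstation|record_id|action
SAMPLE_LOG = """\
2026-03-15T14:40:02|jsmith|WS-FRONTDESK-1|MRN-10442|VIEW
2026-03-15T14:47:11|drpatel|WS-EXAM-3|MRN-10442|UPDATE
2026-03-15T14:47:30|frontdesk|WS-FRONTDESK-1|MRN-20981|VIEW
2026-03-15T14:48:05|frontdesk|WS-BILLING-2|MRN-20981|VIEW
2026-03-15T23:12:44|jsmith|WS-EXAM-3|MRN-10442|VIEW
"""


def parse_log(text):
    """Turn raw log lines into dicts with a parsed timestamp; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ws, record, action = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ws": ws, "record": record, "action": action})
    return events


def who_accessed(events, record, at, window=timedelta(minutes=5)):
    """The audit-control question: who touched this record within `window` of time `at`?"""
    return [e for e in events
            if e["record"] == record and abs(e["ts"] - at) <= window]


def shared_credential_suspects(events, window=timedelta(minutes=2)):
    """Flag user IDs seen on two different workstations within `window`.
    One person cannot sit at two desks at once, so this usually means a shared login."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    suspects = set()
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for earlier, later in zip(evs, evs[1:]):
            if earlier["ws"] != later["ws"] and later["ts"] - earlier["ts"] <= window:
                suspects.add(user)
    return sorted(suspects)


def after_hours_access(events, open_hour=7, close_hour=19):
    """Record access outside the assumed clinic hours; each hit should get a documented reason."""
    return [e for e in events if not (open_hour <= e["ts"].hour < close_hour)]


def review(text, record, at_iso):
    """Run all three checks over one log export and return a summary dict."""
    evs = parse_log(text)
    return {
        "accessed_by": [e["user"] for e in who_accessed(evs, record, datetime.fromisoformat(at_iso))],
        "shared_logins": shared_credential_suspects(evs),
        "after_hours": [e["user"] for e in after_hours_access(evs)],
    }


if __name__ == "__main__":
    summary = review(SAMPLE_LOG, "MRN-10442", "2026-03-15T14:47:00")
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the constructed sample, the record question is answered by `drpatel` (the 14:40 view by `jsmith` falls outside the five-minute window), `frontdesk` is flagged because the same ID appears at the front desk and the billing workstation 35 seconds apart, and the 23:12 view by `jsmith` is listed for after-hours follow-up. The point is the workflow, not the thresholds: log review under the audit-control requirement only counts if someone runs checks like these on a schedule and records what was found.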
The Business Associate Agreement Problem
Here's something that trips up Toledo healthcare practices constantly: every vendor who handles, stores, processes, or transmits PHI on your behalf must sign a Business Associate Agreement (BAA) before you share any PHI with them.
That includes your IT provider. If your managed IT company has access to systems containing patient records — and they do, if they're doing their job — they must have a signed BAA on file. An IT company that won't sign a BAA, or doesn't know what one is, cannot serve a healthcare practice in a compliant manner.
It also includes your cloud storage provider, your backup vendor, your email platform, your video conferencing system if you conduct telehealth, your billing software, and your patient communication tools. Each one needs a BAA.
Flyght signs BAAs with every healthcare client we serve. It's not optional — it's the foundation of any compliant healthcare IT relationship.
Encryption: Where Most Toledo Practices Fall Short
HIPAA's encryption requirements are nuanced — the Security Rule classifies encryption as 'addressable' rather than 'required,' which many practices interpret as optional. It's not. 'Addressable' means you must assess whether it's reasonable and appropriate, implement it if it is, or document a compliant alternative if it isn't. In 2026, for a healthcare practice in Toledo with any kind of network-connected infrastructure, the answer is always 'yes, encryption is required.'
Here's what needs to be encrypted:
Laptops and workstations: Every device that can access or store ePHI must have full-disk encryption. If a laptop is stolen from a physician's car in a Toledo parking garage, encrypted data cannot be read by the thief — and that matters enormously for breach notification requirements.
Email: PHI in email must be encrypted in transit. If you're using Microsoft 365, you have encryption capabilities built in — but most practices haven't configured them. Sending a patient's lab results to another provider in an unencrypted email is a violation.
Backups: Your backup data contains PHI. It must be encrypted at rest and in transit. Tapes or drives leaving your facility must be encrypted.
Mobile devices: Tablets and smartphones used to access patient information must be encrypted and enrolled in mobile device management (MDM) so they can be remotely wiped if lost.
The Risk Analysis You're Required to Do (And Probably Haven't)
HIPAA requires covered entities to conduct an accurate, thorough, organization-wide risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. This isn't a one-time checkbox — it must be reviewed and updated periodically and whenever significant changes occur.
A proper HIPAA risk analysis is a documented process that identifies where ePHI lives in your organization, assesses the likelihood and impact of threats to that ePHI, evaluates the adequacy of your existing controls, and produces a risk management plan to address gaps.
The Office for Civil Rights (OCR) — the federal agency that enforces HIPAA — identified failure to conduct a compliant risk analysis as the most common finding in HIPAA investigations and audits. Toledo-area practices that haven't done this are carrying significant regulatory and financial exposure.
Flyght helps healthcare practices complete HIPAA-aligned risk analyses as part of our healthcare IT program. We document your ePHI inventory, assess your technical controls, and produce the risk management plan that HIPAA requires — and that OCR wants to see.
Ransomware and Healthcare: A Toledo-Specific Warning
Healthcare is the most targeted sector for ransomware attacks in the United States. Attacks on hospitals and healthcare systems in Ohio — including incidents affecting facilities in the Greater Toledo area — have made local news in recent years. But the smaller practices — the 5-physician cardiology group in Maumee, the behavioral health clinic in Sylvania, the dental practice in Perrysburg — don't make the news when they get hit. And they do get hit.
For healthcare practices, a ransomware attack isn't just an IT disaster — it's a HIPAA breach. The encryption of ePHI by ransomware meets the definition of a breach under the HIPAA Breach Notification Rule unless the practice can demonstrate a low probability that the ePHI was compromised — a very high bar to clear.
That means breach notification obligations to affected patients, notification to HHS, and if more than 500 patients are affected in a given state, notification to media in that state. The reputational and financial consequences for a Toledo healthcare practice can be severe.
Proper cybersecurity — including EDR, 24/7 SOC monitoring, network segmentation, and tested backup and disaster recovery — is not optional for healthcare. It's the difference between a bad day and a practice-ending event.
Is Your Toledo Practice Actually HIPAA Compliant?
Flyght serves healthcare practices across the Toledo metro area, including Lucas, Wood, Ottawa, Fulton, and Henry counties. We understand HIPAA's technical requirements, sign Business Associate Agreements as a standard part of our engagement, and build IT environments specifically designed for healthcare compliance.
We offer a free HIPAA IT assessment for Toledo-area practices — a candid look at your current technical safeguards, where the gaps are, and what it would take to get fully compliant. No fear-mongering, no inflated estimates. Just a clear picture of where you stand.
Call us at (419) 670-7100 to find out if we serve your location. Your patients trust you with their most sensitive information — your technology should be worthy of that trust.