The hidden compliance gap in every multi-location specialty practice

Specialty practices run tools that handle PHI outside the patient management system. Here's where exposure hides and how governance closes it.
Sponsored
By admin
Jun 29, 2026, 5:32 PM

This article is part of a series, sponsored by Nexcess, examining the risks specialty practices face when AI and other IT implementations sit on infrastructure nobody is actively managing for compliance, security, or performance. This series names that gap, frames what it costs, and teaches leaders how to close it.

Multi-location specialty practices have spent years hardening their core patient management systems while third-party integrations multiplied at the edge, quietly expanding the real exposure.

Third-party point solutions (scheduling, intake, imaging) often enter through the operational side of a practice without the BAA review or HIPAA scoping that formal IT procurement requires, leaving a shadow stack where the protected health information (PHI) they touch exists outside any documented accountability structure.

The BAA stops at your patient management system

Modern specialty practices typically operate with three platform layers.

The patient management system for overseeing clinical and financial records sits at the core layer. As it’s purpose-built to support HIPAA-regulated workflows, it’s vendor-owned, well-defended, and cleanly documented. No surprises there.

On the other hand, the shadow stack exists as an ad-hoc layer of add-on products that serve a specific purpose for individual practices. A behavioral health chain likely has a telehealth add-on. Dermatology clinics may have localized image storage. Urgent care facilities use a fragmented mix of portals, intake forms, scheduling tools, and analytics databases. These tools add up, and IT leaders are all too often unaware of how they interact with each other.

The third layer is infrastructure, or the actual environment where edge tools are supported. Ideally, this is where security and compliance gaps are closed. When edge tools are adopted incrementally, instead of going through a formal review process, the infrastructure layer becomes fragmented, unwieldy, and difficult to manage.

Third-party tools handle PHI but operate beyond the scope of the organization’s BAA: the core platform vendor’s BAA covers only its own silo, while every system around it remains yours to defend.

Convenience integrations move PHI beyond your BAA coverage

Passing data from scheduling systems to clinical notes to billing applications to analytics tools minimizes manual workflows, which can bog down specialty practices and stand in the way of long-term business growth.

Increased data sharing means PHI is moving into general-purpose cloud hosting platforms that were never designed with HIPAA-regulated workflows in mind and typically lack access logs or clearly documented responsibility for who owns what.

Rather than targeting core patient management systems and their hardened defenses, attackers increasingly go after the platforms running third-party intake, scheduling, backup, and communications solutions that specialty practices have widely adopted.

Leaving the edge unmanaged and unsecured can have real consequences. Attackers can compromise third-party plug-ins that have been granted trusted access to a practice’s network to obtain PHI, as Broward Health reported in late 2021.

Data leaks can be invisible, too; Blue Shield of California reported its analytics tools for tracking website users’ behavior were scraping PHI and sharing it with Google Ads, undetected, for nearly three years.

Closing the BAA gap at the infrastructure layer

Organizations may treat the unmanaged edge as a technical problem that proactive patching can solve. That may fix the immediate issue while masking a larger one: technical vulnerabilities at the edge are byproducts of a fractured governance structure, and leading healthcare CIOs are addressing that root cause rather than the symptom.

For multi-location specialty practices, this means treating infrastructure as a layer for active management of third-party applications. Common policies include ensuring that no data integration or edge tool is permitted to touch the network without an explicitly assigned owner, a verified operational BAA, and a documented map of where its data flows.

Applying governance to infrastructure removes the operational liability of ungoverned tools and shifts policies from passive post-integration compliance checks to continuous security monitoring across the full integration stack.

The starting point is an inventory of where data flows across every integration and how well it’s protected at each point.

An unmapped integration is a compliance blind spot waiting to be tested, and your practice owns the exposure.


About the Author

Kelly Goolsby has worked in the hosting industry for over 20 years and loves seeing Nexcess clients use new technologies to build businesses and solve problems. His roles in technology have included all facets of Sales and, more recently, Solution Architecture, Technical Sales, and Sales Training. Kelly really loves having a hand in developing new products and helping clients learn how to use them.


About Nexcess

Nexcess builds specialty cloud infrastructure for healthcare organizations that need hosting to support HIPAA-regulated workloads. The practices that work with Nexcess are not replacing their patient management system. They are giving the systems around it (patient portals, scheduling tools, digital intake platforms, and the analytics databases feeding their AI models) an environment that was actually built for that work.

When something goes wrong, everyone knows who to call. Compliance reviews move faster because the documentation already exists. And AI deployments have an infrastructure foundation that can actually account for where the data went.

Talk to our architects. We will help you work through where your systems live today and whether those environments were built for what you are asking them to do.
