Operator-honest answers from a working SEO/AI shop in Encinitas to the questions audiologists actually ask: when you have to be HIPAA compliant, what to fix this week, what it costs, and which mistakes the OCR fines the fastest. California Speech-Language Pathology & Audiology Board (SLPAB) aligned. No fluff, no scare tactics, no $5K "compliance package" upsell.
Short answer: yes, in 2026, almost certainly.
You are a HIPAA Covered Entity the moment any one of these is true:
- You bill insurance electronically (Medicare, Medi-Cal, commercial, VA). This is the federal trigger: a provider that transmits health information electronically for a standard transaction such as a claim is a covered entity (45 CFR 160.103).
- You run practice-management / EHR software (Sycle, CounselEAR, Blueprint) that stores patient records and submits claims for you.
- You keep NOAH databases for hearing-aid programming.
- You use cloud-connected manufacturer portals.
- You offer tele-audiology.
Operator translation: if you are running anything besides a 100% cash, paper-records, phone-call-only audiology practice in 2026, you're inside HIPAA scope.
Audiology-specific risk: audiogram results, real-ear measurements, hearing-aid programming files (the NOAH database), tinnitus assessments, and cochlear-implant mapping files are all PHI once they are tied to a patient. The #1 audiology-specific gap: NOAH databases on shared office workstations with one shared login, when the Security Rule requires a unique user ID for every person who touches ePHI (45 CFR 164.312(a)(2)(i)). Close second: hearing-aid Bluetooth-connected apps that route PHI through the manufacturer's cloud; some Phonak / Oticon / Widex / Starkey workflows need a BAA verified before you use them with patient data.
Audiology-specific HIPAA practice management with BAAs: Sycle, CounselEAR, Blueprint Solutions, TIMS Software (Sycle). NOAH 4.x database storage requires HIPAA-compliant local or cloud deployment. Hearing-aid manufacturer BAAs: Phonak (Sonova), Oticon (Demant), Widex, Starkey, Signia (Sivantos) — all sign BAAs for clinical-portal access. For real-ear measurement: Verifit (Audioscan), Aurical (GN Otometrics).
This is the stack most solo and 2-3 clinician audiology practices in 2026 actually run:
| Layer | Vendor (one of) | Cost / mo | BAA included? |
|---|---|---|---|
| EHR + Notes + Billing | See vendor cheatsheet below | $49-$99 | Yes (auto on signup for paid plans) |
| HIPAA Email | Paubox · Hushmail · Google Workspace + BAA | $10-$25 | Yes (Google requires active BAA sign) |
| Telehealth (if used) | EHR-integrated · Doxy.me · Zoom for Healthcare | $0-$25 | Yes — NOT consumer Zoom |
| Texting / SMS | Spruce · OhMD · EHR portal | $15-$30 | Yes |
| Cloud backup (optional) | Google Workspace · Box for Healthcare | $0-$15 | Yes (active BAA required) |
| Total · solo practice | — | $80-$150/mo | — |
30 min. Replace consumer email and video. Anything sent from yourname@gmail.com that pairs a client's name with an appointment is PHI sitting with a vendor that has no BAA with you: an impermissible disclosure, which HIPAA presumes to be a breach. Upgrade to Google Workspace + BAA, Paubox, or Hushmail. Same for Zoom: switch to Zoom for Healthcare or use your EHR's telehealth.
45 min. Build a BAA folder. A Drive folder works. Save the signed BAA from your EHR, email host, telehealth, scheduling, billing service, and cloud backup. A "HIPAA compliant" badge on a vendor's website is not a BAA; you need the signed document in the vendor's name. If a vendor cannot give you a BAA, you cannot legally let it hold your PHI: move the data or drop the vendor.
20 min. Notice of Privacy Practices. Most EHRs include it in the intake flow. If yours doesn't, use the HHS model NPP at hhs.gov. Every new client signs an acknowledgment that they received it, and you keep that acknowledgment on file.
20 min. Turn on MFA for your EHR · email · cloud storage · password manager. Use an authenticator app (Authy · 1Password) rather than SMS wherever the vendor allows it.
10 min. Turn on full-disk encryption. Mac: System Settings → Privacy & Security → FileVault → On. Windows: Settings → Privacy & security → Device encryption (or BitLocker) → On. iPhone: a 6+ digit passcode turns on built-in data protection. Store the recovery key somewhere other than the laptop itself (your password manager). This converts a stolen laptop from "reportable HIPAA breach" to "stolen laptop", because encrypted PHI is not "unsecured PHI" under the breach notification rule (the HHS encryption safe harbor), provided the device was encrypted and locked when it went missing.
45 min. Do a Security Risk Analysis (SRA). Required by the HIPAA Security Rule, and the finding OCR cites most often in settlements. For a solo practice a short document is defensible as long as it lists where PHI lives (EHR, email, laptops, NOAH workstation, phone), the threats to each, and what you did about them. Free HHS interactive tool: the SRA Tool at healthit.gov. Review it at least once a year and whenever you add or replace a vendor.
| Pattern | Typical fine range | How to avoid |
|---|---|---|
| 1. Texting clients from a personal phone | $25K-$100K | Spruce, OhMD, or EHR portal |
| 2. Sending PHI from Gmail (not Workspace + BAA) | $50K-$250K | Workspace + BAA, Paubox, or Hushmail |
| 3. Consumer Zoom or FaceTime for telehealth | $50K-$150K | Zoom for Healthcare or Doxy.me or EHR telehealth |
| 4. No Notice of Privacy Practices on file | $10K-$50K | HHS template + EHR intake flow |
| 5. Lost / stolen unencrypted laptop with PHI | $50K-$300K | FileVault / BitLocker · 10 min one-time |
| Category | Vendor | BAA process |
|---|---|---|
| Email | Google Workspace | Self-serve in admin console · MUST sign actively |
| Email | Paubox | Auto with subscription · encrypts outbound by default |
| Email | Hushmail for Healthcare | Auto with subscription · cheap solo tier |
| Telehealth | Doxy.me | Auto with any tier · including free |
| Telehealth | Zoom for Healthcare | Active BAA setup required · consumer Zoom is NOT compliant |
| Texting | Spruce | Auto with subscription · HIPAA-eligible 2-way SMS |
| Cloud storage | Google Workspace Drive | Auto if Workspace BAA signed · personal Drive is NOT |
| Cloud storage | Dropbox HIPAA | Auto with Business plan + BAA · sign actively |
SideGuy is a one-operator AI + SEO + compliance shop in Encinitas, CA. For private-practice audiologists:
| Tier | Price | What |
|---|---|---|
| SideGuy Hour | $150 one-time | One hour, async-friendly · walk your stack · 2-3 gaps that matter · written one-page fix-list |
| Operator Audit | $250 one-time | 3-5 day signal-quality audit · full setup · written PDF + 30-min walkthrough |
| Practice Compliance Sprint | $2,000 one-time | 10 days · audit + cleanup + missing-document drafts + vendor migrations + re-usable annual SRA |
Yes if you bill insurance electronically (Medicare, Medi-Cal, commercial, VA), use any practice-management software (Sycle, CounselEAR, Blueprint), maintain NOAH databases for hearing-aid programming, use cloud-connected manufacturer portals, or offer tele-audiology. A cash-only, paper-only audiology practice that sells only out-of-warranty hearing aids may technically fall outside scope, but virtually no modern NCSD audiology practice operates that way in 2026.
~$80-150/month total: HIPAA-eligible EHR + HIPAA-eligible email + signed BAAs. Add telehealth tier if you do telehealth.
Texting clients from a personal phone, sending PHI from non-Workspace Gmail, and consumer Zoom for telehealth. OCR fines $25K-$250K.
Yes. Free HHS template. Most EHRs auto-generate one. Every new client signs that they received it.
A contract with any vendor that creates, receives, stores, or transmits your PHI, in which the vendor agrees to safeguard it and report breaches to you. If a vendor cannot provide one, you cannot legally let it hold PHI for you.
Yes. The HHS OCR breach portal publicly lists the practice name, breach date, type, and number of individuals affected for every breach of 500 or more records. Settlement dollar amounts are published separately in OCR's resolution agreements and civil money penalty notices, which are also public.
Yes: CMIA, CA AB-2013 AI disclosure, CCPA if you meet its thresholds (medical information already governed by CMIA or HIPAA is exempt from CCPA, but other data you collect, such as marketing leads, is not), and California Speech-Language Pathology & Audiology Board (SLPAB) record-keeping rules. California SLPAB requires 7-year minimum record retention for audiology records. Pediatric audiology has parallel FERPA implications for school-contracted assessments under IDEA. CA AB-1252 (telehealth audiology) clarified that virtual hearing screenings and consultations are reimbursable across compact-state lines.
Only with a signed BAA from the AI vendor. Anthropic offers BAAs for Claude Enterprise, OpenAI for ChatGPT Enterprise, and Google for Gemini through Workspace. Free / consumer tiers do NOT come with BAAs, so never paste PHI into a chat on a personal login. Even with a BAA, confirm in the admin settings that your data is excluded from model training and check the retention period, and list the AI tool in your SRA like any other vendor.
Not legal advice. Operator-grade reference written by working SEO/AI operators in Encinitas, CA. Not attorneys. For licensure-specific or breach-specific questions consult a healthcare attorney. HHS OCR is the federal HIPAA enforcement authority. California enforces CMIA + state-board rules.