Operator-honest answers from a working SEO/AI shop in Encinitas to the questions pediatricians & family medicine in Del Mar actually ask: when you have to be HIPAA compliant, what to fix this week, what it costs, and which mistakes the OCR fines the fastest. Medical Board of California (MBC) aligned. NCSD-local. No fluff, no scare tactics, no $5K "compliance package" upsell.
Short answer: yes, in 2026, almost certainly. If you bill insurance electronically, use any EHR, email or text clients, or use telehealth, you're a HIPAA Covered Entity. Cash-only paper-only practices in Del Mar are increasingly rare — most NCSD practices are inside HIPAA scope.
Pediatricians & Family Medicine-specific risk: Pediatric practices have the strictest HIPAA-COPPA-FERPA overlap: pediatric medical records have parental-access rules different from adult records, school physical / immunization records may bridge HIPAA + FERPA, and patient portals serving minors require parent-proxy authentication. Vaccine information sheets (VIS) and immunization-registry uploads (CAIR2 in CA) are routine PHI events.
Pediatric-specific HIPAA EHRs with BAAs: PCC Pediatric EHR (the gold standard for pediatrics), Office Practicum, ChartLogic, Athena Health, Epic, Cerner, eClinicalWorks. Most pediatric/family-med EHRs need 2-factor on the portal for parent-proxy access. CA-specific: CAIR2 (immunization registry) handles its own data-share authority.
What most solo and 2-3 clinician pediatric & family medicine practices in Del Mar actually run:
| Layer | Vendor (one of) | Cost / mo | BAA included? |
|---|---|---|---|
| EHR + Notes + Billing | See vendor cheatsheet | $49-$99 | Yes (auto on paid plans) |
| HIPAA Email | Paubox · Hushmail · Google Workspace + BAA | $10-$25 | Yes (Google = active BAA sign) |
| Telehealth (if used) | EHR-integrated · Doxy.me · Zoom for Healthcare | $0-$25 | Yes · NOT consumer Zoom |
| Texting | Spruce · OhMD · EHR portal | $15-$30 | Yes |
| Total · solo Del Mar practice | — | $80-$150/mo | — |
30 min. Upgrade to Google Workspace + BAA, Paubox, or Hushmail. Zoom: switch to Zoom for Healthcare or use EHR telehealth.
45 min. EHR · email · telehealth · scheduling · billing · cloud backup. No BAA = vendor cannot legally hold PHI.
20 min. Most EHRs auto-include. HHS free template at hhs.gov/hipaa.
20 min. EHR · email · cloud · password manager. Authenticator app preferred over SMS.
10 min. Mac FileVault · iPhone 6+ digit passcode · BitLocker on Windows. OCR safe harbor.
45 min. Free HHS SRA tool · re-do annually. Solo practice = one page is defensible.
| Pattern | Fine range | Avoid |
|---|---|---|
| Texting from personal phone | $25K-$100K | Spruce · OhMD · EHR portal |
| PHI from non-Workspace Gmail | $50K-$250K | Workspace + BAA · Paubox · Hushmail |
| Consumer Zoom for telehealth | $50K-$150K | Zoom for Healthcare · Doxy.me · EHR telehealth |
| No Notice of Privacy Practices | $10K-$50K | HHS template · EHR intake |
| Lost unencrypted laptop with PHI | $50K-$300K | FileVault · BitLocker · 10 min one-time |
| Category | Vendor | BAA process |
|---|---|---|
| Google Workspace | Self-serve admin console · MUST sign actively | |
| Paubox | Auto · encrypts outbound | |
| Hushmail Healthcare | Auto · cheap solo tier | |
| Telehealth | Doxy.me | Auto · free tier available |
| Telehealth | Zoom for Healthcare | Active BAA setup · consumer Zoom NOT compliant |
| Texting | Spruce | Auto · HIPAA 2-way SMS |
| Cloud | Google Workspace Drive | Auto if Workspace BAA · personal Drive NOT |
Del Mar is a small, affluent coastal community with a dense cluster of wellness, mental-health, integrative-medicine, and aesthetic practices serving the Del Mar / Carmel Valley / Solana Beach corridor. Practices are mostly solo or boutique 2-3 clinician operations in mixed-use village buildings — the same coastal shared-building physical-safeguard considerations as Cardiff and Solana Beach apply.
Del Mar neighborhoods we serve practices in: Del Mar Village · Carmel Valley-adjacent · Del Mar Heights · The Beach Colony · Powerhouse Park · ZIP 92014
Most Del Mar pediatric & family medicine private practices fall under the same HIPAA + CMIA + Medical Board of California (MBC) stack. The Del Mar-local layer is mostly about physical safeguards — waiting-room privacy in mixed-use coastal buildings, shared HVAC/utilities with neighbor businesses, and coordinating BAA-eligible vendors who actually pick up the phone when you call from a 760-area-code line.
SideGuy operates out of Encinitas (next door) — we can do Del Mar-onsite compliance walkthroughs if needed, though 95% of practitioner-side HIPAA work is async/document-based and gets done faster over email + Zoom than in-person.
SideGuy is a one-operator AI + SEO + compliance shop in Encinitas, CA — next door to Del Mar.
| Tier | Price | What |
|---|---|---|
| SideGuy Hour | $150 | 1 hour async · walk your stack · one-page fix-list |
| Operator Audit | $250 | 3-5 day audit · written PDF · 30-min walkthrough |
| Practice Compliance Sprint | $2,000 | 10 days · audit + cleanup + drafts + migrations + annual SRA |
Yes if you bill insurance, use any EHR, send portal messages to parents, upload to immunization registries (CAIR2), email visit summaries, or offer telehealth. Pediatric practices have the added complexity of CA SB-1419 (minor confidentiality 12-17yr) and FERPA overlap on school physical / immunization records. The federal HIPAA + state CMIA + CA SB-1419 stack is non-negotiable for any active pediatric or family medicine practice.
Your Del Mar private practice operates under HIPAA + California CMIA + Medical Board of California (MBC). Del Mar is a small, affluent coastal community with a dense cluster of wellness, mental-health, integrative-medicine, and aesthetic practices serving the Del Mar / Carmel Valley / Solana Beach corridor. Practices are mostly solo or boutique 2-3 clinician operations in mixed-use village buildings — the same coastal shared-building physical-safeguard considerations as Cardiff and Solana Beach apply.
~$80-150/month total · EHR + email + signed BAAs · telehealth tier if used.
Yes. Free HHS template · most EHRs auto-generate · every new client signs receipt.
Yes — OCR enforces HIPAA federally against solo and small practices, not just hospitals. HHS OCR Breach Reports portal shows public enforcement.
Not legal advice. Operator-grade reference by working SEO/AI operators in Encinitas, CA · next door to Del Mar. Not attorneys. HHS OCR is the federal HIPAA authority. California enforces CMIA + Medical Board of California (MBC) state-board rules.