GemuCube Solutions

HIPAA-Compliant IT Infrastructure for MEDVA / Deel PH

MEDVA was onboarding U.S. healthcare staff with no compliance controls, no access audit trail, and credentials delivered via unencrypted email. We rebuilt the entire IT infrastructure to HIPAA standards in 60 days.


Adam Raymond Belda

IT Operations Director / Co-Founder

July 8, 2024

Client: MEDVA / Deel PH EOR Services

Industry: Healthcare Staffing (U.S.A.)

Duration: 16 months (fractional leadership)

Engagement: Fractional Leadership

The Compliance Exposure

MEDVA placed Philippine virtual assistants and clinical support staff with U.S. healthcare practices. Every staff member handled protected health information on behalf of U.S. clients — making HIPAA compliance not optional but legally required. The audit found: credentials delivered via Gmail, no Business Associate Agreements signed before system access was granted, no Multi-Factor Authentication on any company accounts, no documented offboarding procedure, and seven former staff still with active access to client-facing systems. Any single one of these would constitute a HIPAA violation if reported to the Office for Civil Rights.

The Infrastructure We Built

The rebuild followed a strict sequence: identity before access, access before data, data before compliance documentation.

Identity: every staff member was provisioned a Microsoft 365 account with a standardized naming convention, MFA enforced via Microsoft Authenticator, and a role assigned in Azure AD corresponding to their job function.

Access: Conditional Access policies were deployed — no access to company systems from unregistered devices, no access from outside the Philippines without VPN, legacy authentication protocols blocked at the tenant level.

Data: SharePoint folder structure rebuilt with role-based permissions — clinical staff accessed only client-facing folders, administrative staff accessed only operational folders, no shared drives with unrestricted access.

Compliance documentation: a 22-page HIPAA IT Controls document was written and approved, covering every control implemented and its legal basis under the HIPAA Security Rule.
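The three Conditional Access rules described above (compliant device only, no access from outside the Philippines except over the VPN, legacy authentication blocked), plus the MFA requirement, expressed as Microsoft Graph policy objects. This is an added example written for this page, not MEDVA's or GemuCube's tenant configuration. It assumes the Microsoft.Graph PowerShell SDK, a caller granted Policy.ReadWrite.ConditionalAccess, and an Intune compliance policy already in place; the break-glass group ID and the WireGuard egress range are placeholders. Every policy is created in report-only mode so it can be checked against real sign-ins before it is enforced.

```powershell
# Added example: Conditional Access policies matching the controls in the case study.
# Assumptions (not from the page): Microsoft.Graph SDK installed; placeholders below replaced.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"  # placeholder: emergency-access group excluded from every policy
$vpnEgressCidr     = "203.0.113.0/24"                         # placeholder (TEST-NET-3): replace with the WireGuard exit range

# Named location 1: the Philippines, matched by IP geolocation.
$ph = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Philippines"
    countriesAndRegions               = @("PH")
    includeUnknownCountriesAndRegions = $false
}

# Named location 2: the VPN egress range, so remote staff on the VPN are treated as in-country.
$vpn = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "WireGuard VPN egress"
    isTrusted     = $true
    ipRanges      = @(@{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = $vpnEgressCidr })
}

$allUsersExceptBreakGlass = @{ includeUsers = @("All"); excludeGroups = @($breakGlassGroupId) }
$allApps                  = @{ includeApplications = @("All") }

$policies = @(
    @{  # 1. Legacy protocols (Exchange ActiveSync, IMAP/POP/SMTP basic auth) cannot do MFA: block them tenant-wide.
        displayName   = "CA001 - Block legacy authentication"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users          = $allUsersExceptBreakGlass
            applications   = $allApps
            clientAppTypes = @("exchangeActiveSync", "other")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    },
    @{  # 2. Modern clients must present MFA AND an Intune-compliant device; an unregistered device never satisfies this.
        displayName   = "CA002 - Require MFA and compliant device"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users          = $allUsersExceptBreakGlass
            applications   = $allApps
            clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
        }
        grantControls = @{ operator = "AND"; builtInControls = @("mfa", "compliantDevice") }
    },
    @{  # 3. Block every sign-in whose source is neither the Philippines nor the VPN egress range.
        displayName   = "CA003 - Block outside PH unless on VPN"
        state         = "enabledForReportingButNotEnforced"
        conditions    = @{
            users          = $allUsersExceptBreakGlass
            applications   = $allApps
            clientAppTypes = @("all")
            locations      = @{ includeLocations = @("All"); excludeLocations = @($ph.Id, $vpn.Id) }
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    }
)

foreach ($p in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    Write-Host ("Created {0} ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}
```

Leave the policies in report-only for at least one full business cycle and review the sign-in log for entries that would have been blocked; only then change `state` to `enabled` with Update-MgIdentityConditionalAccessPolicy. The break-glass exclusion is what keeps an admin from being locked out by a geolocation or device-compliance mistake, so that group should contain only the emergency accounts and be monitored for sign-ins.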

The Compliance Review Result

The first internal HIPAA compliance review was conducted four months after implementation. The auditor reviewed access controls, authentication logs, data handling procedures, and the IT controls documentation. Finding: zero access-control deficiencies. The auditor specifically noted the SharePoint audit log — a tamper-evident record of every access grant and revocation with timestamps and approver identity — as the most comprehensive access control record she had reviewed in a Philippine-based operation. The review outcome was used by MEDVA's CEO to close three enterprise healthcare clients who had previously required compliance verification before signing.

The Results

Staff onboarding time: from 4.5 days to 6 hours

HIPAA compliance review findings: zero access-control deficiencies

Security incidents post-implementation: zero in 16 months

Enterprise clients closed post-compliance: 3 clients (previously blocked on compliance)

Offboarding time: from undefined to 15 minutes (automated)
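The audit finding of seven former staff with live access and the automated offboarding result above are two sides of the same control. The script below is an added example of what such an automated offboarding run can look like; it is not MEDVA's or GemuCube's script. It assumes the Microsoft.Graph PowerShell SDK, a caller granted User.ReadWrite.All, Group.ReadWrite.All and Directory.Read.All, and the design described on this page in which SharePoint permissions are granted only through directory groups, so that removing group memberships removes data access. The `$Upn`, `$Approver` and `$EvidenceLog` parameters are assumed inputs.

```powershell
# Added example: automated offboarding for an Entra ID / Microsoft 365 tenant.
# Assumptions (not from the page): Microsoft.Graph SDK installed; data access is group-based.
param(
    [Parameter(Mandatory)] [string] $Upn,         # account being offboarded, e.g. a.staff@example.com
    [Parameter(Mandatory)] [string] $Approver,    # who authorised the revocation (recorded with every step)
    [string] $EvidenceLog = ".\offboarding-evidence.csv"
)
Import-Module Microsoft.Graph.Users, Microsoft.Graph.Groups
Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All", "Directory.Read.All"

$user  = Get-MgUser -UserId $Upn -Property Id, DisplayName, AccountEnabled
$steps = [System.Collections.Generic.List[object]]::new()
function Record($step, $detail) {
    $steps.Add([pscustomobject]@{
        Timestamp = (Get-Date).ToUniversalTime().ToString("o")
        User      = $Upn
        Step      = $step
        Detail    = $detail
        Approver  = $Approver
    })
}

# 1. Disable the account first so no new tokens can be issued while the remaining steps run.
Update-MgUser -UserId $user.Id -AccountEnabled:$false
Record "disable-account" "AccountEnabled set to false"

# 2. Revoke refresh tokens and browser sessions; outstanding access tokens lapse at their normal lifetime.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null
Record "revoke-sessions" "refresh tokens and sign-in sessions revoked"

# 3. Rotate the password so the old credential is useless even if the account is later re-enabled by mistake.
$newPassword = -join ((48..57 + 65..90 + 97..122) | Get-Random -Count 24 | ForEach-Object { [char]$_ })
Update-MgUser -UserId $user.Id -PasswordProfile @{ Password = $newPassword; ForceChangePasswordNextSignIn = $true }
Record "rotate-password" "password replaced with a random value"

# 4. Remove every group membership: these groups carry the SharePoint role-based permissions.
$groups = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.group' }
foreach ($g in $groups) {
    Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id
    Record "remove-group" $g.AdditionalProperties.displayName
}

# 5. Verify the end state, then append the evidence rows for the compliance file.
$check = Get-MgUser -UserId $user.Id -Property AccountEnabled
if ($check.AccountEnabled) { throw "Offboarding failed: $Upn is still enabled" }
$steps | Export-Csv -Path $EvidenceLog -Append -NoTypeInformation
Write-Host ("Offboarded {0}: {1} steps recorded to {2}" -f $user.DisplayName, $steps.Count, $EvidenceLog)
```

The order matters: disabling the account and revoking sessions come before anything slower, so the window in which a departed user can still authenticate is seconds, not the minutes the group clean-up takes. The CSV is a convenience copy for the reviewer; the authoritative record of each grant and revocation remains the tenant's own audit log, which this script does not replace. Dynamic-membership groups cannot be edited with Remove-MgGroupMemberByRef and will drop the user automatically once the account is disabled, if their rule is written that way.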

Technology Stack

Microsoft 365, Azure AD / Entra ID, Microsoft Intune, WireGuard VPN, LastPass Teams, SharePoint, Zapier

Start a Similar Project

Ready to build this for your business?

Schedule a discovery call and we will map exactly what we would build for your specific situation — no generic proposals.