Mako Logics


Woodlands Family Psychiatry

HIPAA posture across multiple locations, nine clinicians, and clinical-trial data.

Multi-location psychiatric practice in Spring and Conroe. Mako runs the IT that keeps patient portals up, PHI protected, and clinical-trial infrastructure compliant.

The setup

Woodlands Family Psychiatry is a multi-location psychiatric practice serving Spring, The Woodlands, Conroe, and the surrounding Montgomery and Harris County area. The practice operates with nine clinicians, an EHR, a patient portal, integrated telehealth, and a clinical-trials infrastructure that participates in industry-sponsored research — meaning the IT environment has to satisfy both standard HIPAA Security Rule obligations and the additional controls that Contract Research Organizations (CROs) and trial sponsors require.

For a behavioral-health practice of this size, the IT bar is higher than most buyers of managed IT services realize. Patients in this specialty are especially sensitive to the confidentiality of their records, and clinical-trial participation adds an entirely separate audit surface on top of the normal healthcare-IT requirements.

What they were running into

A growing multi-location practice has a predictable set of IT pressures — all of which are amplified in psychiatry. Clinicians move between sites and need consistent, secure access to the EHR from every location. Patient portals have to stay up and responsive, because the downstream effect of portal downtime is a flood of phone calls to front-desk staff who are already managing intake. PHI has to be protected with controls that are not only implemented but documented well enough to survive a Business Associate Agreement (BAA) audit from a partner or a complaint-driven review from the Office for Civil Rights (OCR).

Layered on top: clinical-trials participation introduces CRO-level vendor-compliance expectations. Trial sponsors routinely ask whether the practice's IT environment meets their security baseline. The honest answer has to be yes — and the evidence package has to back it up.

What we did

HIPAA Security Rule fundamentals, actually implemented

Multi-factor authentication (MFA) across every system that touches PHI — the EHR, the patient portal's admin surface, the Microsoft 365 tenant, remote access, and every administrative portal. Full-disk encryption on every workstation and laptop. Immutable, off-site backup of the EHR, the document drives, and the mailboxes — with tested restores on a scheduled cadence, not a once-a-year afterthought.

Email security and phishing defense that actually catches things

DMARC enforcement on the practice's domain, not just DMARC monitoring. SPF and DKIM aligned. An anti-phishing and impersonation layer sized for a practice that gets continually targeted because the attackers know healthcare pays ransoms. External-sender banners so front-desk staff know when an email is from outside the practice. Scheduled phishing simulations with role-based training for the clinicians and staff who click.

Multi-location access that just works

Clinicians routinely work across sites and from home. The IT environment supports that without asking them to become system administrators. Secure remote access for legitimate clinical work, with conditional access policies so access from unexpected locations or devices requires additional verification.

Clinical-trial infrastructure and CRO-facing compliance

The trial-data environment is documented separately, with controls mapped to what CROs and sponsors expect. When a sponsor's monitoring team asks how patient trial data is segregated, encrypted, and backed up, the answer is ready — with evidence. The practice has closed trial-sponsor security reviews without the back-and-forth that usually chews up weeks.

Written policy and incident-response readiness

A written Security Rule policy, a named Security Officer, an incident-response plan tested at least annually, and a current BAA package with every vendor that touches PHI. Administrative, physical, and technical safeguards documented in the way OCR expects to see them documented.

What changed

The practice has grown from its original footprint into a multi-location, nine-clinician operation without IT becoming the bottleneck. Patient-portal uptime is stable; clinicians spend time on patients rather than on IT friction. Trial participation continues because the IT and compliance posture supports it. When BAA reviews and security questionnaires come in from partners or payers, they close cleanly.

And the specific incident the Security Rule exists to prevent — a preventable PHI incident caused by basic controls being absent — has not happened.

Why the partnership has lasted

A behavioral-health practice changes — more clinicians, more locations, more research participation, and the ever-evolving set of compliance obligations that come with all three. The right IT partner is one whose work grows with the practice instead of one that has to be replaced every time something shifts. Mako has been that partner across the practice's expansion. The result is an IT environment that behaves less like a cost center and more like a quiet piece of the clinical infrastructure.

Want a similar story for your business?

Twenty minutes with a real person. No pitch deck.