New Hampshire · HIPAA Infrastructure for Clinical Healthcare Operators

Operator-built HIPAA infrastructure for clinical healthcare operators.

Designed by a graduate cybersecurity professor. Engineered for a New Hampshire-licensed home health agency. Now available to peer clinical operators across the state.

Most HIPAA infrastructure is sold by IT firms that have never operated under HIPAA. We are not one of them. NH Care Center, LLC — a licensed home health agency operating under He-P 809 and RSA 151 — is run by the same person who designs and deploys the infrastructure stack you would buy from GraniteVector. The Security Rule is not a marketing claim here. It is the operational reality we live under every day.

No pitch. No slide deck. If we're not the right fit, we'll say so on the call and tell you who is.

Blueprint for a Compliant Agency — Field Notes No. 01 cover
Field Notes No. 01 · Now available

How a New Hampshire home health agency turned an underused Microsoft 365 Business Premium tenant into a HIPAA-aligned, He-P 809-ready IT environment.

Ten pages. Full network topology. Every HIPAA Security Rule control mapped to a specific implementation. Every He-P 809 operational duty tied to an inspectable artifact. The actual production stack we run at NH Care Center, documented for peer clinical operators who want to copy it.

Read the Blueprint
The position

Three positions, one operator.

To our knowledge, only one operator in New Hampshire occupies all three of these positions at the same time.

Graduate Faculty

Teaches the regulation.

Aneesh Thatal teaches graduate-level cybersecurity and health informatics at New England College and Manchester Community College — HIPAA Security Rule, HITECH, ONC certification, MACRA/MIPS, and clinical data governance — to working professionals in the field. M.S. Computer Information Systems, Magna Cum Laude.

Clinical Licensee

Operates under it.

Co-owner and operator of NH Care Center, LLC — a New Hampshire-licensed home health agency under He-P 809 and RSA 151. A clinically licensed entity that must satisfy HIPAA in actual patient workflows, sign the documents, and absorb the audit exposure.

Infrastructure Architect

Builds the stack.

Designer and deployer of the full HIPAA Security Rule stack now running at NH Care Center: Microsoft 365, Entra hybrid identity, Intune, Conditional Access, Defender, BitLocker, LAPS, ASR, Purview DLP, sensitivity labels, Exchange transport rules with OME, NPS/RADIUS PEAP, UniFi zone-based firewall, Control D under BAA.

The category exists because no one else fills it.

Three industries pretend to address HIPAA for small clinical healthcare operators. None of them stand where the operator stands.

The IT firms selling “HIPAA-compliant managed services” have rarely, if ever, operated under HIPAA themselves. The compliance consultants writing the policies have rarely, if ever, configured a Conditional Access policy or a transport rule. The academic experts teaching the regulation almost never build the stack or carry the audit risk.

GraniteVector exists because one operator does all three. The reference architecture is documented. The trade-offs are honest, because they were made on our own licensed operation first. The buyer is not buying compliance theater. The buyer is buying the actual stack a licensed clinical operator runs.

Engagement

The Reference Stack — three tiers.

We design, build, and document the HIPAA Security Rule infrastructure stack for production clinical healthcare operations. Three engagement tiers, scoped to your operation.

Single Site

Reference Stack — Single Site

Hardware at cost · co-management optional

For one clinical office, up to ~25 endpoints. The same architecture running at NH Care Center, replicated and adapted for your operation. Identity, endpoint, network, data, communications, retention, and access — built and documented.

Read the Reference Architecture
Custom

Custom Clinical Architecture

Custom

Priced after architecture review · review fee credited against build

For operators outside the reference profile — behavioral health groups, ambulatory surgical centers, multi-line clinical entities, FQHC-adjacent operators.

Schedule architecture review

Every engagement is anchored to the published NH Care Center Reference Architecture. Every deliverable is documented and portable. Co-management retainer optional after deployment; 30-day exit clause on every retainer.

A second product line — for smaller clinical operators

Foundation — HIPAA baseline for 3–10 person clinical operations.

Not every clinical operator needs the full Reference Stack on day one. If you're early in growth, under ten employees, or operating from a single office with a small footprint, Foundation gets you to a defensible HIPAA Security Rule baseline without architect-tier scope — or architect-tier cost.

What you get

  • Microsoft 365 Business Premium activation — Intune baseline, MFA enforced via Conditional Access, Defender for Business onboarded
  • BitLocker encryption on every endpoint, recovery keys escrowed
  • Purview Unified Audit Log enabled with baseline retention
  • SharePoint and OneDrive hardened against external sharing
  • Tested backup
  • BAA inventory documented
  • 4–6 page configuration runbook
  • Two weeks of post-handoff support included

What's deliberately not included

Hybrid Entra identity, custom Conditional Access policy design, NPS/RADIUS 802.1X, UniFi Zone-Based Firewall, custom DLP, the full He-P 809 operational artifact set. Those live in the Reference Stack — and you can graduate to it when your operation grows.

Starting at $10k
Hardware at cost · 2–3 weeks · final scope confirmed before signature
Book a Foundation scoping call

Our commitments

Six commitments. In writing. Every engagement.

Not marketing. These are in every proposal and on every SOW we sign.

01

30-day exit clause, always

Month-to-month retainers, no multi-year lock-in, no auto-renewing traps. If we stop delivering value, you can leave. That's the clause on every engagement we sign.

02

Written SLA, measurable

Response time, resolution targets, and escalation path in writing. Missed the SLA? Service credit applies automatically. You shouldn't have to chase us to hold us accountable.

03

Your data stays yours

Everything we configure is documented and portable. If you ever leave, you walk away with the credentials, the diagrams, and the runbook. No vendor hostage-taking.

04

No kickback, no pass-through

We don't take commissions, referral fees, or rebates from hardware or software vendors. Our recommendation is the best fit for you — not the best margin for us.

05

Quarterly business review

Every 90 days: written posture assessment, what we did, what we found, what's next. You see the roadmap before we do the work. No surprises on the invoice.

06

We'll tell you if we're wrong for you

On the discovery call. Early. Honestly. We'll often recommend someone better suited — including competitors — when the fit isn't right. Losing a deal we shouldn't have won isn't a loss.

Straight answers

Common questions, honest answers.

We're a small team. Are we too small for you?

No — small is where we start. Foundation is built specifically for 3–10 person clinical operations. Reference Stack engagements scale up from there. You have the same regulatory and audit obligations as a larger organization with a fraction of the staff and budget.

How is this different from a regular MSP?

A regular MSP sells managed services. We sell the deployment of a documented reference architecture that is currently running inside a licensed clinical operation the founder co-owns and operates. After the build, an optional co-management retainer keeps the stack maintained. The work is sold as an architecture engagement, not a per-seat MSP contract — because the value is in the architecture, not the helpdesk.

Are you "HIPAA-compliant" yourselves?

We don't claim HIPAA compliance as a marketing label — compliance is a legal status that belongs to covered entities and their business associates, not to a vendor's marketing page. What we can say is that NH Care Center, the licensed home health agency the founder co-owns and operates, runs under the HIPAA Security Rule, He-P 809, and RSA 151 — and the infrastructure stack at NHCC is the same one we deploy for you. We sell infrastructure that meets the Security Rule's technical safeguards. We don't sell compliance programs, policy templates, or attestations. That's a different practice and a different liability.

How do you keep costs predictable?

We're vendor-neutral and budget-honest. Where an open-source or self-hosted platform meets the requirement, we use it and skip the per-seat licensing tax. Where commercial or enterprise tooling is genuinely better for your case, we specify that and tell you why. No pass-through vendor markups, no hidden rebates, no pressure to buy what you don't need. Hardware is at cost. You pay for our expertise and the hardware — not a middleman.

Can we use the tools we already have, or do you force a specific stack?

We meet you where you are. If your team already runs specific firewalls, hypervisors, EDR, or cloud providers, we work with them — and we'll tell you candidly whether they fit or should be migrated. The only thing we require is something defensible under audit and something we can document and hand back to you if you ever leave.

What's the contract like?

Reference Stack and Foundation are fixed-fee engagements with scope locked before signature. Optional co-management retainers after deployment carry a written SLA and a 30-day cancellation clause from either side. No multi-year lock-in, no auto-renewing traps, no early-termination fees. If we stop delivering value, you should be able to leave. So that's how we wrote it.

Do you work with non-healthcare clients?

Yes. Clinical healthcare is our deepest specialty — the Reference Stack and the Blueprint case study are built specifically for clinical operators under HIPAA and He-P 809. But the same infrastructure discipline serves law firms, accounting practices, financial advisors, nonprofits, education, and other regulated SMBs with real audit, insurance, or PII obligations. Those engagements are scoped individually rather than fitting the three published tiers above — reach out and we'll tell you straight whether the fit is right.

What's the difference between Foundation and the Reference Stack?

Foundation is a productized HIPAA baseline for 3–10 person clinical operators who need defensible posture but not full architecture — flat fee, fixed scope, 2–3 week build. The Reference Stack is an architect-tier engagement for production clinical operations of 10+ employees or multi-site footprints, with full HIPAA Security Rule and He-P 809 mapping. Foundation is the on-ramp; the Reference Stack is the destination. A Foundation client who grows into multi-site operations can graduate.

Why no rate card beyond what's published?

The Reference Stack tiers and Foundation are published above. Hardware is pass-through at cost. The architecture review for custom engagements is priced after scope is defined. The pricing is firm — there is no haggling tier, no negotiated discount, no bundle pricing. The work is anchored to a documented reference architecture, not a service catalog, and discounting the work would discount the architecture.

Next step

Start with the Blueprint.

Read the ten-page case study of the production HIPAA infrastructure running at NH Care Center. If the architecture fits your operation, the next step is a 30-minute call.

100% free · No obligation · Straight answers only