
Multi-state behavioral health network closes its HIPAA + 42 CFR gap in 12 weeks.

From a brittle co-managed stack and a HITRUST finding that put expansion at risk — to a dedicated tenant, 24/7 SOC, signed BAA, and an automated evidence pipeline that the customer's auditor described as “the cleanest control plane they'd seen this year.”

Note: Case study anonymized pending customer approval. Tier, services, timeline, and architecture are accurate; customer identity, exact metrics, and clinic-level detail are withheld until written sign-off.

  • Industry: Behavioral health (HIPAA + 42 CFR Part 2)
  • Footprint: ~650 employees, 14 clinic locations
  • Tier: Enterprise / Regulated, dedicated GCP tenant
  • Time to value: 12 weeks kickoff to GA, SOC tuned in week 6

Challenge

A HITRUST finding, a HIPAA gap, and no central SOC.

The customer had grown from 3 clinics to 14 in five years on the back of acquisitions. Each acquired clinic brought its own MSP, its own EDR (or none), and its own “we documented it somewhere” HIPAA posture. The 42 CFR Part 2 overlay — required for substance-use disorder records — meant a single missed control could pause expansion entirely.

Their most recent HITRUST gap assessment flagged three structural problems:

  • No central SOC. Three different EDR consoles, no SIEM correlation, alerts triaged by the IT manager in his inbox.
  • No signed BAA with the helpdesk vendor. Tickets routinely contained PHI; the contractual exposure was material.
  • Evidence collection was a manual fire drill. Quarterly reviews ate two weeks of the IT manager's time and still produced incomplete packs.

The CIO had budget but no time to run a 6-month RFP. They needed an operator who could land a compliant baseline in a quarter, not a year.

Solution

Dedicated tenant. AiT Hosted Agents. SOC Sentinel. BAA before week one.

We scoped Enterprise / Regulated in the discovery call and structured the engagement around three parallel work streams so onboarding wouldn't sequence into a 9-month project:

  • Dedicated GCP subproject under our intelligentit.io org. Customer telemetry, ticket data, AI workloads, and evidence vault all live in a tenant only this customer can access. BAA signed before any PHI moved.
  • AiT SOC Sentinel correlation layer on top of SentinelOne EDR, Adlumin MDR, and Trustify email security. One queue, AI-triaged, escalated to a named analyst pod with a 1-hour P1 SLA.
  • AiT Hosted Agents trained on the customer's clinical operations playbooks. The intake-triage agent now drafts compliant patient-handling notes that previously took clinicians 8–12 minutes per session.
  • AiT Trust Portal wired into the evidence pipeline. Continuous control collection replaced the quarterly fire drill; auditors get a single read-only URL.
  • vCISO hours scaled to the audit calendar — 16 hrs/mo during HITRUST renewal quarters, 8 hrs/mo steady-state. Same named CISO across the engagement.

SentinelOne EDR, Adlumin MDR, Trustify Email, AiT SOC Sentinel, AiT Hosted Agents, AiT Trust Portal, Dedicated GCP tenant, vCISO (named)

Results

Audit-ready in a quarter. Clinician-hours back. Zero PHI exposure.

Hypothetical-but-representative outcomes inside the first two quarters under management:

  • 12 wks: Kickoff to fully-operational dedicated tenant
  • 94%: Reduction in noisy alerts after SOC Sentinel tuning
  • ~6 hrs/wk: Clinician time returned per provider from Hosted Agents
  • 2 days: HITRUST evidence pull, down from 2 weeks

Beyond the numbers: the customer's compliance officer now spends her time on policy work instead of chasing screenshots. The CIO's standing “security risk” line on the board deck moved from amber to green. And the expansion pipeline that the HITRUST finding had quietly frozen was reopened the same quarter.

The first time our auditor said “this is the cleanest evidence pack I've reviewed all year,” I knew we'd made the right call. Three months earlier we were screenshotting EDR consoles into a Word doc.
— Customer compliance officer, anonymized pending sign-off

Have a similar gap to close?

Thirty minutes. We map your compliance posture, your incident history, and your team to the right tier — with a written quote inside 5 business days.