Case Study

HEALTHCARE

Keeping 40 Clinics Clinical-Ready

How Surya automated JML and endpoint lifecycle for a leading multi-site healthcare provider

Healthcare — Prosthetics & Orthotics·~40 patient-facing clinics across four Midwestern states·Rippling • Microsoft 365 E5 • Intune • Autopilot·HIPAA-aligned operations under signed BAA

About the Client

A leading prosthetics and orthotics provider operating roughly 40 patient-facing clinics across four Midwestern states. The organization serves amputees, pediatric patients, and post-surgical cases through a clinical workforce of prosthetists, orthotists, technicians, fitters, and front-desk staff — every one of whom needs a HIPAA-aligned device the moment they walk into a clinic for their first patient. Growth had been steady: new clinics opening, acquired practices folding in, and a constant churn of clinical hires across geographies. The internal IT team — small, centralized, and stretched — had become the bottleneck for every joiner, mover, and leaver event in the company.

The Challenge

Forty clinics across four states meant forty different shipping addresses, forty different local IT realities, and a clinical hiring cadence that did not wait for IT to catch up. The pain showed up in four places.

Joiners were arriving before their laptops did. New clinicians were sitting through paid orientation days waiting for hardware that was still being imaged at corporate, then shipped to a clinic that did not have a receiving desk. Patient schedules slipped because the device could not log into the EMR on day one.

Offboarding was leaking risk. When a clinician left, the device sometimes came back, sometimes did not, and the access revocation timeline depended entirely on whether the clinic manager remembered to file a ticket. Under a signed BAA, every missing device was a HIPAA exposure clock the organization could not afford to keep ticking.

Imaging was a single point of failure. One IT lead, building gold images by hand, was the entire provisioning capability. Any vacation, sick day, or surge in hiring blocked the whole pipeline. The Microsoft 365 E5 license entitlement was sitting unused because nobody had time to operationalize Intune and Autopilot at the clinic level.

Audit evidence was a fire drill. HIPAA BAA evidence — who had which device, when access was granted, when it was revoked, when the device was wiped — lived in a mix of spreadsheets, Rippling exports, and email threads. Pulling a clean chain of custody for a single clinician took hours. Pulling it for forty clinics was not a serious exercise.

The Approach

Surya took over the full joiner-mover-leaver lifecycle as a managed service, tied directly to Rippling as the system of record. The Microsoft 365 E5 stack — Intune, Autopilot, Conditional Access, Defender — got operationalized end-to-end, with Surya as the named operator behind it.

The pipeline runs like this. A new clinician is hired in Rippling. The Rippling event fires into the Surya workflow, which selects the correct role-based persona (clinical, technical, front desk, leadership), pulls a pre-imaged device from RTP inventory, registers it to the customer's Autopilot tenant, kits it with the role-correct peripherals, and ships it directly to the clinic with the clinician's name on the box. The clinician opens the laptop on day one, signs in with their company credentials, and lands on a fully managed desktop with the EMR client, Microsoft 365 apps, and clinical tooling already deployed.

Movers — clinicians transferring between clinics, getting promoted, or changing roles — trigger an Intune persona swap rather than a device swap. Apps, access, and policy update in place. No re-imaging, no re-shipping, no downtime.

Leavers trigger the offboarding kit automatically. A pre-paid, tamper-evident return mailer dispatches to the clinic the same day the Rippling termination is recorded. Conditional Access cuts the user's session immediately. The device returns to RTP, is wiped to NIST 800-88, the wipe certificate is issued back to the customer's ITAM, and the chain of custody closes in the audit log.
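An added example, not Surya's or the customer's code: a check that the leaver sequence described above actually closed for each departing user, run over a constructed audit log. The step names, user IDs and timestamps are assumptions made for illustration.

```python
from datetime import datetime

# Step names are assumptions made for this example; they are not Rippling,
# Intune or Surya identifiers.
STEPS = ["termination_recorded", "session_revoked", "mailer_dispatched",
         "device_received", "device_wiped", "wipe_cert_issued", "custody_closed"]
# (earlier, later) pairs that must hold whenever both steps are present.
ORDER = [("termination_recorded", "session_revoked"),
         ("termination_recorded", "mailer_dispatched"),
         ("mailer_dispatched", "device_received"),
         ("device_received", "device_wiped"),
         ("device_wiped", "wipe_cert_issued"),
         ("wipe_cert_issued", "custody_closed")]

def audit_leaver(events):
    """Return the chain-of-custody gaps for one leaver's (step, iso_ts) events."""
    seen = {}
    for step, ts in events:
        t = datetime.fromisoformat(ts)
        # If a step is logged twice, keep its earliest timestamp.
        seen[step] = min(t, seen.get(step, t))
    gaps = [f"missing: {s}" for s in STEPS if s not in seen]
    for first, then in ORDER:
        if first in seen and then in seen and seen[then] < seen[first]:
            gaps.append(f"out of order: {then} before {first}")
    term, mailer = seen.get("termination_recorded"), seen.get("mailer_dispatched")
    # The case study says the mailer goes out the day the termination is recorded.
    if term and mailer and mailer.date() != term.date():
        gaps.append("late: mailer_dispatched not on termination day")
    return gaps

def audit_all(log):
    """Map each leaver with an open or inconsistent chain to its gaps."""
    return {user: gaps for user, ev in log.items() if (gaps := audit_leaver(ev))}

# Constructed sample log: one leaver whose chain closed cleanly, and one whose
# mailer went out a day late and whose device has not come back.
SAMPLE_LOG = {
    "leaver-001": [("termination_recorded", "2024-03-04T09:00"),
                   ("session_revoked", "2024-03-04T09:01"),
                   ("mailer_dispatched", "2024-03-04T15:30"),
                   ("device_received", "2024-03-11T10:00"),
                   ("device_wiped", "2024-03-11T13:00"),
                   ("wipe_cert_issued", "2024-03-11T13:05"),
                   ("custody_closed", "2024-03-11T13:10")],
    "leaver-002": [("termination_recorded", "2024-03-05T17:00"),
                   ("session_revoked", "2024-03-05T17:02"),
                   ("mailer_dispatched", "2024-03-06T08:00")],
}
```

Calling audit_all(SAMPLE_LOG) returns only the leavers whose chain is still open, which is the list an auditor or IT lead would follow up on.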

Behind the scenes, Surya maintains the gold images, runs the Intune configuration baselines against CIS benchmarks, manages the Autopilot enrollment groups, and holds a clinical change window for Windows updates so EMR access never breaks unexpectedly. The internal IT lead stopped being a single point of failure and started being a customer of the service.

Business Outcomes

Faster onboarding

Clinicians are productive on day one, with role-correct devices and apps waiting for them.

Reduced offboarding risk

Access is revoked and devices are recovered on a predictable timeline, closing the HIPAA exposure window.

Lower IT operating cost

Zero-touch provisioning removes manual imaging from the critical path for every new hire.

Audit-ready posture

A consistent, documented chain of custody across all ~40 clinics simplifies BAA and HIPAA evidence collection.
