HIPAA done by people who have actually faced an OCR audit
We build HIPAA Security Rule and Privacy Rule programs for healthcare and HealthTech companies — risk assessments that auditors accept, BAA management that survives M&A, breach response that meets the 60-day clock, and ongoing program ownership that does not rot the moment we leave. NIST 800-66 aligned, audit-ready, no template padding.
For a working overview of what HIPAA actually requires, see our HIPAA compliance checklist blog post.
Who we work with
- Covered Entities. Hospitals, clinics, dental practices, telemedicine providers, behavioral health, ambulatory surgical centers.
- Business Associates. HealthTech SaaS, billing companies, EHR vendors, AI clinical-decision-support, claims processors, marketing agencies handling PHI.
- Healthcare-adjacent investors and acquirers. Due diligence on HIPAA posture before transactions; remediation plans baked into purchase agreements.
- Health-plan administrators and self-insured employers running internal health programs.
What we deliver
- Security Risk Assessment (SRA). NIST 800-66 aligned, organization-specific, with PHI flow mapping, system-by-system control evaluation, and a documented Risk Management Plan.
- Policy library. Written, signed, version-controlled — Privacy, Security, Breach Notification, Workforce Sanction, Information Access Management, Contingency Plan, Audit Controls, Device & Media Controls.
- Business Associate Agreement (BAA) program. Inventory of every vendor touching PHI, BAA negotiation, BAA tracking, vendor risk reviews on inbound questionnaires.
- Breach response readiness. Tabletop exercises, written breach-notification procedure, 60-day clock management, OCR notification preparation.
- Workforce training. Role-based, documented per-employee, refreshed annually with attestations stored for audit production.
- OCR audit defense. When you receive an OCR investigation letter, we assemble the documentation that answers its data request, draft the written responses, and coordinate with your counsel.
- Ongoing program ownership. Quarterly access reviews, annual SRA refresh, BAA renewals — the routine that keeps a real program from rotting.
Where most HIPAA programs actually fail
- Risk assessment is too generic. A template that does not name your specific systems, vendors, and PHI workflows is not a Security Risk Assessment. OCR expects each PHI flow mapped to the systems that carry it, and each system mapped to the controls that protect it.
- BAAs are missing or stale. Especially with cloud vendors that swapped legal entities, were acquired, or quietly changed terms. We routinely find active BAA rosters that do not match the actual vendor list by 30-40%.
- Audit logs not actually reviewed. The Security Rule requires regular review. Most organizations enable logging and never look at it. OCR will ask for evidence.
- Workforce training that nobody completed. A SCORM course in your LMS does not satisfy HIPAA without per-employee completion records.
- Encryption claims that fail inspection. "All data is encrypted" is not a control statement. OCR wants the algorithm, the key management practice, and the test that proves it.
Engagement structures
- Initial HIPAA build-out. 8-14 weeks. SRA, policy library, BAA program, training, breach plan. Ends with you HIPAA-ready and OCR-defensible. Typical fee: $40K–$120K depending on org size and PHI complexity.
- SRA only. Annual Security Risk Assessment refresh, NIST 800-66 aligned. 4-6 weeks. Fee: $15K–$35K.
- Ongoing program ownership. Monthly retainer covering access reviews, BAA management, training tracking, audit log oversight. Pairs with our vCISO engagement.
- OCR investigation defense. Hourly with milestone caps; coordinated with your privacy counsel.
- M&A due diligence. 2-3 week scoped review for investors and acquirers. Fixed fee.
What we will not do
- Sell you HIPAA-in-a-box SaaS as a substitute for a real program
- Sign off on a Security Risk Assessment without doing it ourselves
- Take a healthcare client where the right answer is "stop processing PHI in this system" and pretend otherwise
- Hand the engagement to junior staff once the initial consultation is over
Available as referral or white-label
We deliver HIPAA programs directly, sub-contract for healthcare-focused MSPs and MSSPs whose clients need a HIPAA specialist, and partner with privacy counsel and HealthTech investors on M&A due diligence. Compensation terms negotiable per relationship.
Related
- Cybersecurity compliance & GRC services — multi-framework GRC
- vCISO services — executive ownership for healthcare programs
- HIPAA compliance checklist (blog)