HIPAA done by people who have actually faced an OCR audit
We build HIPAA Security Rule and Privacy Rule programs for healthcare and HealthTech companies. Risk assessments that auditors accept, BAA management that survives M&A, breach response that meets the 60-day clock, and ongoing program ownership that does not rot the moment we leave. NIST 800-66 aligned, audit-ready, no template padding.
Who we work with
- Covered Entities. Hospitals, clinics, dental practices, telemedicine providers, behavioral health, ambulatory surgical centers.
- Business Associates. HealthTech SaaS, billing companies, EHR vendors, AI clinical-decision-support, claims processors, marketing agencies handling PHI.
- Healthcare-adjacent investors and acquirers. Due diligence on HIPAA posture before transactions; remediation plans baked into purchase agreements.
- Health-plan administrators and self-insured employers running internal health programs.
What we deliver
- Security Risk Assessment (SRA). NIST 800-66 aligned, organization-specific, with PHI flow mapping, system-by-system control evaluation, and a documented Risk Management Plan.
- Policy library. Written, signed, version-controlled. Privacy, Security, Breach Notification, Workforce Sanction, Information Access Management, Contingency Plan, Audit Controls, Device & Media Controls.
- Business Associate Agreement (BAA) program. Inventory of every vendor touching PHI, BAA negotiation, BAA tracking, vendor risk reviews on inbound questionnaires.
- Breach response readiness. Tabletop exercises, written breach-notification procedure, 60-day clock management, OCR notification preparation.
- Workforce training. Role-based, documented per-employee, refreshed annually with attestations stored for audit production.
- OCR audit defense. When you receive an OCR investigation letter, we assemble the documentation OCR has requested, draft the responses, and coordinate with your privacy counsel.
- Ongoing program ownership. Quarterly access reviews, annual SRA refresh, BAA renewals. The routine that keeps a real program from rotting.
Where most HIPAA programs actually fail
- Risk assessment is too generic. A template that does not name your specific systems, vendors, and PHI workflows is not a Security Risk Assessment.
- BAAs are missing or stale. Especially with cloud vendors that swapped legal entities, were acquired, or quietly changed terms.
- Audit logs not actually reviewed. The Security Rule's information system activity review standard requires regular review of audit logs, access reports, and security incident reports. Most organizations enable logging, never look at it, and have no record that anyone did.
- Workforce training that nobody completed. A SCORM course in your LMS does not satisfy HIPAA without per-employee completion records.
- Encryption claims that fail inspection. “All data is encrypted” is not a control statement. OCR wants the algorithm, the key management practice, and the test that proves it.
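To make the audit-log point concrete, here is an added example of what a minimal periodic review looks like. It is illustration code written for this page, not our tooling and not any EHR vendor's; the log format, the on-call and terminated-user lists, the business-hours window, the volume threshold and the sample records are all constructed. It reads PHI access events and flags the three things a reviewer checks first: access outside business hours by someone not on call, activity on an account that should have been disabled at termination, and a user touching an unusual number of distinct patients in one day.

```python
"""Minimal PHI audit-log review (constructed example, not the page's own code).

Log schema assumed here: timestamp,user,patient_id,action,source_ip.
Real systems emit their own schema; adapt parse_log() accordingly.
"""
from collections import defaultdict
from datetime import date, datetime, time
from typing import Dict, List, Set, Tuple

# Constructed sample events. billing.c exports a record at night and then
# views six patients in one morning; nurse.a views a record at 02:07;
# termed.user is still active after termination; dr.b is on call.
SAMPLE_LOG = """\
2024-03-04T09:12:33,nurse.a,PT-1001,view,10.0.4.21
2024-03-04T09:15:02,nurse.a,PT-1002,view,10.0.4.21
2024-03-04T22:30:00,dr.b,PT-1001,update,10.0.4.30
2024-03-04T23:41:10,billing.c,PT-2044,export,10.0.9.7
2024-03-05T02:07:44,nurse.a,PT-3300,view,10.0.4.21
2024-03-05T11:00:00,termed.user,PT-1002,view,10.0.9.9
2024-03-05T11:01:00,billing.c,PT-2045,view,10.0.9.7
2024-03-05T11:02:00,billing.c,PT-2046,view,10.0.9.7
2024-03-05T11:03:00,billing.c,PT-2047,view,10.0.9.7
2024-03-05T11:04:00,billing.c,PT-2048,view,10.0.9.7
2024-03-05T11:05:00,billing.c,PT-2049,view,10.0.9.7
2024-03-05T11:06:00,billing.c,PT-2050,view,10.0.9.7
"""

# Constructed reference data a real review would pull from HR and scheduling.
ON_CALL: Set[str] = {"dr.b"}
TERMINATED: Dict[str, date] = {"termed.user": date(2024, 3, 1)}

Finding = Tuple[str, str, str]  # (rule, user, detail)


def parse_log(text: str) -> List[dict]:
    """Parse the constructed CSV-style log into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, patient, action, ip = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "action": action, "ip": ip})
    return events


def review(events: List[dict], on_call: Set[str], terminated: Dict[str, date],
           hours: Tuple[time, time] = (time(7), time(19)),
           volume_threshold: int = 5) -> List[Finding]:
    """Return findings for after-hours, terminated-account and high-volume access."""
    findings: List[Finding] = []
    start, end = hours
    per_user_day = defaultdict(set)  # (user, day) -> distinct patients

    for e in events:
        user, when = e["user"], e["ts"]
        detail = f"{e['action']} {e['patient']} at {when.isoformat()} from {e['ip']}"

        # Rule 1: access outside the business-hours window by a user not on call.
        if not (start <= when.time() < end) and user not in on_call:
            findings.append(("after_hours", user, detail))

        # Rule 2: any activity on or after the user's termination date means
        # the account was not disabled; this is what quarterly access reviews catch.
        term = terminated.get(user)
        if term is not None and when.date() >= term:
            findings.append(("terminated_account", user, detail))

        per_user_day[(user, when.date())].add(e["patient"])

    # Rule 3: one user touching more distinct patients in a day than the role warrants.
    for (user, day), patients in sorted(per_user_day.items()):
        if len(patients) > volume_threshold:
            findings.append(("high_volume", user,
                             f"{len(patients)} distinct patients on {day}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review(parse_log(SAMPLE_LOG), ON_CALL, TERMINATED):
        print(f"{rule:20} {user:12} {detail}")
```

The output of a run like this is only half of the evidence. Store each review's findings, the reviewer's name and date, and the disposition of every finding; that signed record is what demonstrates the review actually happened when the logs are requested.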
Engagement structures
- Initial HIPAA build-out. 8 to 14 weeks. SRA, policy library, BAA program, training, breach plan. Typical fee: $40K to $120K depending on org size and PHI complexity.
- SRA only. Annual Security Risk Assessment refresh, NIST 800-66 aligned. 4 to 6 weeks. Fee: $15K to $35K.
- Ongoing program ownership. Monthly retainer covering access reviews, BAA management, training tracking, audit log oversight. Pairs with our vCISO engagement.
- OCR investigation defense. Hourly with milestone caps; coordinated with your privacy counsel.
- M&A due diligence. 2 to 3 week scoped review for investors and acquirers. Fixed fee.
Related
- Cybersecurity compliance & GRC services, multi-framework GRC
- vCISO services, executive ownership for healthcare programs
- Cybersecurity for Healthcare, vertical engagement model