HIPAA

HIPAA compliance the OCR would defend.

Administrative, physical, and technical safeguards implemented under the Security, Privacy, and Breach Notification Rules — for covered entities, business associates, and the SaaS platforms that serve them.

01 — Overview

HIPAA is not certifiable. There is no HIPAA report, no HIPAA certificate, and no auditor who can hand you a signed opinion. What exists instead is a body of federal regulation, enforced by the HHS Office for Civil Rights, that expects reasonable and appropriate safeguards — and expects you to be able to prove them.

We work with hospitals, telehealth providers, HealthTech platforms, clinical research organisations, and the vast supply chain of business associates that touch protected health information. Our engagements are built around one question: if OCR opened an investigation tomorrow, what would you hand them?

02 — Engagement

Our approach.

  1. I

    Data flow mapping & PHI inventory

    We identify every path PHI takes into, through, and out of your systems — including SaaS and sub-processors.

  2. II

    Security Rule risk analysis

    A defensible, documented risk analysis meeting §164.308(a)(1)(ii)(A) — the single most-cited HIPAA finding.

  3. III

    Safeguards implementation

    Administrative, physical, and technical safeguards designed and deployed against the identified risks.

  4. IV

    Privacy Rule & patient rights operationalisation

    Notice of Privacy Practices, minimum necessary rule, access, amendment, accounting of disclosures — as running processes.

  5. V

    Business Associate Agreements & vendor oversight

    BAA library, vendor risk program, and downstream flow-down obligations.

  6. VI

    Breach response playbook

    A tested, executable breach response process aligned to the sixty-day notification clock.

03 — Deliverables

What you receive.

  • PHI data flow diagrams and system inventory
  • Documented Security Rule risk analysis and risk management plan
  • Complete HIPAA policy suite (Security, Privacy, Breach)
  • Administrative, physical, and technical safeguards implementation
  • Notice of Privacy Practices and patient rights procedures
  • Business Associate Agreement library and BA due diligence
  • Workforce HIPAA training and sanction policy
  • Breach response playbook with sixty-day notification workflow
  • OCR audit readiness pack — the file you hand over on day one

04 — Timeline

Expected duration.

Twelve to twenty weeks for a first-time HIPAA program, driven by environment complexity and the maturity of your existing security controls. Clients with SOC 2 or ISO 27001 already in place typically complete a HIPAA overlay in eight to ten weeks.

Ready to begin?

A partner-led readiness call is complimentary. We'll scope your engagement inside forty-five minutes.

Schedule the call →

05 — FAQ

Common questions.

Are we a covered entity or a business associate?+

Covered entities are health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically. Business associates are third parties that create, receive, maintain, or transmit PHI on behalf of a covered entity. We help you make the determination in the first meeting.

Do we need HITRUST as well?+

HITRUST is not a HIPAA requirement, but it is often demanded by large payers and health systems as evidence of a HIPAA-aligned program. We support HITRUST certification where the commercial case exists.

What if we've already had a breach?+

Call our incident response line. We support clients through OCR notification, corrective action plans, and — where required — resolution agreements.

Does this cover state privacy laws too?+

Our HIPAA engagement covers federal HIPAA. State laws (California CMIA, Texas HB 300, and others) are handled as a Privacy Consulting overlay when they apply to your footprint.