HIPAA
Administrative, physical, and technical safeguards implemented under the Security, Privacy, and Breach Notification Rules — for covered entities, business associates, and the SaaS platforms that serve them.
01 — Overview
HIPAA is not certifiable. There is no HIPAA report, no HIPAA certificate, and no auditor who can hand you a signed opinion. What exists instead is a body of federal regulation, enforced by the HHS Office for Civil Rights, that expects reasonable and appropriate safeguards — and expects you to be able to prove them.
We work with hospitals, telehealth providers, HealthTech platforms, clinical research organisations, and the vast supply chain of business associates that touch protected health information. Our engagements are built around one question: if OCR opened an investigation tomorrow, what would you hand them?
02 — Engagement
We identify every path PHI takes into, through, and out of your systems — including SaaS and sub-processors.
A defensible, documented risk analysis meeting §164.308(a)(1)(ii)(A) — the single most-cited HIPAA finding.
Administrative, physical, and technical safeguards designed and deployed against the identified risks.
Notice of Privacy Practices, minimum necessary rule, access, amendment, accounting of disclosures — as running processes.
BAA library, vendor risk program, and downstream flow-down obligations.
A tested, executable breach response process aligned to the sixty-day notification clock.
03 — Deliverables
04 — Timeline
Twelve to twenty weeks for a first-time HIPAA program, driven by environment complexity and the maturity of your existing security controls. Clients with SOC 2 or ISO 27001 already in place typically complete a HIPAA overlay in eight to ten weeks.
Ready to begin?
A partner-led readiness call is complimentary. We'll scope your engagement inside forty-five minutes.
Schedule the call →05 — FAQ
Covered entities are health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically. Business associates are third parties that create, receive, maintain, or transmit PHI on behalf of a covered entity. We help you make the determination in the first meeting.
HITRUST is not a HIPAA requirement, but it is often demanded by large payers and health systems as evidence of a HIPAA-aligned program. We support HITRUST certification where the commercial case exists.
Call our incident response line. We support clients through OCR notification, corrective action plans, and — where required — resolution agreements.
Our HIPAA engagement covers federal HIPAA. State laws (California CMIA, Texas HB 300, and others) are handled as a Privacy Consulting overlay when they apply to your footprint.