Meet all HIPAA Security Rule, Privacy Rule, and Breach Notification Rule obligations, ensuring Protected Health Information (PHI) remains protected across your covered entity or business associate organisation.
HIPAA compliance requires administrative, physical, and technical safeguards for electronic PHI (ePHI) and documented proof that they work. The HHS Office for Civil Rights has levied over $130M in penalties since 2016. Our programme is designed to produce the documented evidence that OCR investigators look for: a completed Security Risk Analysis, documented risk treatment, trained workforce, and a tested breach notification procedure.
Complete the mandatory SRA per 45 CFR 164.308(a)(1)(ii)(A), identifying and assessing risks to ePHI across all systems.
Review, remediate, and track Business Associate Agreements (BAAs) with every vendor handling PHI per 45 CFR 164.502(e) and 164.314(a)(2).
Assess access controls, audit logging, automatic logoff, ePHI encryption, and integrity controls per 45 CFR 164.312.
Assess workforce security, information access management, training, contingency planning, and evaluation per 45 CFR 164.308.
Assess facility access controls, workstation security, and device/media controls per 45 CFR 164.310 across all ePHI locations.
Implement 60-day breach notification to HHS and affected individuals per 45 CFR 164.408, including the thresholds that trigger media notification.
Implement ePHI encryption at rest and in transit per 45 CFR 164.312(a)(2)(iv) and 164.312(e)(1) across all systems and backups.
Deploy role-based access control (RBAC), unique user IDs, emergency access procedures, and automatic logoff per 45 CFR 164.312(a)(1) for all ePHI systems.
Implement audit logging per 45 CFR 164.312(b) covering login events, PHI access, modifications, and disclosures with tamper-resistant storage.
Deploy role-based HIPAA training per 45 CFR 164.308(a)(5) covering PHI handling, security awareness, and sanctions for violations.
Develop and test contingency plans per 45 CFR 164.308(a)(7) including data backup, disaster recovery (DR), emergency mode operations, and testing procedures.
Implement disposal and reuse policies per 45 CFR 164.310(d) for electronic media containing ePHI, including data wiping and accountability.
Update SRA per 45 CFR 164.308(a)(1)(ii)(A) reflecting new systems, changed environments, and emerging threats.
Ongoing BAA review and tracking per 45 CFR 164.314(a)(2), monitoring vendor compliance, renewals, and new vendor onboarding.
Annual security awareness refresher per 45 CFR 164.308(a)(5) with phishing simulation and scenario-based PHI handling drills.
Periodic tabletop exercises testing 60-day HHS notification per 45 CFR 164.408 with documented outcomes.
Annual review of HIPAA policies and procedures reflecting regulatory changes, OCR enforcement, and operational changes.
Maintain investigation-ready documentation: SRA results, risk treatment plans, training records, BAA inventory, and breach response evidence.
Healthcare providers (hospitals, clinics, physicians), health plans, and healthcare clearinghouses that create, receive, maintain, or transmit PHI must comply with all HIPAA Rules.
EHR vendors, telehealth platforms, healthcare data analytics companies, billing services, and any IT provider accessing PHI on behalf of a covered entity are HIPAA Business Associates.
AWS, Azure, GCP and other cloud providers serving healthcare customers execute BAAs, but SaaS companies built on those clouds that process PHI must still implement their own HIPAA controls.
A structured six-phase process from the mandatory Security Risk Analysis through to ongoing compliance maintenance and OCR investigation readiness.
Complete the mandatory SRA: threat, vulnerability, and risk assessment across all ePHI systems, identifying gaps and producing a prioritised risk treatment plan.
Implement administrative safeguards including workforce security, information access management, security awareness training, contingency planning, and evaluation programmes.
Deploy technical safeguards including access controls, audit logging, automatic logoff, ePHI encryption at rest and in transit, and integrity controls per HIPAA Technical Safeguard standards.
Implement physical safeguards covering facility access, workstation security, and device/media controls. Execute BAAs with all business associates handling PHI.
Establish breach notification procedures meeting 60-day HHS notification requirements, conduct workforce HIPAA training, and test incident response through tabletop exercises.
Annual SRA updates, BAA review and tracking, security awareness refreshers, breach notification drills, policy and procedure reviews, and OCR investigation readiness maintenance.