HIPAA readiness.
The Security Rule has been settled law for two decades. Most of the violations the OCR pursues are still failures of documentation, not of technology: a missing or outdated risk analysis, policies that were never written down, training with no record. We build the documentation correctly the first time, so it holds up to scrutiny.
Who needs this
Covered entities (providers, payers, clearinghouses) and the business associates handling PHI on their behalf. The most common triggers are a hospital or insurer requiring a BAA before a contract goes live, a SaaS company onboarding its first healthcare customers, or a clinic working through an OCR investigation or a corrective action plan under a resolution agreement.
What's included
- Security Rule risk analysis (45 CFR §164.308(a)(1)(ii)(A)), the document the OCR asks for first
- Privacy Rule policy library (Notice of Privacy Practices, minimum necessary, access requests)
- Breach notification program and response runbook built around the 60-calendar-day notification deadline from discovery
- Business associate agreement template and counterparty review
- Workforce training program (initial and annual)
- Sanctions policy aligned with HHS guidance
- HIPAA-aligned tabletop exercise
What you get
- Risk analysis report. Asset inventory, threat catalog, likelihood and impact scoring, and a risk management plan.
- Policy library. 18 to 24 policies covering Security, Privacy, and Breach Notification Rules.
- BAA program. Template, review checklist, counterparty register.
- Audit-ready binder. Indexed for OCR. We organize evidence the way investigators expect to see it.
Common questions
What's the difference between HIPAA "compliance" and HIPAA certification?
HHS doesn't certify HIPAA compliance. There is no official certification body. What protects you is a defensible risk analysis, a current policy library, and evidence of training and remediation. We build the artifacts that hold up if the OCR ever opens an investigation.
Can you also do SOC 2?
Yes. SOC 2 plus HIPAA is a common combination for health-tech SaaS. We map overlapping controls so you do the work once.