Impact Risk Advisors delivers end-to-end HIPAA compliance services for covered entities and business associates - from mandatory HIPAA Security Risk Analysis (SRA) and safeguard implementation through policy development, workforce training, and continuous HIPAA monitoring. We help healthcare providers, health technology companies, and business associates build defensible HIPAA compliance programs that satisfy HHS Office for Civil Rights (OCR) requirements and protect patient data from breach and regulatory exposure.
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law enacted in 1996 that establishes national standards for the protection of sensitive patient health information. Enforced by the HHS Office for Civil Rights (OCR), HIPAA creates legally binding obligations for any organization that creates, receives, maintains, or transmits Protected Health Information (PHI) - including both physical PHI and electronic PHI (ePHI).
HIPAA compliance is not optional and is not self-certifying. There is no HIPAA certification body - instead, OCR enforces HIPAA through complaint investigations, random audits, and breach-triggered enforcement actions. Organizations must demonstrate ongoing compliance through documented policies, implemented safeguards, workforce training, and completed Security Risk Analyses. When a breach occurs, OCR scrutinizes whether the breached organization had a defensible, functioning HIPAA compliance program in place.
For business associates - including SaaS platforms, cloud providers, analytics tools, billing systems, and any vendor that handles PHI on behalf of a covered entity - HIPAA compliance is equally mandatory. A Business Associate Agreement (BAA) is required, but signing a BAA without the underlying security controls creates massive liability exposure during OCR investigations.
"Signing a Business Associate Agreement without implementing the required HIPAA safeguards is not compliance - it's contractual exposure without protection. Real HIPAA compliance starts with the Security Risk Analysis and ends with continuous monitoring."
Requires covered entities and business associates to implement Administrative, Physical, and Technical safeguards to protect the confidentiality, integrity, and availability of electronic PHI (ePHI). Includes the mandatory Security Risk Analysis requirement.
Establishes national standards for the protection of PHI in all forms - electronic, paper, and oral. Governs how covered entities may use and disclose PHI, grants patients rights over their health information, and requires Notice of Privacy Practices (NPP).
Requires covered entities to notify affected individuals, HHS, and in some cases the media, following a breach of unsecured PHI. Business associates must notify covered entities within 60 days of breach discovery. OCR investigates all breaches affecting 500 or more individuals.
HIPAA applies to two distinct categories of organizations - each with its own compliance obligations and regulatory exposure. Understanding which category applies to your organization is the first step in any HIPAA compliance program.
Covered entities are the primary subjects of HIPAA - organizations that directly create, receive, maintain, or transmit PHI as part of their core operations. They are subject to all three HIPAA rules: Privacy, Security, and Breach Notification.
Business associates are vendors, contractors, subcontractors, and service providers that perform functions on behalf of a covered entity that involve creating, receiving, maintaining, or transmitting PHI. BAs are directly liable under HIPAA - not just contractually through their BAA - and face the same OCR enforcement risk as covered entities.
Every covered entity must have a signed, compliant Business Associate Agreement in place with each business associate before any PHI is shared. BAAs must specify permitted uses of PHI, require the BA to implement HIPAA-required safeguards, establish breach reporting obligations, and include required regulatory provisions. Impact Risk Advisors reviews, negotiates, and maintains your BAA registry as part of our HIPAA compliance program - ensuring every vendor relationship is properly documented and monitored.
The HIPAA Security Rule requires covered entities and business associates to implement three categories of safeguards - each containing a mix of Required specifications (mandatory) and Addressable specifications (must implement or document a justified alternative).
Administrative safeguards are the policies and procedures that govern how your organization protects ePHI - including how you manage security responsibilities, conduct workforce training, authorize access, and respond to incidents. They represent the largest and most documentation-intensive safeguard category.
Formal risk analysis (SRA), risk management program, sanction policy, and information system activity review
Designated HIPAA Security Officer with documented responsibility for the security program
Authorization procedures, workforce clearance, and termination procedures for ePHI access
Periodic security reminders, malicious software protection training, login monitoring, and password management training
Data backup plan, disaster recovery plan, emergency mode operations, and testing procedures
Written BAAs with all business associates - required before any PHI is shared
Technical safeguards are the technology controls and procedures that protect ePHI and control access to it. These are the controls most frequently tested during OCR investigations and breach inquiries - and the areas where most healthcare organizations have the highest rate of control gaps.
Unique user identification, emergency access procedures, automatic logoff, and encryption/decryption of ePHI
Hardware, software, and procedural mechanisms to record and examine ePHI access activity - audit logs must be retained and reviewed
Mechanisms to authenticate ePHI has not been altered or destroyed in an unauthorized manner
Procedures to verify that the person or entity seeking ePHI access is the one claimed - includes multi-factor authentication
Encryption of ePHI transmitted over electronic networks - TLS 1.2+ for data in transit, AES-256 for data at rest
Physical safeguards address the physical security of the facilities and equipment that store, access, or process ePHI. While often overlooked compared to technical controls, physical safeguards are a persistent source of OCR audit findings - particularly for organizations with distributed workforces, remote access, and BYOD policies.
Policies to limit physical access to facilities holding ePHI while ensuring proper authorized access - visitor logs, access badge systems, security camera documentation
Policies specifying proper workstation use and the physical surroundings of workstations that access ePHI - screen placement, clean desk requirements
Physical safeguards for workstations - screen locks, physical security cables, device tracking for remote and portable devices
Policies governing the receipt, removal, movement, reuse, and disposal of hardware and electronic media containing ePHI - includes secure data destruction
HIPAA compliance is a continuous program - not a one-time project. Without dedicated security leadership, the same challenges recur in nearly every organization we work with.
The HIPAA Security Risk Analysis is the single most commonly cited deficiency in OCR enforcement actions - and mandatory under 45 CFR §164.308(a)(1). Organizations routinely treat the SRA as optional or complete inadequate assessments that fail to meet OCR's own guidance on what a proper SRA must include.
Every vendor, contractor, or service provider that touches PHI requires a signed, compliant Business Associate Agreement. Most organizations have partial BAA coverage at best - missing agreements with cloud providers, analytics platforms, IT support vendors, and dozens of other business associates who regularly access ePHI.
HIPAA requires security awareness and training for all workforce members - not just clinical staff. Generic annual checkboxes don't satisfy OCR's expectations. Training must be role-based, documented, tracked to completion, and refreshed when the threat environment or operations change.
Unique user IDs, automatic logoff, audit logs for ePHI access, and person/entity authentication are required under the HIPAA Technical Safeguards. Organizations routinely fail these - shared login credentials, no audit trail for ePHI access, and missing multi-factor authentication create OCR enforcement exposure.
Without a documented Breach Notification procedure, organizations discovering a PHI breach have no clear process for the legally required 60-day HHS notification, individual notification, or media notification for large breaches. Delayed or deficient notification is independently sanctionable under HIPAA.
HIPAA is not a one-time project - it requires periodic evaluation and updating of your security program as operations, technology, and threats change. Organizations that implement HIPAA controls and then let them decay create a compounding compliance gap that OCR can treat as willful neglect when a breach investigation reveals outdated safeguards.
Impact Risk Advisors' HIPAA compliance methodology is built around the way OCR actually evaluates compliance - starting with the mandatory Security Risk Analysis and building a program that is documented, implemented, trained, monitored, and defensible under enforcement scrutiny.
We don't sell HIPAA checklists or generic policy templates. Our vCISO team embeds in your organization as genuine security leadership - understanding your specific environment, workflows, and risk profile before recommending a single safeguard or drafting a single policy. Every deliverable we produce is specific to your organization and stands up to OCR review.
We conduct a comprehensive, OCR-compliant Security Risk Analysis - documenting all ePHI flows, identifying threats and vulnerabilities, scoring risk, and producing a risk management plan that satisfies the 45 CFR §164.308(a)(1) requirement.
We implement and document the specific Administrative, Technical, and Physical safeguards required for your environment - including access controls, audit logging, encryption, MFA, and facility security procedures.
We develop the complete HIPAA policy and procedure suite - Privacy Policy, Security Policy, Breach Notification Procedures, Incident Response, Workforce Sanctions, BAA Management, and all supporting documentation.
We design and deliver HIPAA-specific security awareness training - role-based, documented, and tracked to completion - that satisfies the HIPAA Administrative Safeguard training requirements and reduces human-layer breach risk.
We maintain your HIPAA compliance program on an ongoing basis - monitoring controls, updating policies, reviewing the SRA annually, managing your BAA registry, and keeping your program aligned with OCR guidance and evolving HHS enforcement priorities.
ePHI inventory, current safeguard review, compliance gap analysis, and OCR-compliant SRA preparation.
Full OCR-compliant SRA - threat/vulnerability analysis, risk scoring, and risk management plan.
Administrative, Technical, and Physical safeguard implementation with complete policy documentation suite.
Role-based HIPAA security training delivery, tracking, and documentation of workforce completion.
Annual SRA update, quarterly BAA reviews, ongoing monitoring, and OCR audit readiness maintenance.
The HIPAA Security Risk Analysis (SRA) is not optional. Under 45 CFR §164.308(a)(1), every covered entity and business associate is required to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate." It must be documented, reviewed periodically, and updated when significant environmental or operational changes occur.
Despite its mandatory status, the SRA is the single most commonly cited HIPAA violation in OCR enforcement actions. Many organizations either skip it entirely, use inadequate self-assessment tools that don't satisfy OCR's own Security Risk Assessment guidance, or complete it once and never update it - creating compounding enforcement exposure as their environment changes.
Impact Risk Advisors' HIPAA Security Risk Analysis follows OCR's official SRA guidance and covers all ePHI flows across your entire environment - cloud systems, on-premise infrastructure, mobile devices, third-party integrations, and workforce endpoints - producing documentation that stands up to OCR investigator review.
Every significant OCR HIPAA settlement in the past five years has included a finding that the organization failed to conduct an adequate, organization-wide Security Risk Analysis. The SRA is the foundation OCR uses to assess whether an organization's entire HIPAA compliance program is credible.
Identify and document all locations where ePHI is created, received, maintained, or transmitted - including cloud systems, on-premise servers, mobile devices, workstations, third-party integrations, and backup systems.
Identify reasonably anticipated threats to ePHI confidentiality, integrity, and availability - and the existing vulnerabilities that could enable those threats to materialize - across your entire environment.
Evaluate existing safeguards - technical controls, administrative procedures, and physical measures - and assess their effectiveness in mitigating identified threats and vulnerabilities.
Assign likelihood and impact ratings to each identified risk - producing a documented risk level score for every threat/vulnerability combination across your ePHI environment.
Produce a documented risk management plan identifying the security measures that will reduce risk to an appropriate level - with management approval, implementation timelines, and ongoing monitoring procedures.
Achieving HIPAA compliance is not a finish line - it is the starting point of an ongoing compliance obligation. HIPAA explicitly requires periodic review and updating of your security program as environmental changes, operational changes, new threats, and evolving OCR guidance create new compliance requirements.
The organizations that face the most severe OCR enforcement actions are not necessarily those with the worst initial compliance posture - they are often those that implemented HIPAA safeguards years ago and then allowed them to decay without review. OCR investigators treat decayed compliance programs as evidence of willful neglect, which carries the highest penalty tier.
Impact Risk Advisors maintains your HIPAA compliance program on a continuous basis - so that when an OCR investigation, a breach, or a business associate audit occurs, your program is current, documented, and defensible.
Mandatory annual SRA review and update to reflect operational changes, new ePHI systems, workforce changes, and evolving threat landscape - with management review and documented approval.
Systematic review of your business associate inventory - adding new vendors, reviewing updated BAAs, and identifying BAA expiration or deficiency before they create OCR exposure.
Refreshed, role-based HIPAA security awareness training with documented completion records - satisfying the administrative safeguard training requirement with audit-ready evidence.
Ongoing review of security events, incident tracking, and maintained breach notification procedures - so your organization is always prepared to respond within HIPAA's 60-day notification window.
Updated risk analysis every year - and on significant change
Quarterly vendor review and BAA gap remediation
Role-based annual workforce security training
Ongoing ePHI access audit log review
Annual policy review and management approval
Breach response readiness and notification procedures
OCR Audit Ready
Your HIPAA program is current, documented, and defensible - at all times
HIPAA compliance is a security program - not just a documentation exercise. Our vCISO, risk assessment, and penetration testing services work together to build the security controls your HIPAA program requires and validate that they actually work.
Your virtual CISO owns the entire HIPAA compliance program - serving as your designated HIPAA Security Officer, leading the Security Risk Analysis, managing your BAA registry, developing policies, and overseeing all safeguard implementation. HIPAA requires a named Security Officer; your vCISO fills that role.
The convergence of security leadership, formal risk assessment, and technical control validation - producing a HIPAA compliance program that is documented, implemented, trained, and defensible under OCR scrutiny.
The HIPAA Security Risk Analysis is satisfied by our formal risk assessment methodology. Our penetration testing services validate the technical safeguards your HIPAA program relies on - identifying vulnerabilities in ePHI-handling systems before an attacker or OCR investigator does.
Every Impact Risk Advisors HIPAA engagement produces a defined set of deliverables - OCR-defensible documentation and implemented safeguards that constitute a functioning, auditable HIPAA compliance program.
A comprehensive, OCR-compliant Security Risk Analysis documenting your entire ePHI environment, identified threats and vulnerabilities, risk scores, and a documented risk management plan with remediation priorities and management sign-off.
A structured gap analysis measuring your current administrative, technical, and physical safeguards against all HIPAA Security Rule requirements - with clear identification of Required versus Addressable deficiencies and implementation recommendations for each gap.
A complete, organization-specific HIPAA security policy library - drafted to reflect your actual practices, reviewed by management, and maintained with annual update cycles. Covers all HIPAA administrative safeguard policy requirements.
A detailed implementation plan mapping every required and addressable HIPAA safeguard to specific technical controls, responsible owners, implementation timelines, and evidence requirements - providing a clear operational roadmap from current state to compliant state.
A complete inventory of all business associates with PHI access - including BAA status, expiration tracking, and gap identification. All BAAs are reviewed for HIPAA-required provisions and flagged for renegotiation where deficient.
A continuous HIPAA compliance architecture - including annual SRA update schedule, quarterly BAA reviews, annual training cycle, access review procedures, and incident monitoring - that keeps your program perpetually current and OCR-defensible.
HHS Office for Civil Rights enforces HIPAA through complaint investigations, random compliance audits, and breach notifications. HIPAA non-compliance carries escalating civil and criminal penalties - and reputational consequences that extend far beyond financial sanctions.
OCR imposes civil monetary penalties on a four-tier scale based on culpability - from unknowing violations at $100-$50,000 per violation to willful neglect uncorrected at $50,000+ per violation, with annual caps of $1.9 million per category. Multiple violation categories in a single enforcement action compound rapidly into multi-million-dollar settlements.
Following a breach affecting 500 or more individuals, OCR investigates the breached organization's entire HIPAA compliance program - not just the specific incident. Organizations with inadequate documentation, missing SRAs, or decayed safeguards face Corrective Action Plans (CAPs) requiring years of OCR oversight, monitoring, and reporting.
HHS publicly lists all breaches affecting 500 or more individuals on the OCR "Wall of Shame" - a permanent, searchable public record of your organization's breach history. Healthcare breaches generate significant media coverage, damage patient trust, reduce referrals, and negatively impact payor contract negotiations and credentialing.
In addition to federal OCR enforcement, state attorneys general have independent authority to enforce HIPAA and impose civil penalties. Multiple states have brought HIPAA enforcement actions alongside - and sometimes independently of - OCR investigations, creating dual enforcement exposure for covered entities and business associates operating across state lines.
Business associates that suffer a breach affecting covered entity PHI face direct OCR enforcement liability - not just contractual liability to the covered entity. The 2013 HIPAA Omnibus Rule made business associates directly and independently subject to HIPAA enforcement, meaning a breach at a health tech vendor can trigger its own OCR investigation regardless of covered entity notification.
Cyber liability insurers increasingly condition HIPAA-related coverage on evidence of a compliant security program - including a completed Security Risk Analysis, documented safeguards, and workforce training. Organizations that cannot demonstrate HIPAA compliance at time of claim may face coverage denials, reduced settlements, or exclusions for PHI-related breach costs.
We serve the full spectrum of HIPAA-regulated organizations - from independent medical practices to healthcare technology platforms that are subject to HIPAA as business associates.
Enterprise HIPAA programs, SRA management, workforce training, and OCR audit preparation for complex multi-site environments
Right-sized HIPAA compliance for small to mid-size practices - SRA, policies, BAA management, and staff training without enterprise complexity
HIPAA compliance with heightened privacy protections for behavioral health, substance use disorder, and mental health records under 42 CFR Part 2
HIPAA business associate compliance for EHR platforms, telehealth tools, patient engagement apps, and scheduling software handling ePHI
HIPAA compliance for reference labs, radiology centers, and pathology groups - including diagnostic result transmission and PHI sharing with ordering providers
HIPAA compliance for retail pharmacy chains, specialty pharmacies, and PBMs - prescription data handling, patient consent, and BA agreement management
HIPAA business associate compliance for analytics companies, clinical AI vendors, and population health platforms processing de-identified and identifiable PHI
HIPAA compliance for medical billing companies, RCM platforms, and clearinghouses - including transaction standard compliance alongside Security and Privacy Rule obligations
Whether you're a covered entity that needs a defensible HIPAA Security Risk Analysis or a health technology business associate that needs to build a HIPAA compliance program from the ground up, Impact Risk Advisors delivers the vCISO leadership, SRA methodology, and continuous monitoring program your organization needs. Start with a free HIPAA compliance consultation and have your gap analysis in hand within two weeks.
Common questions about HIPAA requirements, Security Risk Analysis, business associate obligations, OCR enforcement, and what to expect from a HIPAA compliance engagement.
Our vCISO team can answer questions about your specific HIPAA obligations, BAA requirements, or breach notification situation.