Services
HIPAA is not a checkbox — it is a Privacy Rule, a Security Rule with 50+ implementation specifications, a Breach Notification Rule with a 60-day clock, and HITECH penalties that put business associates directly in OCR's enforcement crosshairs. We build the §164.308(a)(1)(ii)(A) risk analysis, the administrative/physical/technical safeguards under §164.308–316, the encrypted PHI pipelines on HIPAA-eligible AWS/GCP/Azure services, the Business Associate Agreement workflow under §164.504(e), and the Breach Notification runbook under §164.400–414. Engineering-grade controls, lawyer-readable evidence, OCR-defensible documentation. From 7,500 EUR for the Assessment.
OCR's Resolution Agreement tracker is a wall of seven-figure settlements for failures that are entirely preventable in code: missing risk analyses, unencrypted laptops, audit logs that no one reads, and BAAs that were never signed. Civil monetary penalties under the HITECH tiered structure reach $2,067,813 per violation category per year (2024 adjusted). The right deliverable is not a binder of policies — it is a system where every PHI touchpoint is logged, every workforce member has a unique ID, every backup is encrypted under a customer-rotatable KMS key, and every BAA is current. We build it that way the first time.
The foundational artefact OCR asks for first. Asset inventory, threat/vulnerability pairing, likelihood/impact scoring against NIST SP 800-30, residual-risk decisions signed by the Security Official, and a tracked remediation plan refreshed at least annually.
§164.312 controls in code: unique user IDs, automatic logoff, AES-256 at rest, TLS 1.2+ in transit, integrity controls, person/entity authentication with MFA, and audit logs that survive tampering. KMS keys customer-rotatable and segregated per tenant.
§164.308 programme: Security Official designation, workforce clearance, sanctions policy, contingency plan with backup/DR/emergency-mode operation, periodic evaluation, and a security incident procedures runbook that ties to the Breach Notification workflow.
§164.504(e) Business Associate Agreement template, subcontractor BAA flow-down, vendor due-diligence questionnaire, and an inventory that tracks each BAA's effective date, scope, and renewal. Cloud provider BAAs (AWS/GCP/Azure) executed before any PHI lands.
§164.400–414 runbook: four-factor risk assessment template, BA-to-CE notification within 60 days, CE-to-individual notification, HHS OCR portal submission (500+ within 60 days; annual for smaller), and media notification triggers. Encrypted-PHI safe-harbour evidence pre-staged.
§164.312(b) audit controls: per-record PHI access events, immutable log store (S3 Object Lock or equivalent), 6-year retention to match §164.530(j), and a weekly log-review SOP with anomaly alerts feeding the security incident procedure.
Week 1: confirm covered-entity vs business-associate status, inventory every PHI touchpoint, map data flows across cloud accounts and subcontractors, and identify the cloud provider BAA scope you actually operate within.
Weeks 2–3: full §164.308(a)(1)(ii)(A) risk analysis using NIST SP 800-30 methodology, gap-score every Privacy and Security Rule implementation specification, and produce a remediation roadmap signed by the Security Official.
Weeks 4–12: build technical safeguards in code and IaC, ship administrative policies and workforce training, execute BAAs, stand up audit logging with 6-year retention, and dry-run the Breach Notification workflow.
Monthly: log review, vendor BAA tracking, sanctions log, quarterly risk-analysis delta, annual full refresh, and an OCR-style audit dry run that exercises the §164.308 documentation request list.
Two to three weeks, fixed scope. §164.308(a)(1)(ii)(A) risk analysis, gap analysis against the Privacy and Security Rules, PHI data-flow map, BAA inventory, and a remediation roadmap with effort/cost ranges. 7,500 EUR fixed.
Eight to twelve weeks. Administrative/physical/technical safeguards build-out, encryption and audit logging, IAM hardening, BAA templates and subcontractor flow-down, workforce training materials, security incident procedures, Breach Notification runbook. 22,000 EUR fixed.
Monthly retainer. Quarterly risk-analysis refresh, weekly log review SOP, sanctions tracking, BAA renewals and vendor due diligence, annual OCR-style audit dry run, and incident response on retainer. 4,000 EUR/month.
OCR investigation defence and Resolution Agreement support quoted separately on a time-and-materials basis. Three-month minimum on Ongoing Compliance, month-to-month thereafter with 30 days notice. NDA, DPA and BAA signed before kickoff.
A patient app plus a role-based staff suite that unifies multiple clinics — appointments, records, and dashboards, HIPAA-capable for the US & EU.
Patient app for a 40-city lab network — appointment booking, digital results, 2,500+ tests, scheduling and accounting integrations.
Tablet-first endoscopy recording, patient records, and DICOM/HL7 export — built on Laravel + React with browser-tier WebRTC capture for US & EU clinics.
GDPR-aligned · ISO 27001 ready · SOC 2 Type II in progress · HIPAA-capable · HITECH-aware
We read the repo, the Terraform, the IAM policy and the audit-log pipeline before writing a single policy paragraph. The safeguards are evidenced by code, not by a PDF that contradicts what production actually does.
HIPAA, SOC 2 CC and C series, ISO 27001 Annex A — the underlying controls overlap by 70%+. We build one evidence library that discharges duties across all three so you do not run parallel audits.
Every artefact is written to survive an OCR data request. Versioned in your repo, signed by the Security Official, traceable to the §164.308 implementation specification it discharges.
For HHS OCR investigations and Resolution Agreement support we work alongside your healthcare counsel and produce the evidence packages they need — not the marketing decks a generalist consultant would deliver.
Covered entities under 45 CFR §160.103 are health plans, healthcare clearinghouses, and healthcare providers that transmit PHI electronically in connection with a HIPAA transaction. Business associates are vendors that create, receive, maintain or transmit PHI on behalf of a covered entity — most SaaS products serving providers, payers or pharma fall here. HITECH 2009 made business associates directly liable to OCR enforcement. We classify your role, draft or review the Business Associate Agreement (BAA) per §164.504(e), and document subcontractor flow-down so downstream vendors (cloud, analytics, support tools) inherit the same obligations.
The Security Rule (45 CFR §164.308–316) requires administrative, physical and technical safeguards. Technical: access control with unique user IDs (§164.312(a)), automatic logoff, encryption at rest and in transit (AES-256, TLS 1.2+), audit logs that capture PHI access (§164.312(b)), integrity controls (§164.312(c)), and authentication (§164.312(d)). Administrative: workforce clearance, sanctions policy, contingency plan with data backup/disaster recovery/emergency mode operation (§164.308(a)(7)), and the §164.308(a)(1)(ii)(A) risk analysis — refreshed at minimum annually. Physical: facility access controls, workstation security, device and media disposal (§164.310). We build all of this into your AWS/GCP/Azure account using HIPAA-eligible services under the cloud provider's BAA.
AWS lists ~150 HIPAA-eligible services under its BAA (EC2, S3, RDS, Lambda, ECS/EKS, CloudFront, KMS, etc.); GCP and Azure publish equivalent lists. PHI must only land on eligible services with the BAA executed before processing. We configure dedicated VPCs with no public PHI surface, KMS-backed encryption, CloudTrail+VPC Flow Logs piped to an immutable log store, IAM with least-privilege roles and SCP guardrails, and S3 bucket policies that deny non-TLS access. Logging retention is 6 years to match the §164.530(j) record retention requirement.
Under 45 CFR §164.400–414, a breach is an impermissible use or disclosure of unsecured PHI that compromises security or privacy, unless a four-factor risk assessment demonstrates low probability of compromise. Covered entities must notify affected individuals without unreasonable delay and in no case later than 60 calendar days; notify HHS OCR within 60 days for breaches affecting 500+ individuals (and annually for smaller breaches); notify prominent media for 500+ in a state/jurisdiction. Business associates must notify the covered entity within 60 days. Encryption per NIST SP 800-111 (at rest) and FIPS 140-2 validated modules (in transit) provides safe harbour — encrypted PHI is not 'unsecured' and the breach clock does not start. We bake the runbook, log evidence and BA-to-CE notification template in before launch, not after the incident.
HIPAA is a floor, not a ceiling. State laws often add: California CMIA covers a broader medical-info definition than HIPAA; Texas HB 300 extends covered-entity status. CCPA/CPRA now applies to HIPAA-adjacent data not covered by HIPAA (e.g., wellness app data outside a provider relationship). 42 CFR Part 2 imposes stricter consent rules for substance-use disorder records — recently aligned with HIPAA via the 2024 final rule. For EU patients, GDPR Article 9 (special category data) applies in parallel and requires lawful basis, DPIA, and EU representative for non-EU controllers. We build a single PHI/PII data map that satisfies all overlapping regimes.
Three packages. HIPAA Assessment is 7,500 EUR fixed (two to three weeks): §164.308(a)(1)(ii)(A) risk analysis, gap analysis against the Privacy and Security Rules, PHI data flow map, BAA inventory, and remediation roadmap. Implementation is 22,000 EUR fixed (eight to twelve weeks): technical/administrative/physical safeguards build-out, encryption and audit logging, IAM hardening, BAA templates, workforce training materials, incident response runbook, and Breach Notification workflow. Ongoing Compliance is 4,000 EUR/month: quarterly risk-analysis refresh, log review, sanctions tracking, BAA renewals, vendor due diligence, and an annual HHS OCR-style audit dry run. OCR investigation defence and Resolution Agreement support quoted separately.
