HIPAA Compliance Services

Whether you are a healthcare provider preparing for an OCR audit, a startup onboarding enterprise clients who require HIPAA compliance, or a vendor that just realized you qualify as a business associate, the exposure is the same. A gap in your HIPAA program can mean a six-figure penalty, mandatory public notification, and a patient trust crisis that takes years to recover from.

garrisonOne builds HIPAA compliance programs that are documented, defensible, and built around how your organization actually operates, not generic templates. We cover risk assessment, Security and Privacy Rule implementation, vendor agreements, staff training, and breach response. So when an auditor asks, your answer is ready.

$1.9M: maximum annual penalty per violation category
60 days: breach notification window
54: Security Rule implementation specifications
OCR: enforces HIPAA through civil penalties

HIPAA Risk Assessment

Most organizations do not know where all their ePHI lives, who can access it, or what controls are missing, until an auditor asks. We conduct a structured risk assessment that maps every system storing or transmitting ePHI, identifies access and control gaps, and scores risks against HIPAA standards. You get a documented assessment that satisfies OCR requirements and tells you exactly where to focus first.

Security Rule Implementation

The Security Rule has 54 implementation specifications. Knowing which ones apply to your environment, and whether you have actually met them, is where most compliance programs stall. We assess your current controls against every required and addressable specification, then implement what is missing: access controls, audit logging, encryption, workstation policies, and device safeguards. The result is a documented control set that holds up under review.

Privacy Rule & Policies

A Notice of Privacy Practices last updated in 2013, or policies that exist on paper but no one follows, are common findings in OCR audits, and easy targets for enforcement action. We develop or update your privacy policies, Notice of Privacy Practices, and operational procedures to reflect how your organization actually handles PHI today. Patients and regulators both get clear documentation of your privacy practices.

Business Associate Agreement Management

Most covered entities do not have a complete picture of which vendors qualify as business associates, and many that do have BAAs are working off outdated templates that would not survive scrutiny. We audit your vendor relationships, identify every party that requires a BAA, review existing agreements for gaps, and put compliant agreements in place. You also get a vendor management process that keeps BAAs current as your supplier base changes.

Workforce Training & Awareness

The majority of HIPAA breaches trace back to workforce error: misdirected emails, improper device disposal, unauthorized access by a well-meaning employee. Generic annual compliance training does not change behavior. We develop role-based training programs that cover both the regulatory requirements and the specific situations your staff actually face, from front desk to IT to clinical teams. Staff leave knowing what PHI is, how to protect it, and what to do when something goes wrong.

Breach Response & Notification Procedures

When a breach happens, you have 60 days to notify affected individuals, and most organizations have no plan for the first 60 minutes. Making the wrong call on whether notification is required, or missing a deadline, turns a manageable incident into an enforcement action. We build your breach response procedures from detection through notification, including the four-factor risk assessment HIPAA requires. Your team gets a tested playbook they can execute under pressure, within required timeframes, without costly mistakes.

Understanding HIPAA

What you need to know before building a compliance program

What is HIPAA?

The Health Insurance Portability and Accountability Act is a US federal law that sets national standards for protecting individually identifiable health information, known as protected health information (PHI). It covers three enforceable rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule, each with specific requirements your organisation must meet.

Who does it apply to?

HIPAA applies to covered entities (healthcare providers, health plans, and clearinghouses) and to any business associate that handles PHI on their behalf. If your company processes, stores, or transmits patient data for a healthcare client, HIPAA applies to you too, regardless of your industry.

Why does it matter?

Penalties run from $100 to $50,000 per violation, up to $1.9 million annually per category. A breach triggers mandatory notification to patients and the HHS, and for large-scale exposures, public media notification. Reputational damage and loss of patient trust typically outlast the regulatory fine itself.

How do you comply?

Compliance requires a documented risk assessment, safeguards across administrative, physical, and technical domains, signed Business Associate Agreements with every vendor handling PHI, role-based staff training, and a tested breach response plan. It is an ongoing program, not a one-time checkbox.

Official source: HHS HIPAA for Professionals

What Makes Us Different From Others

  • Compliance That Protects Patients, Not Just Organizations: HIPAA exists to protect patient privacy and safety. We build programs focused on genuinely protecting PHI, not just satisfying checkboxes that provide the appearance of compliance.
  • Both Covered Entities and Business Associates Served: Whether you are a healthcare provider, health plan, healthcare clearinghouse, or a business associate handling PHI on behalf of covered entities, we understand the specific obligations that apply to your role.
  • Risk Assessment That Drives Action: Many organizations complete HIPAA risk assessments that sit on a shelf. We conduct assessments that produce prioritized findings with clear remediation paths so the work translates directly into improved protection.
  • Vendor Risk Management Included: BAA management is one of the most commonly neglected areas of HIPAA compliance. We treat vendor oversight as a first-class program component, not an afterthought.
  • Training Built for Real Healthcare Workflows: Generic security awareness training doesn't connect to the daily reality of healthcare operations. We develop training that is relevant to how your workforce actually interacts with PHI.
  • Breach Response Readiness Before You Need It: Trying to figure out breach notification obligations during an active incident creates delays and mistakes. We build your response procedures in advance so your team can act correctly and quickly when it matters most.

Client results

See how we have helped

Healthcare

Medical Practice — Access Governance

200+ orphaned accounts remediated, zero audit findings after rollout, and full privileged access brought under governance across a multi-site medical practice.

200+: orphaned accounts removed
0: audit findings
100%: PAM coverage

Healthcare

Healthcare Group — JML Workflows

Joiner-mover-leaver delays caused access provisioning gaps and HIPAA exposure. garrisonOne automated JML workflows and implemented access certification across clinical systems.

3 to 7 days: provisioning time, reduced to hours
100%: HIPAA access controls
2 years: compliance maintained

See How We Have Helped Similar Organisations

HIPAA IAM for Specialty Clinic Group

Healthcare: Entra ID and HIPAA compliance across 6 clinic locations

HIPAA Compliance for Medical Practice

Healthcare: Identity management built around HIPAA Security Rule requirements


Frequently asked questions

Who must comply with HIPAA?

HIPAA applies to covered entities, which include healthcare providers that conduct certain electronic transactions, health plans, and healthcare clearinghouses. It also applies to business associates, meaning any person or organization that performs functions or activities involving the use or disclosure of PHI on behalf of a covered entity. If you provide services to healthcare organizations and handle patient data in any form, HIPAA likely applies to you.

What is protected health information (PHI)?

PHI is any individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate. This includes medical records, billing information, diagnoses, treatment histories, and any data that could be used to identify a patient in connection with their health condition or care. Electronic PHI, referred to as ePHI, is subject to the additional technical safeguard requirements of the Security Rule.

What are the main components of HIPAA?

The three rules most relevant to compliance programs are the Privacy Rule, which governs the use and disclosure of PHI; the Security Rule, which sets requirements for protecting electronic PHI; and the Breach Notification Rule, which requires covered entities and business associates to notify affected parties following a breach of unsecured PHI. Each rule has specific requirements that must be addressed in your compliance program.

What is a Business Associate Agreement?

A Business Associate Agreement is a contract between a covered entity and a business associate that defines the permitted uses and disclosures of PHI, requires the business associate to implement appropriate safeguards, and establishes accountability for HIPAA compliance. Without a valid BAA in place, a covered entity is potentially liable for how its vendors handle PHI.

What constitutes a HIPAA breach?

A HIPAA breach is an impermissible use or disclosure of PHI that compromises its security or privacy. This includes unauthorized access, theft of devices containing ePHI, misdirected communications containing PHI, and improper disposal of records. Not every security incident is a breach under HIPAA, and the rules provide a risk assessment framework for determining whether notification is required.

What are the penalties for HIPAA non-compliance?

Penalties range from $100 to $50,000 per violation, with an annual cap of $1.9 million per violation category. The tier applied depends on the level of culpability, from unknowing violations to willful neglect. Criminal penalties apply in cases of knowing misuse of PHI. Reputational damage and state-level penalties can compound federal enforcement actions.

How often should we conduct a HIPAA risk assessment?

HIPAA requires the risk assessment to be an ongoing process rather than a one-time event. Most organizations conduct a formal reassessment annually and following significant changes to their environment, such as new systems, facility changes, workforce changes, or technology implementations that affect how PHI is stored, processed, or transmitted.

Does HIPAA compliance make our systems fully secure?

HIPAA compliance establishes a strong baseline of security and privacy controls for healthcare data. It does not guarantee that systems are fully secure against all possible threats. We recommend treating HIPAA compliance as a minimum standard and investing in additional security measures wherever your risk assessment identifies specific vulnerabilities that go beyond what HIPAA requires.

Ready to Strengthen Your Cybersecurity Posture?

Get a free 30-minute consultation with a garrisonOne expert.

Get a Free Consultation

No obligation: just clarity on your next step.
