HIPAA Consulting

HIPAA Compliance Consulting Services

Expert HIPAA consultants helping healthcare organizations achieve and maintain full compliance through security risk assessments, audits, policy development, and virtual compliance officer services.

CMMC-AB RPO #1449 | CMMC-RP Certified Team | BBB A+ Since 2003 | DFE #604180 | Founded 2002

What Does HIPAA Compliance Consulting Actually Deliver?

HIPAA compliance consulting delivers a defensible program: a completed security risk analysis, 33 customized policies, signed business associate agreements, a trained workforce, and technical safeguards that satisfy 45 CFR 164.308, 164.310, and 164.312. The deliverables are graded against what the Office for Civil Rights actually asks for during an audit, not against a generic checklist.

HIPAA consulting is one of those services where the difference between good and bad is invisible until the Office for Civil Rights shows up with a subpoena. By then, the engagement is over and the question is whether the risk analysis on file will survive scrutiny. Petronella Technology Group has been doing this work since 2002, and every HIPAA program we build is designed around one question: if the OCR requests your documentation tomorrow, can you produce it in a form that matches what the Security Rule actually requires?

The short version of what we do is this. We evaluate where protected health information (PHI) lives in your environment. We evaluate who touches it, under what conditions, and with what safeguards. We evaluate every vendor who handles it on your behalf. We put the results into a risk analysis that follows 45 CFR 164.308(a)(1)(ii)(A) and the NIST SP 800-66 Rev. 2 implementation guide. We prioritize the gaps. We help you close them. And we hand you a packet of evidence, policies, and procedures that an OCR investigator can read and recognize as a real program rather than a template someone downloaded.

Most healthcare organizations do not fail HIPAA because of sophisticated attackers. They fail because the Security Officer role was never filled, the risk analysis was never completed, the business associate agreements were never signed, and the encryption that everyone assumed was turned on was actually turned off on the one laptop that got stolen from a car. The HHS OCR enforcement record makes this pattern clear. The 2018 Anthem settlement of $16 million cited inadequate risk analysis. The 2020 Premera Blue Cross $6.85 million settlement cited the same. The 2022 Oklahoma State University Center for Health Sciences $875,000 settlement cited the same. The common thread is almost always a risk analysis that was either missing, incomplete, or performed once and never repeated.

We exist to break that pattern for our clients. What follows is what that looks like in practice.

Consulting Services

What Does a HIPAA Consultant Do That Software Cannot?

A consultant evaluates your actual environment, interviews your staff, reviews your vendor contracts, and scores risk against your real workflows. Software generates templates. We deliver the evaluation, the prioritized roadmap, and the defensible documentation an auditor recognizes as a real program.

Assessment and Audit

  • Comprehensive HIPAA security risk assessment per 45 CFR 164.308
  • Gap analysis against all 42 Security Rule implementation specifications
  • Compliance scoring with risk-prioritized remediation roadmap

Implementation and Management

  • 33 policy documents that OCR expects during audit
  • Virtual HIPAA Compliance Officer services
  • Paired with ComplianceArmor for automated documentation

Audit Process

How Long Does a HIPAA Compliance Audit Take?

A six-step audit runs 2 to 4 weeks for scope definition through gap scoring, then 3 to 6 months for remediation depending on organization size. Virtual Compliance Officer services continue on monthly retainer after remediation closes.

01. Scope Definition and Data Mapping
02. Security Risk Assessment (SRA)
03. Gap Analysis and Scoring
04. Remediation Planning
05. Control Implementation
06. Ongoing Compliance Management

Why Is the Security Risk Analysis the #1 HIPAA Citation?

Because 45 CFR 164.308(a)(1)(ii)(A) makes it a required implementation specification and most programs either skip it or produce something that cannot survive scrutiny. A failed risk analysis has been cited in multi-million-dollar OCR enforcement actions from Anthem in 2018 to Premera in 2020 to Oklahoma State in 2022.

The Security Rule at 45 CFR 164.308(a)(1)(ii)(A) calls the risk analysis a required implementation specification. That means you do not have the option to decline it. You perform it, or you are out of compliance. The rule requires you to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate." That phrase, accurate and thorough, is where most programs fall apart.

What does accurate and thorough look like? It looks like a document that identifies every system that creates, receives, maintains, or transmits ePHI. It looks like an inventory of every workforce member who has access to those systems and what kind of access they have. It looks like a list of the reasonably anticipated threats to that data, including insider threats, ransomware, misconfigured cloud storage, lost laptops, and phishing. It looks like an analysis of the likelihood and impact of each of those threats, and the current controls that reduce them. It looks like a prioritized list of gaps with a timeline for closing them. And it looks like something you revisit every year, or any time your environment changes materially.

The HHS Office for Civil Rights published its guidance on risk analysis in 2010, and refreshed it through NIST SP 800-66 Rev. 2 in February 2024. We use that guidance as the spine of every engagement. When we hand you a risk analysis, the structure maps directly to what an OCR auditor will look for. There is no guessing about whether the format will pass. The format is the format HHS publishes.

We also do one thing that a lot of consultants skip. We tell the truth about the risks we find, even when the truth is uncomfortable. If your EHR vendor is not willing to sign a meaningful business associate agreement, we say so. If your cloud backup is not encrypted at rest, we say so. If the Security Officer on paper has never been trained and has no budget, we say so. A risk analysis that buries the real issues is worse than no risk analysis at all, because it creates the appearance of compliance without any of the protection.

Which Technical Safeguards Does HIPAA Actually Require?

45 CFR 164.312 requires five technical safeguards: access control, audit controls, integrity, person or entity authentication, and transmission security. Each has required and addressable sub-specifications. Addressable does not mean optional. It means implement, substitute, or document why neither applies.

The Security Rule breaks safeguards into three categories: administrative, physical, and technical. The technical safeguards at 45 CFR 164.312 are the ones that get the most scrutiny from auditors because they are the ones you can measure with tools. Access control. Audit controls. Integrity. Person or entity authentication. Transmission security. Each one has sub-specifications that are either required or addressable. Addressable does not mean optional. It means you either implement the spec, implement an equivalent measure, or document why neither applies. Most breaches that get settled by HHS involve organizations that ignored the addressable spec and did not document why.

On the access control side, we look at unique user identification (required), emergency access procedures (required), automatic logoff (addressable), and encryption and decryption (addressable). We help you implement role-based access control, least privilege, and multi-factor authentication on any system that touches ePHI. We review your privileged access model and look for shared accounts, shared passwords, and orphaned accounts from former workforce members. These are the exact findings that show up in OCR investigations year after year.

On the audit control side, we help you define what events you log, where you log them, who reviews the logs, and how long you retain them. The Security Rule does not prescribe a retention period, but HIPAA's general documentation requirement is six years, so that is the standard we apply. We configure log aggregation, alerting on suspicious patterns, and monthly review cadences with documented evidence that someone actually read the reports.

On the transmission security side, we enforce TLS 1.2 or higher for any ePHI in motion. We disable SMB v1. We turn off SMTP relay for unauthenticated senders. We force encryption for email containing ePHI, either through a dedicated secure-email gateway or through encrypted attachments with strong passphrases delivered through a separate channel. These are table stakes, but we see them missing on real engagements all the time.

On the encryption-at-rest side, we verify whole-disk encryption on every endpoint that could possibly store ePHI, including the sales laptop someone uses to print quotes from the EHR. The 2014 Concentra settlement of $1.7 million cited an unencrypted stolen laptop as the root cause. A single device, encrypted properly, would have eliminated the breach entirely. Encryption at rest is the cheapest HIPAA control by a wide margin, and it prevents more dollars of OCR liability per dollar of effort than anything else we do.
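As an added example (not Petronella's code and not part of ComplianceArmor), the following Python scores a constructed small-practice inventory against the access control, authentication, encryption-at-rest, transmission security and audit control findings described above; the dataclass fields and sample values are assumptions for illustration.

```python
# Added example, not Petronella's code: scores a constructed inventory of accounts,
# endpoints and services against the 45 CFR 164.312 findings named above.
# The dataclass fields and sample values are assumptions for illustration.
from dataclasses import dataclass

@dataclass
class Account:
    user: str
    system: str            # system that stores or processes ePHI
    shared: bool = False   # one login used by several people
    mfa: bool = True
    active: bool = True
    employed: bool = True  # False once the workforce member has left

@dataclass
class Endpoint:
    name: str
    may_store_ephi: bool
    disk_encrypted: bool   # whole-disk encryption verified on the device

@dataclass
class Service:
    name: str
    carries_ephi: bool
    min_tls: str           # lowest TLS version the service will negotiate
    smb1_enabled: bool = False

def tls_at_least_1_2(version: str) -> bool:
    major, minor = (int(p) for p in version.split("."))
    return (major, minor) >= (1, 2)

def find_gaps(accounts, endpoints, services, log_retention_years):
    """Return (finding, safeguard) pairs; an empty list means nothing to remediate."""
    gaps = []
    for a in accounts:
        if a.shared:
            gaps.append((f"{a.user}@{a.system}: shared login", "access control (unique user identification)"))
        if a.active and not a.employed:
            gaps.append((f"{a.user}@{a.system}: orphaned account", "access control"))
        if a.active and not a.mfa:
            gaps.append((f"{a.user}@{a.system}: no MFA", "person or entity authentication"))
    for e in endpoints:
        if e.may_store_ephi and not e.disk_encrypted:
            gaps.append((f"{e.name}: no whole-disk encryption", "encryption and decryption (addressable)"))
    for s in services:
        if s.carries_ephi and not tls_at_least_1_2(s.min_tls):
            gaps.append((f"{s.name}: negotiates TLS {s.min_tls}", "transmission security"))
        if s.smb1_enabled:
            gaps.append((f"{s.name}: SMBv1 enabled", "transmission security"))
    if log_retention_years < 6:  # six-year HIPAA documentation retention applied to logs
        gaps.append((f"audit logs kept {log_retention_years} years", "audit controls"))
    return gaps

# Constructed sample inventory for one small practice, deliberately imperfect.
SAMPLE_ACCOUNTS = [Account("frontdesk", "ehr", shared=True, mfa=False),
                   Account("jdoe", "ehr", employed=False), Account("drsmith", "ehr")]
SAMPLE_ENDPOINTS = [Endpoint("sales-laptop", True, False), Endpoint("lobby-kiosk", False, False)]
SAMPLE_SERVICES = [Service("efax-gateway", True, "1.0"),
                   Service("fileserver", True, "1.2", smb1_enabled=True)]

def sample_report():
    """Run the check over the constructed inventory above."""
    return find_gaps(SAMPLE_ACCOUNTS, SAMPLE_ENDPOINTS, SAMPLE_SERVICES, log_retention_years=2)
```

Each returned pair is one line item for the remediation roadmap, labelled with the 164.312 safeguard it falls under.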

Business Associate Agreements Are Not Paperwork

Every vendor who creates, receives, maintains, or transmits ePHI on your behalf is a business associate. Your cloud backup provider. Your EHR host. Your document shredder. Your managed IT provider. Your email filter. Your fax service. Your billing company. Your transcription vendor. Your SMS appointment reminder platform. The list is longer than most organizations realize. Every one of them needs a signed business associate agreement (BAA) that meets the requirements of 45 CFR 164.504(e). Missing BAAs are one of the most common findings in OCR enforcement, and a 2016 settlement against Raleigh Orthopaedic Clinic cited a missing BAA as a factor in a $750,000 penalty.

As part of our consulting engagement we inventory every vendor in your environment, classify them by whether they handle ePHI, request BAAs from every business associate, review the language of the BAAs that come back, and flag any that fall short of 164.504(e). When a vendor refuses to sign a BAA or insists on one that limits their liability to below their insurance coverage, we help you decide whether to replace the vendor or escalate the discussion. We have seen major EHR vendors and major cloud providers both push back on BAA terms, and we have seen them both capitulate when a client with the right consultant pushes back. You are the customer. You are allowed to negotiate.

Business associates also flow downstream. A subcontractor that handles your ePHI on behalf of your business associate is itself a business associate under the HITECH Act, and they need their own agreement. Part of our work is verifying that your business associates have BAAs in place with their subcontractors. This is the kind of detail that gets missed when HIPAA compliance is treated as a template exercise, and it is the kind of detail that matters enormously when a subcontractor experiences a breach that cascades upstream.

Breach Notification Readiness

The HIPAA Breach Notification Rule at 45 CFR 164.400 requires that you notify affected individuals, HHS, and in some cases the media within 60 days of discovering a breach of unsecured PHI. The clock starts on discovery, not on the date of the incident. The difference matters, because most breaches are discovered weeks or months after they happen. When the clock starts, most organizations are not ready. The contact list is stale. The notification letter has not been drafted. The call center is not stood up. The web-posting requirement for breaches affecting 500 or more individuals in a state is an afterthought. We see this pattern on every breach engagement we respond to.

As part of our HIPAA consulting program we build a breach notification runbook that includes the contact decision tree, the notification-letter templates pre-approved by your counsel, the vendor for call-center intake, the web-posting template, the HHS online submission process for Secretary notifications, and the media release template for breaches affecting 500 or more residents of a state or jurisdiction. We run a tabletop exercise at least annually to stress-test the runbook. We validate the list of affected-individual contact records is current. We confirm your cyber insurance carrier is on speed dial and knows the specific ePHI involved.

The biggest single mistake organizations make in breach response is talking to regulators before talking to counsel. The second biggest is sending notification letters that accidentally disclose more than required. We help you avoid both. Our incident-response workflow integrates with your legal team from hour one, and every communication that leaves your organization is reviewed for scope and content before it goes.

Who This Is For

Built For

  • Medical Practices
  • Dental Offices
  • Behavioral Health
  • Health IT Companies
  • Insurance Agencies
  • Billing Services
  • Cloud Hosting Providers

Virtual HIPAA Compliance Officer Services

Both the HIPAA Security Rule and the Privacy Rule require you to designate a Security Officer and a Privacy Officer. In small and mid-size organizations, the same person often holds both titles, and in very small organizations the practice owner fills the role by default whether or not they have any training. That arrangement almost always fails an audit. The officer role is not a nameplate. It comes with real responsibilities: maintaining policies and procedures, coordinating workforce training, responding to incidents, fulfilling individual rights requests, managing the accounting of disclosures, reviewing audit logs, overseeing the risk management process, and being the point of contact for HHS when a complaint comes in.

Petronella Technology Group offers a virtual Compliance Officer service for organizations that do not want to hire full-time for the role. We attend your compliance committee meetings, maintain your policy library, coordinate annual training delivery, receive and respond to individual rights requests, handle vendor BAA renewals, and track your risk register. When HHS or a state regulator has a question, they talk to us first. When a workforce member reports a suspected incident, we investigate and document. The service runs on a monthly retainer and is priced based on the size of your organization and the complexity of your environment. Every engagement includes unlimited access to the Petronella consulting team for ad-hoc questions.

We have been the virtual Compliance Officer for practices in North Carolina, South Carolina, Virginia, and Florida. The common thread across all of them is that the practice owner wants the peace of mind of a real HIPAA program without having to learn the regulations themselves. That is what the service is designed to provide.

Workforce Training and Policy Library

HIPAA requires you to train every workforce member on your policies and procedures with respect to PHI, to the extent necessary for them to perform their function. New hires have to be trained within a reasonable time after they start. Current workforce has to be re-trained when policies change materially. The rule does not specify a frequency for ongoing training, but annual training is the generally accepted standard and it is what most cyber insurance carriers now require as a condition of coverage. We build the training program, deliver it through the platform of your choice, track completion, and keep the evidence in a form an auditor can retrieve on request.

Standalone workforce training is also available for clients who already have a consulting relationship elsewhere but want our content. See our HIPAA training offering for details on the curriculum and delivery options.

The policy library is the other half of the training work. HIPAA compliance requires written policies and procedures covering 33 different topic areas spanning the administrative, physical, and technical safeguards plus the Privacy Rule. Most organizations we meet have either no policies at all, or they have policies that were copied from a template and never customized to match what they actually do. Neither of those situations survives an audit. Our policy library is built from the Security Rule and Privacy Rule text, customized to your environment, reviewed with your Security and Privacy Officers, and updated whenever the regulations change. The 2013 Omnibus Rule, the 2021 Information Blocking Rule from the 21st Century Cures Act, and the 2024 HIPAA Rule changes for reproductive healthcare privacy all require policy updates, and we handle those updates as part of the engagement.

Credentials, Footprint, and Why It Matters

Petronella Technology Group was founded in 2002 at 5540 Centerview Drive, Raleigh, North Carolina. We hold CMMC Registered Practitioner Organization status (RPO #1449, verifiable at cyberab.org/Member/RPO-1449-Petronella-Cybersecurity-And-Digital-Forensics) and our consulting team includes multiple CMMC-RP practitioners. Craig Petronella, the founder, holds CMMC-RP, CCNA, CWNE, and Licensed Digital Forensic Examiner certifications, the last registered as DFE number 604180. We carry a BBB A-plus rating continuously since 2003 and our team is listed in the North Carolina digital forensic examiner registry at forensicresources.org.

Those credentials matter because HIPAA compliance overlaps with other frameworks. Healthcare organizations under contract with federal agencies often need NIST 800-53 alignment. Defense-adjacent healthcare work can require CMMC certification. Organizations handling health research data can face FISMA obligations. When a consultant can only do HIPAA, the first time your contract environment changes you have to hire someone new. We cover the adjacent frameworks in-house, and our consulting engagement is designed to grow with your contract base.

The other reason credentials matter is incident response. If your HIPAA consultant also has forensic capability, then when an incident happens you are not handing off to a third party you have never met. Our team handles network forensics and crypto forensics in-house, with chain-of-custody procedures that have survived litigation. The same people who built your program are the ones who investigate when it fails. That continuity is uncommon in the market and it is one of the reasons clients stay with us.

Pricing is custom per engagement, determined by the number of workforce members, the number of systems in scope, the number of business associates, and whether you need ongoing virtual Compliance Officer services or a point-in-time risk analysis. We do not publish fixed package prices because the delta between a 10-person dental office and a 300-person behavioral-health network is too large to average. For a scoped quote, contact us or call (919) 348-4912 and we will schedule a free 15-minute intake with our team to understand your environment before we propose a fee.

FAQ

Frequently Asked Questions

What is the difference between a HIPAA consultant and compliance software?

Software generates templates and checklists. A consultant evaluates your specific environment, identifies real risks, and builds a remediation roadmap. Petronella Technology Group combines both through our consulting team and ComplianceArmor platform.

How long does a HIPAA compliance assessment take?

A comprehensive assessment typically takes 2-4 weeks depending on organization size and complexity. Remediation timelines vary from 3-6 months for most organizations.

Can Petronella serve as our virtual HIPAA Compliance Officer?

Yes. The Security Rule requires a designated Security Officer. Petronella can fill this role as a virtual compliance officer, handling policy management, risk assessments, training coordination, and incident response.

What is the most common HIPAA violation?

Failure to conduct a security risk assessment. OCR has cited inadequate risk analysis as the top violation in enforcement actions, with settlements exceeding $16 million (Anthem, 2018).

Does Petronella help with both covered entities and business associates?

Yes. We serve both categories. Since the HITECH Act, business associates face the same penalties as covered entities, making compliance equally critical for both.

Get Started

Concerned About HIPAA Compliance Gaps?

Our consultants will assess your current posture, identify vulnerabilities, and deliver a prioritized remediation plan.