Services
HIPAA Compliance (HIPAA|360)
Privacy and security training, gap analysis, federal and state policy compliance including California CMIA. Part of the COMPLIANCE|360 bundle.
Managed by Lisa Puckett, CSP · 2025 NRC Recycler of the Year · SWANA Vice Director · 20+ yrs in EH&S
Overview
HIPAA compliance is a continuing obligation, not a one-time certificate. Every covered entity, from a solo dental office to a multi-site clinic, has to satisfy three federal rules at once. The Privacy Rule governs how protected health information can be used and disclosed. The Security Rule requires administrative, physical, and technical safeguards for electronic PHI. The Breach Notification Rule sets the clock and the process for notifying patients, the government, and in larger breaches the media when that information is exposed. Most small practices are confident about the front-desk privacy basics and far less prepared for the Security Rule, which is where audits actually land.
The single most-cited gap in OCR enforcement is the Security Rule risk analysis required by 45 CFR 164.308(a)(1)(ii)(A). A risk analysis is not a checklist of whether you have a firewall. It is a documented assessment of every place electronic PHI lives, the threats to it, and the likelihood and impact of each, refreshed as your systems change. A vendor security questionnaire or a gap analysis does not satisfy it, and OCR has repeatedly said so when it issues penalties.
Bay Area Compliance runs the risk analysis for you, remediates the findings, writes the Privacy and Security policies your practice actually needs, trains your staff on schedule, and manages your Business Associate Agreements. Every assessment, policy, training record, and BAA lives in your NETZERO|360 dashboard, so when a patient complains or an auditor asks, your documentation is already organized and timestamped. HIPAA|360 is part of COMPLIANCE|360 at $360 per month, all-inclusive, with no fuel surcharges.
Built for
Who Uses This Service
Medical & dental practices
Primary care, specialty, and dental offices that handle PHI every day but rarely have a dedicated compliance officer. These practices carry the same HIPAA obligations as a hospital, and they are the most common target of OCR's small-provider enforcement.
Behavioral & mental health providers
Therapists, psychiatry groups, and substance-use programs whose records are among the most sensitive PHI there is. Many also fall under 42 CFR Part 2 and California CMIA, so their privacy controls and disclosure rules have to clear a higher bar than HIPAA alone.
Ambulatory surgery & dialysis centers
Surgery centers and dialysis clinics that move PHI across scheduling, anesthesia, billing, and referring physicians. The volume of ePHI and the number of connected systems make a documented, current Security Rule risk analysis essential.
FQHCs & community health centers
Federally qualified health centers and community clinics running multiple sites, sliding-scale billing, and grant reporting on shared systems. They need one consistent HIPAA program across every location, not a different binder at each front desk.
Billing companies, MSOs & RCM vendors
Revenue-cycle, billing, and management-services organizations that touch PHI on behalf of providers. As business associates they are directly liable under HIPAA and must run their own independent risk analysis, an obligation OCR began enforcing aggressively in 2025.
Health IT, lab & imaging partners
Software vendors, reference labs, imaging centers, and other downstream partners that create, receive, maintain, or transmit ePHI. Each link in the chain needs a signed BAA and safeguards that match the Security Rule, or the whole chain is exposed.
Included with your service
What’s Included
Every hipaa|360 contract bundles the operational service with the documentation regulators expect to see.
HIPAA Privacy Rule compliance
HIPAA Security Rule assessment
Annual staff privacy training
Business Associate Agreement management
Breach notification procedures
Risk assessment and remediation
California CMIA compliance
Documentation and policy templates
How it works
From signup to inspection-ready
- 1
Security Rule risk analysis
We inventory everywhere electronic PHI is created, received, stored, and transmitted across your practice, then assess the threats and vulnerabilities to each. This is the documented risk analysis required by 45 CFR 164.308(a)(1)(ii)(A), the exact deliverable OCR asks for first, not a generic checklist.
- 2
Remediate gaps & write policies
We turn the risk-analysis findings into a prioritized remediation plan and draft the Privacy and Security policies and procedures your practice is missing. You get tailored documents covering access controls, encryption, minimum necessary, sanctions, and contingency planning, not blank templates.
- 3
Train your privacy & security staff
Every workforce member receives role-appropriate HIPAA Privacy and Security training, with completion logged and dated. Training is refreshed annually and after material changes, and every record is retained so you can prove it on demand.
- 4
Manage Business Associate Agreements
We identify every vendor that touches your PHI, confirm a compliant BAA is in place per 45 CFR 164.308(b) and 164.502(e), and track renewals. Unsigned or expired BAAs are one of the quietest ways a practice inherits a downstream breach, so we close that gap and keep it closed.
- 5
Ongoing monitoring & breach readiness
HIPAA compliance is continuous, so we keep your risk analysis, policies, and training current as your systems change and stand up a breach-response plan before you need it. If an incident happens, you have a documented assessment and notification workflow ready to meet the Breach Notification Rule's deadlines.
Regulatory Framework
HIPAA compliance is not a single regulation, it is a stack of federal rules enforced by the HHS Office for Civil Rights, layered with stricter California law. A defensible program has to satisfy every one of them, with documentation to prove it.
HIPAA Privacy Rule
45 CFR Part 160 & Part 164, Subparts A and E
Sets the national standards for using and disclosing protected health information, the minimum-necessary principle, patient rights of access and accounting, and the Notice of Privacy Practices. Applies to every covered entity regardless of size.
HIPAA Security Rule
45 CFR Part 164, Subpart C
Requires administrative, physical, and technical safeguards for electronic PHI. The risk analysis at 164.308(a)(1)(ii)(A) is the cornerstone requirement and the single most-cited gap in OCR enforcement actions.
Breach Notification Rule
45 CFR 164.400 through 164.414
Requires notice to affected individuals without unreasonable delay and no later than 60 days after discovery, plus notice to HHS and, for breaches of 500 or more records, to the media. Larger breaches are posted publicly on the OCR portal.
Business Associate Requirements
45 CFR 164.308(b) and 164.502(e)
Requires a written Business Associate Agreement with any vendor that handles PHI on your behalf, and holds business associates directly liable, including their own duty to perform an independent Security Rule risk analysis.
HITECH Enforcement & Penalties
42 USC 1320d-5; 45 CFR Part 160, Subpart D
Establishes the four-tier civil monetary penalty structure OCR uses to assess HIPAA violations by level of culpability, along with OCR's authority to investigate complaints and conduct compliance audits.
California CMIA
California Civil Code 56 et seq.
The Confidentiality of Medical Information Act predates HIPAA and is stricter in several areas. It gives patients a private right of action to sue over improper disclosures (Civil Code 56.35 and 56.36), so when both laws apply, the more protective rule controls.
Penalty Warning
OCR penalties follow a four-tier structure based on culpability, from a violation the entity could not reasonably have known about up to willful neglect left uncorrected. Per-violation minimums escalate by tier, currently $145, $1,461, $14,602, and $73,011 for penalties assessed on or after January 28, 2026, with a maximum annual cap of $2,190,294 for all violations of an identical provision in a calendar year. These amounts are adjusted for inflation every year, and OCR has at times applied lower annual caps to the first three tiers under its enforcement discretion. In California, CMIA exposure stacks on top, including patient lawsuits and statutory damages per affected individual.
Frequently Asked Questions
Absolutely. HIPAA applies to every covered entity regardless of size. We scale our program to fit your practice, whether you have 3 employees or 300. Small practices often benefit the most because they typically lack dedicated compliance staff.
Ready to Simplify Your Compliance?
One vendor for waste disposal, training, and regulatory compliance across the Bay Area, led by the 2025 NRC Recycler of the Year. Get a free assessment today.