Services

HIPAA Compliance (HIPAA|360)

Privacy and security training, gap analysis, federal and state policy compliance including California CMIA. Part of the COMPLIANCE|360 bundle.

2025 NRC Recycler of the YearBundled in COMPLIANCE|360California direct service, nationwide consulting

Managed by Lisa Puckett, CSP · 2025 NRC Recycler of the Year · SWANA Vice Director · 20+ yrs in EH&S

Overview

HIPAA compliance is a continuing obligation, not a one-time certificate. Every covered entity, from a solo dental office to a multi-site clinic, has to satisfy three federal rules at once. The Privacy Rule governs how protected health information can be used and disclosed. The Security Rule requires administrative, physical, and technical safeguards for electronic PHI. The Breach Notification Rule sets the clock and the process for notifying patients, the government, and in larger breaches the media when that information is exposed. Most small practices are confident about the front-desk privacy basics and far less prepared for the Security Rule, which is where audits actually land.

The single most-cited gap in OCR enforcement is the Security Rule risk analysis required by 45 CFR 164.308(a)(1)(ii)(A). A risk analysis is not a checklist of whether you have a firewall. It is a documented assessment of every place electronic PHI lives, the threats to it, and the likelihood and impact of each, refreshed as your systems change. A vendor security questionnaire or a gap analysis does not satisfy it, and OCR has repeatedly said so when it issues penalties.

Bay Area Compliance runs the risk analysis for you, remediates the findings, writes the Privacy and Security policies your practice actually needs, trains your staff on schedule, and manages your Business Associate Agreements. Every assessment, policy, training record, and BAA lives in your NETZERO|360 dashboard, so when a patient complains or an auditor asks, your documentation is already organized and timestamped. HIPAA|360 is part of COMPLIANCE|360 at $360 per month, all-inclusive, with no fuel surcharges.

Built for

Who Uses This Service

Medical & dental practices

Primary care, specialty, and dental offices that handle PHI every day but rarely have a dedicated compliance officer. These practices carry the same HIPAA obligations as a hospital, and they are the most common target of OCR's small-provider enforcement.

Behavioral & mental health providers

Therapists, psychiatry groups, and substance-use programs whose records are among the most sensitive PHI there is. Many also fall under 42 CFR Part 2 and California CMIA, so their privacy controls and disclosure rules have to clear a higher bar than HIPAA alone.

Ambulatory surgery & dialysis centers

Surgery centers and dialysis clinics that move PHI across scheduling, anesthesia, billing, and referring physicians. The volume of ePHI and the number of connected systems make a documented, current Security Rule risk analysis essential.

FQHCs & community health centers

Federally qualified health centers and community clinics running multiple sites, sliding-scale billing, and grant reporting on shared systems. They need one consistent HIPAA program across every location, not a different binder at each front desk.

Billing companies, MSOs & RCM vendors

Revenue-cycle, billing, and management-services organizations that touch PHI on behalf of providers. As business associates they are directly liable under HIPAA and must run their own independent risk analysis, an obligation OCR began enforcing aggressively in 2025.

Health IT, lab & imaging partners

Software vendors, reference labs, imaging centers, and other downstream partners that create, receive, maintain, or transmit ePHI. Each link in the chain needs a signed BAA and safeguards that match the Security Rule, or the whole chain is exposed.

Included with your service

What’s Included

Every hipaa|360 contract bundles the operational service with the documentation regulators expect to see.

HIPAA Privacy Rule compliance

HIPAA Security Rule assessment

Annual staff privacy training

Business Associate Agreement management

Breach notification procedures

Risk assessment and remediation

California CMIA compliance

Documentation and policy templates

How it works

From signup to inspection-ready

  1. 1

    Security Rule risk analysis

    We inventory everywhere electronic PHI is created, received, stored, and transmitted across your practice, then assess the threats and vulnerabilities to each. This is the documented risk analysis required by 45 CFR 164.308(a)(1)(ii)(A), the exact deliverable OCR asks for first, not a generic checklist.

  2. 2

    Remediate gaps & write policies

    We turn the risk-analysis findings into a prioritized remediation plan and draft the Privacy and Security policies and procedures your practice is missing. You get tailored documents covering access controls, encryption, minimum necessary, sanctions, and contingency planning, not blank templates.

  3. 3

    Train your privacy & security staff

    Every workforce member receives role-appropriate HIPAA Privacy and Security training, with completion logged and dated. Training is refreshed annually and after material changes, and every record is retained so you can prove it on demand.

  4. 4

    Manage Business Associate Agreements

    We identify every vendor that touches your PHI, confirm a compliant BAA is in place per 45 CFR 164.308(b) and 164.502(e), and track renewals. Unsigned or expired BAAs are one of the quietest ways a practice inherits a downstream breach, so we close that gap and keep it closed.

  5. 5

    Ongoing monitoring & breach readiness

    HIPAA compliance is continuous, so we keep your risk analysis, policies, and training current as your systems change and stand up a breach-response plan before you need it. If an incident happens, you have a documented assessment and notification workflow ready to meet the Breach Notification Rule's deadlines.

Regulatory Framework

HIPAA compliance is not a single regulation, it is a stack of federal rules enforced by the HHS Office for Civil Rights, layered with stricter California law. A defensible program has to satisfy every one of them, with documentation to prove it.

HIPAA Privacy Rule

45 CFR Part 160 & Part 164, Subparts A and E

Sets the national standards for using and disclosing protected health information, the minimum-necessary principle, patient rights of access and accounting, and the Notice of Privacy Practices. Applies to every covered entity regardless of size.

HIPAA Security Rule

45 CFR Part 164, Subpart C

Requires administrative, physical, and technical safeguards for electronic PHI. The risk analysis at 164.308(a)(1)(ii)(A) is the cornerstone requirement and the single most-cited gap in OCR enforcement actions.

Breach Notification Rule

45 CFR 164.400 through 164.414

Requires notice to affected individuals without unreasonable delay and no later than 60 days after discovery, plus notice to HHS and, for breaches of 500 or more records, to the media. Larger breaches are posted publicly on the OCR portal.

Business Associate Requirements

45 CFR 164.308(b) and 164.502(e)

Requires a written Business Associate Agreement with any vendor that handles PHI on your behalf, and holds business associates directly liable, including their own duty to perform an independent Security Rule risk analysis.

HITECH Enforcement & Penalties

42 USC 1320d-5; 45 CFR Part 160, Subpart D

Establishes the four-tier civil monetary penalty structure OCR uses to assess HIPAA violations by level of culpability, along with OCR's authority to investigate complaints and conduct compliance audits.

California CMIA

California Civil Code 56 et seq.

The Confidentiality of Medical Information Act predates HIPAA and is stricter in several areas. It gives patients a private right of action to sue over improper disclosures (Civil Code 56.35 and 56.36), so when both laws apply, the more protective rule controls.

Penalty Warning

OCR penalties follow a four-tier structure based on culpability, from a violation the entity could not reasonably have known about up to willful neglect left uncorrected. Per-violation minimums escalate by tier, currently $145, $1,461, $14,602, and $73,011 for penalties assessed on or after January 28, 2026, with a maximum annual cap of $2,190,294 for all violations of an identical provision in a calendar year. These amounts are adjusted for inflation every year, and OCR has at times applied lower annual caps to the first three tiers under its enforcement discretion. In California, CMIA exposure stacks on top, including patient lawsuits and statutory damages per affected individual.

Frequently Asked Questions

Absolutely. HIPAA applies to every covered entity regardless of size. We scale our program to fit your practice, whether you have 3 employees or 300. Small practices often benefit the most because they typically lack dedicated compliance staff.

Ready to Simplify Your Compliance?

One vendor for waste disposal, training, and regulatory compliance across the Bay Area, led by the 2025 NRC Recycler of the Year. Get a free assessment today.

833-247-OSHAGet My Quote