Industry-Specific Compliance Notes (Healthcare-Adjacent)

If your consulting firm touches health data, you're a HIPAA business associate. Full stop. This means you face the same penalties as hospitals and insurers: $100 to $50,000 per violation, with annual maximums reaching $1.5 million per violation category. The Office for Civil Rights doesn't care that you're "just a consultant."

This guide covers what healthcare-adjacent firms actually need to implement. No theory. No "it depends." Just the specific controls, documentation, and technical configurations that pass audits.

You're a business associate if you handle Protected Health Information (PHI) while providing services to a covered entity. PHI means any health data tied to an identifiable person: names, dates of birth, medical record numbers, email addresses in patient communications, even IP addresses in health app logs.

You're definitely covered if you:

• Analyze patient satisfaction survey data containing names or member IDs
• Process billing records for healthcare providers
• Store or transmit electronic health records, even temporarily
• Provide IT services to hospitals, clinics, or health plans
• Build software that touches patient scheduling, billing, or clinical data

Common misconception: "We only see de-identified data." Unless you've applied the Safe Harbor method (removing 18 specific identifiers) or obtained a statistical expert's certification, your data isn't de-identified under HIPAA. Removing names isn't enough.

Before touching any PHI, you need a signed Business Associate Agreement (BAA) with your client. No BAA means no work. Period.

Your BAA must specify:

• Permitted uses and disclosures of PHI (be narrow: "billing analysis for Q1 2024" not "business purposes")
• Your obligation to implement administrative, physical, and technical safeguards
• Prohibition on using or disclosing PHI except as permitted
• Requirement to report breaches within 24-48 hours (negotiate this timeline)
• Your agreement to make PHI available to individuals upon request
• Return or destruction of PHI at contract termination

Critical clause to add: "Business Associate may use de-identified data for internal analytics and benchmarking purposes." Without this, you can't use insights from one client to improve services for others.

Get your BAA template reviewed by healthcare counsel. Generic online templates miss state-specific requirements and modern subcontractor provisions.

HIPAA requires an annual risk assessment. Here's the step-by-step process that satisfies auditors:

Step 1: Inventory all PHI touchpoints

• List every system, application, and database containing PHI
• Document physical locations (offices, data centers, employee homes)
• Map data flows: where PHI enters, how it moves, where it's stored, when it's destroyed

Step 2: Identify threats and vulnerabilities Use the NIST SP 800-30 framework. Document:

• Ransomware and malware risks
• Unauthorized access (internal and external)
• Loss or theft of devices
• Improper disposal
• Natural disasters affecting availability
• Vendor/subcontractor failures

Step 3: Assess current safeguards For each threat, document existing controls:

• Technical: encryption, access controls, audit logs, firewalls
• Administrative: policies, training, incident response plans
• Physical: locked server rooms, badge access, visitor logs

Step 4: Determine likelihood and impact Rate each risk as Low/Medium/High for both likelihood and impact. High-likelihood + High-impact risks require immediate remediation.

Step 5: Document remediation plan For each identified risk, specify:

• Mitigation action (implement MFA, encrypt laptops, update firewall rules)
• Responsible party
• Target completion date
• Residual risk after mitigation

Tool recommendation: Use Vanta, Drata, or Secureframe for automated evidence collection. Manual spreadsheets work but triple your audit prep time.

Vague "implement encryption" guidance fails audits. Here's what actually passes:

Encryption requirements:

• Data at rest: AES-256 encryption for all databases and file storage containing PHI
• Data in transit: TLS 1.2 or higher for all PHI transmissions (disable TLS 1.0 and 1.1)
• Laptops and mobile devices: Full-disk encryption (BitLocker for Windows, FileVault for Mac)
• Email: Use encrypted email gateway (Virtru, Zix, Paubox) or portal-based secure messaging

Access controls:

• Unique user IDs for every person accessing PHI (no shared accounts)
• Multi-factor authentication (MFA) required for all PHI system access
• Role-based access: grant minimum necessary permissions
• Automatic logoff after 15 minutes of inactivity
• Immediate access termination upon employee departure

Audit logging:

• Log all PHI access: user ID, timestamp, action taken, data accessed
• Retain logs for 6 years (HIPAA requirement)
• Review logs quarterly for unauthorized access patterns
• Alert on suspicious activity: after-hours access, bulk downloads, failed login attempts

Specific tool stack that works:

• Identity management: Okta or Azure AD with MFA enforced
• Endpoint protection: CrowdStrike or SentinelOne with EDR enabled
• Log management: Splunk, Datadog, or Sumo Logic with HIPAA-specific dashboards
• Backup: Veeam or Druva with encryption and 30-day retention minimum

You need written policies for these specific areas. Auditors will ask for them by name:

1. Security Management Process

• Risk assessment procedures (annual minimum)
• Risk management strategy
• Sanction policy for violations
• Information system activity review

2. Assigned Security Responsibility Name a specific person as your Security Officer. Include their contact information in your policies.

3. Workforce Security

• Authorization and supervision procedures
• Workforce clearance procedures (background checks for PHI access)
• Termination procedures (access revocation checklist)

4. Information Access Management

• Access authorization process
• Access establishment and modification procedures
• Isolating healthcare clearinghouse functions (if applicable)

5. Security Awareness and Training

• Training on malware protection
• Log-in monitoring procedures
• Password management training
• Security reminders (quarterly minimum)

Training frequency: Initial training upon hire, annual refresher training, and immediate training after any policy change or security incident.

Documentation requirement: Maintain training completion records for 6 years. Use an LMS (TalentLMS, Lessonly) to automate tracking.

A breach is unauthorized acquisition, access, use, or disclosure of PHI that compromises its security or privacy. The moment you discover a breach, you have 60 days to notify affected individuals.

Immediate actions (within 24 hours):

1. Contain the breach: disable compromised accounts, isolate affected systems
2. Notify your Security Officer and legal counsel
3. Notify the covered entity client (your BAA requires this)
4. Begin forensic investigation to determine scope

Breach assessment (within 5 days): Determine if the breach qualifies for the "low probability of compromise" exception. This requires documenting:

• Nature and extent of PHI involved
• Unauthorized person who accessed PHI
• Whether PHI was actually acquired or viewed
• Extent to which risk has been mitigated

If breach affects 500+ individuals:

• Notify OCR within 60 days via their online portal
• Notify prominent media outlets in affected states
• Post notice on your website for 90 days

If breach affects fewer than 500 individuals:

• Maintain internal log of breaches
• Submit annual notification to OCR (due by March 1 each year)

Notification content must include:

• Brief description of what happened
• Types of PHI involved
• Steps individuals should take to protect themselves
• What you're doing to investigate and prevent future breaches
• Contact information for questions

If you use any third-party tools that touch PHI, you need BAAs with those vendors.

Common vendors requiring BAAs:

• Cloud hosting: AWS, Azure, Google Cloud (all provide standard BAAs)
• Email: Google Workspace, Microsoft 365 (must enable HIPAA compliance features)
• Communication: Slack, Zoom (enterprise plans with BAA)
• Project management: Asana, Monday.com (if storing PHI in tasks)
• Analytics: Segment, Mixpanel (if tracking health app usage)
• CRM

  CRM

  Click to read the full definition in our AI & Automation Glossary.

  : Salesforce, HubSpot (if storing patient contact information)

Red flag vendors: Any vendor unwilling to sign a BAA cannot touch PHI. Find alternatives or architect your systems to exclude PHI from those tools.

Subcontractor oversight requirements:

• Annual review of subcontractor security practices
• Verification of their own HIPAA compliance program
• Incident notification procedures
• Right to audit their controls

Use this checklist every January to maintain compliance:

• [ ] Complete annual risk assessment and document findings
• [ ] Review and update all HIPAA policies (version control required)
• [ ] Conduct workforce training and document completion
• [ ] Review access controls and remove unnecessary permissions
• [ ] Test backup and disaster recovery procedures
• [ ] Review audit logs for previous 12 months
• [ ] Verify all BAAs with clients and vendors are current
• [ ] Update inventory of all PHI systems and data flows
• [ ] Review and test incident response plan
• [ ] Document all security incidents and breach assessments
• [ ] Submit annual breach report to OCR if applicable (due March 1)

OCR settles most cases without litigation. Recent settlements for business associates:

• $100,000: Small consulting firm, unencrypted laptop stolen from car
• $387,200: Analytics company, failed to conduct risk assessment for 3 years
• $2.3 million: IT services firm, inadequate access controls and no audit logs
• $6.85 million: Cloud storage provider, delayed breach notification

State attorneys general can also pursue enforcement. California, Massachusetts, and New York are particularly aggressive.

Beyond fines, expect 12-24 months of corrective action plans with quarterly reporting to OCR. Budget $50,000-$150,000 in legal and consulting fees for breach response.

HIPAA compliance for consulting firms requires three things: signed BAAs before touching data, documented technical controls that actually work, and annual proof you're maintaining those controls.

Start with the risk assessment. It forces you to inventory where PHI lives and identify gaps. Then implement the technical safeguards in order: encryption, access controls, audit logging. Finally, document your policies and train your team.

Budget 40-60 hours for initial compliance setup if you're starting from zero. Annual maintenance requires 20-30 hours plus training time.

The alternative is explaining to your malpractice carrier why you didn't have a BAA in place when the breach happened.