The Final Action on the HIPAA Security Rule NPRM is scheduled for May 2026. We are actively monitoring these changes and aligning our process with the final requirements. We recommend getting started early so your documentation is completed and ready when the updated rule takes effect, as we expect to be temporarily saturated during this time.
No. We will not access any of your systems or PHI, and we will not operate as a business associate under a business associate agreement (BAA). Instead, we provide guides on exactly how to implement our recommended safeguards, along with limited support.
Unfortunately, cybersecurity risk cannot be fully eliminated, so security cannot be guaranteed. Our recommendations are based on the information provided by each practice and are designed to align with the HIPAA Security Rule.
Implementation and maintenance of safeguards and procedures are the responsibility of the practice. Because of this, we cannot guarantee compliance or prevent all security incidents.
Our role is to provide a structured, practical framework to help you align with security requirements efficiently, while you retain control over your systems and operations.
Our documentation is mapped to the HIPAA Security Rule (45 CFR § 164 Subpart C) to support alignment. A detailed crosswalk is available upon request.
Our service costs less than typical services, and we do most of the work for you. To offer it at that price, we are designed to operate efficiently. Because of this, our service may not be the best fit for:
Practices with uncommon or complex cybersecurity models (large number of devices/unique systems, etc.)
Practices wishing us to directly implement safeguards for them
Practices wanting a comprehensive assessment or the most stringent security controls possible
Practices preferring communication by phone call rather than by email
Regulated entities must comply with the HIPAA Security Rule regardless of their size. The intent of the rule is to require safeguards that protect the confidentiality, integrity and availability of your clients' PHI in a world of growing cyberattacks.
In many cases, audits and enforcement actions are triggered by data breaches or complaints. Lack of a proper risk assessment, safeguards, and documentation can significantly increase the risk of heavy penalties.
When properly implemented and maintained, our approach significantly reduces risk and supports alignment with the HIPAA Security Rule.
You may request a full refund at any point before we begin generating your documentation. Once active work has begun in the background, you may request a partial refund. Once we have finished our work and provided you with the drafted documentation, you may request reasonable corrections within a 30-day window.
I'm a Software Quality Engineer with a Master's degree in Computer Science working in the medical device industry. Part of my work focuses on performing software and cybersecurity risk management and developing related procedures under FDA guidance and standards like IEC 62304 and ISO 14971.
My background includes hands-on experience with cybersecurity concepts through formal coursework and practical exercises, but more importantly, I work in a regulated environment where security risks must be systematically identified, documented, and mitigated. This includes building and reviewing systems in regulated environments where risk management, documentation, and audit readiness are critical. I apply that same structured, risk-based approach to help small practices implement practical, HIPAA-aligned safeguards. I am currently preparing for the CISA (Certified Information Systems Auditor) certification, with a focus on risk assessment and compliance.