HIPAA Compliance Consulting

Protecting sensitive personal and medical information requires a
comprehensive HIPAA compliance program that is fully integrated
into the organization’s operations. 
Our preventative approach to HIPAA
compliance is based on decades of hands-on experience. We offer personalized
HIPAA compliance solutions, including program development, audits and
assessments, investigations, and comprehensive training.


HIPAA Consulting Services

Combining legal training with practical experience, our consultants have assisted clients with HIPAA compliance since the regulations were initially proposed in the late 1990s. Our experience has taught us that a “check-the-box” approach to HIPAA compliance is simply not sufficient.

INCompliance has an established reputation for assisting clients with the development of effective HIPAA compliance programs, conducting thorough, personalized audits and assessments of existing HIPAA compliance programs, and helping our clients execute effective breach investigation and remediation.

As a result of our proactive focus, our clients have experienced fewer investigations and violations than other covered entities. We are proud that virtually all of our clients facing complaints and investigations in the past have been able to resolve them expeditiously and have avoided costly penalties and enforcement actions.


When it comes to HIPAA compliance,

it’s not just a top-down or bottom-up approach that works – it’s both. Training is an essential catalyst for creating a culture of compliance. To this end, we offer meaningful training opportunities, both onsite and online, for our clients’ workforces, ensuring that HIPAA policies and procedures are fully understood by the workforce, and effectively executed.

Our training options include general HIPAA courses for the entire workforce, as well as in-depth courses for employees who are more closely involved in the day-to-day management of the organization’s HIPAA compliance program. We provide detailed training for HIPAA privacy officers specific to the key role they play in the compliance program, including management of the individual rights processes, oversight of the training program, and breach investigation, notification and remediation.


INCompliance’s approach to HIPAA compliance

is one of flexibility and scalability. We do not attempt to provide a “one size fits all” program or assessment, nor do we recommend a “cookie-cutter” solution for the wide array of entities that are subject to HIPAA. Our HIPAA consulting services are customized to best meet the needs of each client, based on its structure, size and the unique issues the client faces.

Development of Policies and Procedures

For clients who do not have written policies and procedures in place (which is the first step in developing a HIPAA compliance program), or for those who have policies and procedures that are out of date, are not being used or are not comprehensive or well-developed, we will create a complete, customized set of written policies and procedures and assist the client with the implementation of these policies and procedures. We also regularly create policy and procedure sets for entities operating as business associates.

Audit/Assessment of Existing HIPAA Compliance Programs

Our audits and assessments of privacy and/or security programs are typically conducted in three phases (though we are happy to work with clients on alternative structures). The first phase consists of familiarizing ourselves with the operations and philosophy of the organization and conducting a thorough desk audit of the organization’s written HIPAA policies, procedures and other relevant written documentation. The second phase is a comprehensive assessment of all aspects of the organization’s HIPAA compliance program, including an on-site audit of relevant day-to-day business practices to determine whether the policies have been operationalized and whether there are sufficient monitoring programs in place. Finally, in the third phase, we prepare a comprehensive final assessment report designed to assist the organization with correcting the compliance issues identified in the assessment and to achieve full compliance with the privacy and/or security regulations. We also offer best practices in our reports that the client may wish to implement. Each of these steps is tailored to meet the goals and needs of the client.

Breach Investigation

In the event that sensitive data is compromised, we know that time is of the essence. We work with our clients to quickly identify the source of the incident, analyze whether a reportable breach has occurred, assist with required notifications and implement remedial actions. We guide our clients through each step in this process to ensure that the breach is handled in a fully compliant manner, and that the organization is prepared should regulators choose to investigate the breach.

Online HIPAA Compliance and Audit Program

INCompliance offers a web-based online HIPAA self-assessment program. The program includes a detailed step-by-step process for developing a HIPAA compliance program, including templates for all required policies and documents, helpful tools and checklists. The program also includes five hours of consulting time with an INCompliance attorney-consultant, which may be used at the subscriber’s discretion.

Learn more about the HIPAA Compliance and Audit Program

HIPAA Section-by-Section

INCompliance’s HIPAA Section-by-Section resource eliminates the need to search through the Federal Register or review the Health and Human Services (HHS) website for updated HIPAA guidance. The HIPAA Section-by Section resource includes the full, unabridged text of each section of the federal HIPAA Privacy and Security Regulations coupled with the relevant commentary in an easy to read format, and the content is updated as the Regulations are amended or new guidance is issued.

Learn more about the HIPAA Section-by-Section Resource


Failure to terminate access of departing employee leads to HIPAA penalty
December 2018

HIPAA settlement highlights need for caution when speaking with media
November 2018

Lights, camera, HIPAA! HHS announces settlement related to “Boston Med”
August 2018

Judge upholds fourth largest HIPAA penalty of $4.3 million for Texas cancer center
June 2018

HHS reveals top 10 HIPAA compliance issues: Is your organization prepared for a government audit or investigation?
May 2018

Doctor pleads guilty to providing protected health information to drug maker
March 2018

Reminder: Notice of 2017 small HIPAA breaches due to HHS soon
February 2018

HIPAA enforcement actions highlight importance of maintaining and auditing security practices
April 2017

OIG publishes Resource Guide for measuring compliance program effectiveness
March 2017 

Are your HIPAA practices in sync with today’s technology? Three notable HIPAA enforcement actions in 2017
February 2017

OCR releases HIPAA guidance on cloud computing services
October 2016 

OCR announces new initiative to investigate HIPAA breaches affecting fewer than 500 individuals
August 2016

OCR launches HIPAA Phase 2 Audits and announces deadline and focus areas
July 2016

Failure to execute a BAA results in $1.55 million fine for Minnesota hospital system
March 2016

New guidance and information from OCR and ONC on patient access to medical information
March 2016

Could this be you? ALJ Upholds $239,000 HIPAA Penalty for Lincare, Inc.
February 2016 

HIPAA settlement with University of Washington Medicine highlights need for organization-wide risk analysis
December 2015 

Government brings HIPAA criminal charges against drug company employees
November 2015 

Anthem Announces Largest Ever Health Care Industry Cyber Attack
February 2015

Don’t Let This Be You: Provider Agrees to a $150,000 HIPAA Settlement in Potential Security Breach Matter
December 2014

HIPAA Back-to-Basics Bulletin Series: HIPAA Privacy Training
August 2014

Hospital System Discloses HIPAA Breach Affecting 4.5 Million Individuals
August 2014

$800,000 HIPAA Settlement in Alleged Medical Record Dumping Matter
June 2014

HHS Reports HIPAA Breaches Increased Substantially and Predicts More Enforcement in 2014
June 2014

HIPAA Back-too-Basics Bulletin Series: HIPAA Compliance in the Social Media Era
June 2014

HIPAA Back-to-Basics Bulletin Series: Roles and Key Functions of Privacy and Security Officers
May 2014

HIPAA Back-to-Basics Bulletin Series: PHI of Deceased Individuals and Sharing PHI with Family and Friends
April 2014

HHS Announces Second Round of HIPAA Audits
April 2014

HIPAA Back-to-Basics Bulletin Series: Security Risk Analysis
March 2014

HHS Announces First HIPAA Settlement with a County Government
March 2014

HHS Issues Guidelines on HIPAA and Sharing Information Related to Mental Health
February 2014

HIPPA Back-to-Basics Bulletin Series: Annual Breach Reporting Deadline March 1
February 2014

Analysis of Final HIPAA Omnibus Rule: Notice of Privacy Practices
February 2013

Analysis of Final HIPAA Omnibus Rule: Research, GINA, Hybrid Entities and Other Miscellaneous Provisions
February 2013

Analysis of Final HIPAA Omnibus Rule: Enforcement Provisions
February 2013

Analysis of the Final HIPAA Omnibus Rule: Individual Rights Regarding Restrictions and Access
February 2013

Business Associates and Business Associate Agreements
February 2013

HHS Releases New Sample HIPAA Business Associate Agreement
January 2013

Analysis of the Final HIPAA Omnibus Rule: Changes to Marketing, Sale of PHI and Fundraising Requirements
January 2013

Once More into the Breach: Major Changes in the HIPAA Breach Notification Requirements
January 2013

What You Will and Won’t Find In the Final Omnibus HIPAA Rule
January 2013

Final Omnibus HIPAA Rule Issued by HHS
January 2013 

OCR’s First-Ever Settlement for a Breach Affecting Fewer Than 500 People
January 2013 

New HIPAA Tools for Mobile Devices
December 2012 

Computer Viruses Pose Security and HIPAA Challenges
October 2012 

CMS Has HIPAA Breaches Too
October 2012 

Another Costly HIPAA Breach
September 2012

Protecting Multimedia PHI
August 2012

OCR HIPAA Audit Contractor Comments on First Round of Audits
July 2012

Despite What GAO Says – OCR has a Plan
HIPAA Audit Protocols and OCR’s Plan for Future HIPAA Audits
July 2012 

Office of Management and Budget Extends Review of Final HIPAA Regulations
June 2012

First Enforcement Action Under HITECH Breach Rules Results in $1.5M Settlement
March 2012

Hospital Pays $865,000 to Settle HIPAA Complaints
July 2011

Proposed Rule Modifies HIPAA’s Accounting of Disclosures Requirements
July 2011

HHS Announces Second Penalty for Violations of HIPAA Privacy Rule
February 2011

Civil Monetary Penalty for Violations of HIPAA Privacy Rule
February 2011

Final Guidance on HIPAA Security Rule Risk Analysis Released
August 2010

New HIPAA-HITECH Proposed Regulations Issued
July 2010

HHS Posts List of Reported HIPAA Breaches Affecting 500 or More Individuals
February 2010

Privacy and Security Compliance for a Children’s Hospital

We conducted an HHS “mock audit” of privacy and security compliance and continue to provide ongoing assistance with all aspects of the hospital’s HIPAA compliance program. The hospital felt that this exercise was truly valuable, as it confirmed that they have a strong HIPAA compliance program in place. Because we also identified areas where the documentation of their program could be better, they were able to gain valuable information and make necessary changes through a mock audit rather than an actual HHS audit.

Privacy Assessment for a Governmental Mental Health Agency

We performed a HIPAA privacy assessment for a large governmental agency charged with managing the mental health and substance abuse delivery system, processing claims and funding treatment providers. This organization was best categorized as a health plan for HIPAA purposes, although it also offered some programs which constituted treatment and educational programs, in addition to having some unique programs that were not covered by HIPAA, such as housing services. The assessment included an on-site visit, which was spread over several days, as well as a desk audit. At the conclusion of the engagement, we prepared an extensive, detailed report for the client that outlined the compliance risks and offered recommended solutions. We were subsequently retained under a separate engagement to assist the client with implementing our recommendations, including widespread revision of the written policies and procedures.

HIPAA Privacy Assessment for a Company which Provides Care Management Services

We performed a HIPAA privacy assessment for a company which provides certain care management services, acting as a business associate of health plans. This complex organization acted as both a provider, and a business associate of health plans. The assessment included an on-site visit and a desk audit. During the on-site visit, we identified several unique issues which arose as a result of their dual roles as provider and health plan business associate. At the conclusion of the engagement, we prepared an extensive, detailed report for the client that outlined the compliance risks and offered recommended solutions. We were able to establish a creative solution for one of the identified issues that allowed them to manage the issue without extensive restructuring of their operations.

HIPAA Privacy Assessment for a Benefits Management Company

We performed a HIPAA privacy assessment for a company which provided benefits management services for a limited category of benefits. This engagement included an on-site visit and a desk audit. During the on-site visit, we were able to identify, through employee interviews, practices that presented compliance risks, of which the privacy officer had been unaware prior to the assessment. At the conclusion of the engagement, we prepared an extensive, detailed report for the client that outlined the compliance risks and offered recommended solutions.

Privacy and Security Assessment with HHS Protocols for a Major University with a Medical School

We conducted a privacy and security assessment of all of the university’s health care components, utilizing the HHS protocols and our own checklists and forms. The audit included the university’s clinical operations, academic programs and employee and student health plans. According to the client, the audit was invaluable in assisting it in identifying covered functions and reviewing a myriad of unique issues related to the university’s various clinics, academic programs and health plans. The information provided during the process itself, as well as in report and recommendations, provided valuable guidance. Although the university had a robust compliance program in place prior to the audit, the university has made revisions and improvements to strengthen its HIPAA Privacy Compliance Program as a result of the audit recommendations. The university continues to refer to the report and recommendations as it adds new clinics and programs.

HIPAA Privacy Consulting for a Public Retirement System

INCompliance has provided HIPAA privacy consulting services to this organization for many years. We initially helped them review their overall operations (including their employee and retiree health plans) and determined which aspects of their operations were covered entities, reviewed current policies and practices with respect to the disclosure of information, and assisted with the development of new written HIPAA policies and procedures. We continue to regularly assist in analyzing issues as they arise. The organization is somewhat unique in that it is a public retirement system that offers health care coverage, in addition to pension benefits, to retirees, and it also offers an employee health plan to its employees. According to the client, our consultants’ knowledge and expertise have been very valuable in assisting them in sorting through their compliance obligations, in an environment that does not always easily fit into the traditional mold of a covered entity.

Ready to get started?

Upcoming Events

For More Information

See More

HIPAA Products

HIPAA Compliance and Audit Program

HIPAA Section-by-Section Resource

Stay Informed

Receive updates from our consultants regarding the latest compliance topics.

Contact Us

We're not around right now. But you can send us an email and we'll get back to you, asap.

Not readable? Change text.