The Privacy Office

Patient Privacy

HIPAA compliance, written down properly.

You run a practice. You sign business associate agreements you didn't draft. The last formal HIPAA training was a slide deck someone emailed you a few years ago.

The 2026 rule amendments are coming, and you don't know precisely what they require of you, or how the people who audit you will read them.

This is the lane that takes that off your desk.

What we deliver

  • HIPAA Security Risk Analysis. A defensible document built to the Security Rule's risk analysis standard (45 CFR 164.308(a)(1)(ii)(A)): an inventory of where ePHI lives, the threats and vulnerabilities that matter to it, and the likelihood and impact of each. Hand it to your malpractice carrier. Hand it to an auditor. Read it yourself and understand what it says.
  • Remediation Roadmap. A phased plan with costs and priorities. You decide what to do, when, and with whom. We can execute the technical pieces or hand them to your existing IT vendor.
  • Policy and Procedure Review. We check your written policies against what your practice actually does. Gaps get flagged in plain English.
  • Business Associate Agreement Review. Which vendors actually have a BAA on file. Which ones should. Which ones are out of date.
  • Workforce Training. Calendar, attestation tracking, and content the clinical team will actually sit through.
  • Ongoing Compliance Advisory. Optional. Quarterly check-ins, annual refresh, on-call guidance between visits.

Who this is for

Independent and small-group medical, dental, and behavioral health practices in Ventura County and the surrounding region. Two to ten providers, five to thirty total staff. Cloud EHR in place. Either no internal IT, or an IT company you only call when something breaks. Probably nudged here by a malpractice carrier, a payer questionnaire, or a peer's incident.

Who this is not for

Hospital systems. Large multi-specialty groups with an internal compliance officer. Anyone shopping for a cheap checklist. Anyone looking for a rubber stamp.

How we work

  1. Twenty-minute scoping call. No cost. We confirm whether your practice matches our profile and what phase to start with.
  2. Written proposal. Fixed fee, clear deliverables, defined timeline.
  3. Assessment. Two to four weeks of light-touch work. One or two on-site visits. Minimal disruption to clinical staff.
  4. Report and debrief. A walk-through of findings with the practice owner, plus a detailed report for whoever handles IT.
  5. Remediation. Your call. We execute or coordinate. Scope is yours.

The 2026 rule amendments

The proposed amendments to the HIPAA Security Rule (published by HHS as a proposed rule in early 2025, with finalization expected in 2026) would remove the distinction between "addressable" and "required" implementation specifications, making all of them required. Among the newly required items: multi-factor authentication, encryption of ePHI at rest and in transit, and a written risk analysis with defined content. A practice that meets today's bar by documenting why an addressable control was skipped will not meet the new one. The rule is still proposed, so the final text and compliance deadlines may shift, but the direction is clear and this is the right window to catch up.
