HIPAA isn't optional.
Neither is the AI your team is already using on patient data.
We do HIPAA security and AI governance for the practices, clinics, and groups that need to keep both the patient and the auditor safe — without turning your clinical staff into part-time compliance officers.
Three places we usually find people.
If one of these sounds familiar, you're not behind. You're somewhere along the path most healthcare organizations are walking right now — usually right after a vendor email, an insurance renewal, or an incident.
AI showed up at your practice before the policy did.
An AI scribe vendor sent you a BAA and a quote. Some of your clinicians have started using it on their own. The medical assistants are pasting visit summaries into ChatGPT to "clean them up." You don't want to ban it — they like it, and the documentation is genuinely better — but nobody's running point on whether any of it's compliant.
Your HIPAA documentation hasn't aged well.
A risk analysis from three years ago, in a PDF nobody can find. Policies that mention staff who left. A BAA folder with maybe half the vendors actually in it. You know "we have HIPAA" isn't a real answer if OCR comes calling — and that the cyber insurance carrier is starting to ask the same question, with more teeth.
Cyber insurance wants proof. Your renewal is in 90 days.
The questionnaire grew again. The exclusions multiplied. The premium jumped, and the broker is hinting that the answer to one of those questions has to change — or the carrier walks. You need the documentation to back up the answers, and you need it before the renewal calendar runs out.
Six concrete pieces of work. Done in plain language.
Compliance vendors love acronyms. Auditors love evidence. Patients want their care to keep working. We translate between all three.
HIPAA Risk Analysis & Management Plan.
The §164.308 requirement OCR cites in nearly every enforcement action. We do the real version — threats specific to your environment, evaluated by likelihood and impact, with a Risk Management Plan that drives actual fixes.
AI tool governance.
Which scribes, copilots, and assistants your team can actually use. What BAAs you actually need from each vendor. How to document the call so the next risk analysis doesn't have to start from zero. And how to say no when the right answer is no.
Business Associate Agreement program.
A real vendor inventory: the BAAs that matter, the BAAs that are missing, and the vendors quietly handling PHI without one. We get the agreements signed, tracked, and reviewed annually — not stacked in a folder somewhere.
Breach response & notification.
When something happens at 3 AM Sunday, we're the people who answer. We've made the OCR calls. We've drafted the patient letters. We know the 60-day clock — and the exceptions. You don't want to be reading the regulation while it's running.
Workforce training & sanctions.
Annual training that's actually informative — not 90 minutes of clicking. A sanctions policy that holds up when something goes wrong, and a documentation trail your auditor can read. Built for clinical teams that don't have time for theater.
Cyber insurance renewal support.
Answering the questionnaire so the answers are accurate and the renewal happens. With documentation that backs each line. We've sat in calls with brokers and underwriters — we know which answers earn the renewal and which trigger more questions.
Three things you won't get from a generic IT shop.
We've sat across from OCR.
Calls about complaints, audits, breach responses. We know the questions before they're asked, the cadence the regulators use, and the evidence that holds up. Most IT vendors have read about HIPAA enforcement. We've been on the calls.
We design controls that survive a busy Tuesday.
Most security gets ignored because it gets in the way of patient care. We work with your clinical staff, not around them — and the controls we put in place are the ones that don't make your medical assistants want to throw their laptops out a window. Compliance that breaks workflow doesn't last.
We bid against the actual scope, not the hopeful scope.
Healthcare environments are messier than the diagrams suggest. Old systems nobody can replace. Vendors who showed up before BAAs were a thing. Specialty equipment talking to a server under a desk. We size to the reality, tell you what we found, and propose the work that closes the actual gaps.
The questions healthcare leaders actually ask us.
Bring better questions to the readiness call and we'll go further. These are the starters.
Does HIPAA apply to AI tools?
What's a "real" risk analysis vs. a checklist?
When do I need to report a breach?
Is encryption mandatory?
Do I need a BAA with my AI scribe vendor?
What does this actually cost?
Three ways in. Pick what fits.
No qualifying call before the qualifying call. Each path is real, each one's free or fixed-fee, each ends with you having a better answer than you walked in with.
HIPAA readiness call.
Bring your last risk analysis, your AI vendor list, your insurance renewal deadline, your questions. We'll tell you where the real gaps are, what's likely to surface in an audit, and roughly what it'll cost to get to a defensible posture.
Schedule the call →
Take the AI Readiness Scorecard.
Especially relevant for healthcare — AI scribes and copilots are the new HIPAA exposure. Twelve questions, a real grade, no email gate. Useful even if you're not asking AI questions yet — your staff probably is.
Start the Scorecard →
Read about the Exposure Report.
Same engagement style we'd run for a HIPAA pre-assessment, applied to AI exposure. Worth a look if you want to see how we run paid diagnostics — and to gauge fit before the call.
See deliverables →