Most HIPAA Vendors Sell You
A Rule That Isn't Law Yet.
We assess you against the Security Rule OCR actually enforces — the 2003 standards as amended by the 2013 Omnibus Final Rule. Risk analysis failures remain the #1 most-cited finding in OCR investigations, and in 2026 OCR expanded that enforcement initiative to cover risk management: what you actually did about what you found.
Legal Authority
Who Must Comply
The 2013 Omnibus Final Rule (78 FR 5566) implemented the HITECH Act and made business associates — and their subcontractors — directly liable for Security Rule compliance. The chain of liability runs all the way down.
Covered Entities
Providers, health plans, and clearinghouses that transmit health information electronically in connection with a covered transaction.
Business Associates
Any vendor that creates, receives, maintains, or transmits ePHI on behalf of a covered entity — IT firms, billing companies, cloud providers, MSPs.
Subcontractors
Any entity handling ePHI on behalf of a business associate. Post-Omnibus, you hold the BAA obligation — not your customer.
Healthcare SaaS
EHR vendors, telehealth platforms, and app developers whose products store, process, or transmit ePHI.
What The Rule Actually Requires
The 14 Documents
OCR Can Ask You For
Eighteen standards. Thirty-six implementation specifications — 14 Required, 22 Addressable. Six standards carry no implementation specification at all; you comply with the standard text itself. Here is how it maps to documents you actually have to produce.
| # | Policy Document | Satisfies (45 CFR) |
|---|---|---|
| 00 | Information Security Program (ISP) | §164.306(b),(d)(3),(e); §164.308(a)(2),(a)(8); §164.316 |
| 01 | Risk Management Policy | §164.306(a); §164.308(a)(1)(i),(ii)(A),(ii)(B) |
| 02 | Sanction Policy | §164.308(a)(1)(ii)(C); §164.530(e) |
| 03 | Audit, Logging & Activity Review Policy | §164.308(a)(1)(ii)(D); §164.312(b) |
| 04 | Workforce Security Policy | §164.308(a)(3) |
| 05 | Access Control Policy | §164.308(a)(4); §164.312(a),(d) |
| 06 | Security Awareness & Training Policy | §164.308(a)(5); §164.530(b) |
| 07 | Security Incident Response Policy | §164.308(a)(6) |
| 08 | Breach Notification Policy | §164.400–414 |
| 09 | Contingency Planning Policy | §164.308(a)(7) |
| 10 | Business Associate Management Policy | §164.308(b); §164.314(a); §164.502(e) |
| 11 | Facility & Workstation Security Policy | §164.310(a),(b),(c) |
| 12 | Device & Media Control Policy | §164.310(d) |
| 13 | Data Integrity & Transmission Security Policy | §164.312(c),(e) |
The Gap
What Most Practices
Actually Have
Training records. Maybe a BAA folder. Occasionally an old risk assessment the EHR vendor ran once. That is three of fourteen.
A checklist review of your policies is not a risk analysis. A vendor questionnaire is not a risk analysis. §164.308(a)(1)(ii)(A) requires an accurate and thorough assessment covering all ePHI, everywhere it is created, received, maintained, or transmitted — which means it starts with an asset inventory and a data-flow map, not a template.
What It Costs To Be Wrong
Civil monetary penalties, inflation-adjusted effective January 28, 2026.
| Tier | Culpability | Per Violation | Calendar-Year Cap |
|---|---|---|---|
| 1 | Did not know | $145 – $73,011 | $2,190,294* |
| 2 | Reasonable cause | $1,461 – $73,011 | $2,190,294* |
| 3 | Willful neglect, corrected | $14,602 – $73,011 | $2,190,294* |
| 4 | Willful neglect, uncorrected | $73,011 – $2,190,294 | $2,190,294 |
* OCR's April 2019 Notice of Enforcement Discretion applies substantially lower calendar-year caps to Tiers 1–3. It has never been rescinded, and the Federal Register schedule does not reflect it.
And the multiplier: under §160.406, a continuing violation is a separate violation for every day it persists. An unencrypted server is not one violation. It is one violation per day, per requirement.
Proposed — Not Yet Law
What's Coming.
And What Isn't.
Status: PROPOSED. Not enforced.
HHS published a Notice of Proposed Rulemaking on January 6, 2025 (90 FR 800, RIN 0945-AA22). The comment period closed March 7, 2025 with roughly 4,745 comments. OCR's regulatory agenda targeted a final rule for May 2026 — that window passed with nothing published. More than 100 hospital systems and provider associations have formally asked HHS to withdraw the proposal.
You cannot be out of compliance with a proposed rule. Any vendor telling you otherwise is selling you something. If a final rule issues, covered entities get 180 days and business associates get an additional 60. We will tell you the day it lands.
That said — every one of these proposed controls is good security, and several map directly to the failure modes behind the largest healthcare breaches on record. We treat them as a forward-looking roadmap. Never as a compliance finding.
MFA Everywhere Proposed
Today, §164.312(d) requires only that you verify a person is who they claim to be. MFA is not mandated. But in any honest risk analysis, its absence on remote and privileged access is a high-rated finding.
Asset Inventory Proposed
Not separately required today — but you cannot perform an "accurate and thorough" risk analysis under §164.308(a)(1)(ii)(A) without one. Build it regardless.
ePHI Network Map Proposed
Same reasoning. OCR expects your risk analysis to cover all ePHI wherever it lives, including at every business associate.
72-Hour Restoration Proposed
Today §164.308(a)(7)(ii)(A)–(C) requires a backup plan, disaster recovery plan, and emergency mode operation plan — with no stated time limit. Set your own RTO and defend it.
Mandatory Encryption Proposed
Encryption is addressable today under §164.312(a)(2)(iv) and (e)(2)(ii). Implement it, or document why not and deploy an equivalent alternative.
Scans & Pen Testing Proposed
No current mandate. §164.308(a)(8) requires a periodic technical and nontechnical evaluation — the method is yours to choose and justify.
How We Work
Find. Fix. Prove.
In 2026 OCR formally expanded its enforcement initiative beyond §164.308(a)(1)(ii)(A) risk analysis to include §164.308(a)(1)(ii)(B) risk management. Finding a gap is no longer the deliverable. Closing it, with a date attached, is.
Find
An enterprise-wide Security Risk Analysis structured to all nine elements of OCR's guidance — asset inventory, data-flow map, threat and vulnerability catalog, likelihood, impact, and risk determination.
Fix
A CISM · CISA · CRISC certified practitioner works the register down — policies, safeguards, BAAs, training — instead of handing you a PDF that tells you to figure it out.
Prove
Remediation is logged and timestamped. When OCR asks how you resolved a finding from eight months ago, you have an answer with a date on it.
Engagements
Scoped To Your Organization
Every practice has a different ePHI footprint, vendor chain, and starting point. We scope after we look. Call (941) 385-4261 or book a free Compliance Reality Check.
Start Here
Compliance Reality Check
- We walk the 14-document crosswalk against what you actually have
- Identify which Required implementation specifications are missing
- Flag any business associate operating without a conformant BAA
- Straight answer on scope and effort — no pitch deck
Most Requested
HIPAA Foundation Assessment
- Security Risk Analysis structured to OCR's nine elements
- Complete ePHI asset inventory and data-flow map
- Risk register — ranked risks, treatment decisions, owners, due dates
- §164.306(d)(3) Addressable Decision Log — all 22 specifications, in writing
- BAA gap review against §164.314(a)(2)(i) and §164.504(e)
- Information Security Program + Risk Management, Sanction, and Audit & Activity Review policies
- 90-day prioritized remediation roadmap
- Executive readout and full evidence package
- Three months of DSP HIPAA Comply™ included
Build It Out
Policy & Procedure Library
- All 13 policies mapped to the 18 Security Rule standards
- Supporting procedures and standards — access provisioning, break-glass, log review, media sanitization, backup and restore
- Policy-to-control crosswalk delivered as your own evidence index
- Workforce acknowledgment forms and sanction schedule
- Breach four-factor assessment form per §164.402
- Annual review calendar tied to §164.316(b)(2)(iii)
DSP HIPAA Comply™ Platform
Compliance Is Not
A One-Time Project
The assessment gets you a defensible baseline. The platform keeps it alive: risk assessment wizard, risk register, Business Associate registry, incident tracker, training records, policy library, and audit-ready reporting — every control mapped to its 45 CFR citation, with Required and Addressable specifications tracked separately.
BAA included on every tier · No setup fees · Cancel anytime
Free Resource
The HIPAA
Policy-to-Control Crosswalk
The 14 documents every covered entity and business associate must be able to hand OCR, and the exact regulation each one satisfies. One page. Built on the Security Rule as amended by the 2013 Omnibus Final Rule, not the proposed 2025 update.
Prepared by a CISM · CISA · CRISC certified consultant. Built on 45 CFR Part 164, Subpart C, as amended by the HIPAA Omnibus Final Rule, 78 FR 5566 (Jan. 25, 2013). Not legal advice, and not a substitute for a Security Risk Analysis.
Get instant access
Enter your details and the crosswalk unlocks immediately.
We'll only use this to send occasional HIPAA rule-change reminders. No spam, unsubscribe anytime, and we never sell your information.
Count How Many Of The 14 You Have
Most practices stop at three. Book a free 30-minute Compliance Reality Check and we'll walk your gaps line by line — no obligation, no pitch deck.