Updated May 2026: This article was rewritten and refreshed for accuracy and relevance.

Beware of 'One-Size-Fits-All' Promises

A vendor approaches your medical practice or healthcare organization with an offer: complete HIPAA compliance for a flat monthly fee. The pitch is straightforward — pay once, check the box, move on. For busy healthcare administrators managing dozens of operational priorities, this sounds attractive.

The problem is that HIPAA compliance doesn't work that way, and vendors who sell it as a fixed-cost product are either misrepresenting what compliance requires or providing a program so shallow it won't protect you when OCR investigates. In 2024, OCR levied a $240,000 civil monetary penalty against Providence Medical Institute for failing to restrict access to electronic protected health information and lacking a business associate agreement — controls that any legitimate compliance program would have addressed. In 2023, L.A. Care Health Plan paid $1.3 million to settle findings that included risk analysis failures and inadequate security controls. These aren't edge cases; they reflect what OCR actually finds when it investigates.

Why HIPAA Cannot Be a One-Time Fix

HIPAA compliance is a continuous operational requirement, not a certification you earn and hold. The HIPAA Security Rule mandates ongoing risk analysis — not an assessment you conduct once and file away. As your organization's technology environment changes, as staff turn over, as threat actors develop new attack methods, your risk profile changes with it. OCR's current enforcement initiative specifically targets risk analysis failures, and it has resulted in multiple fines in 2024 and 2025 against organizations that conducted inadequate or outdated assessments.

Legitimate HIPAA compliance programs require:

    • Regular security risk analyses that reflect your current environment

    • Updated policies and procedures as regulations and your operations evolve

    • Ongoing staff training — not a one-time module at onboarding

    • Continuous monitoring for security incidents and access anomalies

    • Business associate agreements (BAAs) with every vendor that handles protected health information, reviewed when those relationships change

A vendor charging a flat fee for all of this is either cutting corners on every item or charging you for work they're not actually doing. Either way, you bear the liability when OCR investigates.

Red Flags in Fixed-Cost HIPAA Offers

When evaluating any HIPAA compliance vendor, watch for these warning signs:

    • Lifetime or permanent compliance guarantees. No vendor can promise that completing their program makes you permanently compliant. HIPAA requirements evolve — OCR proposed significant Security Rule updates in December 2024 — and your compliance posture must evolve with them.

    • No assessment of your specific environment. A vendor who quotes a fixed price before understanding your organization's size, systems, data flows, and existing controls cannot be building a program that fits your risk profile. Generic programs leave gaps specific to your situation unaddressed.

    • Vague or absent service agreements. Legitimate compliance providers give you detailed contracts specifying what they will do, how often, and what constitutes successful delivery. If the contract is broad and the deliverables are undefined, the program is likely hollow.

    • No ongoing monitoring component. If the vendor's program ends at policy document delivery, it isn't a compliance program — it's paperwork. Real compliance requires detecting and responding to security incidents, which means ongoing monitoring.

What Real HIPAA Compliance Looks Like

A credible HIPAA compliance engagement starts with a thorough risk analysis of your current environment — identifying where protected health information lives, who can access it, what controls are in place, and where the gaps are. From there, it produces a remediation plan prioritized by risk level, not a generic checklist.

Ongoing compliance then requires:

    • Annual (at minimum) risk analyses, updated when significant changes occur

    • Security incident tracking and response procedures

    • Staff training updated to reflect current threats — not a recycled module from three years ago

    • BAA management — executed agreements with all vendors handling PHI, with documentation that those agreements are current

    • Documentation demonstrating that you identified risks, addressed them, and monitored the results — the paper trail OCR looks for when investigating

The organizations that fare worst in OCR investigations are those that believed their compliance vendor had handled everything. The ones that fare best have documented evidence that they took the requirements seriously and addressed gaps as they found them.

Work with a Compliance Partner Who Shows You the Work

Stratify IT provides HIPAA compliance services built around your organization's specific risk profile — starting with a risk analysis, developing a remediation plan with defined priorities, implementing required security controls, and maintaining the ongoing monitoring and documentation that demonstrates compliance over time.

Contact us to discuss where your organization stands, or explore our compliance services to see how we structure HIPAA engagements that hold up under scrutiny.

Stratify IT — HIPAA compliance that documents the work, not just the checkbox.

Frequently Asked Questions

OCR investigations are typically triggered by breach reports, patient complaints, or news coverage — not random audits. That said, OCR has run two rounds of Phase 2 desk audits and continues targeted enforcement initiatives. Any breach affecting 500 or more individuals requires notification to OCR and gets added to their public 'Wall of Shame,' which effectively puts your organization on their radar. Smaller organizations are not exempt; OCR has fined solo practices and small clinics.

It depends heavily on organization size, the number of locations, how much PHI you handle, and your existing IT infrastructure. A small practice might spend $10,000–$25,000 annually on a credible program including risk analysis, policy management, workforce training, and incident response planning. Larger health systems spend considerably more. If a vendor quotes you a flat $299 or $499 per month with no scoping conversation, that's the red flag — real compliance work requires knowing your environment first.

Request documentation of your most recent risk analysis — a real one, not a checklist. It should identify specific threats to your systems, assess likelihood and impact, and produce a prioritized remediation plan. Then check whether you have current, signed business associate agreements with every vendor touching PHI. If either of those is missing or vague, your program has gaps OCR would likely find. You don't need to fire the vendor immediately, but you need to know what's actually been done.

No. A business associate agreement with your EHR vendor establishes their responsibilities, but your organization remains liable for its own compliance obligations — including risk analysis, workforce training, access controls, and incident response. If a breach occurs because your staff reused passwords or you never configured audit logging, that's on you regardless of what the vendor's BAA says. The BAA allocates responsibility; it doesn't transfer your accountability to someone else.

A general IT security assessment evaluates your infrastructure against frameworks like NIST or CIS Controls. A HIPAA risk analysis has a specific legal definition under 45 CFR 164.308(a)(1) — it must identify risks to the confidentiality, integrity, and availability of ePHI specifically, assess the probability and magnitude of those risks, and inform your security management process. Many vendors conflate the two. OCR has explicitly said that a vulnerability scan or penetration test alone does not satisfy the risk analysis requirement.

A BAA establishes that the vendor acknowledges their role in handling PHI and accepts certain regulatory obligations. But a poorly drafted BAA — one that's vague about breach notification timelines, doesn't specify permissible uses of PHI, or was signed years ago and never updated — offers thin protection. OCR has cited BAA failures in enforcement actions, including the Providence case mentioned in this article. The existence of a BAA matters, but so does its substance and whether it reflects your current relationship with the vendor.

Sharad Suthar

Sharad has a proven track record of delivering successful IT projects underpinned by creative problem-solving and strategic thinking. He brings an extraordinary combination of in-depth technical knowledge, problem-solving skills, and dedication to client satisfaction that enables him and his team at Stratify IT to deliver optimal IT solutions tailored to the specific needs of each organization, from large corporates to small businesses. His impeccable attention to detail and accuracy ensure that his clients get the best possible results.