Scope

  • Annual ePHI risk assessment and quarterly security review cadence
  • HIPAA Security Rule compliance monitoring, documentation upkeep, and policy review
  • Business associate oversight, workforce awareness support, and incident response advisory
  • Virtual security officer guidance, executive reporting, and roadmap planning

Objectives

  • Maintain ongoing HIPAA Security Rule compliance support between major assessments.
  • Perform an annual ePHI risk assessment covering administrative, physical, and technical safeguards.
  • Maintain and periodically update a practical risk register and remediation roadmap.
  • Review remediation progress, incidents, major technology changes, vendor changes, and workforce changes on a recurring basis.
  • Track documentation, policy review cycles, control validation efforts, and safeguard maturity at a practical level.
  • Support business associate inventory review, agreement tracking, and vendor risk discussions.
  • Provide annual HIPAA security awareness support, incident reporting guidance, and phishing awareness education.
  • Provide leadership with recurring advisory support, compliance consultation, and security roadmap planning.
  • Produce recurring program artifacts such as assessment reports, risk updates, policy review documentation, training records, and executive reporting.

Pricing

Program tiers

Compare the ongoing support tiers to see which level of recurring HIPAA security guidance fits your pace, structure, and oversight needs.

Essential

Foundational HIPAA Security Rule support for organizations that need recurring oversight without a retained advisory model.

Starting at $499/month
  • Annual ePHI Risk Assessment
  • Annual Policy Review
  • Quarterly Check-ins
  • Compliance Dashboard
Premium

Embedded advisory support for organizations that need executive reporting, strategic planning, and deeper retained guidance.

Starting at $5,000+/month
  • Everything in Professional
  • Dedicated vISO Hours
  • Vendor Security Reviews
  • Incident Response Advisory
  • Board/Leadership Reporting
  • Strategic Security Roadmap
Full details

Managed HIPAA Security Program

Overview

The Managed HIPAA Security Program provides ongoing cybersecurity and HIPAA Security Rule support for healthcare organizations that need continuous guidance, risk management, and compliance oversight. The program is designed to supplement existing IT providers while helping organizations maintain compliance, reduce risk, and improve their overall security posture.

The service combines periodic reviews, compliance management, security advisory services, and risk monitoring into a predictable monthly engagement.


Program Objectives

The Managed HIPAA Security Program helps organizations:

  • Maintain HIPAA Security Rule compliance
  • Reduce the likelihood of data breaches and ransomware incidents
  • Demonstrate due diligence during audits and investigations
  • Identify and address emerging security risks
  • Maintain current security documentation
  • Provide leadership with visibility into cybersecurity risks
  • Establish a repeatable security governance process

Scope of Services

1. Annual ePHI Risk Assessment

Conduct a comprehensive annual assessment of risks to electronic Protected Health Information (ePHI).

Activities include:

  • Review of administrative safeguards
  • Review of technical safeguards
  • Review of physical safeguards
  • Risk identification and analysis
  • Likelihood and impact scoring
  • Risk register development
  • Executive summary report
  • Remediation roadmap

Deliverables:

  • Annual Risk Assessment Report
  • Risk Register
  • Executive Summary
  • Remediation Plan

2. Quarterly Security Reviews

Conduct quarterly reviews to evaluate security posture and compliance progress.

Activities include:

  • Review remediation status
  • Review security incidents
  • Review major technology changes
  • Review vendor additions or changes
  • Review workforce changes
  • Update risk register as necessary

Deliverables:

  • Quarterly Security Review Report
  • Updated Risk Register

3. HIPAA Security Rule Compliance Monitoring

Provide ongoing oversight of Security Rule requirements.

Activities include:

  • Policy review schedule management
  • Documentation review
  • Compliance gap identification
  • Security control validation
  • Safeguard maturity tracking

Deliverables:

  • Compliance Status Dashboard
  • Gap Tracking Report

4. Security Policy Management

Review and maintain required security documentation.

Typical policies include:

  • Information Security Policy
  • Access Control Policy
  • Password Policy
  • Incident Response Policy
  • Workforce Security Policy
  • Business Associate Management Policy
  • Data Retention Policy
  • Mobile Device Policy

Deliverables:

  • Policy Library
  • Annual Policy Review Documentation

5. Business Associate Oversight

Assist with vendor and Business Associate management.

Activities include:

  • Vendor inventory review
  • Business Associate Agreement tracking
  • Security questionnaire review
  • Vendor risk discussions

Deliverables:

  • Business Associate Inventory
  • Vendor Risk Register

6. Security Awareness Program

Provide workforce security awareness support.

Activities include:

  • Annual HIPAA Security training
  • Security awareness materials
  • Phishing awareness guidance
  • Incident reporting education

Deliverables:

  • Training Records
  • Security Awareness Materials

7. Incident Response Advisory

Provide guidance during security incidents.

Activities include:

  • Initial incident consultation
  • Breach assessment support
  • Documentation guidance
  • Coordination recommendations

Deliverables:

  • Incident Documentation Templates
  • Advisory Support During Events

Note: Digital forensics, legal services, breach notification services, and incident recovery are outside the scope of this engagement.


8. Virtual Security Officer (vISO) Services

Provide access to an experienced security advisor.

Activities include:

  • Monthly leadership meetings
  • Security strategy guidance
  • Compliance consultation
  • Security roadmap planning
  • Budget planning recommendations

Deliverables:

  • Monthly Executive Security Report
  • Security Roadmap

Customer Responsibilities

Customer will:

  • Designate a primary point of contact
  • Provide access to requested documentation
  • Maintain an IT support provider or internal IT function
  • Implement approved remediation activities
  • Notify SBY-TECH of significant environmental changes

Out of Scope

The following services are not included:

  • Managed IT services
  • Security Operations Center (SOC)
  • Endpoint monitoring
  • Vulnerability scanning
  • Penetration testing
  • Digital forensics
  • Legal or regulatory representation
  • Cyber insurance claim support
  • System administration activities
  • Technical remediation implementation

These services may be provided under separate agreements.


Service Cadence

Activity                    Frequency
ePHI Risk Assessment        Annually
Security Review Meetings    Quarterly
Executive Meetings          Monthly
Policy Reviews              Annually
Security Training           Annually
Risk Register Updates       Quarterly
Compliance Reporting        Quarterly

Program Deliverables

At the end of each year, the customer will maintain:

  • Current ePHI Risk Assessment
  • Updated Risk Register
  • Security Improvement Roadmap
  • Policy Library
  • Business Associate Inventory
  • Security Training Records
  • Quarterly Compliance Reports
  • Executive Security Dashboard

These artifacts collectively support HIPAA Security Rule compliance efforts while providing management with ongoing visibility into organizational security risks.