Readiness Process

Sprint Timeline

The engagement follows structured phases, each building on the outputs of the previous one.

1. Intake (2–6 days)
  • NDA & stakeholder map
  • Document request
  • Scoping interviews
  • System boundary draft

2. Assessment (9 days)
  • TSC selection
  • Type 1/Type 2 recommendation
  • Control walkthroughs
  • Evidence sampling

3. Outputs (9 days)
  • Controls matrix & gap register
  • Policy/document backlog
  • Evidence calendar
  • Executive readout & roadmap

4. Follow-on (Variable)
  • Remediation implementation
  • Type 2 observation period

Phase Details

1. Intake & Scoping (Week 1)

We start by understanding your ePHI environment, existing safeguards, and business associate relationships.

  • ePHI inventory and data flow mapping — identify where electronic protected health information is created, received, maintained, and transmitted
  • Current safeguards documentation review — assess existing policies, procedures, and technical controls
  • Business associate identification — catalog all vendors and subcontractors that handle ePHI
  • Risk analysis methodology selection — determine the approach for your comprehensive risk analysis

2. Assessment (Weeks 2–3)

We evaluate your current safeguards posture across all three Security Rule categories.

  • Administrative safeguards evaluation — review policies, training, incident procedures, contingency plans, and BAAs
  • Physical safeguards walkthrough — assess facility access, workstation security, and device controls
  • Technical controls assessment — evaluate access controls, audit logging, encryption, authentication, and transmission security
  • BAA completeness review — verify that all business associate agreements are current, complete, and properly executed

3. Outputs (Weeks 3–4)

We deliver the artifacts that define your path to HIPAA Security Rule compliance.

  • Risk analysis report — comprehensive threat and vulnerability assessment with risk ratings
  • Safeguards gap register — every safeguard mapped to Security Rule standards, with gaps ranked by risk
  • BAA templates and tracker — standardized BAA language and a tracking system for all business associate relationships
  • Remediation roadmap with risk ranking — prioritized plan to close gaps based on risk severity and implementation complexity

4. Follow-on (Ongoing)

After the readiness sprint, maintaining compliance requires ongoing attention to your security program.

  • Annual risk analysis updates — refresh the risk analysis to account for new threats, vulnerabilities, and system changes
  • Workforce security training — regular training programs with documented completion and comprehension
  • Contingency plan testing — periodic testing of backup, disaster recovery, and emergency mode operation plans

Sprint Deliverables

Every readiness sprint produces these minimum deliverables:

  • ePHI inventory and data flow map
  • Risk analysis report
  • Administrative safeguards assessment
  • Physical safeguards assessment
  • Technical controls assessment
  • BAA tracker and templates
  • Gap register with risk ranking
  • Remediation roadmap

Start Your Readiness Sprint

Most companies complete the readiness sprint in 3–4 weeks. The result is a clear, actionable plan to achieve HIPAA Security Rule compliance.