Compliance and Risk Advisory - South Florida

Compliance and Risk Advisory for Palm Beach County and South Florida

HIPAA Security Risk Analyses, NIST CSF gap assessments, and incident response planning for Palm Beach County medical practices, law firms, and financial services businesses.

Compliance Is a Process, Not a Certification

HIPAA does not issue certificates, and HHS does not certify any organization as "HIPAA compliant." The HHS Office for Civil Rights (OCR) investigates whether your organization has documented, implemented, and maintained the required administrative, physical, and technical safeguards. When a breach occurs - or when a complaint is filed - the question is whether you can produce evidence of a defensible compliance program: the risk analysis, the policies, the training records, and the remediation history. We help you build that program and keep it current.

Our compliance advisory work is grounded in NIST CSF alignment and HIPAA's Security Rule. For clients who need SOC 2 readiness support, we work alongside your auditor to map existing controls and close gaps before the formal audit engagement begins. We do not claim to conduct SOC 2 audits - that requires a licensed CPA firm - but we do the technical groundwork that makes audits faster and less expensive.

HIPAA Services for Palm Beach County Medical Practices

Palm Beach County has a high concentration of private medical practices - dermatology, orthopedics, mental health, primary care, and specialty groups - operating with small administrative teams and little dedicated IT support. HIPAA's Security Rule requires a Security Risk Analysis and periodic updates to it, and HHS guidance treats annual review as the baseline, but most practices have never had one conducted properly.

We conduct structured Security Risk Analyses that follow HHS guidance, identify vulnerabilities in your administrative and technical controls, and produce a remediation plan ranked by risk level. BAA inventory management, workforce training documentation, and incident response planning are available as standalone services or as part of an ongoing compliance program.

Risk Assessment Workshops and Incident Response

Compliance readiness is not the same as being secure. We run tabletop exercises and risk assessment workshops that test how your organization would actually respond to a ransomware event, a breach, or an OCR inquiry. The output is a documented incident response playbook tailored to your workflows, regulatory obligations, and staff capacity.

  • Annual HIPAA Security Risk Analysis - HHS-compliant methodology, written report
  • NIST CSF gap assessment - current state versus target state, prioritized remediation
  • Business Associate Agreement inventory and vendor risk review
  • SOC 2 readiness preparation - control mapping and gap closure before audit
  • Incident response playbook development - ransomware, breach, and OCR inquiry scenarios
  • Tabletop exercises - quarterly or annual, with written after-action reports
  • FIPA compliance review - Florida Information Protection Act breach notification requirements

HIPAA Security Risk Analysis

Conducted following HHS OCR guidance. Covers administrative safeguards, physical safeguards, technical safeguards, and organizational requirements. Delivered as a written report with a risk-ranked remediation plan. HIPAA requires the analysis to be reviewed and updated periodically rather than on a fixed calendar; we recommend an annual cadence plus a refresh after any significant change to your environment.

NIST CSF Gap Assessment

We map your current controls against the NIST CSF functions - Identify, Protect, Detect, Respond, Recover, and, in CSF 2.0, Govern - and score your maturity at each. The output is a prioritized roadmap that tells you where to invest first for the greatest risk reduction.

Business Associate Agreement Management

We inventory your vendors, identify which require BAAs under HIPAA, review existing agreements for key provisions, and flag gaps. For new vendor onboarding, we review BAA terms as part of your standard IT procurement process.

Incident Response Planning and Tabletop Exercises

A written incident response plan that your team has never practiced is not a plan. We build the playbook and run the exercise. Tabletop scenarios include ransomware, business email compromise, and OCR inquiry. Written after-action reports document what worked and what needs to change.

Frequently Asked Questions

How often do we need a HIPAA Security Risk Analysis?

HIPAA's Security Rule requires a Security Risk Analysis and periodic review of it, and HHS guidance is generally interpreted to mean at least annually and after any significant change to your environment - a new EHR system, office relocation, cloud migration, or workforce change. Most Palm Beach County practices we work with have never had one done at all. We start there.

Can you help us prepare for a SOC 2 audit?

Yes, through readiness preparation. SOC 2 audits are conducted by licensed CPA firms - we do not perform the audit itself. What we do is map your existing technical controls to the AICPA Trust Services Criteria, identify gaps, implement missing controls, and produce the documentation your auditor will need to review. This typically reduces audit time and cost significantly.

We had a ransomware incident. What do we need to document for HIPAA?

Under HIPAA, a ransomware infection that encrypts PHI is presumed to be a breach unless you can demonstrate a low probability that the PHI was compromised, using the four-factor risk assessment defined in the Breach Notification Rule: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. We help you work through that analysis, document your findings, notify the required parties if notification is required, and update your incident response plan to reflect what happened.

Do you work with EHR vendors like eClinicalWorks or AdvancedMD?

Yes. We have hands-on experience integrating and supporting eClinicalWorks, AdvancedMD, and NextGen in Palm Beach County medical practices. EHR vendor BAA review, user access management, and audit log configuration are included in our HIPAA compliance engagements for practices on these platforms.

Start With a HIPAA or NIST CSF Gap Assessment

Fixed scope, written report, and a prioritized remediation plan - delivered within five business days of the engagement kickoff.

Schedule a compliance review