Address Your HIPAA Challenges Head On

The Office for Civil Rights (OCR) can open an investigation into a healthcare organization for a number of reasons including random audits, complaints from a patient/resident or a compliance breach. The costs of failing a HIPAA Compliance Audit can be high.

HIPAA compliance services from BlueOrange reduce the burden of ensuring adherence to the Common Security Framework (CSF) provided by the National Institute of Standards and Technology (NIST).

What Is the HIPAA Security Rule?

HIPAA’s enactment led to the publishing of two sets of standards — the Standards for Privacy of Individually Identifiable Health Information, more commonly known as the Privacy Rule, and the Security Standards for the Protection of Electronic Protected Health Information, known as the Security Rule.

The HIPAA Privacy Rule sets national standards for protecting health information, and the Security Rule addresses how organizations must meet these protection requirements, specifically regarding electronic protected health information (e-PHI). This includes instating both technical and non-technical security measures.

Failing to follow the requirements in the HIPAA Security Rule can lead to costly fines and security breaches that compromise patients’ personal information. Therefore, all relevant organizations that handle e-PHI, including covered entities and business associates, must adhere to HIPAA requirements by establishing necessary cybersecurity protocols.

What Is The NIST CSF Framework?

The NIST Framework for Improving Critical Infrastructure Cybersecurity, shortened simply to Cybersecurity Framework, is a set of guidelines private sector companies across industries can use to enhance their cybersecurity practices. This is a voluntary framework, meaning it isn’t designed as a legal standard that would lead to fines or penalties for non-compliance.

The HIPAA Security Rule is the official standard health organizations must follow, but the NIST CSF can help them meet these requirements, according to the U.S. Department of Health & Human Services. The CSF includes five functions along with specific categories encompassed in each function. The functions call organizations to identify, protect, detect, respond to and recover from cybersecurity risks.

The Importance of a HIPAA Risk Assessment


The HIPAA Security Rule requires that covered entities and business associates periodically assess their security policies and procedures to determine whether they are adhering to the Security Rule’s requirements. Failing to conduct a HIPAA security risk assessment (SRA), also referred to as a security risk analysis, is itself a violation of HIPAA requirements. Additionally, skipping an SRA can leave you unaware of vulnerabilities and potential breaches in HIPAA compliance in your current practices.

You can’t be sure your current policies and practices are in line with HIPAA’s requirements unless you undergo a detailed assessment. This is not an area where you want to rely on a general impression that you’re doing well.

Many HIPAA violations are categorized under the third or fourth of four penalty tiers, which involve “willful neglect” of HIPAA rules. Because it’s been so many years since HIPAA was enacted, and since the Security Rule was last updated in 2013, organizations should be aware of their obligations to safeguard PHI.

The most minor or unavoidable offenses warrant a fine of at least $100 per violation but can be up to $50,000 per violation depending on the magnitude of the problem. When an issue results from willful neglect, organizations can be fined a minimum of $10,000 or up to $50,000 per violation depending on whether there was an attempt to correct the violation.

Some organizations have been fined millions of dollars for their HIPAA violations. In 2018, Anthem, Inc. agreed to pay the OCR $16 million in a record-high settlement for a HIPAA violation.

Since conducting an SRA is a fundamental requirement of the HIPAA Security Rule, failing to conduct an SRA is a form of willful neglect that could warrant severe fines. More importantly, failing to protect your patients’ PHI can lead to a breach in trust that damages your organization’s reputation and makes it difficult for you to rebuild a relationship with the patients whose information you compromised.

HITRUST Authorized CSF Assessor


We Are Practical, Easy To Understand, And Comprehensive


Every control receives a risk rating from low to very high. We also outline which NIST standard each control fails to comply with and we tailor a mitigation plan for each point of concern.


We conduct a large volume of automated and manual tests to expose potential risks and vulnerabilities. Our penetration testers and information security analysts are some of the most skilled in the industry so you can rest assured with the level of protection BlueOrange provides.


Once we’ve identified gaps in compliance, we create a plan with actionable recommendations. Choose from an annual plan, two-year HIPAA security maintenance or our three-year CSF Sustain and Adapt plan.


Ongoing guidance helps your organization make constant progress toward better HIPAA compliance and data security. We have several options to choose from to tailor the level of guidance and ongoing support to your organization’s needs.


Keep your eye on compliance in real-time with our proprietary HIPAA compliance dashboard. Slice® from Blue Orange Compliance provides real-time tracking of organizational security and how you compare to your industry as a whole.


Our Impact In Numbers

Simplify Network Security For Clients Worldwide

  • Client Retention Rate
  • Clients in 47 States
  • OCR Audit Pass Rate
  • HIPAA SRAs Performed

What Customers Have to Say

Miami Jewish Health

“My biggest day-to-day challenge is safeguarding data security, and BlueOrange’s ongoing project lead and insight has helped ensure our success.”

Asbury

“BlueOrange consultants apply in-depth expertise to their client’s specific situation, becoming an integral part of your HIPAA privacy breach and security team.”

NMC

“The BlueOrange Compliance report card tells me where to focus my time; there’s so much out there, and I use the report to figure out where to put my energies.”

Bernardo Larralde

Director of Information Technology

Andrew H. Joseph

Compliance and Privacy Officer

Joel Benware 

Vice President of Information Systems and Compliance

Request a Free Consultation for HIPAA Compliance Today


We know HIPAA Compliance can be an inconvenience to your daily operations and a distraction from the important work of helping patients. Let us take this burden off your plate!

Blue Orange Compliance has a 98% client retention rate and a 100% OCR audit pass rate. Get a demo to see how smoothly your organization can implement our HIPAA solutions.

We’re here to help. Connect with Blue Orange Compliance to schedule a consultation for our HIPAA compliance audit services today!


Helpful Resources

What Is the Difference Between an Assessment and Analysis?

The terms security risk assessment and security risk analysis are often used interchangeably. The HIPAA Security Rule uses the term “risk analysis” in outlining the requirement for a thorough and accurate assessment of possible vulnerabilities and risks that may threaten the e-PHI an organization handles.

Government agencies also use the term “risk assessment” when referring to this requirement. For example, the Office of the National Coordinator for Health Information Technology (ONC) and the OCR created a guide to help organizations meet this analysis requirement and labeled it the Security Risk Assessment (SRA) Tool.

What Is the Difference Between an SRA and Gap Analysis?

Another term you may hear is a “HIPAA gap analysis.” This describes a service that is useful but generally does not meet HIPAA comprehensive risk analysis requirements.

As the name suggests, a gap analysis identifies where gaps exist between your current practices and HIPAA requirements to show instances of noncompliance. It may take the form of a HIPAA risk assessment checklist or rubric to show where shortcomings exist. Gap analyses are helpful starting points, but they tend to consist of high-level overviews rather than more comprehensive and detailed assessments. According to the OCR, gap analyses tend to fall short of the SRA requirement for this reason.

How Can You Maintain HIPAA Compliance Over the Long Term?

Conducting an SRA is just one requirement laid out in the HIPAA Security Rule. The standard that calls for risk analyses also calls for other measures as part of an ongoing process:


  • Risk management: Organizations must implement the security measures needed to minimize risks so they comply with HIPAA security standards.
  • Sanction policy: Organizations must have rules in place for ensuring all their staff members comply with security policies and procedures, including penalties for noncompliance.
  • Information system activity review: Organizations must also regularly review records, such as audit logs and access reports, to monitor information system activity.

All of these requirements can help organizations maintain compliance long-term. Developing procedures in line with the NIST CSF can also help organizations consistently safeguard sensitive data.
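The information system activity review item above is the one requirement in this list that maps directly onto something an engineer can automate. The block below is an added illustration written for this page, not BlueOrange’s tooling or the Slice dashboard: it parses a constructed e-PHI access log and flags three conditions a reviewer would typically look for, access outside business hours, access by a user with no treatment relationship to the patient, and one user touching an unusually large number of patient records in a day. The log format, field names, business hours, threshold, care-team mapping and sample records are all assumptions chosen for the example.

```python
"""Minimal information-system activity review over constructed e-PHI access
records. Illustrative code added to this page; log format, field names,
hours, thresholds and sample data are assumptions, not a real system's."""
from datetime import datetime

# Constructed sample log: timestamp, user, role, patient id, action (one access per line)
SAMPLE_LOG = """\
2024-03-04T09:12:00 jdoe nurse P1001 view
2024-03-04T09:15:00 jdoe nurse P1002 view
2024-03-04T02:40:00 mroe billing P1003 view
2024-03-04T10:01:00 asmith physician P1001 update
2024-03-04T10:02:00 tjones billing P1001 view
2024-03-04T10:02:30 tjones billing P1002 view
2024-03-04T10:03:00 tjones billing P1003 view
2024-03-04T10:03:30 tjones billing P1004 view
2024-03-04T10:04:00 tjones billing P1005 view
2024-03-04T10:04:30 tjones billing P1006 view
2024-03-04T11:00:00 kwhite nurse P1003 view
"""

BUSINESS_HOURS = range(7, 19)   # assumed: 07:00 through 18:59 is normal clinical activity
BULK_THRESHOLD = 5              # assumed: more than 5 distinct patients per user per day is unusual
# Assumed care-team mapping: patient -> users with a documented treatment relationship
CARE_TEAM = {"P1001": {"jdoe", "asmith"}, "P1002": {"jdoe"}, "P1003": {"asmith"}}
# Assumed: roles permitted to read any record for payment/operations purposes
OPERATIONS_ROLES = {"billing"}


def parse_log(text):
    """Turn the whitespace-delimited sample format into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "role": role, "patient": patient, "action": action})
    return records


def review_activity(records):
    """Return (finding_type, user, detail) tuples for records a reviewer should examine."""
    findings = []
    for r in records:
        # 1. Access outside the assumed business-hours window
        if r["ts"].hour not in BUSINESS_HOURS:
            findings.append(("after_hours", r["user"], r["patient"]))
        # 2. Access by someone with no treatment relationship and no operations role
        if (r["user"] not in CARE_TEAM.get(r["patient"], set())
                and r["role"] not in OPERATIONS_ROLES):
            findings.append(("no_treatment_relationship", r["user"], r["patient"]))
    # 3. Bulk access: count distinct patients per user per calendar day
    per_user_day = {}
    for r in records:
        per_user_day.setdefault((r["user"], r["ts"].date()), set()).add(r["patient"])
    for (user, day), patients in per_user_day.items():
        if len(patients) > BULK_THRESHOLD:
            findings.append(("bulk_access", user, f"{len(patients)} patients on {day}"))
    return findings


if __name__ == "__main__":
    for finding in review_activity(parse_log(SAMPLE_LOG)):
        print(*finding)
```

Each finding is a prompt for a human reviewer, not a verdict: the billing user’s 02:40 access may have an innocent explanation, and the bulk-access rule will fire on legitimate month-end claims work unless the threshold reflects the role’s normal volume. The point of the review requirement is that the records are looked at on a regular schedule and the exceptions are documented, which is what a reviewer or auditor will ask to see.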

What Is the Difference Between Internal and External Audits?

Internal audits are SRAs an organization conducts in-house to evaluate its own compliance. External audits involve bringing in a third-party vendor, such as BlueOrange Compliance, to conduct the assessment.

External SRAs can be uniquely valuable since professional audit and compliance solutions include expertise and specialized tools that you may not have within your organization. When you want to do your due diligence to ensure you’re HIPAA compliant, an unbiased expert can be the solution you need to identify issues and recommend solutions.

Related Products

HITRUST Practical Solutions

Achieve your HITRUST Certification

Penetration Testing

Perform a required annual penetration test