HIPAA Compliance Essentials for 2026
Use this as a practical roadmap for building a complete compliance program.
HIPAA Compliance Consulting
HIPAA Compliance for Small Practices
Work directly with a Certified HIPAA Professional who knows what OCR auditors look for. We close the gaps that lead to fines and make HIPAA compliance approachable for small teams.
Solo providers • small practices • vendors/MSPs • growing teams
Security Risk Analysis
Policies and Training
Vendor Contracts and Questionnaires
The Process
How It Works
Every engagement follows a repeatable, proven process. It starts with a Security Risk Assessment (SRA) to establish your baseline. From there, gaps are identified, fixes are prioritized, and policies are written. Staff training and administrative controls are then addressed in accordance with HIPAA's Security Rule, Privacy Rule, and Breach Notification Rule.
Assess and Analyze Automatically
Choose a Privacy Officer. Complete your Security Risk Assessment. Then get your Gap Analysis and Remediation Plan.
Adopt and Attest
Review and publish your policies. Then have staff read them, and sign off on them. Also, complete HIPAA 101 training, and cybersecurity training.
Audit and Execute
Manage Vendors (Third-Parties), sign Business Associate Agreements (BAAs), review vendor risk, and finish your site, device and IT audits.
Anonymous Incident Reporting
Every account includes a way that staff can report unauthorized disclosures of PHI (protected health information). Issues can be submitted anonymously and your Privacy Officer gets clear next steps.
NYC-Based • Nationally Available
Meet Chuck Weiselberg
Founder & CEO | Certified HIPAA Professional (CHP)
Since 2015, Chuck has helped organizations build practical HIPAA programs that hold up in the real world. He is based in New York and works with clients around the country. In ten years of consulting on HIPAA no client of his has ever been fined, or failed an audit.
This is because he makes complex rules easier to follow and leads with empathy, clarity, and steady guidance.
Schedule a Call with Chuck
What We Offer
Products
Get the HIPAA help you need in one place. Click any square below to learn more about how our product(s) work.
HIPAA Security Risk Assessment
A yearly review of risk to ePHI. It is the starting point for a strong HIPAA program.
Explore HIPAA Security Risk Assessment services →HIPAA Gap Analysis
A gap analysis shows where you fall short and what to fix first.
Review HIPAA Gap Analysis Resources →HIPAA Remediation Plans
Remediation Plans show how you will fix your gaps. It also shows auditors that you have a solid HIPAA plan.
See HIPAA remediation planning services →HIPAA Policy Templates
Use ready-made templates built for HIPAA policy requirements. You approve, then your staff reviews. No starting from scratch.
Access HIPAA Policy Template Services →Staff HIPAA Training
Meet the yearly staff training requirement with HIPAA 101 and cybersecurity training.
HIPAA Training for Staff →Physical Site Audit
A yearly on-site review of your physical safeguards, access controls, and workstation security.
Review Physical Safeguard Requirements →Device & IT Audits
A yearly check of your devices and IT setup. We review inventory, encryption, and key security settings.
Complete Device and IT Audits →Unauthorized Disclosure of PHI (Incidents)
Give staff a clear way to report incidents. Reports can be anonymous, and your compliance officer gets clear response steps.
Get Help with HIPAA Incident Response →
Client Reviews
Client Feedback
★★★★★
"One Guy Consulting is super easy to work with. I actually look forward to my implementation meetings for HIPAA."Samantha M.
★★★★★
"We've been working with One Guy Consulting for years and always been very pleased with the results."Katie M. — Local Guide
★★★★★
"One Guy Consulting is great at what they do! I was intimidated to start work on this project, but nothing was further from the truth! Chuck was so professional and welcoming. He was always happy to clarify questions I had. They really knew how to put me at ease. Thanks so much, One Guy Consulting! Special shout-out to Chuck for getting me across the finish line."Jennifer M.
Professional Endorsements
What Colleagues Say
Recommendations from professionals who have worked alongside Chuck.
"Charles is a master of automation, allowing him to operate with the output of a much larger team while working as a department of one."Omar Barazanji - Machine Learning / MLOps / Agentic AI Engineer
Reference
Key HIPAA Terms
OCR
The Office for Civil Rights is the federal agency within HHS responsible for enforcing HIPAA compliance and investigating breaches.
HIPAA
The Health Insurance Portability and Accountability Act of 1996 establishes national standards for protecting patient health information.
Security Risk Analysis
An annual assessment conducted to determine if present safeguards match current threat concerns. Based on NIST SP 800-39 risk management framework.
Security Rule
The HIPAA Security Rule establishes safeguards for protecting electronic Protected Health Information (ePHI), covering administrative, physical, and technical controls.
Privacy Rule
The HIPAA Privacy Rule governs the use and disclosure of Protected Health Information (PHI), including patient authorizations and permitted disclosures.
Breach Notification Rule
The Breach Notification Rule requires covered entities and business associates to provide notification following a breach of unsecured protected health information.
FAQ
Frequently Asked Questions
You likely need to follow HIPAA if you create, receive, store, or share Protected Health Information (PHI). That includes covered entities like healthcare providers and health plans, plus vendors that handle PHI for them as business associates. If you are a vendor, a Business Associate Agreement (BAA) should be in place before PHI is shared.
Any group that handles Protected Health Information (PHI) must follow HIPAA. That includes providers, health plans, and business associates like IT vendors, billing companies, and cloud providers.
A typical HIPAA compliance process takes about 1–2 months. The timeline depends on organization size, number of locations, and how many staff need training.
An SRA is a yearly HIPAA risk review. It finds risks to electronic PHI and helps you decide what to fix first.
HIPAA violations can lead to fines from $100 to $50,000 per violation, up to $1.5 million per year. In serious cases, they can also lead to criminal charges and loss of trust.
Yes. HIPAA compliance is ongoing. We help with yearly SRA updates, policy reviews, staff refreshers, and day-to-day questions.
A HIPAA gap analysis shows where you do not yet meet the rule.
A HIPAA remediation plan shows what needs to be fixed and the steps to fix it.
No, we provide policy templates tuned to HIPAA requirements and help tailor them to your organization.
Each staff member should complete policy attestation, HIPAA 101 training, and cybersecurity awareness training each year.
No. One Guy Consulting is not a law firm and does not give legal advice. You should talk to an attorney before making major legal or business decisions.
Self-Guided is a plan for experienced compliance professionals who need a reliable, cloud-based platform to serve as their source of truth and centralize their work within one solution. The Full-Scope is a plan for small and scaling teams who are tackling HIPAA compliance for the first time, or coming from another HIPAA compliance platform, and need assistance within this entirely new GUI to get their plan up and running.
HIPAA compliance costs vary by organization size, number of locations, and scope of services needed. A complete program typically covers risk assessments, gap analysis, policies, training, vendor management, and audits. See our HIPAA compliance cost breakdown for a detailed look at what drives pricing across the industry.
One Guy Consulting does not handle PHI as part of our service, but we are happy to sign a BAA with your organization if you would like one in place.
Onboarding follows four steps: (1) Choose a Privacy Officer and complete your Security Risk Assessment to get your Gap Analysis and Remediation Plan, (2) Review and publish your policies, then have staff complete attestation, HIPAA 101 training, and cybersecurity training, (3) Manage vendors, sign Business Associate Agreements, review vendor risk, and finish your site, device, and IT audits, (4) Set up anonymous incident reporting so staff can report PHI issues and your Privacy Officer gets clear next steps. Most organizations complete the process in 1–2 months.
Featured HIPAA Resources
What Is HIPAA? The Complete Beginner’s Guide
Understand what HIPAA requires, who it applies to, and why it matters for your organization.
Protected Health Information (PHI): What Counts and What Doesn’t
Learn what qualifies as PHI, the 18 HIPAA identifiers, and how to handle it properly.
HIPAA Breach Notification Rule: Compliance Requirements
Know your obligations when a breach occurs—timelines, reporting steps, and penalty risks.
Business Associate vs Covered Entity: Key Differences
Understand role boundaries so contracts, obligations, and audits stay clean.
Patient Rights Under HIPAA: A Provider’s Guide
Understand the access, amendment, and disclosure rights your patients are entitled to.
Industries Served
Specialties We Serve
Dental Practices
Mental Health Providers
Medical Clinics
Pharmacies
IT Vendors & MSPs
Healthcare Startups
EHR Companies
Hospitals
Billing Companies
Skilled Nursing
And any/all other healthcare providers or business associates that handle PHI.
Discuss your HIPAA requirements
If you are not sure what to tackle first, reach out and we will help you map the next step.