The IT Plan

HIPAA Compliance · Digital Health & Healthcare

Your designated HIPAA Security & Privacy Officer —
without the full-time hire.

HIPAA isn't optional about this: every covered entity and business associate must formally designate a Security Officer (§164.308(a)(2)) and a Privacy Officer (§164.530(a)). At most startups, that designation lands on a founder or ops lead who has neither the time nor the background to hold it. We take the role — formally, in writing, with the work that comes with it.

"Our CTO is technically the Security Officer."


That sentence appears in almost every healthcare startup we assess — and it's the finding OCR flags first. A designation without documented risk analysis, current policies, workforce training records, and a tested breach-response process isn't compliance; it's a name in an org chart. When an audit, customer diligence review, or breach investigation arrives, the gap between designated and functioning is where penalties live.

The role, fully staffed.


Formal designation

Named in your policies as Security and/or Privacy Officer, with documented responsibility.

Security Risk Analysis

The annual SRA that HIPAA requires and OCR asks for first, with a prioritized remediation tracker.

Policies & procedures

Written, maintained, and mapped to the Security and Privacy Rules; not a template dump.

Workforce training

Onboarding and annual HIPAA training, delivered and logged.

BAA lifecycle

Business associate agreements inventoried, executed, and reviewed as vendors change.

Incident & breach response

A tested plan, and the officer who runs it if the day comes, including breach-notification obligations.

Audit & diligence readiness

When OCR, a customer, or an acquirer asks, the evidence already exists.

Two ways to engage.


Included in IT Leadership

The officer designation is a line item of our IT Leadership role ($6.5k–$12k/mo) — strategy, governance, and compliance leadership with HIPAA officer duties built in.

Standalone, assessment-first

Not ready for a monthly role? Start with a HIPAA assessment ($7.5k–$18k, scope-dependent): full SRA, gap analysis, remediation roadmap. Many clients convert the roadmap into an ongoing officer engagement; either way you leave with the document OCR asks for.

Fifteen years in healthcare IT. Zero breaches.


We've built and run IT programs for digital health and care-delivery companies from first hire to acquisition — 100% audit pass rate, zero reportable breaches across the client base. We work inside your systems with named accountability, not as an outside auditor who leaves a PDF and a retainer invoice.

Frequently asked


Is a HIPAA Security Officer legally required?

Yes. 45 CFR §164.308(a)(2) requires every covered entity and business associate to identify a security official responsible for developing and implementing required policies. §164.530(a) requires a designated privacy official. These aren't recommendations — they're audit line items.

Can the officer role be outsourced?

Yes. HIPAA requires that a specific, named person hold the responsibility — it doesn't require that person to be an employee. Outsourced officers are common at startups; what matters is documented designation, authority, and that the work (risk analysis, training, policies) actually happens.

Can one person be both Security and Privacy Officer?

Yes, and at startup scale that's typical. The two roles have different scopes — the Security Rule covers ePHI safeguards; the Privacy Rule covers uses and disclosures — but nothing prohibits one qualified person from holding both.

What does OCR actually ask for in an investigation?

The Security Risk Analysis is first, nearly always. Then: policies and procedures, training records, BAAs, and evidence of remediation. Investigations commonly follow a breach report or complaint — which is why the response plan matters as much as the paperwork.

We already have a compliance platform (Vanta, Drata, etc.). Do we still need this?

Platforms collect evidence; they don't hold responsibility. Automation is genuinely useful — we work alongside it — but the designated-officer requirement, the judgment calls in a risk analysis, and breach response all need a human with their name on the line.

Let's see if we're a match.


30-minute discovery call. We'll come prepared with a few questions.