Prepaid annually. 2-year loyalty pricing available.
Self-Guided
$675/yr (regular price $2,000/yr, save 66%)
- Security Risk Assessment
- Gap Analysis & Remediation Plans
- Policy & Procedure Templates
- Staff Training & Progress Tracking
- IT & Physical Site Audits
- Vendor Management & Digital BAAs
- Incident Management System
Full-Scope (Most Popular)
$1,300/yr (regular price $4,000/yr, save 67%)
- Everything in Self-Guided, plus:
- 4 Hours 1:1 with Chuck
- Personalized Implementation
- Incident Response Guidance
- CMS Audit Response Support
Compare Plans
| Feature | Self-Guided | Full-Scope |
|---|---|---|
| Security Risk Assessment | ✓ | ✓ |
| Gap Analysis & Remediation Plans | ✓ | ✓ |
| Policy & Procedure Templates | ✓ | ✓ |
| Staff Training (HIPAA 101, CyberSecurity, Policy Attestation, FWA, Bloodborne Pathogen, Sexual Harassment) | ✓ | ✓ |
| Training Progress Tracking & Reminders | ✓ | ✓ |
| IT Inventory, Network & Physical Site Audits | ✓ | ✓ |
| Vendor Management & Digital BAA Execution | ✓ | ✓ |
| Incident Management & Anonymous Reporting | ✓ | ✓ |
| Full-Scope Extras | | |
| 4 Hours 1:1 Personalized Implementation | | ✓ |
| Incident Response Guidance | | ✓ |
| CMS Audit Response Support | | ✓ |
Key Terms
HIPAA Compliance Definitions
These terms appear throughout the HIPAA rules and in every OGC workflow. They help clarify which requirements each service addresses.
Security Risk Assessment (SRA)
A review of threats and weak points in how you protect electronic health data (ePHI). Required under 45 CFR § 164.308(a)(1), the SRA is the base of every HIPAA program and the first item OCR asks for in an audit.
Protected Health Information (PHI)
Any health data tied to a specific person — including medical records, billing data, and insurance details — that is created, received, stored, or sent by a covered entity or business associate. When it is in digital form, it is called ePHI.
Business Associate Agreement (BAA)
A required written contract between a covered entity and any vendor that touches PHI on its behalf. The BAA spells out allowed uses of PHI, required safeguards, and breach notice duties under 45 CFR § 164.502(e).
Gap Analysis
A check of your current admin, technical, and physical safeguards against the HIPAA Security Rule (45 CFR Part 164, Subpart C) and Privacy Rule (Subpart E). Shows what is strong, what is missing, and what poses the most risk if left unfixed.
What's Included
What Each Service Covers and Why It Matters
Every service in both OGC plans ties to a HIPAA rule. Below you will find the CFR section each service covers, so you can check your audit readiness.
Security Risk Assessment (SRA)
Guided risk analysis through the OGC portal. It identifies threats, weak points, and current safeguards, then builds your documented risk analysis, the requirement under 45 CFR §164.308(a)(1)(ii)(A) that OCR checks first in every investigation.
Gap Analysis & Remediation Plans
Built from your SRA results. It compares your current controls to Security Rule and Privacy Rule standards, finds gaps, and creates a ranked fix plan. You will know what to fix and in what order. Under 45 CFR §164.308(a)(1)(ii)(B), covered entities must reduce risks and weak points. The fix plan is your proof of meeting this rule.
Policy & Procedure Templates
HIPAA policies covering the Privacy Rule, Security Rule, and Breach Notification Rule. Each policy is shaped to your org's size, type, and workflow, then posted to your branded portal. Written policies are required under 45 CFR §164.316. Covered entities must keep them on file for six years from the date they are created or last updated.
Staff Training & Progress Tracking
Role-based training (HIPAA 101, Cybersecurity, Policy Attestation, FWA, Bloodborne Pathogen, Sexual Harassment) with progress tracking and sign-off records. Meets the staff training rule under 45 CFR §164.308(a)(5). The Privacy Rule also requires training under 45 CFR §164.530(b). OGC covers both.
Vendor Management & Digital BAAs
Vendor list with risk ratings, BAA creation and tracking, and due diligence records for each vendor. Meets the business associate contract rule under 45 CFR § 164.502(e).
Incident Management & Anonymous Reporting
Tools to log, review, and respond to security events and possible breaches. Supports the Breach Notification Rule (45 CFR §§ 164.400–414), which requires you to notify affected people and HHS within 60 days of finding a breach of unsecured PHI.
Common Questions
Frequently Asked Questions
Common questions about HIPAA costs, rules, and what each plan includes.
What HIPAA requirements drive the cost of compliance?
HIPAA costs come from required tasks under the Security Rule (45 CFR Part 164, Subpart C) and Privacy Rule (Subpart E). At a minimum you must complete: a Security Risk Assessment under §164.308(a)(1)(ii)(A), written policies, staff training under §164.308(a)(5), physical and technical safeguards, and BAAs for every vendor that touches PHI under §164.502(e). Skip any of these and you risk fines from HHS.
Is a Security Risk Assessment required every year?
Yes. HHS says a Security Risk Assessment is not a one-time task. Under 45 CFR §164.308(a)(1)(ii)(A), covered entities must review risks and weak points on an ongoing basis. OCR expects a fresh SRA when systems, staff, or workflows change, and at least once a year. OGC supports ongoing risk analysis, not a once-a-year checkbox.
Why do HIPAA compliance costs vary so much between vendors?
Costs vary because the Security Rule sets goals but lets each entity decide how to meet them based on size and needs (45 CFR §164.306(b)). Many vendors charge per user, per module, or for consulting by the hour. OGC charges one flat yearly rate for all required tasks (risk assessment, gap analysis, policy templates, staff training, vendor BAA tracking, and incident management) with no per-user fees or surprise add-ons.
What happens if a covered entity does not have a Business Associate Agreement with a vendor?
Not having a BAA with a vendor that handles PHI breaks 45 CFR §164.502(e) and §164.504(e). OCR does issue fines for missing BAAs. Fines range from $100 to $50,000 per event based on fault, with a yearly cap of $1.9 million per category. OGC includes digital BAA creation, tracking, and vendor risk ratings so no vendor goes undocumented.
Does HIPAA require staff training, and what must it cover?
Yes. The Security Rule requires a training program for all staff under 45 CFR §164.308(a)(5). The Privacy Rule under §164.530(b) also requires training on your policies. Topics must include PHI handling, passwords, phishing, and breach reporting. OGC offers role-based training modules (HIPAA 101, Cybersecurity, Policy Attestation, FWA, Bloodborne Pathogen, and Sexual Harassment) with progress tracking and sign-off records for audit readiness.