Privacy Policy
Last Updated: January 23, 2026
One Guy Consulting ("we," "our," or "us") helps healthcare teams meet HIPAA rules. We take the privacy of your data seriously — both as a legal duty and as a sign of the standards we help our clients keep. This Privacy Policy explains how we collect, use, and protect your data when you visit oneguyconsulting.com or use our services.
Our Commitment to HIPAA-Aligned Privacy Practices
We offer HIPAA services like risk assessments, gap analysis, BAA management, and staff training. We hold ourselves to the same standards we help our clients reach. Our data practices align with the HIPAA Privacy Rule (45 CFR Part 164, Subpart E) and the Security Rule (45 CFR Part 164, Subpart C).
Key Terms
- Protected Health Information (PHI): Any health data tied to a specific person that is created, received, stored, or sent by a covered entity or business associate. This includes medical records, billing data, insurance details, and any data that names a patient and relates to their health, care, or payment. In digital form, it is called ePHI.
- Business Associate: A person or company that does work for a covered entity and touches PHI. Under 45 CFR § 164.502(e), every such relationship needs a written BAA that spells out each party's duties for keeping PHI safe.
- Covered Entity: A health plan, a health care clearinghouse, or a health care provider that transmits health data in electronic form in connection with a HIPAA-covered transaction (45 CFR § 160.103). Covered entities fall under HIPAA directly and must make sure every vendor with PHI access has a valid BAA.
- Minimum Necessary Standard: A core HIPAA rule that says covered entities and business associates must limit how they use, share, and request PHI. They may only access the least amount needed to do the job, as defined in 45 CFR § 164.502(b).
How HIPAA Applies to Our Services
When One Guy Consulting works with healthcare groups, we may act as a Business Associate under HIPAA. In those cases, we sign a BAA with the client that sets out our duties for protecting PHI, and we limit our access to PHI to only what we need to do the work. We follow the Minimum Necessary Standard on every project and keep admin, technical, and physical safeguards in line with the Security Rule.
Our portal — where clients run risk assessments, manage vendor BAAs, and track training — uses encryption in transit (TLS 1.2+) and at rest, role-based access controls, and audit logging.
Information We Collect
Personal Data You Provide
When you use our contact form, sign up for services, or interact with our compliance portal, you may provide:
- Contact Information: Name, email address, phone number, and organization name.
- Professional Information: Job title, org type (covered entity, business associate, or other), and your role.
- Service-Related Data: Data you share during projects, such as risk assessment answers, policy documents, and training records.
Automatically Collected Data
When you visit our website, we automatically collect:
- Usage Data: IP address, browser type, pages visited, time spent on pages, and referring URL.
- Cookies: We use cookies and similar tools to track site activity and improve your experience. You can set your cookie choices through the consent banner shown on your first visit.
How We Use Your Information
We use the information we collect to:
- Respond to your questions and give customer support
- Deliver the HIPAA services you request — risk assessments, gap analysis, policy setup, training, and BAA management
- Send you updates about our services, rule changes, and learning materials (with your consent)
- Improve our website, portal, and how we serve you
- Meet legal duties, including HIPAA rules where they apply
Information Sharing and Disclosure
We do not sell, trade, or rent your personal information. We may share it only in the following situations:
- Service Providers Under Contract: With trusted vendors who help us run our website, portal, or business — each bound by privacy duties and, where needed, a BAA.
- Legal Requirements: When required by law or legal process, or when needed to protect our rights, privacy, safety, or property.
- Business Transfers: As part of a merger, buyout, or asset sale, with notice to those affected.
Data Security Safeguards
We use admin, technical, and physical safeguards in line with the HIPAA Security Rule to protect your data. These include:
- Encryption: Data is encrypted in transit (TLS 1.2+) and at rest across our portal and emails.
- Access Controls: Role-based access means only approved staff can view or change sensitive data.
- Audit Logging: We keep logs of access to key systems for review and incident checks.
- Staff Training: Our team gets regular HIPAA and security training.
No data sent online is fully secure, so we cannot promise total safety. But we review and improve our safeguards often to meet current best practices and legal standards.
Breach Notification
If a breach affects your personal data or PHI, we will notify those involved and the proper authorities as required by the HIPAA Breach Notification Rule (45 CFR §§ 164.400–414) and any state breach notice laws that apply. We will send notices without unreasonable delay and no later than 60 calendar days after discovering the breach.
Your Rights
Based on where you live and how you work with us, you may have these rights:
- Right of Access: Ask for a copy of the personal data we hold about you.
- Right to Correction: Ask us to fix wrong or missing data.
- Right to Deletion: Ask us to delete your personal data, unless the law requires us to keep it.
- Right to Opt-Out: Stop getting marketing emails at any time.
- HIPAA Rights: If you are a patient whose PHI we handle for a covered entity, you keep all rights under the HIPAA Privacy Rule. This includes the right to access, amend, and get a list of disclosures of your PHI.
To exercise any of these rights, contact us at hello@oneguyconsulting.com.
Data Retention
We keep personal data as long as we need it to serve the purposes in this policy, meet legal duties, and support active projects. HIPAA says covered entities and business associates must keep certain records for at least six years from the date they were created or last in effect, per 45 CFR § 164.530(j).
Third-Party Links
Our website may link to outside sites, such as HHS.gov and the Code of Federal Regulations. We are not in charge of how those sites handle privacy. We suggest you read their own privacy policies.
Children's Privacy
Our services are not directed to individuals under 18. We do not knowingly collect personal information from children.
Changes to This Policy
We may update this Privacy Policy when our practices or the rules change. When we do, we will post the new version here and change the "Last Updated" date. Big changes will be sent to active clients by email.
Regulatory References
- HHS.gov — HIPAA Privacy Rule overview
- HHS.gov — HIPAA Security Rule laws and regulations
- HHS.gov — Breach Notification Rule
- 45 CFR Part 164 — Security and Privacy regulations (full text)
- HHS.gov — Business Associate guidance
Contact Us
If you have questions about this Privacy Policy or how we handle your information, contact us:
- Email: hello@oneguyconsulting.com
- Website: Contact section on oneguyconsulting.com