Terms of Service
Last Updated: January 23, 2026
Welcome to One Guy Consulting. By using our website or services, you agree to these Terms of Service. Please read them carefully.
These terms govern the HIPAA compliance consulting relationship between One Guy Consulting and your organization.
Key Terms
The following definitions apply throughout these Terms of Service:
- Covered Entity: A health plan, healthcare clearinghouse, or healthcare provider that sends health data in digital form. Covered entities are directly regulated under HIPAA. They must follow the Privacy Rule (45 CFR Part 164, Subpart E) and the Security Rule (45 CFR Part 164, Subpart C).
- Business Associate: A person or group that works for a covered entity and has access to Protected Health Information (PHI). Under 45 CFR § 164.502(e), each business associate role requires a written Business Associate Agreement (BAA).
- Protected Health Information (PHI): Health data linked to a person, such as medical records, billing data, and insurance details. PHI may be created, received, kept, or sent by a covered entity or business associate. Electronic PHI (ePHI) means PHI stored or sent in digital form.
- Security Risk Assessment (SRA): A review of the threats and weak points that affect ePHI. It is required under 45 CFR § 164.308(a)(1). The SRA is the foundation of a HIPAA compliance program, and it is the first item the HHS Office for Civil Rights (OCR) asks for during a review.
1. Scope of HIPAA Compliance Services
One Guy Consulting provides HIPAA compliance consulting to covered entities and business associates. These services may include:
- Security Risk Assessments (SRAs): Guided risk review through our compliance portal. This supports the rule under 45 CFR § 164.308(a)(1)(ii)(A) to assess risks and weak points that affect ePHI.
- HIPAA Gap Analysis: Review of your current admin, technical, and physical safeguards against the HIPAA Security Rule. This includes a ranked plan to fix any gaps.
- Policy Development and Deployment: Custom HIPAA policies for the Privacy Rule, Security Rule, and Breach Notice Rule. We publish them to your branded compliance portal.
- Workforce Training: Role-based HIPAA training modules with tracking and proof of completion. This supports the training rule under 45 CFR § 164.308(a)(5).
- Business Associate Agreement (BAA) Management: Vendor inventory, BAA creation, tracking, and due diligence records. These items support 45 CFR § 164.502(e).
- Ongoing Compliance Program Support: Annual SRA updates, training renewal tracking, incident response tools, and policy updates when rules change.
The exact scope of services for your group will be defined in your service agreement.
2. Consulting Nature of Services
Our services are advisory. We provide HIPAA compliance guidance based on rules from the U.S. Department of Health and Human Services (HHS).
We do not promise specific outcomes, including:
- Passing audits or reviews by the HHS Office for Civil Rights (OCR).
- Avoiding fines under the HIPAA Enforcement Rule.
- Full protection from data breaches or wrongful sharing of PHI.
Under HIPAA, your group remains in charge of compliance. This applies whether you are a covered entity or business associate. Our role is to guide, teach, and support your compliance program.
3. Client Responsibilities
Good HIPAA compliance requires active work from your team. You agree to:
- Accurate Information: Provide truthful and complete details about your practices, systems, staff, and vendors. This includes details tied to PHI handling.
- Timely Responses: Respond to requests for details within agreed timelines. This is key during SRAs and gap analysis work.
- Implementation: Put in place the policies, steps, and safeguards we suggest, as fitting for your size and risk profile. This is in line with the Security Rule's flexible approach (45 CFR § 164.306(b)).
- Named Privacy Officer: Appoint a Privacy Officer as required by 45 CFR § 164.530(a)(1). This person serves as the main contact for compliance work and portal access.
- Privacy: Keep our proprietary materials, templates, training content, and methods private.
4. Business Associate Obligations
When One Guy Consulting accesses or handles PHI for a client, we act as a Business Associate under HIPAA. In those cases:
- We will sign a Business Associate Agreement (BAA) before accessing PHI, as required by 45 CFR § 164.502(e).
- We will limit PHI access to the least amount needed for the task. This follows the Minimum Necessary Standard (45 CFR § 164.502(b)).
- We will use admin, technical, and physical safeguards to protect PHI. These may include encryption, role-based access controls, and audit logging.
- We will report any security event or breach of unsecured PHI under the Breach Notice Rule (45 CFR §§ 164.400-414).
5. Confidentiality and Data Protection
We treat all client data as private. We apply safeguards in line with the HIPAA Security Rule.
We will not share client data with third parties unless:
- Required by law, regulation, or legal process.
- Needed to deliver the agreed services, such as through partners bound by BAAs and privacy duties.
- Authorized by the client in writing.
We expect the same privacy for our methods, templates, portal technology, and compliance materials.
6. Intellectual Property
All materials, templates, training content, portal software, and methods we provide remain the property of One Guy Consulting.
You receive a limited, non-exclusive, non-transferable license. You may use these materials only for your group's internal HIPAA compliance needs. You may not resell, share, sublicense, or give them to third parties.
7. Payment Terms
Payment terms will be listed in your service agreement. Unless otherwise agreed, invoices are due within 30 days of receipt.
We may suspend portal access and services for overdue accounts with 10 days' written notice.
8. Limitation of Liability
To the fullest extent allowed by law, One Guy Consulting is not liable for indirect, minor, special, resulting, or punitive damages.
This limit applies to damages tied to our services, including lost profits, lost data, lost business chances, and fines imposed by OCR or other enforcement bodies.
Our total liability for any claim will not exceed the fees you paid, during the 12 months before the event giving rise to the claim, for the services tied to that claim.
9. Indemnification
You agree to protect and hold harmless One Guy Consulting, its officers, and contractors from claims, damages, losses, and costs, including fair legal fees, arising from:
- Your failure to put in place the compliance measures or safeguards we suggest.
- Misuse of our materials, templates, or portal beyond the licensed scope.
- Breach of these Terms of Service.
- Your group's failure to follow HIPAA rules apart from our advisory services.
10. Termination
Either party may end the service relationship with 30 days' written notice. When ended:
- You remain responsible for payment for work already performed.
- Portal access will be turned off at the end of the notice period.
- Privacy and property duties survive after the end date.
- Business Associate duties under any signed BAA continue as required by HIPAA. This includes the return or disposal of PHI upon request.
11. Document Retention
HIPAA requires covered entities and business associates to keep certain compliance records for at least six years. The period starts from the date of creation or the date it was last in effect, whichever is later.
This rule appears in 45 CFR § 164.530(j). We keep engagement records in line with this rule and the standards of our field.
12. Governing Law
These Terms are governed by the laws of the State of New York, without regard to conflict of law rules.
HIPAA applies on its own as a federal law. It overrides any state rules that conflict with PHI protection.
13. Changes to Terms
We may update these Terms from time to time to reflect changes in our practices or legal rules. We will send key changes to active clients by email.
If you continue using our services after a change, you accept the updated Terms.
Regulatory References
- HHS.gov - HIPAA for Professionals overview.
- HHS.gov - HIPAA Security Rule laws and regulations.
- HHS.gov - Business Associate guidance.
- HHS.gov - Breach Notification Rule.
- HHS.gov - HIPAA Enforcement overview.
- 45 CFR Part 164 - Security and Privacy regulations.
14. Contact
For questions about these Terms of Service or our HIPAA compliance work, contact us:
- Email: hello@oneguyconsulting.com
- Website: Contact section on oneguyconsulting.com