Why Us?

We know the law and we know the web.

We help companies safely and securely do business on the web.

HIPAA Jumpstart


Our HIPAA Jumpstart engagement focuses on setting the tone and direction of your HIPAA Compliance Initiative so that you meet the most requirements in the shortest period of time. This service reviews your Expresso® Subscription Plan and helps guide your named Privacy Officer or Security Officer (could be the same person) so you can jump-start your HIPAA compliance initiative ("HCI"). Unlike our Cybersecurity Audit where we come onsite and review the visible demonstrable evidence of your HCI, the Jumpstart™ engagement sessions are conducted using GoToMeeting at your convenience.

“…Through the process of risk management, leaders must consider risk to U.S. interests from adversaries using cyberspace to their advantage and from our own efforts to employ the global nature of cyberspace to achieve objectives in military, intelligence, and business operations…”

“…For operational plans development, the combination of threats, vulnerabilities, and impacts must be evaluated in order to identify important trends and decide where effort should be applied to eliminate or reduce threat capabilities; eliminate or reduce vulnerabilities; and assess, coordinate, and deconflict all cyberspace operations…”

“…Leaders at all levels are accountable for ensuring readiness and security to the same degree as in any other domain…”


What does it cover?

  1. Discusses your policies, procedures, and tracking mechanisms pertinent to all of the HIPAA Rules' requirements (i.e. Security Rule, Privacy Rule, and Breach Notification Rule) as they pertain to regulatory compliance and/or industry best practices. These steps ensure that from a legal perspective the Organization could, at a minimum, survive a security audit by a regulatory agency. Moreover, these steps protect an Organization’s Operational Environment in a manner that preserves the Organization’s brand and good will.
    • Ensure that the Organization has a named Security Officer and a named Privacy Officer.
    • Discuss the Risk Management Program.
    • Discuss/perform a baseline Risk Assessment using Expresso®.
    • Discuss the Sanction Policy.
    • Discuss the tracking of Security Incidents and the plan collateral regarding same.
    • Discuss Information System logging capabilities and responsibility.
    • Discuss policies and processes for workforce clearance.
    • Discuss policies and processes for workforce termination.
    • Discuss policies and processes for establishing access to Information.
    • Discuss policies and processes for reminding your workforce of Security issues.
    • Discuss policies and processes for protecting against malicious software.
    • Discuss policies and processes pursuant to data backups and the disaster recovery plan.
    • Discuss policies and processes pursuant to the encryption of Information.
    • Discuss policies and processes pursuant to authentication.
    • Discuss policies and processes pursuant to the physical security of facility, plant and equipment.
    • Discuss policies and processes pursuant to the destruction of Information (i.e. disposal).
    • Discuss Privacy Rule violations.
    • Discuss the Privacy Rule's Patient's Bill of Rights.
    • Discuss the Privacy Rule's Administrative Requirements.
    • Discuss the Breach Notification Rule's Preparedness Requirements.
  2. Prepare for Risk Assessment by training staff and gathering the necessary information Expresso® requires to conduct its baseline Risk Assessment (this does not presuppose that it is the Organization’s baseline Risk Assessment).
    • Conduct Expresso® overview training.
    • Identify applications (where available) from which the Expresso® Security Objects table will be populated. This is the table within Expresso® to which Security Controls (“Controls”) are applied. In general, the Security Objects table requires the following types of information:
      • Assets
      • Personnel
      • Applications
      • Databases
      • Networks
      • Hardware (Servers, PCs, laptops, phones, pads, etc.).
    • Create csv files (where applicable) to import into the Security Objects table.
    • Assist the client in identifying Threat/Vulnerability pairs pertinent to the Organization’s Operational Environment.
    • Assist the client in determining the business Impact (I) that would result from a Threat (T) exploiting a specific Vulnerability (V).
    • Assist the client in calculating the Risk (R) related to a specific Threat/Vulnerability pair, expressed as a function of the probability that a Threat (T) will exploit a specific Vulnerability (V) times the Impact (I) to the Organization (i.e. R = T x V x I).
    • Assist the client in identifying the subset of Risks that will be addressed during this Risk Assessment (i.e. assuming resource/budget constraints do not allow for addressing ALL Risks identified).
    • Assist the client in identifying Controls that reduce identified Risks to levels that are “reasonable and appropriate”.
    • Assist the client in producing Risk Assessment reports that can be used to report to internal stakeholders (and external stakeholders if required). These reports will also “feed” the Remediation Plan.
  3. Define the Remediation Plan to actually implement the Controls that will reduce identified Risks to levels that are “reasonable and appropriate” using our Jumpstart™ Scorecards.
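As an added illustration (not part of the Jumpstart™ service and not Expresso®'s own code), the following Python sketch mirrors steps 2 and 3 above: it parses a constructed Security Objects CSV, scores each Threat/Vulnerability pair with R = T x V x I, ranks the pairs, selects the subset a fixed hour budget allows, and shows the residual risk after a hypothetical Control. Every object name, score, control and cost below is constructed for the example.

```python
"""Toy risk register: T/V pairs, R = T x V x I, budgeted Control selection."""
import csv
import io

# Constructed sample of a Security Objects import file (hypothetical columns,
# not the real Expresso(R) schema).
SECURITY_OBJECTS_CSV = """object,type
EHR-DB,Database
BillingApp,Application
ClinicLAN,Network
FrontDeskPC,Hardware
"""

# Constructed Threat/Vulnerability pairs; T, V and I are scored 1 (low) to 5 (high).
# Each Control is hypothetical: (name, cost in hours, fraction of the Risk it removes).
TV_PAIRS = [
    {"object": "EHR-DB", "threat": "external attacker", "vuln": "unpatched DB engine",
     "T": 4, "V": 5, "I": 5, "control": ("monthly patch cycle", 6, 0.7)},
    {"object": "FrontDeskPC", "threat": "theft", "vuln": "unencrypted disk",
     "T": 3, "V": 4, "I": 5, "control": ("full-disk encryption", 3, 0.9)},
    {"object": "ClinicLAN", "threat": "malware", "vuln": "no egress filtering",
     "T": 3, "V": 3, "I": 3, "control": ("egress firewall rules", 4, 0.5)},
    {"object": "BillingApp", "threat": "insider", "vuln": "shared login",
     "T": 2, "V": 3, "I": 4, "control": ("per-user accounts + audit log", 5, 0.8)},
    # Refers to an object missing from the CSV; rank_risks() drops it.
    {"object": "FaxServer", "threat": "misdial", "vuln": "no cover sheet check",
     "T": 2, "V": 2, "I": 2, "control": ("fax confirmation step", 1, 0.5)},
]

def load_security_objects(text):
    """Parse the CSV that would be imported into the Security Objects table."""
    return {row["object"]: row["type"] for row in csv.DictReader(io.StringIO(text))}

def risk(pair):
    """R = T x V x I, exactly as the page states the formula."""
    return pair["T"] * pair["V"] * pair["I"]

def rank_risks(pairs, objects):
    """Keep only pairs tied to a known Security Object, highest Risk first."""
    return sorted((p for p in pairs if p["object"] in objects), key=risk, reverse=True)

def select_within_budget(ranked, budget_hours):
    """Greedy selection: address the highest Risks whose Control still fits the budget."""
    chosen, spent = [], 0
    for p in ranked:
        _, cost, _ = p["control"]
        if spent + cost <= budget_hours:
            chosen.append(p)
            spent += cost
    return chosen, spent

def residual_risk(pair):
    """Risk left after the Control's stated reduction is applied."""
    _, _, reduction = pair["control"]
    return round(risk(pair) * (1 - reduction), 1)
```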

What does it cost?

The cost of our Fixed Fee package is $2,500.00 USD and time boxed at fifteen (15) hours.

What are the deliverables?

As stated above, the deliverables (in part) are: (1) the policies and procedures enumerated above fully discussed and understood within your organization; (2) a complete and actionable Risk Assessment implemented with the assistance of Expresso®; and (3) a Remediation Plan based on our Scorecards.

Why should an organization audit their Operational Environment?

Think of it as a kind of insurance policy. It is now widely understood that a significant breach of protected Information will cause large scale financial and reputational damage to your Organization (think Target). Our Cybersecurity Audit helps you reduce identified Risks to levels that are "reasonable and appropriate" for an Organization of your size and complexity.

What parts of your Organization are reviewed?

Our HIPAA Jumpstart reviews one Profit & Loss center within your Organization.

What is not covered?

Our HIPAA Jumpstart produces a Remediation Plan as one of its deliverables. However, actual remediation can be an open-ended project whose cost is NOT included in the Fixed Fee offering.


Contact us today