
HIPAA Compliance Checklist 2026

Posted April 24, 2026, in Compliance.

Short answer: HIPAA requires every covered entity and business associate that handles protected health information to implement written policies, administrative, physical, and technical safeguards, and a breach-response program that meets 45 CFR Parts 160, 162, and 164. This 2026 checklist walks through the 38 Security Rule checkpoints the HHS Office for Civil Rights (OCR) audits against, the four governing rules, the Business Associate Agreement clauses, and the breach-notification timelines you must hit.

Use this as a working document. Score each item honestly, assign an owner, and build a remediation plan against the gaps. For the risk-analysis walk-through, read the HIPAA Security Risk Assessment pillar. For the full program view, see HIPAA Compliance.

HIPAA in 2026: Who It Applies To

HIPAA was enacted in 1996. The Privacy Rule took effect in 2003, the Security Rule in 2005. The Breach Notification Rule was added by HITECH in 2009 and absorbed into the 2013 Omnibus Rule, which also extended direct liability to business associates. In late 2024, HHS issued a proposed rulemaking to modernize the Security Rule with deadlines projected for 2026. The live rule set is what this checklist targets.

HIPAA applies to two groups. Covered entities are health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with a standard transaction (billing, eligibility, referrals, claims). Business associates are vendors, contractors, and subcontractors that create, receive, maintain, or transmit PHI on behalf of a covered entity. Since the Omnibus Rule, business associates are directly liable for Security Rule violations and for breach notification.

If you handle protected health information in any form (paper chart, claims file, voicemail, or ePHI), HIPAA governs how you secure it, disclose it, track access to it, and respond when something goes wrong. OCR's 2026 enforcement posture continues to prioritize risk-analysis failures, access-control lapses, and breach-response deficiencies, the same themes that dominated the last decade of published resolution agreements.

The Four HIPAA Rules Explained

HIPAA is codified at 45 CFR Parts 160, 162, and 164. Four rules carry the operational weight.

1. The Privacy Rule (45 CFR 164.500 to 164.534)

The Privacy Rule governs use and disclosure of PHI in any form, paper or electronic. It sets the minimum-necessary standard, defines patient rights (access, amendment, accounting of disclosures, restriction requests, confidential communications), and lists permitted and required uses. Treatment, payment, and health care operations do not require patient authorization. Most other uses do, or must fit a narrow exception such as public health reporting or judicial process. Practices must designate a Privacy Officer, publish a Notice of Privacy Practices, train the workforce, and maintain written policies.

2. The Security Rule (45 CFR 164.302 to 164.318)

The Security Rule applies only to ePHI and sets standards in three categories: administrative, physical, and technical safeguards. Each standard has implementation specifications that are either "required" or "addressable." Addressable does not mean optional. It means you must implement the specification, implement a reasonable alternative, or document why neither is reasonable and appropriate. OCR expects that documentation. The Security Rule is where the 38-item checklist below comes from.

3. The Breach Notification Rule (45 CFR 164.400 to 164.414)

Since 2009, covered entities must notify affected individuals, HHS, and in some cases the media when unsecured PHI is breached. "Unsecured" means not encrypted to NIST standards and not destroyed. There is a rebuttable presumption that any impermissible use or disclosure is a breach unless a four-factor risk assessment demonstrates low probability of compromise. Business associates must notify the covered entity. Timelines are covered in the breach section below.

4. The Omnibus Rule (2013)

The Omnibus Rule was the HITECH Act's final implementation round. It extended direct Security Rule liability to business associates and subcontractors, strengthened the Breach Notification Rule, tightened marketing and fundraising restrictions, expanded the business-associate definition to include data-transmission services with routine PHI access, and increased penalty tiers. Every modern BAA template traces back to the Omnibus Rule.

Administrative Safeguards Checklist (§164.308)

The Security Rule's administrative safeguards are the governance layer. These 18 checkpoints map directly to the implementation specifications at §164.308 and the associated §164.316 documentation requirement. Score each item as Met, Partial, or Gap, and assign an owner.

  • [ ] 1. Risk Analysis (required, §164.308(a)(1)(ii)(A)) - Current, accurate, thorough assessment of risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI you create, receive, maintain, or transmit. Most-cited failure in OCR resolution agreements.
  • [ ] 2. Risk Management (required, §164.308(a)(1)(ii)(B)) - Implement security measures sufficient to reduce risks to a reasonable and appropriate level. Track remediation in a risk register.
  • [ ] 3. Sanction Policy (required, §164.308(a)(1)(ii)(C)) - Written sanctions against workforce members who violate security policies. HR and Compliance co-own this.
  • [ ] 4. Information System Activity Review (required, §164.308(a)(1)(ii)(D)) - Regular review of audit logs, access reports, and incident tracking. Document cadence and findings.
  • [ ] 5. Assigned Security Responsibility (required, §164.308(a)(2)) - Name a Security Officer in writing. One accountable role. Small orgs may combine with Privacy Officer.
  • [ ] 6. Authorization and/or Supervision (addressable, §164.308(a)(3)(ii)(A)) - Procedures for authorizing and supervising workforce members who work with ePHI.
  • [ ] 7. Workforce Clearance Procedure (addressable, §164.308(a)(3)(ii)(B)) - Background checks and role-based access determination before granting credentials.
  • [ ] 8. Termination Procedures (addressable, §164.308(a)(3)(ii)(C)) - Same-day revocation of credentials and of physical, remote, and application access when a workforce member leaves. Tie to HR offboarding.
  • [ ] 9. Isolating Health Care Clearinghouse Functions (§164.308(a)(4)(ii)(A)) - Applies only to clearinghouses inside a larger organization. Segregate the ePHI environment.
  • [ ] 10. Access Authorization (addressable, §164.308(a)(4)(ii)(B)) - Policies for granting ePHI access. Role-based access control satisfies this.
  • [ ] 11. Access Establishment and Modification (addressable, §164.308(a)(4)(ii)(C)) - Document who modifies access rights and how changes are logged.
  • [ ] 12. Security Awareness and Training (required, §164.308(a)(5)) - Program for all workforce members, including management: security updates, malware, log-in monitoring, password management.
  • [ ] 13. Security Incident Procedures (required, §164.308(a)(6)) - Identify and respond to suspected or known incidents. Mitigate harm. Document outcome.
  • [ ] 14. Contingency Plan (required, §164.308(a)(7)) - Backup, disaster recovery, emergency-mode operation, testing procedures, and data criticality analysis. Test at least annually.
  • [ ] 15. Evaluation (required, §164.308(a)(8)) - Periodic technical and nontechnical evaluation in response to environmental or operational change. Annual is the defensible floor.
  • [ ] 16. Business Associate Contracts (required, §164.308(b)(1)) - Written arrangement with every business associate satisfying §164.314(a). No BAA, no data transfer.
  • [ ] 17. Documentation Retention (required, §164.316(b)(2)) - Retain policies, procedures, and required documentation for six years from creation or last-in-effect date, whichever is later.
  • [ ] 18. Policy Review and Update (required, §164.316(b)(2)(iii)) - Review periodically and update for environmental or operational change. Date-stamp every revision.

Physical Safeguards Checklist (§164.310)

Physical safeguards are the controls you can touch. They map to §164.310 and cover facility access, workstation use, workstation security, and device and media controls. Score each of the 10 checkpoints.

  • [ ] 1. Contingency Operations (addressable, §164.310(a)(2)(i)) - Procedures that allow facility access in support of data restoration during a disaster recovery or emergency mode event.
  • [ ] 2. Facility Security Plan (addressable, §164.310(a)(2)(ii)) - Policies and procedures to safeguard the facility and equipment from unauthorized physical access, tampering, and theft. Covers locks, alarms, cameras, and visitor management.
  • [ ] 3. Access Control and Validation (addressable, §164.310(a)(2)(iii)) - Procedures to control and validate a person's access to facilities based on their role, including visitor control and control of access to software programs for testing and revision.
  • [ ] 4. Maintenance Records (addressable, §164.310(a)(2)(iv)) - Documentation of repairs and modifications to the physical components of a facility that are related to security. Lock changes, door repairs, camera installations.
  • [ ] 5. Workstation Use (required, §164.310(b)) - Policies specifying the proper functions, the manner, and the physical attributes of the surroundings of a specific workstation that can access ePHI.
  • [ ] 6. Workstation Security (required, §164.310(c)) - Physical safeguards for all workstations that access ePHI. Screen privacy filters, auto-lock, cable locks, clean-desk policy.
  • [ ] 7. Disposal (required, §164.310(d)(2)(i)) - Policies for the final disposition of ePHI and the hardware or electronic media on which it is stored. NIST 800-88 media sanitization is the defensible reference.
  • [ ] 8. Media Re-use (required, §164.310(d)(2)(ii)) - Procedures for removal of ePHI from electronic media before the media are made available for re-use.
  • [ ] 9. Accountability (addressable, §164.310(d)(2)(iii)) - Maintain a record of the movements of hardware and electronic media and any person responsible for those movements.
  • [ ] 10. Data Backup and Storage (addressable, §164.310(d)(2)(iv)) - Create a retrievable, exact copy of ePHI before the movement of equipment.

Technical Safeguards Checklist (§164.312)

Technical safeguards are the controls your infrastructure team operates. Encryption, access control, audit logging, and transmission security all live here. There are 10 checkpoints, and this category is where most modernization spending lands in 2026.

  • [ ] 1. Unique User Identification (required, §164.312(a)(2)(i)) - Assign a unique name and/or number for identifying and tracking user identity. No shared accounts.
  • [ ] 2. Emergency Access Procedure (required, §164.312(a)(2)(ii)) - Procedures for obtaining necessary ePHI during an emergency. Break-glass accounts, documented and audited.
  • [ ] 3. Automatic Logoff (addressable, §164.312(a)(2)(iii)) - Electronic procedures that terminate an electronic session after a predetermined time of inactivity. 10 to 15 minutes is the common defensible setting for clinical workstations.
  • [ ] 4. Encryption and Decryption (addressable, §164.312(a)(2)(iv)) - Mechanism to encrypt and decrypt ePHI. Encryption at rest with AES-256 is the safe-harbor standard. The 2024 proposed rule signals a shift toward making this explicitly required.
  • [ ] 5. Audit Controls (required, §164.312(b)) - Hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use ePHI. Centralized logging, SIEM, and retention aligned with §164.316(b).
  • [ ] 6. Integrity - Mechanism to Authenticate ePHI (addressable, §164.312(c)(2)) - Electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner. File integrity monitoring, database checksums, digital signatures.
  • [ ] 7. Person or Entity Authentication (required, §164.312(d)) - Procedures to verify that a person or entity seeking access to ePHI is the one claimed. Multi-factor authentication is effectively the 2026 floor, and the proposed rule moves it from "addressable" practice to required for most remote access.
  • [ ] 8. Integrity Controls in Transmission (addressable, §164.312(e)(2)(i)) - Security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.
  • [ ] 9. Encryption in Transmission (addressable, §164.312(e)(2)(ii)) - Mechanism to encrypt ePHI whenever deemed appropriate. TLS 1.2 minimum, TLS 1.3 preferred. Email without TLS is not compliant and has driven several published resolution agreements.
  • [ ] 10. Transmission Security - Access Control (required, §164.312(e)(1)) - Technical security measures to guard against unauthorized access to ePHI being transmitted over an electronic communications network. VPN, zero-trust network access, segmented networks for medical devices.
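An added example, not the article's or Petronella Technology Group's code, of what administrative checkpoints 4 (activity review), 8 (termination) and 10 (access authorization) and technical checkpoints 1 (unique user IDs) and 5 (audit controls) look like when actually run against a log: a small review script over a constructed EHR access log. The HR roster, role table, log format and bulk-access threshold are all assumptions.

```python
"""Information System Activity Review rules run over a constructed EHR access log.
Constructed example, not the article's or any vendor's code; the roster, policy
table, log format and threshold are all assumptions."""
from collections import defaultdict
from datetime import date, datetime

# Constructed HR roster: user id -> (role, termination date or None)
ROSTER = {
    "jdoe":   ("clinical", None),
    "msmith": ("billing",  None),
    "rlee":   ("clinical", date(2026, 3, 31)),  # left on 31 March; access should be gone
}
# Constructed role-based access policy: resources each role may read
ROLE_RESOURCES = {
    "clinical": {"chart", "labs", "notes"},
    "billing":  {"claims", "demographics"},
}
SHARED_ACCOUNTS = {"nurse_station", "frontdesk"}  # generic logins: no unique user ID
BULK_THRESHOLD = 25  # distinct patients per user per day; assumed tuning value

# Constructed sample log: timestamp,user,resource,patient_id
SAMPLE_LOG = """\
2026-04-01T08:15:00,jdoe,chart,P1001
2026-04-01T08:16:00,jdoe,labs,P1001
2026-04-01T09:02:00,rlee,chart,P2002
2026-04-01T09:30:00,msmith,notes,P1001
2026-04-01T10:00:00,nurse_station,chart,P3003
"""
# Add a burst of 30 distinct demographics lookups by one billing user
SAMPLE_LOG += "".join(
    f"2026-04-01T11:{i:02d}:00,msmith,demographics,P4{i:03d}\n" for i in range(30)
)


def parse_log(text):
    """Parse CSV lines into event dicts with a parsed timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, resource, patient = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "resource": resource, "patient": patient})
    return events


def review_activity(text):
    """Return (rule, user, detail) findings for the reviewer to record and sign off.

    Rules: shared or unknown accounts (unique user ID), activity after the HR
    termination date (termination procedures), resources outside the user's role
    (access authorization), and unusually broad record access in one day.
    """
    findings = []
    per_day_patients = defaultdict(set)
    for e in parse_log(text):
        user, day = e["user"], e["ts"].date()
        if user in SHARED_ACCOUNTS:
            findings.append(("shared_account", user, f"{e['ts']} {e['resource']}"))
            continue
        if user not in ROSTER:
            findings.append(("unknown_user", user, f"{e['ts']} not in HR roster"))
            continue
        role, term_date = ROSTER[user]
        if term_date is not None and day > term_date:
            findings.append(("terminated_access", user,
                             f"{e['ts']} is after termination on {term_date}"))
        if e["resource"] not in ROLE_RESOURCES[role]:
            findings.append(("role_violation", user,
                             f"{role} role read {e['resource']} for {e['patient']}"))
        per_day_patients[(user, day)].add(e["patient"])
    for (user, day), patients in per_day_patients.items():
        if len(patients) > BULK_THRESHOLD:
            findings.append(("bulk_access", user,
                             f"{len(patients)} distinct patients on {day}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in review_activity(SAMPLE_LOG):
        print(f"{rule:18} {user:14} {detail}")
```

Each finding is the kind of line item the documented review cadence under checkpoint 4 should record along with who reviewed it and what was done.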

Breach Notification Checklist

The Breach Notification Rule has strict timelines. Miss them and OCR will pursue the missed-notification violation separately from whatever caused the breach in the first place.

  • [ ] Individual Notification - Notify each affected individual without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. Written notice by first-class mail, or by email if the individual has agreed to electronic notice.
  • [ ] Media Notification - For a breach affecting more than 500 residents of a State or jurisdiction, notify prominent media outlets serving that area without unreasonable delay and in no case later than 60 calendar days after discovery.
  • [ ] HHS Notification - Large Breaches - For any breach affecting 500 or more individuals, notify the Secretary of HHS contemporaneously with the individual notice through the OCR breach portal.
  • [ ] HHS Notification - Small Breaches - For breaches affecting fewer than 500 individuals, maintain a log and submit it to HHS annually, not later than 60 days after the end of the calendar year.
  • [ ] Business Associate to Covered Entity - Business associates must notify the covered entity without unreasonable delay and in no case later than 60 calendar days after discovery. Your BAA can and should require a shorter window.
  • [ ] Four-Factor Risk Assessment Documentation - Document the nature and extent of the PHI involved, the unauthorized person who used or received the PHI, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated. This is your rebuttable-presumption defense.
  • [ ] Substitute Notice - If contact information for 10 or more individuals is insufficient or out of date, post a conspicuous notice on your website home page for 90 days or provide notice in major print or broadcast media.
  • [ ] Breach Content Requirements - Each notice must include a brief description of what happened, the types of PHI involved, steps individuals should take to protect themselves, what the covered entity is doing, and contact procedures. Template your letter in advance.
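The timelines above as an added worked example, not from the article or any regulator's tooling: given a discovery date, headcounts, and the safe-harbor and four-factor outcomes, it lists which notices are due by when, including the 500-or-more HHS test versus the more-than-500 media test and the annual log for small breaches. The business-associate role and BAA-window parameters are assumptions; the 60-day, 500-person and 10-person thresholds are the checklist's own.

```python
"""Breach-notification deadline planner following the checklist above.
Constructed example, not the article's or any regulator's tool; the role
parameter and BAA window are assumptions, the thresholds come from the checklist."""
from datetime import date, timedelta

NOTICE_WINDOW_DAYS = 60       # outer limit; "without unreasonable delay" still governs
HHS_PORTAL_THRESHOLD = 500    # HHS portal notice at 500 or more individuals
MEDIA_THRESHOLD = 500         # media notice when MORE than 500 residents of one State
SUBSTITUTE_NOTICE_MIN = 10    # substitute notice when contact info fails for 10 or more


def notification_plan(discovered, affected_total, affected_by_state, *,
                      unsecured=True, low_probability_documented=False,
                      bad_contacts=0, role="covered_entity", baa_report_days=None):
    """Return a list of (notice, due date or None, note) for a discovered breach.

    discovered: date or ISO string of the discovery date.
    affected_by_state: {state: residents affected}; drives the media test.
    unsecured: False if the PHI was encrypted to NIST standards or destroyed.
    """
    if isinstance(discovered, str):
        discovered = date.fromisoformat(discovered)
    outer = discovered + timedelta(days=NOTICE_WINDOW_DAYS)

    # Safe harbor and rebuttable-presumption checks come first
    if not unsecured:
        return [("no_notice", None,
                 "PHI encrypted to NIST standards or destroyed is not unsecured; record the determination")]
    if low_probability_documented:
        return [("no_notice", None,
                 "documented four-factor assessment shows low probability of compromise; retain it")]

    # A business associate's duty runs to the covered entity, within the BAA window
    if role == "business_associate":
        window = min(NOTICE_WINDOW_DAYS, baa_report_days or NOTICE_WINDOW_DAYS)
        return [("covered_entity", discovered + timedelta(days=window),
                 f"BAA window {window} days; statutory outer limit {NOTICE_WINDOW_DAYS}")]

    plan = [("individual", outer, "first-class mail, or email if the individual agreed")]
    if affected_total >= HHS_PORTAL_THRESHOLD:
        plan.append(("hhs_portal", outer, "contemporaneous with individual notice"))
    else:
        # Small breaches go on the annual log, due 60 days after the calendar year ends
        log_due = date(discovered.year, 12, 31) + timedelta(days=NOTICE_WINDOW_DAYS)
        plan.append(("hhs_annual_log", log_due, "submit the annual log to HHS"))
    for state, count in sorted(affected_by_state.items()):
        if count > MEDIA_THRESHOLD:
            plan.append((f"media:{state}", outer,
                         f"{count} residents; prominent outlets serving {state}"))
    if bad_contacts >= SUBSTITUTE_NOTICE_MIN:
        plan.append(("substitute_notice", outer,
                     "home-page notice for 90 days, or major print or broadcast media"))
    return plan


def due_iso(plan, notice):
    """ISO date string of a notice's deadline, or None if the notice is not in the plan."""
    for name, due, _ in plan:
        if name == notice:
            return due.isoformat() if due else None
    return None


if __name__ == "__main__":
    for notice, due, note in notification_plan("2026-04-24", 620, {"NC": 510, "VA": 110},
                                               bad_contacts=12):
        print(f"{notice:18} {due}  {note}")
```

The dates it produces are outer limits; the incident log should also record when each notice actually went out, since "without unreasonable delay" is judged separately from the 60-day cap.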

Business Associate Agreement (BAA) Checklist

A BAA is the contract that lets a business associate handle PHI on your behalf. §164.504(e) and §164.314(a) set the required content. Every BAA you sign, whether you are the covered entity or the business associate, must include each of these clauses.

  • [ ] Permitted and Required Uses and Disclosures - Define exactly what the business associate may do with the PHI and what the business associate must do.
  • [ ] No Use or Disclosure Beyond Agreement or Law - Prohibit uses or disclosures not permitted by the contract or required by law.
  • [ ] Appropriate Safeguards - Require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure, including Security Rule compliance for ePHI.
  • [ ] Breach and Incident Reporting - Require reporting of any use or disclosure not provided for by the contract, including breaches of unsecured PHI, within a specified timeframe shorter than the statutory 60-day window.
  • [ ] Flow-Down to Subcontractors - Require the business associate to ensure that any subcontractors that create, receive, maintain, or transmit PHI agree to the same restrictions via a written agreement.
  • [ ] Individual Rights Support - Provide access to PHI, make amendments, and provide an accounting of disclosures as required by the Privacy Rule.
  • [ ] Availability of Records for Audit - Make internal practices, books, and records relating to the use and disclosure of PHI available to the Secretary of HHS.
  • [ ] Return or Destruction at Termination - At termination, return or destroy all PHI and extend protections for any PHI that cannot feasibly be returned or destroyed.
  • [ ] Termination for Material Breach - Allow the covered entity to terminate for a material breach that the business associate fails to cure.

HIPAA Security Risk Analysis: How to Run One

The risk analysis required by §164.308(a)(1)(ii)(A) is the root of every other Security Rule decision you make. OCR cites the absence or inadequacy of a risk analysis in the majority of Security Rule enforcement actions. For a deeper procedural walkthrough, see the HIPAA Security Risk Assessment pillar. Here is the condensed method.

  1. Scope the analysis. Enumerate every system, application, device, paper store, and third-party vendor that creates, receives, maintains, or transmits ePHI. Include remote workers, telehealth platforms, wearables that sync to your EHR, and printers with persistent storage.
  2. Identify threats and vulnerabilities. Use NIST SP 800-30 or OCR's published Security Risk Assessment Tool as a framework. Document threat sources (natural, human, environmental) and vulnerabilities for each asset.
  3. Assess current security measures. Inventory the controls already in place, the implementation specifications you have satisfied, and the addressable specifications you have documented decisions about.
  4. Determine likelihood and impact. Rate each threat-vulnerability pair. Document the rationale. OCR will challenge unsupported low-likelihood ratings.
  5. Determine residual risk. After controls are applied, what is left? This drives the risk-management program.
  6. Finalize documentation. Produce the risk analysis document itself, including methodology, scope, findings, residual risk acceptance decisions, and date. Version-control it.
  7. Review periodically. At minimum annually, and whenever significant operational or environmental change occurs: new EHR, new clinic, cloud migration, ransomware event, acquisition, major staffing change.

Common Gaps in 2026

Based on publicly available OCR guidance and the pattern of published resolution agreements, these gaps continue to surface. Treat the list as a sanity check against your own program.

  • Risk analysis absent or scoped too narrowly. The risk analysis covers the EHR but skips fax servers, legacy applications, third-party portals, or remote workforce endpoints. OCR's position is that the analysis must be enterprise-wide.
  • Encryption gaps on portable media and backups. Laptops, external drives, USB storage, and older backup tapes frequently fall outside the encryption inventory. The breach-notification safe harbor only applies if the PHI was encrypted to NIST standards at the time of loss.
  • Weak or missing multi-factor authentication for remote access. The 2024 proposed rule signals that MFA is moving from practice expectation to explicit requirement. Many programs still rely on single-factor for email-based PHI access or for VPN.
  • Access reviews not performed or not documented. Workforce members retain access to EHR modules they no longer need. Termination triggers an account deactivation but not a role review. §164.308(a)(4) is one of the most commonly audited standards.
  • Business Associate Agreements stale or missing. A new vendor is onboarded without a BAA. An existing BAA was signed in 2010 and does not reflect Omnibus Rule changes. Subcontractor flow-down clauses are missing.
  • Audit logs generated but not reviewed. Logging is turned on, but no one looks at it, there is no SIEM, and suspicious access goes undetected for months.
  • Contingency plan never tested. The backup job runs. The restore has never been tested. Ransomware exposes the gap at the worst possible moment.
  • Sanction policy exists on paper but is not applied. An incident occurs. The workforce member is not sanctioned consistent with policy. OCR sees the gap in a subsequent audit.
  • Training documented as annual, but role-specific content is thin. Clinical staff get the same deck as billing and IT. OCR expects tailored training for roles with heightened access.
  • Incident response plan assumes a simple breach. Ransomware is not just a breach. It is an availability event, a potential impermissible disclosure, and a regulatory-reporting question all at once. The response plan must cover all three.

Frequently Asked Questions

Is encryption required under HIPAA?

Under the current Security Rule, encryption of ePHI is "addressable," meaning you must implement it, implement a reasonable alternative, or document why neither is reasonable and appropriate. In practice, encryption is the safe harbor for both the Security Rule and the Breach Notification Rule: encrypted ePHI that is lost or stolen is generally not considered a breach. The 2024 proposed rulemaking would move encryption from addressable to required. Treat encryption as required today.

Do text messages need HIPAA compliance?

Standard SMS, iMessage, and Android messaging do not meet HIPAA's transmission security requirements. If your workforce sends PHI by text, use a secure-messaging platform with a signed BAA, end-to-end encryption, auditing, and remote wipe. Alternatively, keep PHI inside authenticated patient portals.

What is the HIPAA fine for a small business?

Civil monetary penalties are tiered by culpability: no knowledge, reasonable cause, willful neglect corrected, and willful neglect not corrected. HHS adjusts dollar amounts annually for inflation. Published recent tiers range from roughly $137 per violation at the lowest tier to a roughly $2,134,831 annual maximum per violation category at the highest, per HHS's January 2024 adjustment. Small-practice resolutions have ranged from tens of thousands to several million dollars depending on scope and culpability. Check the current OCR civil money penalty page for the exact amounts in the year of enforcement.

Does HIPAA apply to my cloud vendor?

Yes, if the vendor creates, receives, maintains, or transmits PHI on your behalf. HHS has clarified this applies even when the vendor does not routinely view the PHI. Sign a BAA with infrastructure providers, SaaS platforms, backup services, email hosting, and archival vendors before sending any PHI.

How often do I need a HIPAA risk analysis?

The Security Rule requires it to be current, accurate, and thorough. OCR treats annual as the defensible floor, and expects an updated analysis whenever significant change occurs: new EHR, new location, cloud migration, merger or acquisition, major workforce change, ransomware or other security incident. Date-stamp every revision.

Is email HIPAA compliant?

Standard email is not HIPAA compliant. For PHI in email, use a provider with a signed BAA (Microsoft 365 and Google Workspace both offer BAAs for certain plans), enforce TLS, use portal-based secure email for external sends, and require authentication for access. Document the control decisions in your Security Rule rationale.

What is the difference between HIPAA and HITECH?

HIPAA is the 1996 statute and its rules. HITECH is the 2009 law that strengthened HIPAA by creating the Breach Notification Rule, increasing penalties, extending direct liability to business associates, and accelerating EHR adoption. The 2013 Omnibus Rule implemented most HITECH changes. "HIPAA" today generally means the combined HIPAA plus HITECH plus Omnibus framework.

Do I need a Privacy Officer and a Security Officer?

Yes. The Privacy Rule requires a Privacy Officer (§164.530(a)(1)). The Security Rule requires a Security Officer (§164.308(a)(2)). In a small organization the same person can hold both roles. Document the designation in writing and update when people change roles.

What counts as a HIPAA breach?

A breach is an impermissible acquisition, access, use, or disclosure of unsecured PHI that compromises its security or privacy. There is a rebuttable presumption that any impermissible use or disclosure is a breach unless a documented four-factor risk assessment shows low probability of compromise. Encrypted PHI is generally not "unsecured," so loss of encrypted PHI is generally not a reportable breach.

Are business associates directly liable for HIPAA violations?

Yes, since the 2013 Omnibus Rule. Business associates are directly liable for Security Rule violations, for impermissible uses and disclosures that violate their BAA or applicable Privacy Rule provisions, and for breach notification to the covered entity. OCR has pursued business associates directly in multiple published resolution agreements.

Work With Petronella Technology Group on Your HIPAA Program

Petronella Technology Group has run HIPAA Security Risk Assessments for covered entities and business associates since 2002. Engagements include the full 38-checkpoint review, the §164.316 documentation package, a written risk register with remediation priorities, and a walkthrough with your Privacy Officer and Security Officer. Craig Petronella leads the program as a CMMC Registered Practitioner (CMMC-RP) and Digital Forensic Examiner (DFE #604180). Petronella Technology Group is a CMMC-AB Registered Provider Organization, RPO #1449. Our address is 5540 Centerview Dr., Suite 200, Raleigh, NC 27606. Call (919) 348-4912 or visit the HIPAA Security Risk Assessment page to start a scoping conversation. For the full HIPAA program view, see the HIPAA Compliance hub.

This article is educational, not legal advice. Regulatory interpretations and penalty tiers change. Confirm current requirements against 45 CFR Parts 160, 162, and 164, the HHS OCR HIPAA pages, and your legal counsel before acting on any checklist item.


About the Author

Craig Petronella, CEO, Founder & AI Architect, Petronella Technology Group

Craig Petronella founded Petronella Technology Group in 2002 and has spent more than 30 years working at the intersection of cybersecurity, AI, compliance, and digital forensics. He holds the CMMC Registered Practitioner credential (RP-1372) issued by the Cyber AB, is an NC Licensed Digital Forensics Examiner (License #604180-DFE), and completed MIT Professional Education programs in AI, Blockchain, and Cybersecurity. Craig also holds CompTIA Security+, CCNA, and Hyperledger certifications.

He is an Amazon #1 Best-Selling Author of 15+ books on cybersecurity and compliance, host of the Encrypted Ambition podcast (95+ episodes on Apple Podcasts, Spotify, and Amazon), and a cybersecurity keynote speaker with 200+ engagements at conferences, law firms, and corporate boardrooms. Craig serves as Contributing Editor for Cybersecurity at NC Triangle Attorney at Law Magazine and is a guest lecturer at NCCU School of Law. He has served as a digital forensics expert witness in federal and state court cases involving cybercrime, cryptocurrency fraud, SIM-swap attacks, and data breaches.

Under his leadership, Petronella Technology Group has served 2,500+ clients, maintained a zero-breach record among compliant clients, earned a BBB A+ rating every year since 2003, and been featured as a cybersecurity authority on CBS, ABC, NBC, FOX, and WRAL. The company leverages SOC 2 Type II certified platforms and specializes in AI implementation, managed cybersecurity, CMMC/HIPAA/SOC 2 compliance, and digital forensics for businesses across the United States.
