Anonymized case studies from real engagements. Client details are omitted; the work, the gaps we found, and the outcomes are not.
A regional health insurance brokerage operating across three states managed employer-sponsored group health plans for small and mid-size businesses. As a Business Associate handling electronic protected health information on behalf of multiple carriers, the firm was subject to the HIPAA Security Rule — but had no security program to show for it.
A large carrier client notified the firm that an upcoming contract renewal would require documented evidence of a formal security risk assessment, a written information security program, and a named Security Official. The firm had 11 weeks before the renewal deadline. Their IT provider — who managed their email and endpoints — had never conducted a risk assessment or produced any compliance documentation.
The initial risk assessment documented 14 control gaps across four categories:
Security program delivered in 9 weeks. The carrier renewal was completed without conditions, remediation requirements, or findings. The firm now operates with a documented WISP, a named Security Official, current BAAs on file for all technology vendors, and an annual review cycle that keeps the program current.
The engagement was structured as a fixed-scope Compliance Baseline. The firm subsequently transitioned to an Ongoing Advisory retainer for quarterly program maintenance, policy updates, and security reporting.
Most Business Associates believe their IT provider handles HIPAA compliance. What IT providers deliver — patching, backups, email filtering — is infrastructure management, not a security program. The HIPAA Security Rule requires documented policies, formal risk assessments, workforce training, and vendor oversight. None of those are infrastructure tasks. The absence of that documentation is the finding — and increasingly, it is what carrier partners, regulators, and sophisticated clients are checking before they will sign or renew a contract.
A small bookkeeping firm had relied on the same IT provider for several years to manage their computers, email, and cloud storage. The IT relationship was functional — help desk tickets got resolved, backups ran overnight — but it was purely reactive. The IT provider had never set up security event logging, never reviewed access to client files, and had no alerting in place for anything short of a system failure.
The firm handled payroll records, bank account credentials, tax documents, and Social Security numbers for dozens of small business clients. Under the FTC Safeguards Rule, the firm qualified as a financial institution required to maintain a written information security program. They had none. The engagement began when a client asked to see their security documentation before renewing a bookkeeping contract — and the firm had nothing to show.
The risk assessment surfaced gaps that the IT provider had no mandate to look for — because no one had ever asked them to:
The firm provided the requesting client with a written summary of their security program within three weeks of the engagement start. The client renewed. The former employee’s active credentials were discovered and revoked before any confirmed access had occurred — though the gap had been open for eight months without detection.
The firm now operates on a retained advisory basis with monthly log review, quarterly policy check-ins, and an annual risk assessment refresh. Their IT provider continues to handle infrastructure. SPM Advisors handles the security program and monitoring oversight that sits above it.
IT providers manage systems. They are not scoped — and generally not qualified — to manage security programs, conduct risk assessments, or maintain regulatory compliance documentation. The gap between what an IT provider delivers and what FTC Safeguards, HIPAA, or a sophisticated client contract actually requires is exactly where breaches and enforcement actions originate. Monitoring is not a feature of a managed IT contract. It is a separate discipline that requires a separate engagement.
A physician-owned medical spa offering injectable treatments, laser procedures, and medical-grade skincare operated with a practice management system, an EHR for medical record documentation, and a booking platform integrated with their website. The practice collected patient intake forms, treatment photos (before and after), and payment information — all of which constituted protected health information under HIPAA.
The practice had no documented security program. The physician owner had assumed that because the EHR vendor was HIPAA-compliant, the practice itself was covered. It is not how the Security Rule works — the covered entity obligation sits with the practice, not the software vendor. The engagement began after the practice received a patient complaint about how their treatment photos were being stored and shared for marketing purposes without an explicit authorization on file.
The patient complaint was addressed with a documented response and a corrected authorization process. No OCR complaint was filed. The practice now has a documented HIPAA security and privacy program, named officials on record, current BAAs with all vendors in scope, and a treatment photo workflow that is both compliant and workable for the marketing team.
Monthly monitoring has since identified one instance of a staff member accessing patient records outside their assigned treatment schedule — flagged, investigated, and documented as a non-incident with no breach. Without monitoring in place, that access would never have been reviewed. The practice owner now has documented evidence that they are actively managing the security program — which is exactly what OCR looks for in an investigation.
Medical spas occupy an unusual compliance position: they perform medical procedures, collect clinical records, and handle sensitive treatment images — but often operate with the administrative posture of a retail business. The assumption that a HIPAA-compliant EHR vendor transfers the covered entity’s obligations to the vendor is one of the most common and consequential misunderstandings in healthcare security. It does not. The practice owns the obligation. Ongoing monitoring is what closes the gap between an annual risk assessment and the next OCR inquiry — because a documented, active program is the difference between a corrective action plan and a civil money penalty.
Most organizations we work with started in the same place — no documentation, a deadline, and an IT provider who handled the wrong things. Let’s talk about what a baseline engagement would look like for you.
Request a Security Fit Call