Client Outcomes

What the Work Actually Looks Like

Anonymized case studies from real engagements. Client details are omitted; the work, the gaps we found, and the outcomes are not.

Case Study — Healthcare & Professional Services

Regional Health Insurance Brokerage: HIPAA Business Associate Compliance & Security Program Build

Multi-state health insurance brokerage 35–50 employees Compliance Baseline engagement 9-week delivery
The Situation

A regional health insurance brokerage operating across three states managed employer-sponsored group health plans for small and mid-size businesses. As a Business Associate handling electronic protected health information on behalf of multiple carriers, the firm was subject to the HIPAA Security Rule — but had no security program to show for it.

A large carrier client notified the firm that an upcoming contract renewal would require documented evidence of a formal security risk assessment, a written information security program, and a named Security Official. The firm had 11 weeks before the renewal deadline. Their IT provider — who managed their email and endpoints — had never conducted a risk assessment or produced any compliance documentation.


What We Found

The initial risk assessment documented 14 control gaps across four categories:

  • Access management: Shared credentials across multiple staff members for carrier portal access. No formal access review process. No documented offboarding procedure for former employees or independent contractors.
  • Workforce training: No documented security awareness training had been conducted. Staff handling ePHI had not received phishing simulation or credential hygiene training.
  • Vendor oversight: Five technology vendors — including the CRM platform and a cloud document storage provider — were processing ePHI without a current Business Associate Agreement in place. Two BAAs that did exist lacked required breach notification provisions.
  • Incident response: No written incident response plan. No documented breach notification workflow aligned to the HIPAA 60-day HHS reporting requirement or state notification laws.

What We Built
  • Formal HIPAA Security Risk Assessment, documented to HHS standards, covering all ePHI flows across the firm’s systems, vendors, and physical locations
  • Written Information Security Program (WISP) covering access controls, device management, remote work policy, workforce training requirements, and audit logging
  • Named Security Official designation, documented in the WISP and communicated to the carrier as the firm’s accountable security contact
  • Business Associate Agreement review and remediation: corrected BAAs with all five vendors, including required breach notification provisions and subcontractor disclosure language
  • Written Incident Response Plan with a breach triage workflow, HHS notification timeline, and state-specific notification obligations for each operating state
  • Initial workforce security training session covering phishing recognition, credential hygiene, ePHI handling, and reportable incident identification
  • Annual review schedule and policy maintenance calendar, so the program does not go stale after the initial engagement closes

The Outcome

Security program delivered in 9 weeks. The carrier renewal was completed without conditions, remediation requirements, or findings. The firm now operates with a documented WISP, a named Security Official, current BAAs on file for all technology vendors, and an annual review cycle that keeps the program current.

The engagement was structured as a fixed-scope Compliance Baseline. The firm subsequently transitioned to an Ongoing Advisory retainer for quarterly program maintenance, policy updates, and security reporting.


Why It Matters

Most Business Associates believe their IT provider handles HIPAA compliance. What IT providers deliver — patching, backups, email filtering — is infrastructure management, not a security program. The HIPAA Security Rule requires documented policies, formal risk assessments, workforce training, and vendor oversight. None of those are infrastructure tasks. The absence of that documentation is the finding — and increasingly, it is what carrier partners, regulators, and sophisticated clients are checking before they will sign or renew a contract.

Case Study — Professional Services

Bookkeeping Firm: Unmonitored IT Environment & FTC Safeguards Compliance

Independent bookkeeping firm Under 20 employees Compliance Baseline + Ongoing Advisory
The Situation

A small bookkeeping firm had relied on the same IT provider for several years to manage their computers, email, and cloud storage. The IT relationship was functional — help desk tickets got resolved, backups ran overnight — but it was purely reactive. The IT provider had never set up security event logging, never reviewed access to client files, and had no alerting in place for anything short of a system failure.

The firm handled payroll records, bank account credentials, tax documents, and Social Security numbers for dozens of small business clients. Under the FTC Safeguards Rule, the firm qualified as a financial institution required to maintain a written information security program. They had none. The engagement began when a client asked to see their security documentation before renewing a bookkeeping contract — and the firm had nothing to show.


What We Found

The risk assessment surfaced gaps that the IT provider had no mandate to look for — because no one had ever asked them to:

  • No monitoring or alerting: No security event logging was active on any system. File access to client payroll and tax folders was not logged. There was no way to determine who had accessed what — or when — going back years.
  • Credential exposure: Two staff email accounts had appeared in third-party breach databases. Passwords had not been changed. Multi-factor authentication was not enabled on any system, including the cloud accounting platform.
  • Uncontrolled access: A former part-time bookkeeper who had left the firm eight months prior still had active credentials to the cloud storage environment containing client tax documents.
  • No written program: No FTC Safeguards-compliant written information security program existed. No security coordinator had been designated. No risk assessment had ever been performed.

What We Built
  • FTC Safeguards Rule risk assessment, documenting all identified gaps and their associated risk level
  • Written Information Security Program designating a qualified individual, setting access control standards, and establishing an annual review cycle
  • Access control remediation: revoked all former-employee credentials, implemented MFA across all systems, and established a formal offboarding checklist
  • Security event logging activated across cloud platforms, with alerting rules for after-hours access, failed login attempts, and bulk file downloads
  • Vendor review: confirmed that the IT provider’s contract included appropriate security and confidentiality provisions consistent with Safeguards Rule vendor oversight requirements
  • Ongoing monthly monitoring review: SPM Advisors reviews security logs, alert summaries, and access activity on a retained basis — providing the oversight the IT provider was never scoped to deliver

The Outcome

The firm provided the requesting client with a written summary of their security program within three weeks of the engagement start. The client renewed. The former employee’s active credentials were discovered and revoked before any confirmed access had occurred — though the gap had been open for eight months without detection.

The firm now operates on a retained advisory basis with monthly log review, quarterly policy check-ins, and an annual risk assessment refresh. Their IT provider continues to handle infrastructure. SPM Advisors handles the security program and monitoring oversight that sits above it.


Why It Matters

IT providers manage systems. They are not scoped — and generally not qualified — to manage security programs, conduct risk assessments, or maintain regulatory compliance documentation. The gap between what an IT provider delivers and what FTC Safeguards, HIPAA, or a sophisticated client contract actually requires is exactly where breaches and enforcement actions originate. Monitoring is not a feature of a managed IT contract. It is a separate discipline that requires a separate engagement.

Case Study — Healthcare / Medical Aesthetics

Medical Spa: HIPAA Compliance Program Build & Ongoing Security Monitoring

Single-location medical spa & aesthetic practice Physician-owned, 10–25 staff Compliance Baseline + Ongoing Advisory
The Situation

A physician-owned medical spa offering injectable treatments, laser procedures, and medical-grade skincare operated with a practice management system, an EHR for medical record documentation, and a booking platform integrated with their website. The practice collected patient intake forms, treatment photos (before and after), and payment information — all of which constituted protected health information under HIPAA.

The practice had no documented security program. The physician owner had assumed that because the EHR vendor was HIPAA-compliant, the practice itself was covered. It is not how the Security Rule works — the covered entity obligation sits with the practice, not the software vendor. The engagement began after the practice received a patient complaint about how their treatment photos were being stored and shared for marketing purposes without an explicit authorization on file.


What We Found
  • Treatment photo handling: Before-and-after photos were stored in a shared cloud folder accessible to all front-desk staff, with no access controls, no retention policy, and no documented authorization process for marketing use. Several photos had been posted to the practice’s Instagram account without specific patient authorization.
  • No Security Risk Assessment: No formal HIPAA Security Risk Assessment had ever been performed. The EHR vendor’s BAA was signed, but the practice had no documentation of any risk analysis, safeguard evaluation, or remediation plan.
  • Booking platform scope gap: The online booking platform collected patient names, contact information, and medical history intake responses — but was operating under a general terms-of-service agreement, not a Business Associate Agreement. Patient data in that platform was outside the BAA structure entirely.
  • No monitoring or access review: Staff access to the EHR had never been audited. A part-time aesthetician who had reduced her hours significantly still had full EHR access identical to the clinical staff. No alerting was configured for after-hours record access.
  • No named Security Official: The HIPAA Privacy Rule requires designation of a Privacy Official; the Security Rule requires a Security Official. Neither role had been formally designated or documented.

What We Built
  • Formal HIPAA Security Risk Assessment covering all ePHI flows: EHR, booking platform, treatment photo storage, payment system, and staff-owned devices used for work communication
  • Treatment photo policy and authorization workflow: separate written authorization form for marketing use, access controls limiting photo storage to clinical staff only, and a retention and deletion schedule
  • Business Associate Agreement executed with the booking platform vendor; practice notified of the existing gap and documentation placed on file
  • Written Information Security Program and Privacy Program documentation, including designation of the physician as both Privacy Official and Security Official with documented responsibilities
  • EHR access audit and role-based access remediation: access levels aligned to job function, part-time staff access corrected, and a quarterly access review schedule established
  • EHR audit log monitoring configured with alerting for after-hours access and record queries outside normal patient volume
  • Staff HIPAA training session covering treatment photo authorization, ePHI handling, breach identification, and social media policy
  • Ongoing monthly monitoring retainer: EHR audit log review, access control check, and policy maintenance — with annual risk assessment refresh

The Outcome

The patient complaint was addressed with a documented response and a corrected authorization process. No OCR complaint was filed. The practice now has a documented HIPAA security and privacy program, named officials on record, current BAAs with all vendors in scope, and a treatment photo workflow that is both compliant and workable for the marketing team.

Monthly monitoring has since identified one instance of a staff member accessing patient records outside their assigned treatment schedule — flagged, investigated, and documented as a non-incident with no breach. Without monitoring in place, that access would never have been reviewed. The practice owner now has documented evidence that they are actively managing the security program — which is exactly what OCR looks for in an investigation.


Why It Matters

Medical spas occupy an unusual compliance position: they perform medical procedures, collect clinical records, and handle sensitive treatment images — but often operate with the administrative posture of a retail business. The assumption that a HIPAA-compliant EHR vendor transfers the covered entity’s obligations to the vendor is one of the most common and consequential misunderstandings in healthcare security. It does not. The practice owns the obligation. Ongoing monitoring is what closes the gap between an annual risk assessment and the next OCR inquiry — because a documented, active program is the difference between a corrective action plan and a civil money penalty.

Your Organization Has a Similar Gap?

Most organizations we work with started in the same place — no documentation, a deadline, and an IT provider who handled the wrong things. Let’s talk about what a baseline engagement would look like for you.

Request a Security Fit Call