Colington Consulting

Helping Organizations Achieve HIPAA Complia

844-740-7100


Aligned with the Standards of the HHS, AMA, and ADA

 Navigating healthcare privacy regulations shouldn't require a law degree. Our compliance programs are built directly around the official frameworks established by the Department of Health and Human Services (HHS), the American Medical Association (AMA), and the American Dental Association (ADA). Below are answers to the most common compliance questions we solve for healthcare practices and business associates. 

Frequently Asked Questions

Please reach us at info@cchipaa.com if you cannot find an answer to your question.

Yes, completely. We understand that discussing potential gaps in your current HIPAA compliance can feel sensitive or stressful. Our role is to protect your practice or organization, not to judge or report it.


To ensure absolute privacy and peace of mind, all sensitive compliance reviews and initial consultations can be handled directly and confidentially with our company president. As a former federal regulator and HIPAA Compliance Officer for a large county government, our president knows exactly how government auditors operate, what they look for, and how complex organizations function in the real world.


We do not report to any federal or state agencies. Our sole priority is to use that insider regulatory expertise to find and fix your vulnerabilities in a safe, entirely judgment-free environment.


To formally demonstrate compliance if audited or subjected to a federal breach investigation, an organization cannot simply claim to be compliant—you must prove it through tangible documentation.


According to guidelines supported by the AMA HIPAA privacy and security resources, an organization must:


  • Maintain Written Policies: Have up-to-date, customized policies and procedures that form a comprehensive HIPAA risk management plan.
  • Conduct Security Reviews: Provide documented proof of regular HIPAA risk assessments.
  • Train the Workforce: Provide mandatory, annual HIPAA security awareness training for the entire workforce.
  • Designate Oversight: Regardless of your organization's size, you must appoint a designated HIPAA security and privacy official to manage the compliance program.


Many organizations and small businesses believe that HIPAA regulatory compliance is a costly luxury. This misconception is one of the main reasons some organizations fail to implement a comprehensive program to guard against regulatory noncompliance.


In reality, implementing proactive HIPAA compliance measures is highly cost-effective, especially when compared to the strict civil monetary penalties and permanent reputational damage caused by a data breach.


Our team customizes compliance packages to meet your specific operational size and budget constraints. To determine your exact pricing, we utilize an initial questionnaire to evaluate what compliance metrics are currently in place. This ensures you only pay for the specific frameworks your organization actually needs.


Regardless of the size of the practice, dental offices are legally required to follow all HIPAA Security and Privacy Rule requirements. As outlined in the ADA HIPAA 20 Questions guide, dentists must actively manage patient privacy, physical office security, and electronic data transmissions.


To maintain a baseline that satisfies federal regulators, a dental practice must:


  • Conduct Risk Assessments: Formally identify potential vulnerabilities and risks to protected health information (PHI) maintained by the organization.
  • Implement Custom Policies: Develop and implement HIPAA policies and procedures as part of an active risk management plan.
  • Train Staff Annually: Conduct annual HIPAA Security Awareness and Privacy Training for all members of the workforce, including dentists.
  • Secure BAAs: Ensure signed Business Associate Agreements are active for all vendors that have any access to patient health information and records.


Yes. Government regulators do not exempt solo practitioners, small clinics, or startups from compliance simply because they lack an enterprise IT budget. Federal law requires the same level of data protection whether you are a major hospital system or a local neighborhood clinic.


While organizations like the AMA and ADA provide toolkits to help small practices understand these rules, executing them internally can be overwhelming without specialized staff. At Colington Consulting, we step in to act as your external compliance partner—handling the risk assessments, drafting your custom policies, and running your staff training so you can focus entirely on patient care.


The U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) typically initiate HIPAA investigations due to three specific triggers:


  1. Self-Reported Data Breaches: Any breach affecting 500 or more individuals must be reported immediately, automatically triggering a federal investigation. Smaller breaches are logged annually but can still prompt a review.
  2. Patient or Employee Complaints: Written complaints filed by patients, disgruntled employees, or competitors regarding privacy mishandling.
  3. Random Audits: The OCR conducts periodic, random compliance audits across both covered entities and business associates to ensure industry standards are being maintained.


Yes, Colington Consulting is a premier HIPAA compliance firm proudly based in Burke, Fairfax County, Virginia. While we serve clients nationwide, we specialize in providing hands-on, localized compliance strategies, on-site risk reviews, and tailored consulting for healthcare providers, dental practices, and business associates throughout Virginia and the greater Washington D.C. metropolitan area.  


A Covered Entity is any provider of medical, dental, or other healthcare services or supplies that transmits any protected health information in electronic form. This includes pharmacies, health plans, and healthcare clearinghouses that perform electronic health care billing functions.


Note: If your organization files any insurance claims electronically, including requests for reimbursement from CMS for Medicare and Medicaid services, you are automatically considered a covered entity.


A Business Associate is a person or business that creates, receives, maintains, stores, or transmits PHI while performing a function or activity for a covered entity.


Under federal law, a Business Associate Agreement (BAA) is a mandatory contract between a covered entity and a designated business associate. The agreement requires that any protected health information maintained by the business associate must be protected in accordance with HIPAA regulations. A BAA must explicitly define how a business associate will report and respond to a data breach, including breaches caused by their subcontractors.


Common examples of business associates include:


  • IT services and cloud storage providers.
  • Some health software developers.
  • Medical billing and coding companies.
  • Website hosting companies that maintain patient health questionnaires or intake forms.
  • Legal, accounting, consulting, management, or financial services with access to patient data.
  • Some AI health-related platforms or vendors.


Yes, we manage the entire lifecycle for you. Under HIPAA guidelines, any vendor—including IT providers, billing companies, and newer AI-powered clinical tools (such as transcription or dictation software)—must be thoroughly vetted prior to being granted any access to your Protected Health Information (PHI) or ePHI.

Because auditing these entities is incredibly time-consuming, our Third-Party HIPAA Governance service takes the entire burden off your plate. We directly handle:


  • Pre-Service Vendor Risk Assessments: Auditing third parties before you onboard them to ensure they maintain the strict security standards required to protect your practice.
  • AI Tool Compliance: Reviewing the data-handling and privacy policies of AI platforms to ensure they do not improperly expose or store your ePHI.
  • BAA Management: Verifying and executing legally sound Business Associate Agreements before any vendor access is permitted.


The HITECH Act (2009) and the final HIPAA Omnibus Rule drastically strengthened the government's ability to enforce privacy laws, expanded consumer rights, and increased penalties.


  • Direct Liability: Business associates and third-party vendors are now held directly legally and financially liable for data breaches, just like covered entities.
  • Stricter Penalties: A tiered penalty structure was introduced, significantly increasing the financial cost of noncompliance and willful neglect.
  • Patient Rights: Patients gained the right to receive a copy of their medical records in an electronic form. Furthermore, when individuals pay by cash for healthcare services, they can instruct their provider not to share information about their treatment with their health plan.
  • Marketing Restrictions: The rule sets strict limits on how information is used and disclosed for marketing and fundraising purposes, completely prohibiting the sale of an individual's health information without explicit permission.


Protected Health Information (PHI) is individually identifiable health information that is transmitted or maintained in any medium—including paper records, oral communications, or digital files. Electronic Protected Health Information (ePHI) refers specifically to PHI that is produced, saved, transferred, or received in an electronic form.


There are 18 specific types of identifiers that classify data as PHI, including:


  • Patient names and geographical data.
  • Social Security numbers and medical record numbers.
  • Email addresses, phone numbers, and IP addresses.
  • Full-face photographic images or biometric identifiers.


A data breach is the unauthorized acquisition, access, use, or disclosure of Protected Health Information (PHI) in a manner not permitted under the HIPAA Privacy or Security Rules, which compromises the security or privacy of the information.

A breach can be a release of unsecured PHI to an unauthorized entity or an insecure environment, whether intentional or unintentional. This includes cyberattacks (like ransomware), lost or stolen unencrypted laptops, or improper instances of unauthorized access or disclosure by internal personnel.


Yes, in almost all cases. While HIPAA itself legally mandates a Security Risk Assessment (SRA) for all Covered Entities and Business Associates, cybersecurity insurance underwriters have independently made it a strict requirement for coverage.


Because healthcare data is a prime target for cybercriminals, insurance providers now treat a recent, comprehensive risk assessment as a baseline requirement. When applying for or renewing a policy, you will likely be required to provide proof of:


  • A completed, up-to-date Security Risk Assessment.
  • An active Risk Management Plan showing how you are mitigating discovered vulnerabilities.
  • Evidence of ongoing employee security awareness training.


Failing to provide a thorough assessment can result in denied coverage, drastically increased premiums, or the denial of a claim if a breach occurs and you are found to be non-compliant.


SCHEDULE A FREE HIPAA RISK REVIEW NOW




Copyright © 2026 Colington Consulting - All Rights Reserved.
