How It Works

The Compliance Gaps Your Software Does Not Cover.

Most businesses already pay for tools that claim to handle privacy compliance. Those tools cover their part. We cover what they leave behind. Here is how that looks for your business.

If You Are a Small Healthcare Practice

HIPAA Does Not Stop At Your Patient Records.

Your practice management software handles HIPAA inside the chart. Your IT vendor handles your network. Neither one covers the parts of HIPAA that OCR has been actively fining small practices for in 2025. These apply to every covered practice, regardless of size. There is no revenue or patient count threshold.

What Your Software Does Not Do

  • Written HIPAA Risk Analysis. Required by the HIPAA Security Rule. OCR's #1 enforcement target in 2025. Your PMS does not produce one.
  • Notice of Privacy Practices. Required by the HIPAA Privacy Rule, and if your practice maintains a website it must be posted prominently there. Most practice NPPs are outdated or missing required elements.
  • Business Associate Agreements. Required with every vendor that touches patient data. Your PMS signed its own. The dozen other vendors did not.
  • Tracking Pixels on Patient Portals. Meta Pixel and Google Analytics on authenticated pages can send the page URL, clicks, and form inputs to the tracking vendor, and on a logged-in portal page that identifies the patient and the care they sought. Multiple hospital systems have settled class actions over this.
  • Written Breach Response Plan. Required by the HIPAA Breach Notification Rule. Affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered. Most practices have a template they downloaded but never tested.
  • Workforce Training Documentation. Required. Not what your PMS vendor sends. What you can show OCR during an investigation.
  • Patient Testimonials and Social Media. A $182,000 OCR settlement in 2025 resolved a website testimonial posted without HIPAA authorization. Common practice, common risk.
  • Right of Access Compliance. Patients must receive records within 30 days, with one 30-day extension allowed if you tell the patient in writing. OCR has brought 54 enforcement actions on this specific requirement.
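The tracking-pixel item above is the one gap a practice can check on its own before anyone is engaged. The script below is an added example written for this page, not a tool the firm describes or ships: it walks a page's HTML with Python's standard-library parser, flags script, image and iframe sources and inline JavaScript that reference well-known Meta Pixel and Google Analytics endpoints, and rates any hit on an authenticated portal page as high severity. The tracker host list is a partial assumption, and the three sample pages are constructed for the example.

```python
"""Flag third-party tracking technology in patient-portal HTML.

Added example, not the page's own code. The host list below is an
assumed, partial list of tracker endpoints; the sample pages at the
bottom are constructed. Pages marked authenticated are rated 'high'
because a tracker there sees who is logged in and what they view.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed, partial list of hostnames used by common tracking pixels.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",             # /tr pixel image
    "www.googletagmanager.com": "Google Analytics",
    "www.google-analytics.com": "Google Analytics",
    "analytics.google.com": "Google Analytics",
}

# Inline JavaScript calls that initialise or fire those trackers.
INLINE_CALLS = [
    (re.compile(r"\bfbq\s*\("), "Meta Pixel"),
    (re.compile(r"\bgtag\s*\("), "Google Analytics"),
    (re.compile(r"\bga\s*\(\s*['\"]"), "Google Analytics"),
]
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def _vendor_for_url(url):
    """Return the tracker vendor for a URL, or None if its host is not listed."""
    return TRACKER_HOSTS.get(urlparse(url).hostname or "")


class _TrackerScanner(HTMLParser):
    """Collect (kind, vendor, evidence) triples while parsing one page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._script_text = None   # buffer while inside <script>...</script>

    def _add(self, kind, vendor, evidence):
        seen = {(k, v) for k, v, _ in self.findings}
        if vendor and (kind, vendor) not in seen:
            self.findings.append((kind, vendor, evidence))

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script":
            self._script_text = []
        if tag in ("script", "img", "iframe") and src:
            self._add(tag, _vendor_for_url(src), src)

    def handle_data(self, data):
        if self._script_text is not None:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_text is not None:
            body = "".join(self._script_text)
            self._script_text = None
            # Loader snippets embed the tracker URL in inline code, not in a src attribute.
            for host in URL_RE.findall(body):
                self._add("inline-url", TRACKER_HOSTS.get(host), host)
            for pattern, vendor in INLINE_CALLS:
                match = pattern.search(body)
                if match:
                    self._add("inline-call", vendor, match.group(0))


def scan_page(html, authenticated):
    """Scan one page's HTML; findings on authenticated pages are rated 'high'."""
    scanner = _TrackerScanner()
    scanner.feed(html)
    scanner.close()
    severity = "high" if authenticated else "review"
    return [{"kind": k, "vendor": v, "evidence": e, "severity": severity}
            for k, v, e in scanner.findings]


def scan_site(pages):
    """pages: iterable of (path, html, authenticated). Returns {path: findings}."""
    return {path: scan_page(html, auth) for path, html, auth in pages}


def vendors_on(findings):
    """Distinct tracker vendors present in a page's findings, sorted."""
    return sorted({f["vendor"] for f in findings})


# Constructed sample pages (not captured from any real practice site).
PUBLIC_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','G-XXXX');</script>
</head><body><h1>Welcome to the practice</h1></body></html>"""

PORTAL_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','G-XXXX');</script>
<script>!function(f,b,e,v,n,t,s){if(f.fbq)return;}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init','000000000');fbq('track','PageView');</script>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=000000000&amp;ev=PageView&amp;noscript=1"/></noscript>
</head><body><h1>Your appointments</h1></body></html>"""

CLEAN_HTML = "<html><body><h1>Contact us</h1><form><input name='msg'></form></body></html>"

SAMPLE_PAGES = [
    ("/", PUBLIC_HTML, False),
    ("/portal/appointments", PORTAL_HTML, True),
    ("/contact", CLEAN_HTML, False),
]

if __name__ == "__main__":
    for path, findings in scan_site(SAMPLE_PAGES).items():
        print(path, vendors_on(findings) or "no trackers found")
        for f in findings:
            print(f"  [{f['severity']}] {f['kind']}: {f['vendor']} ({f['evidence']})")
```

Run it against saved copies of a few pages (one public, one behind the portal login) to get a first inventory; a hit rated high on a logged-in page is the case the class actions above were about, and it needs a BAA with the vendor or removal of the tag, not a tweak to the cookie banner.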

What We Deliver

  • A documented HIPAA Risk Analysis specific to your practice, tools, and workflows.
  • A current, compliant Notice of Privacy Practices in both print and website versions.
  • A full vendor inventory with BAA status tracked for every vendor that touches PHI.
  • A website and patient portal privacy audit, including tracking technology review.
  • A written breach response plan customized for your practice.
  • Workforce training materials and attendance documentation.
  • Plain-language translation of every requirement into steps your team can actually follow.
  • Ongoing advisory if you want a partner rather than a one-time project.

Start with the $750 Data Privacy Exposure Review. One-page report covering your top three risks and what to fix first. Two-week turnaround. No retainer required. Most practices use it as a diagnostic before deciding whether to engage further.


If You Are a Non-Healthcare Small Business

State Privacy Laws Apply Broadly. Most Businesses Are Already In Scope.

The assumption that privacy law only affects large companies is out of date. Twenty states now have comprehensive privacy laws. Several have no revenue threshold. Several apply to any business that collects data from state residents, regardless of where the business is located. Federal laws with no threshold apply to everyone.

What Already Applies To You

  • Delaware Personal Data Privacy Act. No revenue threshold. If you process data from 35,000 Delaware consumers, you are covered.
  • Colorado Privacy Act. $20,000 per violation. No cure period since January 2025. The most expensive state privacy law in the country.
  • California CCPA and CPRA. If you have California customers and cross revenue or data thresholds, it applies, regardless of where your business is located.
  • FTC Act and UDAP. No threshold. Applies to any business that makes claims about privacy or security. The FTC fined Cerebral $7 million in 2024 over data handling.
  • CAN-SPAM and TCPA. No threshold. Cover any business sending marketing emails or text messages. Class actions have become common.
  • COPPA. No threshold. Applies to any site or app directed to children under 13, and to any site that has actual knowledge it is collecting personal information from a child under 13.
  • Sector Laws (GLBA, FERPA, etc.). No threshold. Apply to any business in financial services, education, and other regulated sectors.
  • Cyber Insurance Attestations. Carriers increasingly require documented compliance as a condition of coverage or renewal.

What We Deliver

  • A clear determination of which state and federal privacy laws actually apply to you, based on where your customers are and what data you handle.
  • A website privacy policy that matches how your business actually operates, not a generic template.
  • A cookie consent banner configured correctly for the states where you do business.
  • A vendor inventory and Data Processing Addendum review for every service that touches customer data.
  • A consumer rights process for access, deletion, and opt-out requests under applicable laws.
  • A breach response plan and notification procedure sized to your business.
  • Cyber insurance attestation support if your carrier has asked for documented compliance.
  • Ongoing advisory for growth-stage businesses that need a privacy partner without the cost of hiring.

Not sure whether you are in scope? Start with a free 3-minute privacy risk assessment. We will tell you which laws apply to your business and what the biggest gaps are before you commit to anything.


The Engagement Model

Flat Fees. No Retainer Traps.

We price our work the way small business owners actually want to buy it. Fixed scope. Fixed fee. Fixed timeline. You know what you get and what it costs before we start.

01

Discover

Free 30-minute consultation. We learn your business, your tools, and your concerns. You leave with clarity, whether you hire us or not.

02

Assess

Two-week structured review of your actual exposure. One-page memo with your top three risks and the order to fix them. Flat fee, $750.

03

Build

If you want us to close the gaps we found, we do. Scoped projects with fixed fees. Deliverables you keep.

04

Sustain

Optional monthly advisory if you want an ongoing privacy partner. Cancel anytime. No long contracts.

Ready to Take the First Step?

Book a free 30-minute discovery call. No commitment required.

Book a Free Consultation