HIPAA.
Security Rule readiness, signed and renewable.
We prep your practice for HIPAA Security Rule and Privacy Rule obligations — Risk Analysis, workforce sanction policy, incident response, contingency plan, encryption attestation, BAA inventory. A practitioner signs the quarterly readiness reports your auditor and your malpractice carrier read.
One Aegis relationship. Every client's Security Rule.
Healthcare-services firms running compliance for multiple covered entities can consolidate every client engagement under one Aegis relationship. One billing line. One audit chain per client. Each engagement isolated by hard tenant boundaries so a misclick never leaks PHI across customers.
The dedicated agency console is live today. Agency admins invite customers directly from /agency/invite-customer; the practitioner you work with signs every client's quarterly report under your firm's co-branded cover.
- One umbrella billing relationship — your agency, not each client, pays Key 102. Per-client costs are routed through your existing client invoicing.
- Per-client engagement isolation — every covered entity gets its own engagement with its own evidence vault, audit chain, and signed quarterly reports. Row-level security (RLS) at the database layer; no cross-contamination.
- Co-branded reports — your firm + Key 102 on every deliverable. The signing practitioner's name appears alongside your firm's name on the cover.
- Practitioner continuity — same practitioner across your portfolio. No re-introducing the relationship for every client.
Hourly consultant bills, replaced by a fixed monthly engagement.
A typical HIPAA Security Rule readiness engagement runs 80 to 200 consultant hours billed at industry-typical rates ($200 to $400/hr). Multi-site practices and engagements with significant remediation push higher. The cycle repeats every annual review.
Tammie walks the SRA in the Mission Brief. Your practitioner reviews quarterly. Same vault, audit chain, and signed quarterly reports the higher tiers use. Roughly 70 to 90 percent off the hourly model for practices that fit the self-attestation profile.
For multi-site practices, larger SRAs, or engagements that need hands-on practitioner work, Managed and Audit Co-Pilot tiers bundle the practitioner hours into a fixed monthly rate.
Comparison numbers reflect industry-typical hourly engagements. Your actual savings depend on your scope and the engagement depth you need. We don't quote savings without scoping your environment first.
Every artifact the Security Rule asks for.
The §164.308(a)(1)(ii)(A) anchor — your annual SRA, on a methodology your auditor recognizes (NIST SP 800-66 Rev 2 + ONC SRA Tool). We map every system that touches ePHI.
Workforce sanction policy, training program, incident response plan, contingency / BCP-DR, access control policy. Drafted to your actual environment, not template-filled.
§164.312(b) audit logging program. §164.312(a)(2)(iv) + §164.312(e)(2)(ii) at-rest and in-transit encryption attestation. Both signed by your practitioner.
Reconciled BAA inventory against active vendor relationships. Privacy Rule artifacts including Notice of Privacy Practices review and patient-rights workflow.
The same backbone every Key 102 engagement runs on.
Every quarterly readiness report is signed by a named practitioner — name on the page, not an AI byline. HIPAA Security Officer sign-off restores as the role is staffed.
Every file fingerprinted at upload. If a byte changes, we can prove it.
Every action chains to the previous one. Nobody can rewrite history without breaking the chain.
Reports are sealed by an independent timestamping authority. Your auditor can verify the date themselves.
Get your Security Rule done.
Start with the Mission Brief or schedule a 30-minute call. You'll leave with a real timeline, a fixed-price plan, and an honest read on whether Self-Service fits your scope or you need a deeper engagement.
