Getting Started

Navigate to and enter your e-mail address and password. Upon first login your password will be the word password in all lower case.
For AdministratorsYou may launch The Guard via the green button to the top-right of your main screen. Beneath the ‘Launch The Guard’ button are ‘System Messages’ and ‘Notifications and Alerts.’ This is important for news the System needs to deliver to you at-a-glance. You will also see ‘Assigned Tasks,’ ‘Important Documents’ and a field where you may ‘Report Incidents’ to your left.

For UsersYou will see ‘Assigned Tasks,’ ‘Important Documents’ and a field where you may ‘Report Incidents.’ For purposes of attesting to policies and procedures created by your Employer, please utilize the ‘Important Documents’ section and consult your Administrator with any further inquiries.

During your first meeting your Compliance Coach created the framework for your self-audits. After launching The Guard you would access these by hovering over ‘Auditing’ and selecting ‘Questionnaire.’ From there, select the audit you wish to continue work on by clicking it until it highlights black. With the audit highlighted black, click ‘View/Continue Selected Audit’ to continue answering the questions.
More often than not you have attempted to perform the work of someone aside from yourself by utilizing their login too many times and turned off Administrator access for your own login. You will need to have a unique User ID/password for each and every Employee because whenever this occurs you will be unable to launch The Guard. Should this occur, please contact us to remedy the matter for you.
If you are ever within the depths of the Guard and need to return to the Dashboard, please click the Home icon found next to your Organization’s name. It is easiest to switch sites from the Dashboard. Along the bottom you will see a dropdown containing your Site’s name. Click this dropdown, select the intended Site and hit ‘Set’. 

I was also told to complete manual audits for each site. How do I load these into the Guard? First, you will need to switch sites as explained above in order to access your additional locations. Once in the site, navigate to Tracking > Documents > HIPAA Manual Audits and upload the audits to that folder. This is really the only time when you will be adding any information into the(se) ‘secondary’ locations.

Hover over ‘Accounts’ and select ‘Vendors’ from the dropdown. Enter in all Vendor information, placing a pre-fix of BA in front of any Business Associate, and click ‘Create New Partner’ to save them.
Any questions which you cannot answer confidentally or are wholly confused by should be marked as a ‘No.’
If you have a procedure in place but not the policy that would be a circumstance to answer ‘No.’ Also, if you have both the policy and procedure in place but they are over 2 years old you would want to mark the answer as a ‘No.’
Any questions which warranted an answer of ‘Yes’ on the self-audits would also require a brief explanation within the ‘Auditor Notes’ field found mid-screen.
Upon reaching the last page of questions on any given audit you will be presented with an option to finalize the audit, which sets it in stone. So long as you have answered all of the questions honestly and to the best of your knowledge feel free to finalize the audits. Utilize the ‘Previous Question’ button if you wish to review any of the answers inputted prior to finalizing.
If you look to the top-right of your screen, you will see your name while logged into The Guard. Directly next to where it says ‘You are Signed in as YOUR NAME’ will be the word logout with a line beneath it. Click the word logout to exit The Guard. 


Business Associate and Vendor Management

A Business Associate is any person or Organization you pay money to and their job entails working directly with your patients’ PHI. They will directly handle protected health information as part of the reason for why you hired them. Examples include a Clearinghouse, a Billing Service, Collection Agencies, Off-Site Storage Companies, IT Services, EHR Platforms, Consultants and Shredding Companies. For establishments such as these you will require a Business Associate Agreement be put into place. 

A ‘regular’ Vendor who is not a Business Associate is someone who you pay money to for a specific task but that task does not involve working with PHI. However, they may see or hear it indirectly. The best example is a member of a Janitorial crew. They are not part of your direct Staff and will require a Confidentiality Agreement (please note that each individual who enters your facility will need to sign this agreement, as opposed to the Company they work for).

For a Business Associate you will want to hover over ‘Accounts’ and select ‘Vendors’ in the drop down that shows. Be sure to place a pre-fix of BA in the ‘Vendor Name’ field, ahead of the Organization’s name. Upon populating all the information in the open fields click ‘Create New Partner’ to save this Business Associate within The Guard.

Any ‘regular’ Vendor who is not a Business Associate should be entered into The Guard as well. The only minor difference when entering these Vendors from a Business Associate is that for a regular Vendor you would not type BA as a pre-fix before populating their information and selecting ‘Create New Partner.’

In order to update Vendor information within The Guard you would first want to hover over ‘Accounts’ and select ‘Vendors’ from the drop down. Look toward the bottom of the screen where it says ‘Modify/View a Vendor’ and click the specific Vendor so their name shows highlighted black. With the Vendor highlighted black, click ‘View Selected Item’ to bring their information toward the top ‘Vendor Details’ field. Make the changes you wish and click ‘Update Partner’ to save the information.

Document, Employee and Training Management

As an Administrator of The Guard you will want each employee of your Organization to be at least a User of the system. Everyone will need to login eventually for the sake of attesting to the policies and procedures we will build along with you. In order to create new User you would first want to Launch The Guard, hover over ‘Administration’ and select ‘Users and Access Controls’ from the drop down. Beneath ‘Create a New User,’ enter in the employee’s full name, E-mail address and password (the word password in all lower case). Ignore the check boxes next to ‘Job’ and ‘Access Roles.’ Last, click ‘Save Information’ to create the unique User profile for that Individual.
First, ensure that the Individual has been at least set-up as a User. Only someone who is already an Administrator should be ‘promoting’ a User to Administrator status. To allow Administrative access to a present User of The Guard, you would first want to hover over ‘Administration’ and select ‘Users and Access Controls’ from the drop down. Click the name of the User below ‘Modify/View a User’ (toward the bottom of the screen). They will now show highlighted black and you will want to click ‘View Selected Item’ to the bottom-left in order to bring their information up-top. With their information showing up-top, click off each of the boxes next to ‘Access Roles’ and click ‘Update Information.’ This User has now been converted to an Administrator of The Guard. If this Individual is either the Privacy or Security Officer for the Facility be sure to label them as such next to ‘Job Role.’
Hover over ‘Tracking’ and select ‘Documents (Version Control).’ You are now in the Document Repository. When you click any given folder to the left it will turn green to indicate it is open. With the ‘HIPAA Manual Audits’ folder open, click Upload to the bottom-left and a yellow window will appear. ‘Local File’ will allow you to find where the file is saved on your computer. ‘Document Title’ should reflect the same as the document which is being uploaded. The ‘Enactment Date’ is the day the questionnaire was completed. The ‘Review Date’ would be one year after that date. Within ‘Description’ type the same thing as what you placed in the ‘Document Title’ field and click ‘Upload Document.’ Your questionnaires should now show beneath ‘Document Name,’ behind where the yellow window was previously.
First, hover over ‘Tracking’ and select ‘Documents Version Control’ from the drop down. To your left-hand side, select the folder labeled ‘Confidentiality Agreements’ by clicking it and ensuring it turns green. Now you will want to click ‘Upload’ to the bottom-left of your screen and a little yellow window pops up. Within the yellow window you will want to populate all fields and select ‘Upload Document’ to store it within The Guard.
First, hover over ‘Accounts’ and select ‘Vendors’ in the drop down that shows. From there, click the Business Associate who has returned their signed agreement from the ‘Modify/View a Vendor’ field found toward the bottom of the screen. They will show highlighted black and you can bring them up top by clicking ‘View Selected Item.’

With the Vendor information now showing up top, you will want to click on the tab found mid-screen that is labeled ‘Contracts.’ After selecting ‘Contracts,’ click ‘Upload New Document’ (it shows green in color) and a yellow window will show. From the ‘Local File’ field you’d click ‘Choose File’ to find where the Agreement is on your computer. The ‘Enactment Date’ is the day the agreement was signed off on. The ‘Review Date’ would be one year following. Within ‘Description’ you’d type a pre-fix of BA ahead of the name of the Organization and click ‘Upload Document.’ Last, be sure to click ‘Update Vendor’ to save this new information you have inserted into The Guard.

Auditing, Assessments and Remediation

Upon completing your Self-Audits deficiencies, also known as gaps, will automatically populate based on your answers. These gaps are where you are lacking policies and procedures within your Organization in order to be compliant.
Hover over the ‘Auditing’ tab and select ‘Remediation Plans’ from the drop down. There will be two tabs mid-screen labeled ‘Notes’ and ‘Gaps.’ Click ‘Gaps.’ Beneath ‘Unassigned/Open Gap Items,’ click and highlight the very first item and click Sel >. DON’T click ‘All >>.’ That’s cheating. We would need to do them one at-a-time, entering in who it is ‘Assigned To,’ their E-mail Address, the start date and end date as explained to you by your Compliance Coach. Finally, click ‘Save Remediation Plan’ for each and every Gap item before moving to the next. DON’T click ‘Mark Complete/Gaps Resolved’ just yet. You have now built the framework for the plan that will resolve your Organization’s deficiencies.
Upon completing your self-audits deficiencies, also known as gaps, will automatically populate based on your answers. In order to fix these gaps, or remediate them, we will create a plan with you to address where your organization has deviated from what the HIPAA rule requires. Remediation is the act of remedying the deficiencies found within your organization.

Incident Management

Anyone is permitted to report an incident. This is why it is easily accessible from the main screen. To the bottom-left is a field specifically marked ‘Report an Incident.’ You have the option to title the incident, label the type of incident it was via the ‘Incident Type’ tab, give a short description of the incident next to the ‘Incident Description’ field, and date the incident as well as when it was actually discovered. After inputting all of this information, click ‘Submit Incident’ to report it.
Depending on the severity of the incident various goals will require implementation. There is no stock answer to provide in this circumstance, so we welcome you to bring incidents to our attention as they happen. That way our Subject Matter Expert can talk you through the matter and bring you back toward being compliant through a remediation plan specifically tailored to your situation.

Illustrating Compliance

First, set-up 2 file folders on your computer’s desktop. Title one ‘Privacy’ and the other ‘Security.’ This is where you will download the 16 templates for Security policies and the 21 templates for Privacy policies to. You will do this so you may change their layout to reflect your Organization’s information.
Let’s use Security policies in order to provide an example – Hover over ‘Tracking’ and select ‘Documents (Version Control).’ Within the Document Repository you will find that The Guard defaults so that the Security policy folder is the one which is open. Click the first policy up-top so it turns black to indicate it is highlighted. To download it to your computer, select ‘View Selected File’ and move it from your download folder to your new Security file folder on your desktop.
Read the top section and delete it. If you would like an Attorney to review this section, please feel free. Input your Organization’s name where it says ‘Organization.’ The Issue Date and Effective Date should be the same and are to reflect the 1st of the following month from the one in which you are in. Within ‘Responsible for Review’ be sure to input the full name of the person who controls policies within your Organization. ‘Scheduled Review Date’ is 2 years in most states, aside from NY, CA, TX, MA, MI, and FL where it is one year.

Now, you will need to read each individual policy throughly. You may come across sections which you find confusing, want clarification on, or have concerns which you’d like addressed. For sections such as these please highlight them red so that they can be explained to you, or clarified further. 

Sign at the bottom along with your Job Title. Last, remove the directions beneath ‘Authorized By,’ since they are just instructions. Keep the files on your computer for the time being. Do not attempt to upload them back into The Guard just yet.

In order to generate reports in regards to staff training you would first want to hover over the tab labeled ‘Reporting’ and select ‘Employee Policy/Procedure Crosswalk’ from the drop down. You may filter the type of report you generate by changing the fields next to ‘Acknowledgment.’ Select ‘All Types,’ ‘Did NOT Understand the Document,’ ‘Did NOT Read the Document,’ or ‘Understood the Document’ and click ‘Generate Report’ to view a run down of what you requested from the system.
The title of Privacy/Security Officer does not exactly need to be your specific job role within your Organization. If it is, please mark this section accordingly. Otherwise, you would want to designate whomever is tasked with the compliance work as a Security or Privacy Officer because A) this is who an Auditor will want to speak with upon entering your facility and B) The Guard utilizes these ‘Job Roles’ in order to send out alerts for specific circumstances.
Upon completing your Implementation sessions you will receive your Seal of Compliance, broadcasting to the world that you have completed our rigorous process and achieved compliance.
You may review work done and various different actions performed by utilizing the ‘System Logs’ found within The Guard. To access ‘System Logs,’ first hover over ‘Administration’ and select ‘System Logs’ from the drop down.

Utilities and Miscellaneous

You are able to change your password directly from the Main Screen. In the very top-right, beneath your name, you will find the words ‘Change Password’ in green. Click ‘Change Password’ and you will be prompted to enter the present password. Then, you will enter your new, preferred password two times for confirmation and select ‘Update Information’ in order to save this new password.
While we don’t offer encryption services directly, we do have many partners in the field who we can refer you to. Just inquire and it will be our pleasure to place you in touch.
Everyone will ultimately move to the Advanced Implementation stages, but in order to accurately teach you how compliance works from the ground up the Basic Implementation stages are present to show you the ropes. Special circumstances sometimes do apply, so please refer to your Compliance Coach if you are at all confused about where in the process you and your organization stand.
We have an ‘Industry Glossary’ available to you which covers HIPAA Basics. Click HERE to access it. The Department of Health and Human Services is an excellent reference. Their web site is There is also the Office of Civil Rights and the Centers for Medicare and Medicaid Services. Their websites are found at and, respectively.

General Policy FAQs

You will want to, upon instruction from your Compliance Coach, upload your finalized policies back into The Guard. To do this, please hover over ‘Tracking’ and select ‘Documents (Version Control)’ from the dropdown which shows. From there, think of everything beneath the mid-line on your left-hand side as being finalized, done, finito, ready to go. This means your policies will only ever be posted to the Security/Privacy Policies folders beneath the mid-line. With this in mind, click on the Security/Privacy folder you wish to upload towards one time so it turns green. Now, if you look 2-3 inches below the green folder, you will see a grey key labeled Upload. When you click this, a yellow upload window will appear. You will find the finalized policy from where it sits on your computer via the Choose File key. For the Title, enter a qualifier of an S or a P, along with the number of the policy which you are uploading. Follow that qualifier up with the title of the policy document being uploaded. For example, ‘S 1.0 Assigned Security Responsibility’. Copy/Paste what you had entered into the Title field down to the Description so they match. For the Enactment Date you will enter the same information as the Effective Date reflected on the policy itself. The Review Date is one year following the Enactment Date. This time, you WILL want to check the box which says ‘Check if you want this Document readable by all Users’. Finally, hit ‘Upload Document’, the yellow window will disappear and you will see the name of the document posted beneath Document Name within the Guard’s Document Repository.

In lieu of deletion of your first years’ set of policies, we are going to archive them in case we need to produce information in the future. We will tuck the previous years’ edition behind the ‘new’ edition. NOTE – When uploading policies back into the Guard NEVER upload over a template. This will effectively cause you to lose your blank copy of the policy document. First, navigate to your third tab in for ‘Tracking’ and select ‘Documents (Version Control)’ in the drop down which shows. This brings you to our Document Repository. Let’s say you are uploading the new edition of Security 1.0 Assigned Security Responsibility. Click on the name of your previous years’ edition so it highlights black. Now, look down to the very bottom below the title of the document and you will notice Upload New Version (the button has a purple icon on it). Click that button and find your ‘new’ edition via Choose File. The Enactment Date is the same as the Effective Date listed on the policy. The Review Date is one year following the Effective Date. Be sure to check the box that makes the document readable by all users. Ignore the Modifications field and hit Upload Document. The title will assume the one that was there previously. You’ll know you did it correctly when you see that there is now one more version than was there previously. Also, the fresh dates will show in place of the old ones. 

Security Policy FAQs

Someone within your Organization must be assigned the role of Security Officer. This is not official until it is written. For that reason, you assign someone via their name and job title. In their personnel file, the Security Officer’s job responsibilities should be updated to reflect they are entrusted with this position aside from day to day work activities. 

The easiest way to keep track of people’s access is, upon change to an employee’s role, send an email to them. Congratulate them on their new promotion and inform them they now have “X” responsibilities and rights within your systems. Same goes for a demotion. Write the employee and tell them that they now have “X” responsibilities and rights within your systems due to their actions. Make sure to not delete this email and you now have your paper trail of evidence to confidently say you have adhered to this policy. 

This will be an internal change you NEED to make. Sharing one password is not allowed and highly insecure. Most importantly, it is not compliant. If it comes down to it, make sure you speak with your IT team to develop a plan as to how everyone will have their own unique login. If there’s only one password, how can you track User Access?

It is in your best interests to have SOME sort of alarm system. We cannot stress enough that installing an alarm system is HEAVILY recommended. We are not asking you to install the platinum package from some company that wants to charge you $5,000 a month. At a minimum we recommend that the alarm system alert the police. A device such as this can be purchased for a nominal amount at a Department store. This way if someone hurls a brick through your window in the middle of the night and steals a ton of PHI, you have a legally defensible argument for why this happened. In short, you did all you could.  

There’s a few ways to go about this. The easiest way is to tilt your computer screen so it is not visible to passers-by. If your office space limits you from doing this there are alternatives. You can always buy what is called a polarized screen cover. I’m sure you’ve seen these at Doctor’s appointments of your own. It is a cover that only allows you to see what is on the screen if you are positioned directly in front of it, making passers-by a non-issue. 

The Device and Media controls policy requires another log, which your Compliance Coach will send to you. This log is meant to track whenever a device that stores ePHI stops working or breaks within your practice. If, for example, a laptop, a workstation, a CD-ROM, or a backup tape no longer works, you’re required to track and document how you go about destroying the device.

The ability to check in on logins, login failures, multiple attempts, etc. is available within your EHR. You will be provided an audit log by your Compliance Coach, which you can you use to easily track these red flag items that may indicate a security breach. 

Via your subscription to Compliancy Group’s tool The Guard you always have a mechanism for reporting perceived HIPAA violations anonymously, as required by law. If a major incident occurs, please contact your Compliance Coach so we may discuss this with you. For simple breaches, please log the incident in the Incident Manager and be sure to report this to HHS at the beginning of every calendar year. 

Yes, the transmission security policy states that any PHI that is leaving your practice electronically must be encrypted. Whether you’re emailing PHI or you are connecting to another system that stores PHI, the connection or method of transmission must be encrypted.

Not having anti-virus these days is just silly. This policy mandates that Organization shall ensure that all computers owned, leased, and/or operated by the covered components install and maintain anti-virus software. In addition, make sure that you have auto-update on to keep your anti-viruses definitions current. 

Patients need access to their records no matter what. This policy lays out what to do in the event of an emergency, so the appropriate steps are taken to restore data and get back up and running. If you require a templated IT Disaster Recovery Plan, one can be found in the Guard. Please navigate to Tracking > Documents > New HIPAA Docs. 

You must perform what is called your Technical Due Diligence along with your vendor. You need to vet them to ensure they are compliant and know how to properly handle the PHI which you send them. This can all be done directly within the Guard. You will send a survey to your BA’s who you share ePHI. The system will score the survey automatically for you. If the majority of answers fall into the ‘Yes’ category, this BA is fine to work with. If the majority of answers fall into the ‘No’ category, you will want to consider replacing this vendor. 

Yes, compliance is a dynamic effort which requires a healthy amount of attention. In order to stay within compliance, it is the Organization’s responsibility to periodically ensure the security standards and specifications which were implemented are actually working. You will achieve this through random audits of physical environment security, workstation security, test of physical, technical and administrative controls, among others.  

Compliancy Group provides all policies and training necessary to achieve compliance in this respect through our Cyber Security training, HIPAA 101 training, Incident Management and periodic review of policies to ensure the confidentiality, integrity and availability of your Organization’s PHI stays intact. 

It is a staff members responsibility to safeguard a patient’s PHI to the best of their ability. Workers who violate policies and procedures as established by your Organization are subject to disciplinary actions up to, and including, immediate dismissal from employment or service. It is your responsibility to ensure your staff has been trained so that they are aware of these policies and procedures, to avoid having to actually use the Sanctions policy.

Not quite. We have all the policies which you may possibly need in order to be HIPAA compliant. What this policy is stating is that you must have policies and procedures – This is what you are developing as you read this document (which satisfies this portion of the rule for you).

This would be correct. No footprint can be left which may have the ability to potentially tie back PHI to an individual. 

Privacy Policy FAQs

Absolutely! You must have an authorization and disclosure form signed by the patient to be able to disclose PHI in most cases. You need to track these types of releases because a patient can request for an accounting of disclosures of every use of PHI that was not considered TPO. If you have followed the policy, all you’ll have to do is print the Authorization and Disclosure forms from your EHR.

Yes, under the law, patients have a right to obtain a copy of their records and the right for you to allow them to view their records at a workstation free of charge. If the patient notices erroneous information, they have the right to request a change in writing. 

Not only must you identify them, you must ensure that you have a business associate agreement in place with all of them.

The flat rate for merely clicking a button and printing out a record from your EHR would be $6.50. This does not mean you are only able to charge $6.50, though. If you must drive to your paper storage facility, dig through files, and mail the record you may charge for these expenses. You need to be able to justify them. That’s the key. Keep a tracking sheet of your gas costs, labor costs and postage in order to charge what is appropriate for what is being requested. 

No matter what way you may choose to communicate with your patients, be it fax, email, or telephone, you must take the proper precautions and implement the correct safeguards to ensure confidentiality of PHI. If you fax, you will triple check the number you send it to. If the forum is an email, you must encrypt. If you utilize the telephone, verify the person you are speaking to is the intended recipient of the PHI. 

This is acceptable. You need to ensure that the patient has provided you a written authorization form to use their PHI. Also, you must give the patient the opportunity to opt-out of fundraising efforts if they do not wish to continue them further down the line. 

Unfortunately not. You have to talk directly to the patient who made the request. This is because the patient must have the right to request confidential communications in relation to their PHI. 

Yes, you are correct. A formal reporting mechanism is required in order to be compliant. If someone believes they have witnessed a violation they MUST have the opportunity to report the event anonymously. You have this ability within the Guard directly on the Main Screen under Report an Incident. This replaces the traditional notion of a hotline. Now everyone can access this Incident Manager anywhere they have internet access.  

Yes, this is best practice. It will help you from fraudsters who try to supply their relatives insurance information, for example, when they have no insurance of their own. Consult your Privacy Officer before making any disclosure if uncertain whether or not sufficient verification has been obtained.

Let’s say you receive a subpoena from the Courts for records containing PHI – You must follow the subpoena and you also must try to contact the patient and tell them that you will be releasing their information. If you can’t get in contact with the patient, you must still release the information. If you do contact them, and they tell you do not release the information, you must inform them you still are going to release the information, as required by law.

You can do marketing for your practice. If you choose to use PHI in your marketing, you must get an authorization and disclosure forms signed by the patient saying that you can use their photo, PHI, and testimonial in your marketing efforts (i.e. your website, a flyer, or whatever you want to use It on).

It’s not so much that you are limited in the records sent. It’s more that you need to ensure the PHI which you are sending, for example, to a Specialist is exclusive to the reason for why the patient is seeing the Specialist in the first place. To explain further, let’s say you are treating someone who needs leg surgery. Two years prior this same person had arm surgery. Since the information regarding the arm surgery has no impact upon the leg surgery, you would only send information to the Specialist in regards to the leg, since that is the matter at hand. 

In many states, lawful marriage is the only circumstance that is statutorily recognized, as a general matter, as grounds for emancipation of a minor. Once emancipated, the minor obtains the legal capacity of an adult. The burden should be placed on the minor to show emancipation. If doubt exists regarding emancipation, parental consent should be secured in addition to the consent of the minor.

Yes, if the patient pays out of pocket for their services and requests their insurance not be made aware, you are obliged to accommodate this request. If the patient says no, you cannot send or release their information.

You absolutely do. This policy goes hand in hand with Privacy 2.0. A Patient has the right to view or get a copy of their medical record, and your organization has 30 days to provide it.

You cannot ever release a patient’s psychotherapy notes unless under court order or by Authorization and Disclosure form signed and approved by the Psychotherapist or Doctor.

You may not use or disclose PHI without an authorization that is valid. When you obtain or receive a valid authorization for its use or disclosure of PHI, such use or disclosure must be consistent with the authorization.

Yes, one situation which may occur is Use and Disclosure to avert a serious threat to health or safety. If someone is ill with a highly contagious disease that threatens the general population, you may disclose health information if it will prevent or lessen this serious or imminent threat to the person or population. 

The reason there are two policies related to this one was for the sake of comprehension and ease. We realize that this can be a large topic to discuss in one document, so for that reason we tie the two together with this statement on ‘General Rules’.

Yes, correct. An employee filing a claim for Workers Compensation due to an on-the-job injury consents to certain conditions. One of those conditions is, at the employer’s request, they will submit to an examination to determine the validity of their claim. This information is then available, with certain restrictions, to the employee, employer, Department of Workforce Development, or representative of any of these to assist in resolving the claim. Since Worker’s Compensation is paying for the claim, no release is needed from the patient for them to see PHI. 

In the case in which there is insufficient or out-of-date contact information for 10 or more individuals affected, then the substitute notice shall be in the form of either a conspicuous posting for a period of 90 days on the home page of the organization’s website or a conspicuous notice in a major print or broadcast media in the organization’s geographic area(s) where the individuals affected by the breach likely reside. The notice shall include a toll-free number that remains active or at least 90 days where an individual can learn whether his or her PHI may be included in the breach. This is in the event of a Meaningful Breach (500+ people affected in the same state)

Yes, employees uncertain about the application or interpretation of any legal requirements should refer the matter to their supervisor, who, if necessary, should seek appropriate legal advice.

You are required to describe, in plain language, your privacy practices, including an individual’s rights related to his or her PHI. This Notice of Privacy Practices must be made available to patients and be posted throughout your facilities and on your website. You must also make a good faith effort to obtain a written acknowledgement from the individual that he or she has received the Notice.

Most definitely. Employees should be aware that it is never acceptable to post to social media websites any information regarding patients, their condition, or their treatment plan, and be aware that sanctions up to and including termination may occur in breach of this policy.

This would be the Privacy Officer. They are responsible for the development and implementation of the policies and procedures of your Organization related to securing and confidentially maintaining PHI. This policy is specifically where you name your Privacy Officer.  


Contact Us

Clients are always welcome to contact us with inquiries via our HIPAA Hotline, reached at 855-85-HIPAA. 
You may also reach us directly from The Guard by submitting a Support Ticket. To do this you would hover over the ‘Utilities’ tab and select ‘Support’ from the dropdown.
For Support, please feel free to E-mail,, or

For Sales, please feel free to E-mail,, or

For Billing, please feel free to E-mail

Whatever your concern is we will be happy to address it for you!

Please address any inquiries sent via US Mail to:

Compliancy Group

52 Broadway Unit 210

Greenlawn, NY 11740

Please feel free to fax us at 631 731 1643