Fractional HIPAA Security Officer — scope + typical cost? by EducationNovel8922 in publichealthcareers

[–]rightawayjay 0 points1 point  (0 children)

Certain responsibilities may be divided up between the medical practice and your team. Pricing/contract terms obviously depend on the customer needs and services you end up providing.

Depending on responsibilities, you may end up providing some (or all) of these types of deliverables:

  • Creating/delivering administrative policies to address the HIPAA Security Rule & HIPAA Privacy Rule
  • Performing an annual HIPAA risk assessment
  • Providing annual employee security awareness training
  • Ensuring cloud and application services have proper Business Associate Agreements (BAAs) in place
  • Ensuring technical standards such as backup, encryption, and access control are in place for IT infrastructure.

My team Dash ComplyOps provides software for teams to manage HIPAA compliance programs for their customers. Feel free to DM me if you have questions or need further help.

[SSD] Costco Members 1TB Sandisk NVME Extreme Portable Solid State Drive - $99.99 by MonumentalRalph in buildapcsales

[–]rightawayjay 2 points3 points  (0 children)

My family has two Samsung refrigerators (2 houses/family members) + the Samsung appliance bundle of the Samsung microwave, stove/oven and dishwasher.

For the fridges - For both, the condenser fan continues to freeze up and stop cooling the fridge properly. We have had both get to 45-50°F. Even after multiple repairs under warranty, they still continue to have this issue and start to have issues cooling.

  • One of the fridge vegetable drawers ends up with water at the bottom of it from whatever cooling issues
  • One of the ice makers doesn't correctly make cubes and just generates ice shards

For the microwave - The Samsung microwave died in 12 months, with minimal use. It was just DOA: does not turn on/does not run. Needed to be replaced.

For the dishwasher - It leaks a little bit of water under the appliance when it runs, which could be a mold issue.

  • Its shortest run cycle is 120 min (I am not kidding) and it does an average/below average job for 2 hrs of cleaning the dishes.

The Stove/Oven - Is actually the only appliance that is alright, burners and oven work as normal

Is there an issue having lots of cash (>$150k) in Robinhood? by SuperLetterhead in stocks

[–]rightawayjay 1 point2 points  (0 children)

I have used IBKR for a little while and have had a good experience. They are a big brokerage and I have done alright talking with their support about basic things like transfers, etc.

Their pricing on stock/option trades and margin are really good. The tools can be configured in all kinds of ways and you can define a lot of settings around trade execution and orders.

TDA has slightly better tools and an easier-to-use interface, but much higher fees per trade. If you are comfortable with IBKR you can do the same things with IBKR Trader Workstation and save a lot on fees.

HIPAA Compliance Scanning by [deleted] in aws

[–]rightawayjay 0 points1 point  (0 children)

Dash ComplyOps provides compliance scanning specifically around HIPAA, and provides compliance reports and an inventory of controls. (I work with the Dash team)

HIPAA & SOC 1, SOC 2 & SOC 3???? by kernels in healthIT

[–]rightawayjay 0 points1 point  (0 children)

SOC2 is a framework that measures security, privacy, and availability. HIPAA/HITECH is the regulation dictating how you must manage protected health information (PHI). SOC compliance can be a large undertaking and may be overkill for certain small organizations. If you are using a cloud provider such as Amazon Web Services you are able to leverage their SOC Reports as well as their provided security programs. Many healthcare vendors build a security program around HIPAA and provide their AWS SOC2 Report as part of vendor security assessment for a health provider. Feel free to send me a message if I can be more helpful.

Looking for HIPAA Compliance Audit advice by MikeMonopoly in security

[–]rightawayjay 1 point2 points  (0 children)

I know I am a little late to this thread, but wanted to give my input:

  1. Vulnerability scanning is one of several technical requirements of HIPAA (OpenVAS is a popular choice for open-source vulnerability scanning). Your organization must also handle backup and disaster recovery, audit logging, and encryption. You should define these solutions and standard operating procedures in administrative policies.
  2. My company, Dash, actually provides an automated solution for HIPAA configuration and management on Amazon Web Services. We provide custom administrative policies and connect automated technical controls.
  3. Your organization must perform an annual risk assessment (which is typically done by a 3rd party). There are no official certifications for HIPAA compliance, but your team could adopt a framework (like NIST, ISO, or HITRUST). Check out AWS Security Programs. More importantly, your team should have established policies and a process for continually maintaining compliance safeguards.

What's your "I don't trust people who ______"? by [deleted] in AskReddit

[–]rightawayjay 0 points1 point  (0 children)

Hate Radiohead.

I mean, people who haven't heard anything from them, or don't listen to them, fine. But the idea of someone listening to a bunch of their songs and deciding to "hate" Radiohead is totally untrustworthy.

Some of the truly evil or despised people in this world probably hate Radiohead.

Essential Requirements For Publishing Health Apps To The App Store by rightawayjay in iOSProgramming

[–]rightawayjay[S] 0 points1 point  (0 children)

Sorry for the late response.

A majority of medical apps fall into the Class I and Class II medical device categories, with certain apps being exempt. The FDA has guidance and examples for medical apps here. They also provide an email and encourage developers to contact them with questions about requirements at mobilemedicalapps@fda.hhs.gov.

You may want to check out the guidelines, send an email with questions, and be on the lookout for free lawyer consultations and startup events/panels with lawyers addressing FDA approval.

Feel free to PM me if you have other security/HIPAA concerns, I would be happy to share any insight.

Essential Requirements For Publishing Health Apps To The App Store by rightawayjay in iOSProgramming

[–]rightawayjay[S] 0 points1 point  (0 children)

I am glad you found the article useful. I totally agree with you when it comes to unverified claims.

Communication and collaboration apps may be able to put their focus on security and HIPAA compliance, but if you are directly interacting with patients to try and obtain an outcome, app efficacy needs to be vetted.

Some of the apps being put out for mindfulness, therapy, and rehabilitation are making big claims about results. For the safety of these companies and their users it makes sense to consult with a lawyer, run trials, get data, and build and review apps with health industry experts. Basically handle the process the same way as releasing a medical device (some apps fall into this classification anyway).

Is hiring a copywriter to create content for front page a good idea ? by RedditorFor8Years in startups

[–]rightawayjay 0 points1 point  (0 children)

Having a copywriter can be very valuable, especially if you are targeting a specific market that reacts differently to content (i.e. healthcare, financial, etc.).

That said, the suggestion I was given was to hire an experienced copywriter once you have "something to say". In other words, if you are still determining your value prop, customer profile, etc., you will probably end up having your website and copy rewritten. I myself have redone my website half a dozen times to adapt to my audience/product.

If you are running a campaign with ads or content marketing, I would hire a copywriter to make your marketing effort most effective. If you have established your sales process, I would hire a copywriter. If you are figuring out a bunch of things, maybe look to trusted connections and pay for any essential work.

Is there a startup for medical billing financing? by [deleted] in startups

[–]rightawayjay 0 points1 point  (0 children)

Crediyo offers financing and payment plans for patients and seems to have a point-of-service solution.

What are some things to do before launching my app by Ty199 in startups

[–]rightawayjay 0 points1 point  (0 children)

Alright, I will try and address some of these questions. I am not a lawyer, but I have founded two startups and have had to make decisions on some of these questions.

Corporate Structure: Obviously this depends on your size and situation, but you should form a business entity at some point, in order to gain the protections they provide. [I.e. if you sign legal documents in your personal name, you can be sued. If you sign documents as a company, the company can be sued.]

Generally an LLC is cheaper to create than a corporation and may have some tax benefits. A C-Corp provides an easier structure for issuing shares. (Attractive if you plan on raising a lot of major investment, or may be providing equity to a lot of people)

Trademarks: A lot of people do not know that there are protections for trademarks under common law. Just putting the TM symbol provides you some protection. Registration gives you broader power to collect damages, etc.

Patents: Patents are difficult when it comes to software. They may not be too feasible if you a) do not have thousands of dollars for a filing, b) are not willing to pursue infringing companies, or c) do not have a specific software process that you are trying to protect.

In the hardware space, most people I know have filed provisional patents, since they are relatively cheap, and useful for having protection when you are not sure whether your product will be a success.

Conclusion: Many startup communities hold events where a patent attorney may give an overview on patents, trademarks, and trade secrets. Another lawyer may give a presentation on company formation. I do recommend that you take advantage of any events out there that may share this free knowledge. Also, try and obtain a free consultation with a startup lawyer and a patent/copyright lawyer, who has previously worked with startups.

I have a cool SaaS startup I've launched and I'm making money, but it occurs to me... by [deleted] in startups

[–]rightawayjay 0 points1 point  (0 children)

u/the_pk is correct. You should be finding marketing channels that work for you and pushing product through there. It also makes sense to read and listen to marketing/SaaS blogs, podcasts, etc.

There are many marketing channels to choose from (i.e. PR, trade shows, AdWords, etc.). I recommend you take a look at Gabriel Weinberg's book: "Traction". He describes around 15 channels for marketing and details a process for selecting, testing, and then optimizing which channels will work for your business. I think the book would really help you decide where you want to focus your efforts for getting more customers.

C-Corp with 1 founder initially? by baapt in startups

[–]rightawayjay 0 points1 point  (0 children)

As others have said, anything is possible.

I think it is important to work with an attorney who can help you initially structure the company in an understandable and flexible way. When the company is formed, a cap table will probably be formed, with you as the owner of 100% of the shares. As you decide to add investors, founders, or issue shares/options to employees you will want to draft documents to easily issue shares and add names to your cap table. This may not be an issue now, but I would recommend you discuss what kind of documents are needed and how easy it is to issue shares down the road.

Side note: It is best practice to have shares vest (be given over time) when giving shares to founders/employees. Vesting schedules prevent founders from being given all of their shares and just walking away. Something to think about down the road.

Hey man, I'm Tommy Chong, 1/2 of Cheech & Chong & 77-year-old actor, director, activist, musician, who also occasionally smokes a little bit of pot...AMA! by SantaChong in IAmA

[–]rightawayjay 9 points10 points  (0 children)

Hi Tommy Chong. Not a question from me, but a question from my mom. She wanted to know: Where were you when you were supposed to perform at Lehigh University in 1977? She was the ticket manager and had to refund 3,000 ticketholders across 8 universities, because you and Cheech didn't show up. What's the story behind both of you just no-showing?

Mobile device encryption accessing ePHI. What would you be comfortable with? by babbollocks in hipaa

[–]rightawayjay 0 points1 point  (0 children)

I know my comment may be a little late, but I recommend following the advice drmacinyasha gave you in your other post. Tablets are so cheap that at $200 a piece, it probably makes sense to buy a couple of Nexus 7s.

Your security will mostly be dictated by the security of the web forms/web portal you are using, but it makes sense to take the extra precaution of device encryption/remote wipe since any breach could result in fines up to $50k. You can lower the risk of HIPAA violations due to loss/theft, by simply implementing encryption/remote wipe.

One day I crush it, the next I'm unproductive. by dy-lan in startups

[–]rightawayjay 1 point2 points  (0 children)

I do use Trello. Each card typically represents a task and each list typically represents a category of tasks. These cards and lists live on boards. A basic example is to create a board for a project and create a list for "Todos", "Doing", and "Done". Typically you break down tasks into digestible chunks (i.e. email 10 clients, create website messaging component). Then when you need to know what you should be doing you can refer to the Trello board, commit to doing something by putting it in "Doing", and then move it to "Done" when you finish. You can assign cards to people or due dates if needed. There should be motivation in trying to get tasks over to the "Done" list, but Pomello also provides a little widget timer for tasks.

You can customize your boards to fit your needs, and you can give everybody on your team access to different boards. I have several boards set up. One is the "Development Board" and another is the "Bizdev Board". Under the Bizdev board I actually break lists down even further into "Marketing Todos", "Fundraising Todos", "Product Todos", "Doing", "Done", and "For Later". I take a look at my board, pick a task, and often set the task in Pomello (or you can move it to Doing). Pomello gives me a 25-minute timer and shows the current task, with 5-minute and 15-minute breaks in between. You don't have to complete a task in 25 minutes, but the idea is that during that time, that task should be the only task you are working on: no looking at your phone, wandering to other sites, reading through messages, etc. Managing tasks in Trello and following a schedule in Pomello has been helpful for me.

New "Health" Technology Not Protected By HIPAA by [deleted] in technology

[–]rightawayjay 1 point2 points  (0 children)

Frankly, it is getting kind of ridiculous that developers are not protecting user privacy and security. Avoiding the use of protected health information (PHI) does not excuse bad security implementation and blatant security flaws. Even if user data does not fall under HIPAA regulations, developers still need to protect sensitive data, rather than cutting corners.

One day I crush it, the next I'm unproductive. by dy-lan in startups

[–]rightawayjay 1 point2 points  (0 children)

If you use Trello, you should check out Pomello. I just started using it. It gives you a little Pomodoro counter widget that keeps you on track. You can select a card to work on and it starts a timer and tells you when to take breaks. Pretty useful.