Former HHS Enforcement Authority

Defensible HIPAA Compliance
Built by an Insider

We know exactly what regulators look for — because we spent decades on the enforcement side. Risk assessments, custom policies, workforce training, and breach response. HIPAA is all we do.

40+ Years Experience · Thousands of Assessments · 100% Remote — Nationwide

Book Your Free 15-Min Assessment

No obligation. We'll tell you if you don't need us.

15 minutes with Jay. No sales pitch. Your data is never shared.

40+ years HIPAA & law enforcement
200+ organizations served
Founded 2013, nationwide practice
50 states served nationwide

Most organizations aren't as compliant as they think.

You know HIPAA compliance matters. But between running a practice, managing staff, and keeping patients happy, it keeps getting pushed to next quarter.

Here's what we find in nearly every organization we assess:

No comprehensive policies and procedures.

9 out of 10 organizations that say "we have policies" don't actually meet compliance requirements.

No proper risk assessment.

71% of small-to-mid-sized providers have never conducted one. The ones who have often confuse a checklist with the "accurate and thorough" assessment OCR requires.

"Our IT guy handles it."

IT security is the tip of the iceberg. Most of HIPAA is administrative — policies, training, risk assessment, incident response, documentation. Your IT company isn't doing any of that.

Everything's fine — until it isn't.

750+ open breach investigations on the HHS portal right now. Two healthcare data breaches happen every day. And over 55% of OCR penalties target small practices.

You're not a compliance expert. You shouldn't have to be.

Not sure whether HIPAA even applies to you? We'll tell you in the first 5 minutes of a call.

"75% of 2025 enforcement penalties cited failure to conduct a risk analysis — the single most penalized deficiency in HIPAA history."

What changes when you have a defensible program

"Defensible" isn't a marketing buzzword. It's the word that matters when OCR investigates.

It means if you have a breach — and most experts say it's when, not if — there's very little they can pick apart. In roughly 85% of cases, a comprehensive defensible program means you receive technical guidance, not penalties or a corrective action plan.

Comprehensive policies & procedures

Customized to your organization, not downloaded templates. Written by our policy team based on your specific operations.

Current, documented risk assessment

The kind OCR actually accepts. 200+ questions, conducted with you, not sent to you as a link.

Trained workforce

Documented annual training for every employee who touches PHI. Not a 10-minute video everyone clicks through.

Audit confidence

The documentation, the policies, the assessment, the training records. All current. All defensible. If OCR calls, you answer the phone calmly.

Book My Free Assessment

Find out where you stand. 15 minutes, no obligation.

The investigator is now on your side.

Jay Hodes


President — Colington Consulting

Former Asst. Inspector General, HHS

Jay served as Assistant Inspector General for Investigations at the U.S. Department of Health and Human Services — the agency that enforces HIPAA. He's been on both sides: the enforcement side and the compliance side.

He knows what regulators look for because he was one.

With 40+ years of combined experience in risk assessments, regulatory compliance, and federal law enforcement management, Jay has personally conducted thousands of assessments — from solo practices to multi-state enterprises with 120 locations and 12,000 employees.

He's not going to sell you something you don't need. He recently told a company they didn't need HIPAA compliance at all — they weren't a covered entity or business associate. If you don't need it, he'll tell you straight.

Fmr. Asst. Inspector General, HHS
Fmr. HIPAA Compliance Officer, Fairfax County
80+ published articles on HIPAA
Expert witness for litigation
Keynote speaker, HCCA & others
Featured in industry publications

"My job is to keep your practice out of trouble. If you can do this yourself, I'll tell you. If you can't, I'll show you exactly what you need."

Four steps to a defensible compliance program.

1. Free Assessment Call (15 minutes)

Tell us about your organization — size, locations, current compliance state. Jay will give you an honest assessment of where you stand. If you don't need our services, he'll tell you.

2. Questionnaire + Policy Draft (~2 weeks)

You complete a questionnaire (~5 pages). Our policy writer generates customized policies and procedures based on your answers. Not auto-generated. Not templates. Manually written for your specific organization.

3. Expert-Led Assessment

Jay conducts the full security risk assessment with you — 200+ questions, answered together in real time. If you don't understand a question, he explains it on the spot, unlike a software tool that leaves you stuck if you can't answer.

4. Training + Ongoing Support

Annual workforce training for every employee who touches PHI. Continuous policy updates as regulations change. Audit-ready documentation maintained year over year.

Most organizations are audit-ready within a few weeks to a couple of months. If there's urgency — like a breach situation — we can expedite and get you stood up within a couple of weeks.


Step 1 starts here. 15 minutes, no obligation.

Full-service HIPAA compliance — not a software login.

Risk Management Plans

Custom-written policies addressing every requirement of the HIPAA Security Rule

Security Risk Assessments

200+ question assessments conducted directly by Jay — threats, vulnerabilities, high-risk findings

Policies & Procedures

Manually customized by our policy writer. Not templates. Not AI-generated.

Workforce Training

Required annual training for all staff — documented and compliant

Facility Security Surveys

Physical safeguards evaluation — alarm systems, servers, encryption, access control. Remote-capable.

Breach Response

Breach notification, documentation, corrective action planning

Business Associate Compliance

Letters of attestation, BA agreement guidance, full compliance programs for tech companies

Contingency & Disaster Recovery

Plans you hope you never need, but regulators require you to have

From solo practices to 120-location enterprises.

Healthcare Providers

  • Multi-location medical practices
  • Skilled nursing & rehabilitation
  • Hospice & behavioral health
  • Hospital-based practices
  • Dental, chiropractic & therapy
  • Pharmacies & optical practices
  • Public agencies & health depts

Business Associates

  • Health tech & SaaS platforms
  • Medical billing companies
  • Healthcare data analytics
  • Digital health platforms
  • Healthcare call centers
  • AI-enabled health solutions
  • Any company handling PHI

Not sure if you're a Business Associate?

Most companies that touch health data qualify — and don't know it. A SaaS company that sends messages for a doctor's office? Business Associate. A billing company that processes claims? Business Associate. We'll tell you in the first 5 minutes of a call.

Questions we hear on every first call.

Every engagement starts with a Statement of Work tailored to your organization's size, number of locations, and services needed. The free assessment call gives you a clear picture of what you need and what it costs — before any commitment. No surprises.

There's no size exemption in the regulations. Over 55% of OCR penalties target small practices. OCR's Risk Analysis Initiative specifically targets organizations that have never conducted a risk assessment — which disproportionately includes smaller practices.

Good — let us take a look. Nine times out of ten, what organizations have doesn't actually meet compliance requirements. If yours are solid, Jay will tell you. If they need work, we'll start fresh and incorporate anything useful from what you have.

Compliance software sends you a link with 200+ questions. If you don't understand a question — and most people won't if they're new to compliance — you're stuck. You'll end up booking consulting time with them anyway. We do the assessments together, in real-time, and Jay explains every question in context.

The questionnaire takes a few days to complete. Our policy writer generates the initial draft in about two weeks. Then we schedule the assessments and training. Total timeline: a few weeks to a couple of months depending on your organization's size. If there's urgency — like a breach situation — we can expedite.

The average healthcare breach costs $7.42 million. Even a small OCR penalty ($5,000) comes with a two-year corrective action plan that costs far more to implement than the penalty itself. Penalties are tiered by negligence — if you knew you had to do something and didn't, you're at the highest level. A defensible compliance program is the difference between technical guidance and six-figure fines.

Find out where you stand.

15 minutes with Jay. No obligation. No sales pitch. If you don't need our services, he'll tell you.

What happens next: You'll pick a time on the next page. Jay calls you for a 15-minute assessment of where your organization stands.

Prefer to call? 844.740.7100
