HIPAA Security Risk Analysis
Gap Analysis and Remediation Plan
Concierge Care, LLC - 14 Locations and Management
Prepared by: Mark Marley, HIPAA Compliance Consultant, Growth Systems, LLC
Date: October 3, 2025
Assessment Period: June - October 2025
Executive Summary
This Security Risk Analysis identifies critical compliance gaps affecting Concierge Care's HIPAA security posture. The assessment reveals significant deficiencies in vendor management, technical safeguards, and administrative controls that require immediate attention to ensure regulatory compliance and protect patient health information.
This assessment is still in progress; this SRA is a snapshot of Concierge Care's HIPAA posture as of the report date.
Overall Risk Level
HIGH
Elevated regulatory exposure due to systematic vendor service failures, inadequate technical controls, and insufficient documentation of security safeguards.
Immediate Action Required
Immediate remediation is required to achieve acceptable compliance levels and reduce potential penalties ranging from $60,000 to $1.19 million based on recent Florida enforcement actions.
Critical Findings Summary
Business Associate (VP Systems) systematic service failures and contract breaches
Inadequate mobile device management for PHI access
Insufficient network segmentation and access controls
Physical security inconsistencies across locations
Missing encryption verification and audit logging capabilities
Positive Progress
Concierge Care has demonstrated strong commitment to HIPAA compliance by completing substantial remediation of administrative safeguards during the assessment period. All required policies, procedures, and training programs have been implemented. The remaining gaps are primarily technical and physical safeguards that require vendor cooperation or infrastructure modernization.
Risk Assessment Methodology
This assessment utilized a comprehensive evaluation framework examining administrative, physical, and technical safeguards required under the HIPAA Security Rule. Risk levels were determined through analysis of current controls, threat likelihood, and potential impact on PHI confidentiality, integrity, and availability.
High Risk
Immediate remediation required (regulatory violation likely)
Medium Risk
Remediation within 90 days (compliance gap identified)
Low Risk
Enhancement recommended (best practice improvement)
Assessment Sources
  • Abyde HIPAA portal responses and documentation
  • Vendor service agreements and performance analysis
  • System configuration reviews and security assessments
  • Staff interviews and operational procedure evaluation
  • Interviews and surveys of the IT provider, VP Systems
Recent Florida HIPAA Enforcement Actions
The following recent enforcement actions by HHS Office for Civil Rights (OCR) against Florida healthcare organizations demonstrate the financial consequences of compliance gaps similar to those identified in this assessment:
$1.19M
Florida Pain Management Clinic
December 2024 - Maximum penalty for systematic compliance failures
$800K
BayCare Health System
May 2025 - Access control and monitoring violations
$60K
Memorial Healthcare System
January 2025 - Patient access rights violation
Florida Pain Management Clinic Case Analysis
$1.19 Million Penalty - December 2024
Violations Found:
  • Failure to conduct required security risk assessments
  • Failure to implement system activity review procedures
  • Inadequate access controls and safeguards
  • Insufficient documentation of security measures
Relevance to Concierge Care: This case directly parallels the current situation. The clinic failed to conduct comprehensive risk assessments, implement adequate access controls, and maintain proper system monitoring—the same gaps identified with VP Systems' service delivery. The $1.19 million penalty represents the upper range of exposure for systematic compliance failures.
Key Lesson: OCR imposed maximum penalties because the violations were systematic and demonstrated a pattern of neglect rather than isolated incidents. The combination of missing risk assessments, inadequate access controls, and poor documentation resulted in willful neglect findings.
BayCare Health System Case Analysis
$800,000 Settlement - May 2025
Violations Found:
  • Failing to implement proper access authorization policies
  • Failing to reduce risks and vulnerabilities to reasonable and appropriate levels
  • Failure to regularly review information system activity
  • Inadequate audit controls and monitoring
Relevance to Concierge Care: BayCare's violations mirror the access control deficiencies, inadequate system monitoring, and audit trail gaps identified in this assessment. VP Systems' refusal to provide documentation of access controls and system monitoring creates similar exposure. The $800,000 settlement demonstrates OCR's enforcement priorities around access management and system oversight.
Key Lesson: Even large, well-resourced health systems face substantial penalties for access control and monitoring failures. The settlement amount reflects OCR's view that these technical safeguards are fundamental requirements, not optional enhancements.
Memorial Healthcare System Case Analysis
$60,000 Settlement - January 2025
Violations Found:
  • HIPAA Right of Access violation
  • Failure to provide timely access to patient records
  • Inadequate documentation of access request handling
  • Inadequate audit controls and monitoring

Relevance to Concierge Care: While this case focused on patient access rights rather than technical safeguards, it demonstrates that even single-category violations result in substantial penalties. The $60,000 settlement represents the lower bound of enforcement exposure and shows that OCR actively investigates and penalizes Florida healthcare providers.
Key Lesson: OCR enforcement is active in Florida, and even narrow violations result in significant financial penalties. Comprehensive compliance gaps across multiple categories (as identified in this assessment) create substantially higher exposure.
Penalty Exposure Analysis for Concierge Care
Based on these recent Florida enforcement actions, Concierge Care faces potential penalties across multiple violation categories:
Estimated Total Exposure: $60,000 - $1,190,000
Factors Affecting Penalty Determination
OCR considers multiple factors when determining penalty amounts:
Aggravating Factors (Increase Penalties)
  • Systematic nature of violations: Multiple gap categories across administrative, physical, and technical safeguards
  • Duration of non-compliance: Some gaps (VP Systems failures) have persisted for extended periods
  • Vendor management failures: Reliance on non-compliant Business Associate creates shared liability
  • Knowledge of violations: Documented awareness of gaps without timely remediation increases willful neglect risk
Mitigating Factors (Reduce Penalties)
  • Proactive compliance efforts: Completed administrative safeguards demonstrate good faith commitment
  • Prompt remediation: Immediate action upon gap identification shows organizational responsibility
  • Limited resources: Small organization size and budget constraints may influence penalty calculation
  • No patient harm: Absence of actual PHI breaches or patient impact reduces severity assessment
Willful Neglect Threshold
The critical question for penalty determination is whether violations constitute "willful neglect":

Willful Neglect Definition: Conscious, intentional failure or reckless indifference to the obligation to comply with HIPAA requirements.
Current Status: Concierge Care is approaching the willful neglect threshold due to:
  1. Documented knowledge of gaps: This risk assessment identifies specific violations
  2. Continued operation of non-compliant systems: Call recording system operates with known HIPAA violations
  3. Delayed vendor remediation: VP Systems failures documented but contract continues
  4. Technical safeguard gaps: Awareness of MDM requirements without implementation
Critical Timeline: HIPAA's penalty tiers treat willful neglect that is corrected within 30 days of discovery differently from willful neglect that is not corrected, so OCR expects covered entities to show remediation efforts within roughly 30-60 days of gap identification. Failure to initiate corrective action after receiving this assessment could move the current violations from the "reasonable cause" tier to "willful neglect," raising exposure from the $60,000-$200,000 range to the $1,000,000-$1,500,000 range.
Recommended Risk Mitigation Strategy
To minimize penalty exposure and avoid willful neglect findings:
01
Immediate Action (Within 7 Days)
  • Document receipt and review of this risk assessment
  • Establish remediation timeline with specific milestones
  • Initiate immediate actions (vendor evaluation, call recording cessation, MFA implementation)
02
Short-Term Remediation (Within 30 Days)
  • Complete all immediate priority actions identified in remediation matrix
  • Document all remediation efforts with dates, responsible parties, and completion status
  • Demonstrate good faith compliance efforts through tangible progress
03
Ongoing Documentation (Continuous)
  • Maintain detailed records of all remediation activities
  • Document barriers to compliance and mitigation efforts
  • Create audit trail showing organizational commitment to compliance
Key Principle: The difference between $60,000 and $1,190,000 in penalties is not the presence of gaps (all organizations have some gaps), but rather the organizational response to gap identification. Immediate, documented remediation efforts demonstrate good faith and substantially reduce penalty exposure even if full compliance takes time to achieve.
Critical Gap #1: Business Associate Management Failures
HIGH RISK
Finding: VP Systems (Primary IT Vendor) demonstrates systematic service failures and contract breaches affecting HIPAA compliance.
Specific Issues:
  • Refusal to provide required security documentation despite BAA Section 8(a) obligations requiring access to policies, procedures, and records
  • Inconsistent service delivery compared to contracted obligations under MSA
  • False attestations in compliance portal followed by service denial when documentation was requested
  • Document fraud and professional misconduct by vendor leadership, including fabrication of prior BAA and false fraud accusations
  • Inadequate HIPAA knowledge demonstrated through fundamental compliance errors
VP Systems Additional Failures
  • Breach notification failure: VP Systems identified PHI in service tickets as a deficiency in their own SRA but failed to notify Concierge Care of this breach, failed to quantify the number of affected records, failed to explain how PHI entered the ticketing system, and failed to enable corrective action
  • Incomplete asset management: VP Systems has failed to provide a current, detailed asset inventory despite multiple requests, preventing accurate security assessments
  • Copier/printer security gaps: VP Systems cannot provide documentation on copier hard drive encryption, secure destruction policies, or current security status of multifunction devices that may store PHI
  • Inadequate audit log retention: Firewall logs are retained for only 30 days. HIPAA does not prescribe a fixed log retention period, but 30 days is too short to support incident investigation (intrusions are commonly discovered months after the fact) or to evidence the information system activity review required under § 164.308(a)(1)(ii)(D), and the documentation of that review must itself be retained for six years under § 164.316(b)(2)
  • Failure to address communication platform sprawl: Multiple unmanaged communication platforms (text messaging, 3CX Messenger, email, Wellsky messaging) create inconsistent security controls and audit gaps across locations
VP Systems Immediate Actions Required
Regulatory Impact: Direct violation of § 164.308(b)(1) and § 164.314(a) - Business Associate contract requirements and the vendor oversight obligations they carry. Potential penalties $50,000-$1.5M per violation category.
Evaluate Termination of VP Systems Contract
Based on extensive evidence of material breach, professional misconduct, and gross negligence documented in this report
Investigate PHI in Service Tickets Breach
Demand immediate disclosure regarding scope, timeline, and affected records of PHI exposure in ticketing system
Obtain Complete Asset Inventory
Require comprehensive, current asset inventory including all devices with security status documentation
Conduct Comprehensive Security Assessment
Independent security assessment of all VP-managed systems to identify full extent of security gaps
Critical Gap #2: Mobile Device Management Deficiencies
HIGH RISK
Finding: Inadequate controls for personal devices accessing PHI through email and applications.
Specific Issues:
  • No Mobile Device Management (MDM) implementation; HIPAA does not name MDM, but without it the access control, encryption, and device and media control safeguards cannot be enforced on personal devices
  • 36+ users accessing PHI on unmanaged personal devices
  • Lack of device encryption verification and remote wipe capabilities
  • Insufficient application controls and data segregation
  • Missing device compliance monitoring and policy enforcement
Regulatory Impact: Violation of § 164.312(a)(1) - Access Control requirements and § 164.312(e)(1) - Transmission Security. Enhanced penalties for willful neglect.
Mobile Device Management Remediation Plan
01
Implement Comprehensive BYOD Policy
Establish clear policies for personal device use with MDM enforcement requirements
02
Deploy Microsoft Intune or Equivalent MDM Solution
Implement enterprise-grade mobile device management with full compliance monitoring
03
Require Device Encryption and Security Baseline Compliance
Enforce encryption standards and security configurations across all managed devices
04
Establish Device Registration and Monitoring Procedures
Create systematic device enrollment and ongoing compliance verification processes
Critical Gap #3: Network Security and Access Control Gaps
HIGH RISK
Finding: Inadequate network segmentation and access controls create unauthorized PHI exposure.
Specific Issues:
  • Shared WiFi network between staff and visitors (ConciergeCare/He@lthc@re)
  • No guest network isolation from PHI-containing systems
  • Insufficient network monitoring and access logging
  • Inadequate VPN controls and user authentication
  • Missing advanced network security and threat detection capabilities
  • Legacy network infrastructure without modern security controls
Regulatory Impact: Violation of § 164.312(a)(1) - Access Control and § 164.312(e)(1) - Transmission Security (PHI traverses a network shared with visitors).
Network Security Remediation Plan
Implement Separate Guest WiFi Network
Deploy completely isolated guest network with no access to PHI-containing systems
Deploy Cork Network Security Solution
Implement advanced threat protection with comprehensive monitoring and detection capabilities
Evaluate VPN Elimination
Transition to cloud-based secure access through Office 365 to reduce complexity and improve security
Establish Comprehensive Network Monitoring
Implement network access control (NAC) solution with detailed logging and alerting
Critical Gap #4: Audit and Monitoring Deficiencies
MEDIUM RISK
Finding: Insufficient audit controls and system activity monitoring for PHI access.
Specific Issues:
  • Inadequate audit log generation and review procedures
  • Missing automated monitoring for suspicious PHI access
  • Insufficient documentation of system activity reviews
  • Lack of comprehensive incident detection and response capabilities
  • Inadequate vendor monitoring and oversight procedures
Regulatory Impact: Violation of § 164.312(b) - Audit Controls and § 164.308(a)(1)(ii)(D) - Information System Activity Review.
Implement SIEM Solution
Deploy Security Information and Event Management system for comprehensive monitoring
Establish Automated Audit Log Review
Create automated alerting and review procedures for suspicious activities
Deploy User Behavior Analytics
Implement monitoring for unusual PHI access patterns and potential insider threats
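The following is an added example of what the automated audit log review and basic behavior analytics recommended above look like in practice; it is not code from the assessment, from VP Systems, or from any vendor. The CSV log format, the active-user roster, the business-hours window, and the bulk-access threshold are all assumptions, and the log lines are constructed sample data, not records from Concierge Care's systems.

```python
"""Automated review of a PHI access log: flags access by accounts that are no
longer on the HR roster, after-hours access, record exports, and bulk access
(one user touching many distinct patients in a day)."""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (assumed format: one PHI access event per row).
SAMPLE_LOG = """\
timestamp,user,patient_id,action
2025-09-08T09:12:04,jdoe,P1001,view
2025-09-08T09:40:11,jdoe,P1002,view
2025-09-08T10:05:30,rlee,P1003,export
2025-09-08T11:02:00,msmith,P1004,view
2025-09-08T11:03:10,msmith,P1005,view
2025-09-08T11:04:22,msmith,P1006,view
2025-09-08T11:05:47,msmith,P1007,view
2025-09-08T11:06:01,msmith,P1008,view
2025-09-08T11:06:55,msmith,P1009,view
2025-09-08T22:41:19,tbrown,P1010,view
"""

# Assumed inputs: the current HR roster of active workforce members, the
# window in which routine PHI access is expected, and the bulk threshold.
ACTIVE_USERS = {"jdoe", "msmith", "rlee"}   # tbrown is assumed terminated
BUSINESS_HOURS = (7, 19)                    # 07:00-19:00 local, assumed
BULK_THRESHOLD = 5                          # distinct patients/user/day, assumed


def parse_log(text):
    """Parse the CSV export into dicts with a real datetime in 'timestamp'."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        records.append(row)
    return records


def review_access_log(records, active_users=ACTIVE_USERS,
                      business_hours=BUSINESS_HOURS,
                      bulk_threshold=BULK_THRESHOLD):
    """Return a list of (rule, user, detail) findings for human review."""
    findings = []
    patients_per_user_day = defaultdict(set)
    start, end = business_hours
    for r in records:
        user, ts = r["user"], r["timestamp"]
        detail = f"{ts.isoformat()} {r['action']} {r['patient_id']}"
        # Any access by an account not on the active roster is a finding:
        # it indicates a termination that was not propagated to the system.
        if user not in active_users:
            findings.append(("inactive_account", user, detail))
        # Access outside the expected window is reviewed, not blocked.
        if not (start <= ts.hour < end):
            findings.append(("after_hours", user, detail))
        # Exports/downloads move PHI out of the system and are always logged.
        if r["action"] == "export":
            findings.append(("export", user, detail))
        patients_per_user_day[(user, ts.date())].add(r["patient_id"])
    # Bulk access: many distinct patients in one day suggests snooping or
    # scraping rather than care delivery.
    for (user, day), patients in sorted(patients_per_user_day.items()):
        if len(patients) >= bulk_threshold:
            findings.append(("bulk_access", user,
                             f"{day} {len(patients)} distinct patients"))
    return findings


def summarize(findings):
    """Count findings per rule, for the periodic review record."""
    return Counter(rule for rule, _, _ in findings)


if __name__ == "__main__":
    results = review_access_log(parse_log(SAMPLE_LOG))
    for rule, user, detail in results:
        print(f"{rule:17} {user:8} {detail}")
    print(dict(summarize(results)))
```

Each run should be retained as evidence of the system activity review, with the reviewer, date, and disposition of every finding recorded; the thresholds are a starting point and should be tuned against a month of real activity before alerts are treated as actionable.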
Critical Gap #5: Physical Security and Facility Access Control Failures
HIGH RISK
Finding: Inconsistent physical security controls across locations create unauthorized access risks and fail to meet HIPAA Physical Safeguards requirements.
Specific Issues:
  • Inconsistent alarm systems: Some locations have alarm systems while most do not, creating uneven protection of PHI-containing areas
  • Shared alarm codes: Locations with alarms share codes among all staff, eliminating individual accountability and audit trails
  • No alarm code management: No documented alarm code changes or periodic testing, allowing indefinite access for terminated employees
  • Fire safety system gaps: Discrepancies in fire safety systems across locations with some unable to identify the date of most recent fire marshal inspection
  • Key management failures: Most locations issue physical keys to employees with limited or no logging of key returns upon termination
Regulatory Impact: Violation of § 164.310(a)(1) - Facility Access Controls, § 164.310(a)(2)(ii) - Facility Security Plan, and § 164.310(a)(2)(iii) - Access Control and Validation Procedures.
Physical Security Remediation Plan
Standardize Alarm Systems
Deploy alarm systems at all locations with PHI access
Implement Individual Alarm Codes
Assign unique codes to each employee with access logging and immediate revocation upon termination
Establish Key Management System
Implement key tracking system with sign-out/sign-in logs and mandatory return verification upon termination
Create Comprehensive Termination Checklist
Include physical key return, alarm code revocation, system access removal, and hardware recovery
Conduct Quarterly Access Audits
Compare active employees against facility access lists, alarm codes, and system accounts
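The quarterly access audit above is a reconciliation: the HR roster is the source of truth, and every alarm code, issued key, and system account is compared against it. The following is an added example of that reconciliation, not code from the assessment or from any vendor; the roster, alarm-code list, key log, and account lists are constructed sample data, and their field names are assumptions.

```python
"""Quarterly access reconciliation: compare the HR roster against alarm codes,
issued physical keys, and system accounts, and report every mismatch."""
from collections import defaultdict

# Constructed sample data (assumed field names). In practice these come from
# the HR system, the alarm panel's user list, the key sign-out log, and the
# account exports from email and the EHR.
HR_ROSTER = [
    {"employee": "jdoe",   "status": "active"},
    {"employee": "msmith", "status": "active"},
    {"employee": "rlee",   "status": "active"},
    {"employee": "tbrown", "status": "terminated", "term_date": "2025-07-15"},
]
ALARM_CODES = {"jdoe": "4421", "msmith": "4421", "rlee": "7730", "tbrown": "9087"}
KEY_LOG = [
    {"employee": "jdoe",   "key": "Tampa-front", "returned": False},
    {"employee": "tbrown", "key": "Tampa-front", "returned": False},
    {"employee": "rlee",   "key": "Tampa-rear",  "returned": True},
]
SYSTEM_ACCOUNTS = {
    "email": {"jdoe": "enabled", "msmith": "enabled", "rlee": "enabled",
              "tbrown": "enabled", "svc-scanner": "enabled"},
    "ehr":   {"jdoe": "enabled", "msmith": "enabled", "tbrown": "disabled"},
}


def reconcile(roster, alarm_codes, key_log, system_accounts):
    """Return (category, subject, detail) findings for the audit record."""
    active = {e["employee"] for e in roster if e["status"] == "active"}
    known = {e["employee"] for e in roster}
    terminated = known - active
    findings = []

    # Alarm codes: terminated staff must have no code, and no code may be
    # shared, or the alarm log cannot attribute an entry to one person.
    for user, code in alarm_codes.items():
        if user in terminated:
            findings.append(("terminated_alarm_code", user, f"code still assigned"))
    users_by_code = defaultdict(list)
    for user, code in alarm_codes.items():
        users_by_code[code].append(user)
    for code, users in sorted(users_by_code.items()):
        if len(users) > 1:
            findings.append(("shared_alarm_code", code, ", ".join(sorted(users))))

    # Physical keys: every key issued to a terminated employee must be logged
    # as returned; an unreturned key means the lock should be re-keyed.
    for entry in key_log:
        if entry["employee"] in terminated and not entry["returned"]:
            findings.append(("unreturned_key", entry["employee"], entry["key"]))

    # System accounts: terminated staff must be disabled, and any account with
    # no HR record (service or shared account) is reviewed for an owner.
    for system, accounts in system_accounts.items():
        for account, state in accounts.items():
            if account in terminated and state == "enabled":
                findings.append(("terminated_account_enabled", account, system))
            elif account not in known:
                findings.append(("orphan_account", account, system))
    return findings


if __name__ == "__main__":
    for category, subject, detail in reconcile(HR_ROSTER, ALARM_CODES,
                                               KEY_LOG, SYSTEM_ACCOUNTS):
        print(f"{category:27} {subject:12} {detail}")
```

A clean run (no findings) is the evidence to file for the quarter; any finding maps directly onto a step of the termination checklist that was missed and should be closed and dated in the same record.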
Critical Gap #6: Encryption and Data Protection Gaps
MEDIUM RISK
Finding: Unverified encryption implementation and inadequate data protection controls.
Specific Issues:
  • No verification of BitLocker encryption on managed devices
  • Insufficient encryption key management and documentation
  • Inadequate backup encryption and security verification
  • Missing data loss prevention (DLP) controls
  • Unverified encryption for PHI transmission and storage
Regulatory Impact: Potential violation of § 164.312(a)(2)(iv) - Encryption and § 164.312(e)(2)(ii) - Transmission Security.
Implement Encryption Verification
Deploy comprehensive encryption verification and reporting systems
Deploy Centralized Key Management
Establish enterprise encryption key management and documentation
Establish Encrypted Backup Verification
Implement procedures to verify backup encryption and security
Implement Data Loss Prevention
Deploy DLP monitoring to prevent unauthorized PHI transmission
Critical Gap #7: Call Recording System HIPAA Violations
HIGH RISK
Finding: Current call recording system stores PHI without required HIPAA safeguards, creating both regulatory violations and state law compliance issues.
Background: Concierge Care records approximately 85-90 incoming calls per day for quality assurance and marketing purposes. Many of these calls contain Protected Health Information (PHI), including patient names, health conditions, care needs, medications, and treatment discussions. Under HIPAA, audio recordings containing PHI constitute electronic Protected Health Information (ePHI) and are subject to the Privacy Rule and Security Rule requirements.
Call Recording System HIPAA Violations
Specific HIPAA Violations:
  • No Business Associate Agreement: CallRail Basic (current system) explicitly disclaims HIPAA responsibility and does not provide a Business Associate Agreement, violating § 164.308(b)(1) requirement for BAAs with vendors storing ePHI
  • No Encryption: Recordings containing PHI are stored without encryption at rest on CallRail servers, violating § 164.312(a)(2)(iv) and § 164.312(e)(2)(ii) encryption requirements
  • No Access Controls: No documented access controls, unique user IDs, or role-based permissions for who can access recorded PHI, violating § 164.312(a)(1) access control requirements
  • No Audit Trails: No audit logs showing who accessed, downloaded, or listened to recordings containing PHI, violating § 164.312(b) audit control requirements
  • No Retention/Destruction Policy: Recordings accumulate indefinitely without documented retention schedule or secure destruction procedures, violating § 164.530(j) documentation requirements
Call Recording Compliant Solution and Decision
Compliant Solution Recommended (June 2025): A comprehensive compliant call recording solution was designed and recommended:
  • Platform: CallRail HIPAA-compliant version with Business Associate Agreement
  • Consent Workflow: Explicit two-party consent mechanism with opt-in/opt-out capability and documented proof of consent for each call
  • Encryption: All recordings encrypted at rest and in transit
  • Access Controls: Role-based access with unique user IDs and authentication
  • Cost: Approximately $8,000 annually
  • Result: Full HIPAA compliance and Florida two-party consent law compliance
Decision Made (August 2025): Leadership chose to continue with CallRail Basic (non-HIPAA version) based on recommendation from Brad Cowart, approval from Concierge Care's attorney, cost considerations, and concerns about business impact.
Call Recording Current System Status and Penalty Exposure
Current System Status:
  • Platform: CallRail Basic (non-HIPAA version)
  • Consent Mechanism: Simple disclaimer only ("this call may be recorded")
  • Encryption: None at rest; recordings stored in plain form on CallRail servers
  • Access Controls: Not documented or restricted
  • Audit Trails: None
  • BAA: CallRail Basic explicitly disclaims HIPAA responsibility
  • Result: Direct HIPAA violations; approximately 31,000+ calls recorded annually without required safeguards
Penalty Exposure: Because a compliant solution was specifically recommended and leadership chose to implement a non-compliant system with full knowledge of the violations, this qualifies as willful neglect under HIPAA enforcement guidelines:
  • Willful neglect (not corrected): $50,000 per violation, up to $1.5 million annually per violation category
  • Estimated annual exposure: With 31,000+ recorded calls containing PHI and multiple violation categories, potential HIPAA penalties could reach $1.5 million+ annually
Critical Gap #8: Email and Collaboration Infrastructure Gaps
HIGH RISK
Finding: Current email and file sharing infrastructure lacks comprehensive HIPAA compliance and modern security controls.
Specific Issues:
  • On-premises Exchange server without advanced threat protection
  • Inadequate email encryption and data loss prevention capabilities; email encryption is currently enabled for only a small number of users
  • No secure collaboration platform for PHI-containing documents
  • Insufficient email archiving and retention compliance
  • No multi-factor authentication on email accounts
  • No conditional access policies for remote email authentication, so sign-ins from unmanaged devices or unexpected locations cannot be blocked
  • Former staff email accounts remain active, and Concierge Care is paying for them each month
Regulatory Impact: Potential violation of § 164.312(e)(1) - Transmission Security and § 164.312(c)(1) - Integrity controls for PHI communications.
Email Infrastructure Remediation Plan
Migrate to Office 365 with HIPAA Business Associate Agreement
Transition to cloud-based email with comprehensive HIPAA compliance features
Implement SharePoint for Secure Document Collaboration
Deploy secure platform for PHI-containing document sharing and collaboration
Deploy Advanced Threat Protection and Email Encryption
Implement comprehensive email security with encryption and threat detection
Establish Comprehensive Email Retention and Archiving
Implement HIPAA-compliant email retention policies and legal hold capabilities
Critical Gap #9: Vendor Oversight and Documentation Failures
MEDIUM RISK
Finding: Inadequate vendor management and security documentation requirements.
Specific Issues:
  • Insufficient vendor security assessments and ongoing monitoring
  • Missing comprehensive Business Associate Agreement enforcement
  • Inadequate vendor incident notification and response procedures
  • Insufficient documentation of vendor security controls and capabilities
  • Missing vendor performance monitoring and compliance verification
  • Missing Confidentiality Agreements for other vendors that may see PHI
Wellsky (EHR/Scheduling Vendor) Compliance Gaps:
  • Wellsky's HITRUST certification does not appear to be accurate
  • Wellsky failed to provide timely security documentation despite multiple requests
  • Wellsky does not require a password for caregivers to access PHI
  • Wellsky does not support multi-factor authentication
Critical Gap #10: Workforce Security Training and Authentication Deficiencies
HIGH RISK
Finding: Staff lack essential security awareness training, incident response procedures, and technical safeguards including multi-factor authentication and password management systems.
Security Awareness Training Gaps:
  • No security awareness training program: Staff have not received training on identifying and responding to security threats such as phishing, social engineering, malware, or ransomware attacks
  • No phishing simulation or testing: No program to test staff ability to recognize and report phishing attempts, which are the leading cause of healthcare data breaches
  • No ongoing security education: No regular security updates, newsletters, or refresher training to maintain security awareness
  • No role-based security training: Staff in high-risk roles (billing, HR, clinical) have not received specialized training on protecting PHI in their specific functions
Workforce Security Technical Safeguards Deficiencies
Technical Safeguards Deficiencies:
  • No multi-factor authentication (MFA/2FA): Email systems, EHR access, and other systems containing PHI lack two-factor authentication, allowing unauthorized access if passwords are compromised
  • No password management system: Staff lack enterprise password managers, leading to weak passwords, password reuse across systems, and insecure password storage
  • No password complexity enforcement: Systems may lack password policies requiring adequate length and screening against known-compromised passwords (NIST SP 800-63B no longer recommends mandatory periodic rotation; require a change only on evidence of compromise)
  • No single sign-on (SSO): Multiple system logins increase password fatigue and security risks
Threat Landscape: Healthcare organizations face significant security threats that exploit these gaps:
  • Phishing Attacks: 90% of healthcare data breaches begin with phishing emails
  • Ransomware: Healthcare sector is #1 target for ransomware attacks
  • Credential Compromise: 81% of data breaches involve weak or stolen passwords
Workforce Security Remediation Plan
Estimated Breach Cost: For Concierge Care, with approximately 5,000-10,000 patient records, the potential cost of a breach is $1.5-3 million.
1
Phase 1: Immediate Security Awareness Training (30 days)
  • Deploy security awareness training platform (KnowBe4, Microsoft, or similar)
  • Assign baseline security awareness training to all staff
  • Establish incident response procedures
  • Implement phishing simulation program
2
Phase 2: Multi-Factor Authentication Implementation (60 days)
  • Enable MFA on all Office 365/Exchange email accounts
  • Enable MFA on EHR and critical systems where supported (Wellsky currently does not support MFA, per Gap #9; track this as an open vendor gap)
  • Deploy MFA for VPN and remote access
3
Phase 3: Password Management System (90 days)
  • Deploy enterprise password manager
  • Enforce password policies
  • Eliminate password sharing
4
Phase 4: Ongoing Security Training Program (Continuous)
  • Monthly security awareness activities
  • Incident response drills
  • Metrics and reporting
Conclusion and Recommendations
This Security Risk Analysis identifies critical HIPAA compliance gaps requiring immediate executive attention and comprehensive remediation. The systematic vendor failures, technical control deficiencies, and administrative gaps create unacceptable regulatory exposure that must be addressed through coordinated implementation of enhanced security controls and qualified vendor relationships.
Executive Action Required
Immediate termination of the problematic vendor relationship, engagement of qualified healthcare IT services, and implementation of comprehensive security enhancements as outlined in this remediation plan.
Timeline Criticality
The 30-day immediate action phase is essential for preventing regulatory action and achieving defensible compliance posture. Delayed implementation increases penalty exposure and operational risk.
Investment Justification
The estimated $60,000-$150,000 investment in comprehensive security enhancements is significantly less than potential regulatory penalties and provides long-term operational benefits.
Success Probability
With proper executive support and resource allocation, the outlined remediation plan can achieve acceptable compliance levels within 90 days and comprehensive security enhancement within 180 days.
The organization has the opportunity to transform current compliance challenges into competitive advantages through implementation of industry-leading security controls and vendor management practices that exceed regulatory requirements while supporting business growth and operational excellence.

CONFIDENTIAL - PROFESSIONAL CONSULTANT COMMUNICATION
This report contains confidential analysis and recommendations prepared for Concierge Care, LLC executive decision-making. Distribution should be limited to authorized personnel with legitimate business need for this information.