HIPAA TIM Consulting - Expert HIPAA Compliance Services

Your Trusted HIPAA Compliance Partner

TIM* Consulting, Compliance, and Notary Services LLC.  

*TIM is an acronym for “Tutor IMinisterium” (Latin), meaning “guardian in service”, implying a protective role within a service or official capacity. TIM’s services involve guardian / protective services in one form or another.

Mission Statement:

TIM’s primary mission is to assist small to mid-sized HIPAA regulated entities (e.g., physician practices, dental practices, nursing facilities, home health services, durable medical equipment suppliers, etc.) and business associates/vendors (e.g., IT service companies, offsite media backup vendors, media destruction firms, etc.) with their HIPAA compliance programs.

Very few organizations offer the HIPAA capabilities and in-depth experience that TIM provides to covered entities and business associates. 

TIM assists organizations by sharing twenty-five years of HIPAA experience, including twenty years of operational / managerial experience as the HIPAA Privacy / Security Officer at major organizations - including Henry Ford Health System (Detroit), and Genpact - an international company.

TIM Services:

  • Comprehensive HIPAA Compliance Solutions
  • Consulting and Project Management
  • Notary Public 

Comprehensive HIPAA Compliance Solutions

HIPAA and Small to Mid-Sized HIPAA Covered Entities and Business Associates

Oftentimes, small and mid-sized HIPAA Covered Entities and Business Associates assign the role of HIPAA compliance officer as an add-on to someone who is already overworked and stressed out. Most organizations do not realize that the HIPAA regulations covering provider identifiers, transactions, code sets, privacy, security, and breach notification involve over 200 standards/regulatory sections and hundreds of implementation specifications. These standards and implementation specifications are supported by over 150 documents spanning thousands of pages of regulation, guidance, NIST manuals, etc. And the proposed HIPAA security regulation is much more prescriptive.

TIM offers HIPAA readiness reviews and HIPAA compliance program development to assist small and mid-sized HIPAA Covered Entities and Business Associates. A HIPAA readiness review is also available that is based on the more detailed HIPAA proposed final rule to help organizations plan for future requirements - especially related to cybersecurity. For those regulated entities that do not currently have a HIPAA compliance program, TIM will develop a comprehensive HIPAA program for them.

_________________________________________________________________________________________

A note about what government regulators are expecting.

Regulators have made it clear that documentation alone is no longer enough. A clinic can have perfect policies, but if there is no evidence that those policies are followed, OCR treats the program as non‑compliant. This expectation is reflected in:

  • OCR audit requests that ask for logs, screenshots, system artifacts, and proof of execution—not just policies. 
  • Guidance emphasizing that policies must match actual operations, be current, and be backed by retained records showing they were carried out. 

In other words: HIPAA compliance = documented policies + evidence that those policies were implemented consistently.

Examples of “documentation” vs. “operational evidence”

Documentation (necessary but insufficient)

  • HIPAA Privacy, Security, and Breach Notification policies
  • Workforce training policy
  • Access control policy
  • Incident response policy
  • Risk analysis and risk management plan
  • Business Associate Agreement templates

These show intent.

Operational evidence (what regulators now expect)

These show execution:

  • Training records with dates, completions, and acknowledgments
  • Audit logs showing access to ePHI and security events (required under 164.312(b)) 
  • System configuration screenshots proving MFA, encryption, role‑based access, etc.
  • Backup logs and restore test results
  • Incident/breach logs
  • Version‑controlled policy approvals and periodic review records
  • Ticketing or workflow records showing that procedures (e.g., access termination) actually occurred
  • Asset inventories showing systems that store/transmit ePHI and their security posture

OCR increasingly asks for these artifacts within days during an investigation. 

Why regulators emphasize operational evidence

Two reasons:

  1. Most HIPAA failures occur in execution, not policy writing.
  2. OCR has repeatedly found that organizations had policies “on paper” but no proof they were followed—leading to large financial settlements.

Current compliance guidance reinforces that policies must be “current” and aligned to real operations, not templates. 

__________________________________________________________________________________________

TIM’s HIPAA Readiness Review Process

TIM will review an organization’s adherence to the current and, if applicable, the proposed HIPAA regulations. The HIPAA Readiness Review process includes five project phases:

  1. Pre-readiness review meeting
  2. Discovery
  3. Risk Analysis
  4. Risk Mitigation
  5. Monitoring and Review

Pre-readiness Review Meeting

Typically, this is an introductory call, in-person meeting, or virtual meeting between the healthcare entity and TIM. Basic entity information is discussed as well as TIM’s capabilities. Based on the results of the meeting, a proposal will be submitted to the client and will include a project plan, deliverables, and costs for the Discovery Phase.

Discovery

The Discovery phase includes the review of various aspects of an organization, such as its practice offerings, locations, staff size, IT infrastructure, business associates, and any regulatory concerns that the owner may have.  A high-level HIPAA gap analysis / HIPAA program evaluation is performed and will include a preliminary review of any prior risk assessments, privacy, security, and data breach policies, training documentation, incidents, and HIPAA transactions. The deliverables of this phase will include documentation of the Discovery Phase findings and recommendations for next steps. 

Risk Analysis

HIPAA requires that covered entities and business associates/subcontractors conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. TIM can provide strategic direction and help conduct an assessment of your organization’s adherence to security, privacy, data breach and other components of the HIPAA rule. A HIPAA security risk assessment tool will be used. The assessment findings will help highlight any of the organization’s gaps to the HIPAA requirements and will recommend strategies and administrative, physical, and technical safeguards to help the organization with their HIPAA readiness. 

Risk Analysis components include:

  • Privacy, security, and data breach elements
  • Technology asset inventory
  • Identifying threats and vulnerabilities
  • Assessing current security controls
  • Determination of threat likelihood and impact
  • Determination of level of risk
  • Recommended security controls
  • Documentation of risk analysis findings
  • Recommendations for next steps

Risk Mitigation

Based on the Risk Analysis findings, corrective actions (mitigations) may be required to enhance the entity’s HIPAA compliance program. A risk mitigation plan will be proposed that recommends a mitigation strategy and its elements. Typical mitigation activities include the following areas:

  • Policies, Standards, and Procedures 
  • Awareness and training
  • Business Associate/Subcontractor Audit
  • Security Audit and Control
  • Incident Response - Security, Privacy, and Data Breach Incidents 
  • Emergency / Disaster Preparedness 

While developing and implementing an effective mitigation strategy and program, TIM follows the Department of Health and Human Services General Compliance Program Guidance for small entities, which includes the following elements:

  1. Compliance contact
  2. Policies, procedures, and training
  3. Open lines of communication
  4. Risk assessment, auditing, and monitoring
  5. Enforcement standards
  6. Responding to detected offenses and developing corrective action initiatives

  • Policies, Standards, and Procedures 

Covered entities and business associates/subcontractors are required to implement reasonable and appropriate organizational policies, standards, and procedures to comply with the standards, implementation specifications, or other requirements of the HIPAA rule. TIM will review your current policies and procedures to measure their compliance with HIPAA. We can also help with the development of any new policies and procedures that will fit the needs of your organization.

  • Awareness and Training 

To be effective, security and privacy training needs to be an on-going process. TIM will review your current awareness and training programs and can also develop custom courses, security reminders, bulletins, white papers, and presentations to address your overall security and privacy requirements. 

  • Business Associate/Subcontractor Audit

Most HIPAA covered entities have a number of business associates that handle ePHI for the covered entity. Likewise, business associates may have a number of subcontractors that have access to ePHI for the business associate. We can assist covered entities with the HIPAA program evaluation and governance of their business associates and their subcontractors. 

TIM performs product, project, system, and vendor security evaluations and technical reviews. Vendor organizations are reviewed for valid contracts, non-disclosure and/or business associate agreements. We also review the company for any reported breaches, Office of Inspector General actions, and other reported incidents or potential risks.

  • Security Audit and Control

Security audits include the formal inspection and verification to check whether a standard or set of guidelines is being followed, records are accurate, or efficiency and effectiveness targets are being met. The auditing of complex information systems may involve the Internet, intranet, extranet, electronic data interchange, client servers, local and wide area networks, data communications, telecommunications, wireless technology, and integrated voice/data/video systems. It is important to establish, implement, and monitor proper controls to serve as the means of managing risk. Security controls can be of an administrative, physical, technical, management, or legal nature. TIM can assist your organization in establishing and maintaining a security audit and control program and can perform security audits of your internal information systems.

  • Incident Response - Security, Privacy, and Data Breach Incidents 

HIPAA requires that organizations identify and respond to suspected or known incidents involving violations of the HIPAA privacy and security rules. Special response is mandated for incidents involving the compromise/loss of PHI (i.e., data breach). TIM can assess your current incident response plans and procedures or help develop new response mechanisms.

  • Emergency / Disaster Preparedness 

Almost daily we hear of disastrous events, natural and man-made, that affect people’s lives and government and business operations. Healthcare organizations must have effective – and tested – plans to be able to respond to critical incidents and to recover from disaster situations. In addition to natural disasters, organizations must also be prepared for cyber-attacks against their own information networks or against the US critical infrastructure – which includes the electric grid and communications. TIM’s experienced staff can assist your organization with disaster preparedness and recovery planning, and emergency management/crisis response operations.

CONTINUAL MONITORING, REVIEW AND SUPPORT

TIM can support your organization with continual monitoring and review of your HIPAA compliance program. 

The HIPAA security rule requires that a covered entity and business associate/subcontractor assign an “official” who is responsible for the development and implementation of the policies and procedures required by HIPAA. This role may be filled by an internal or external resource. TIM can provide a part-time “Virtual” HIPAA Security and/or Privacy Officer to assist you with the governance of your HIPAA readiness program.

In the physician‑practice Compliance Program Guidance for Individual and Small Group Physician Practices (65 Fed. Reg. 59434, October 5, 2000), the HHS Office of Inspector General acknowledges that small practices often lack the resources for a full‑time compliance officer. Therefore, small practices may:

  • Assign compliance duties to an existing staff member or
  • Contract with an external party to perform some or all compliance‑officer functions

The key requirement is that the designated individual or third party must still have sufficient authority, access, and independence to carry out compliance responsibilities.

Contact TIM for further information.

Consulting and Project Management

TIM’s consulting and management background includes many years of experience in various business segments. This experience includes corporate management and project-based initiatives ranging from small projects to large-scale efforts. Some projects involved large teams and thousands of hardware and software endpoints at multiple locations. We can also assist with Artificial Intelligence (AI) general assessments.

Please contact TIM for further information on how we can assist your organization.

Notary Public

A notary public is an officer commissioned by the Michigan Secretary of State to serve as an unbiased and impartial witness on business, public and other documents. The most common function of the notary is to prevent fraud by attesting to the identity of a person signing a document. A notarization on a document certifies that the person whose signature is entered on the document personally appeared before the notary, established his or her identity, and personally signed the document in the presence of the notary.

Michigan's Law on Notarial Acts (MiLONA), P.A. 238 of 2003, as amended, is an act to provide for the qualification, appointment, and regulation of Notaries Public (Notaries) by the Secretary of State. As such, a Notary is a public servant. 

A commissioned Notary is authorized to perform three (3) types of notarizations.

1. Take acknowledgments

  • An acknowledgment confirms the identity of the signer who acknowledges that they have signed the record.

2. Administer oaths or affirmations (jurat)

  • Jurat notarizations are required for transactions where the signer must attest to the content of the document, such as all affidavits and pleadings in court. It is a certification on an affidavit declaring when, where and before whom it was sworn. However, jurat notarizations do not prove a document is true, legal, valid or enforceable.

3. Witness or attest to a signature

  • The act of witnessing or attesting a signature is like a jurat, except that it does not require the signer to take an oath or affirmation. It is used when establishing the signing date is of major importance.

Note: A Notary should not decide what type of notarial act a document requires. The client must know and tell the Notary or the document itself must clearly indicate what is needed. For example, if the jurat indicates that the document was "sworn to before me," then an oath must be administered.

In Michigan, notaries public are not allowed to provide legal advice.

Tim Schabeck has been approved by the State of Michigan to perform the following forms of notarizations:

1. Traditional/Pen and Paper Notarizations

Conducted without the aid of electronic or remote notarization software.

2. Electronic Notarizations (sometimes referred to as an eNotary)

An e-notarization is similar to a traditional/pen and paper notarization inasmuch as the signer appears before the notary, except in an electronic notarization the document being notarized is digital and the notary uses electronic signatures. An example of this is signing and initialing at the bank or doctor’s office using a stylus and pad.

3. Remote Notarizations (sometimes referred to as a Remote Online Notary – RON)

A remote notarization is conducted through State approved audio and visual equipment; the signer is not in the physical presence of the notary public. The notarization itself is considered an e-notarization as the document being notarized is digital and the notary uses electronic signatures. The notary public must physically be in Michigan; however, the signee(s) may be geographically located in any state or country but must be visually in the presence of the notary public using audio and visual technologies.

Please contact TIM for further information.