Turning an OCR HIPAA Violation Into a Clean Audit
How NorthStar helped a 150-bed hospital pass a federal HIPAA audit after a data breach triggered an OCR investigation.
The Client
A 150-bed acute care and critical access hospital that had experienced a data breach, triggering a formal investigation by the HHS Office for Civil Rights (OCR). The hospital needed to demonstrate full HIPAA Security Rule compliance under direct federal scrutiny.
The Challenge
- Active OCR investigation following a reported data breach
- Existing security documentation was incomplete and did not meet OCR expectations
- No comprehensive risk assessment had been conducted prior to the breach
- Hospital leadership needed to respond to federal investigators while maintaining daily operations
- Tight timeline to produce a complete book of evidence demonstrating compliance remediation
What NorthStar Did
- Conducted a full HIPAA Security Risk Assessment covering all systems with access to ePHI
- Developed the System Security Plan (SSP) documenting the hospital's complete security posture
- Built the entire book of evidence required for OCR review: policies, procedures, training records, technical control documentation
- Attended all OCR calls alongside hospital leadership, presenting technical findings and remediation evidence
- Identified and closed the specific security gaps that contributed to the original breach
- Implemented ongoing monitoring and documentation processes to prevent future compliance drift
Results
- OCR Audit Outcome: Passed
- Risk Assessment: Complete
- Evidence Items: 100+
- Ongoing Monitoring: Active
The Full Story
When a data breach triggers an OCR investigation, the stakes are as high as they get in healthcare compliance. OCR does not investigate casually. Its investigators request documentation, interview staff, and test whether the organization's security program was operational before the breach, not just on paper.
This 150-bed acute care and critical access hospital found itself in exactly that position. A breach had been reported, OCR had opened an investigation, and the hospital needed to demonstrate that it had taken HIPAA Security Rule compliance seriously and was actively remediating the gaps that led to the incident.
NorthStar was brought in to lead the compliance response. The first step was a comprehensive HIPAA Security Risk Assessment, the foundational document OCR looks for in every investigation. Without a current, thorough risk assessment, no other compliance documentation matters. We assessed every system touching ePHI, identified vulnerabilities, and documented both the current state and the remediation plan.
From there, we built the System Security Plan (SSP), the master document that maps the hospital's security controls to HIPAA Security Rule requirements. We then assembled the full book of evidence: written policies, technical control configurations, access logs, training records, incident response documentation, and vendor management records. Every item was organized and cross-referenced so OCR investigators could trace any requirement to its supporting evidence.
Throughout the investigation, NorthStar attended every call with OCR alongside hospital leadership. We presented the technical findings, explained the remediation steps taken, and answered investigator questions with specificity and documentation. This is not something most IT providers do. It requires deep familiarity with both the technical controls and the regulatory language OCR uses.
The hospital passed the audit. More importantly, the security program we built during the investigation became the hospital's ongoing compliance foundation, with continuous monitoring, regular risk assessment updates, and documentation discipline that keeps them audit-ready at all times.
About the author

Ken Satkunam, CISM
President & Founder, NorthStar Technology Group
Ken has spent over 25 years in IT leadership, serving in roles from technical support to CIO for organizations as large as 23,000 employees. He founded NorthStar Technology Group in 2000 to help regulated organizations build secure, compliant, and operationally resilient technology environments. Ken holds the Certified Information Security Manager (CISM) credential from ISACA and is the co-author of the Amazon best-seller "Cyber Attack Prevention." He has been quoted in industry publications including eWeek and DM News, and NorthStar has been recognized on the Inc. 5000 list in both 2024 and 2025.
Facing a Similar Challenge?
Every engagement starts with understanding where you are and building a clear path forward.