Heart Monitoring Device Manufacturer Discloses Cyberattack; Data Breach

iRhythm Holdings Inc., a publicly traded heart monitoring device manufacturer, has notified the U.S. Securities and Exchange Commission (SEC) about a cybersecurity incident that was first identified on June 8, 2026.

According to the SEC filing, iRhythm identified unauthorized access to certain business applications that are hosted on a third-party platform. The company activated its cybersecurity incident response plan and launched an investigation to determine the nature and scope of the unauthorized activity. On June 9, 2026, one day after the unauthorized access was identified, the company received communications from a threat actor who claimed to have exfiltrated sensitive data from its applications and demanded payment to prevent the data from being publicly released.

San Francisco, CA-based iRhythm makes cardiac monitoring devices that are used by approximately 8 million patients in the United States and Europe, and provides cloud-based data analytics for diagnosing and tracking patients with heart arrhythmias. The threat actor claimed to have exfiltrated proprietary data and patient data from iRhythm applications.

The internal investigation confirmed that the threat actor had exfiltrated sensitive data, including personal and protected health information. While the number of individuals affected by the incident has yet to be confirmed by iRhythm, the company said in the Form 8-K filing that this was a material incident due to the volume of data potentially stolen in the attack.

iRhythm has not identified any impact on its products, clinical, or medical device systems as a result of the incident. The incident has not had any impact on patient safety, manufacturing, its distribution operations, financial reporting systems, or the company’s ability to meet patient needs.

The threat actor gained access to certain third-party hosted business applications through social engineering. The company’s medical device systems and connections to customers were not affected, and the company does not retain any individual financial account information or payment card information. iRhythm is still investigating the data breach and has yet to announce the number of affected individuals or the types of data compromised in the incident.

The SEC filing does not state whether payment was made to the attacker or if the company is negotiating payment. While this was a material cybersecurity incident, the company does not believe it will have a material impact on its financial condition or results of operations, although the company warned that the attack could cause significant harm to the company’s brand, reputation, and patient trust in its devices. The company holds a cyber insurance policy, which may cover certain losses incurred as a result of the incident.

Several cyberattacks on medical device manufacturers have recently been reported: UFP Technologies in February 2026, which involved either the theft or destruction of company data; Stryker in March, which involved the exfiltration of around 50 terabytes of data; and Medtronic, which experienced a major data theft incident in March involving around 9 million patient records.

The post Heart Monitoring Device Manufacturer Discloses Cyberattack; Data Breach appeared first on The HIPAA Journal.

HIPAA Training for Medical Spas

Medical spas that qualify as HIPAA-Covered Entities must provide all members of their workforce with HIPAA training that covers the foundational requirements of the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule; the specific compliance challenges that arise from working in a medical spa environment; and the organization’s internal policies and procedures. The HIPAA training requirements are set out at 45 CFR §164.530(b) of the HIPAA Privacy Rule and 45 CFR §164.308(a)(5) of the HIPAA Security Rule. Both are mandatory standards, not implementation specifications, meaning they cannot be waived or substituted. Failure to provide documented HIPAA training is a standalone violation. For example, in 2023 St. Joseph’s Medical Center received an $80,000 penalty from OCR after an impermissible disclosure was attributed in part to a lack of HIPAA Privacy Rule training.

Every member of a medical spa workforce, which may include physicians, nurses, licensed estheticians performing medical treatments, laser technicians, receptionists, and billing staff with system access, must receive training appropriate to their role. The obligation applies to part-time employees, temporary staff, and volunteers who handle protected health information (PHI) in any format. Training must be documented, with records retained for a minimum of six years.

Foundational HIPAA Rules and Regulations Training

Before medical spa employees receive training on the compliance challenges specific to their working environment, they must first develop a working understanding of the HIPAA rules and regulations that govern all covered healthcare settings. This foundational layer of training establishes the framework within which all role-specific and facility-specific content is applied. Without it, medical spa staff lack the regulatory reference points needed to recognize a compliance problem when they encounter one in practice.

Foundational HIPAA training for employees must cover what PHI is and the categories of data that qualify as protected health information. It must cover the HIPAA Privacy Rule’s standards for permissible and impermissible uses and disclosures of PHI, the minimum necessary standard that requires staff to access and share only the PHI needed for a specific purpose, and the rights that the Privacy Rule grants to clients over their own health information, including the right to access records, request amendments, and receive an accounting of certain disclosures.

Foundational training must also address the HIPAA Security Rule’s requirements for protecting electronic PHI, including the obligation to use unique login credentials, the role of audit logs in monitoring system access, the requirement to report suspected security incidents to the Security Officer without delay, and the prohibition on using unapproved software or circumventing security settings on organizational systems. The HIPAA Breach Notification Rule must be covered to the extent that employees understand the difference between a HIPAA violation and a reportable data breach, when a breach determination must be escalated to the Privacy Officer, and what notification obligations follow.

Spa staff must also understand the consequences of non-compliance. Internal sanctions apply to violations of the organization’s policies and procedures even when the violated standard was not covered in prior training. External consequences range from referral to a licensing board for willful violations of patient confidentiality to criminal penalties under Section 1177 of the Social Security Act for violations committed for personal gain or malicious purposes. Foundational training that grounds staff in these regulatory realities produces a workforce better prepared to apply the specific guidance that follows for the medical spa context.

Targeted HIPAA Training for Medical Spas

General HIPAA training programs satisfy the foundational regulatory requirement but do not prepare medical spa staff for the compliance challenges that are specific to their working environment. A training program built around large hospital workflows, multi-department clinical teams, or enterprise-scale IT infrastructure does not reflect the operational reality of a small, single-location medical spa where one or two employees simultaneously manage clinical support, reception, billing, and client-facing responsibilities.

Most medical spas in the United States employ fewer than ten staff members. In smaller facilities, the Medical Director may hold both the Privacy Officer and Security Officer designations while also delivering clinical treatments. Compliance resources are more limited than in larger healthcare organizations, and workforce members must take more individual responsibility for applying HIPAA correctly in their day-to-day work. Targeted training acknowledges this context and prepares staff for the situations they will actually encounter.

The physical environment of a medical spa creates privacy risks that do not arise in the same way in larger clinical facilities. Reception areas where clients register, check in, discuss appointment details, and wait for treatment often occupy the same space where staff handle paper records, take telephone calls containing PHI, and access electronic systems. Verbal disclosures of client information in these settings must be limited to the minimum necessary. Staff must be trained to recognize the conditions under which an ordinary front-desk conversation becomes an impermissible disclosure, and to manage those risks without disrupting client service.

Multitasking in publicly accessible areas is among the most consistent sources of inadvertent HIPAA violations in small medical spa settings. When a staff member is simultaneously managing a client registration, answering a telephone query about another client’s treatment, and processing a billing transaction, the likelihood of overlooking a verification step, leaving a printed record visible on a counter surface, or failing to log out of an electronic system before an interruption increases substantially. Targeted training must address these multitasking scenarios with practical guidance rather than abstract regulatory principles.

Credential sharing is a common HIPAA Security Rule violation in small medical spa teams, typically arising not from malicious intent but from a desire to accelerate access to client records and support team collaboration. When login credentials are shared between staff members, or when one employee accesses a system left open by a colleague, the audit trail that the Security Rule requires is corrupted. A workforce member whose credentials are used by a colleague to make an impermissible disclosure may be sanctioned for a violation they did not personally commit. Training must address this scenario directly, establishing the obligation to log out of all systems when leaving a workstation and to report anomalies in electronic records attributed to their own credentials.

HIPAA Training for Medical Spa Employees

The HIPAA Journal has developed a dedicated course, HIPAA Training for Medical Spa Employees, that delivers both the foundational HIPAA rules and regulations content required of all covered entities and the targeted training modules addressing the specific compliance challenges of the medical spa environment described above. The course is built on more than ten years of The HIPAA Journal’s analysis of HIPAA violations and data breaches, translating that reporting into practical training that focuses on the decision points where violations actually occur rather than abstract regulatory text.

The course addresses the privacy risks specific to medical spas, where patient records include treatment histories, clinical photographs, and financial data that must all be handled in accordance with HIPAA requirements. It covers the compliance obligations applicable to medical spa workforces handling PHI in a setting that combines clinical and aesthetic services, including the particular challenges of publicly accessible treatment environments, small teams with limited compliance infrastructure, and community-facing practices where social pressure to disclose PHI can be persistent and indirect.

The curriculum is structured to deliver mandatory foundational content in Section One, through which learners earn an accredited HIPAA certificate on completion. Section Two provides additional modules covering emerging compliance topics including the use of generative AI tools and social media risks, which are of particular relevance to medical spas that maintain active client-facing digital channels. Lesson-by-lesson randomized knowledge checks confirm comprehension at each stage rather than permitting completion by guesswork, and the course is accessible on any web-enabled device with pause-and-resume functionality to accommodate staff working across shifts and treatment schedules.

For medical spas operating in Texas or California, optional state law overlay modules are available at no additional charge. Texas medical spas must consider requirements under the Texas Medical Records Privacy Act as amended by HB 300, which imposes additional obligations beyond the federal HIPAA baseline. California medical spas operate under the Confidentiality of Medical Information Act and other California state medical privacy provisions that interact with HIPAA in ways that affect workforce practice. These overlay modules ensure that staff in those states receive training that reflects the full compliance environment in which they work.

Training records are maintained within the course platform and are accessible to compliance managers through real-time administrative dashboards that show learner progress and completion status, supporting the documentation obligations that apply under both the HIPAA Privacy Rule and the HIPAA Security Rule. For medical spas operating without a dedicated compliance team, the combination of role-appropriate content, documented completion tracking, and accredited certification provides a defensible training record suitable for OCR compliance review.


HIPAA Compliance for Medical Spas

Medical spas that collect health histories, administer injectable treatments, perform laser procedures, or operate under the supervision of a licensed physician are HIPAA-Covered Entities and must comply in full with the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule. This compliance obligation applies regardless of whether the facility describes itself as a spa, a wellness center, or an aesthetic clinic. The presence of a licensed medical professional and the creation of protected health information (PHI) during clinical intake or treatment determines covered entity status, not the branding or ambiance of the business.

Many medical spa operators assume HIPAA applies only to hospitals, physician practices, or insurance companies. That assumption is incorrect and carries substantial regulatory risk. OCR enforcement actions have reached small practices and specialty providers, and civil monetary penalties under the HIPAA Privacy Rule apply equally to all covered entities regardless of size.

Medical Spas as HIPAA-Covered Entities

A medical spa becomes a HIPAA-Covered Entity when it employs or contracts with licensed healthcare providers who conduct clinical assessments, write prescriptions, or create treatment records in the course of delivering care. The touchpoint that triggers covered entity status is not the treatment itself but the creation, receipt, maintenance, or transmission of PHI in connection with that treatment.

PHI at a medical spa includes client intake forms that capture health history, medication lists, or allergy information; clinical notes documenting treatments such as neurotoxin injections or laser resurfacing; before-and-after photographs linked to a client’s identity and treatment record; prescription records for topical or injectable medications; and billing records that combine a client’s identity with a diagnosis or procedure code. Each of these data types falls within the definition of PHI under 45 CFR §160.103 and requires protection under applicable HIPAA rules.

Develop Internal HIPAA Policies and Procedures

The HIPAA Privacy Rule at 45 CFR §164.530(i) requires covered entities to implement policies and procedures that reasonably protect PHI and that govern day-to-day operational activities. For a medical spa, this obligation extends to every touchpoint where PHI is created, accessed, used, or disclosed.

Policies must address permissible and impermissible uses and disclosures of PHI. At minimum, a medical spa’s HIPAA policy framework should define how treatment records are accessed by clinical and non-clinical staff, who may discuss a client’s care and under what circumstances, how client identity is verified before PHI is disclosed in person or by telephone, and how the minimum necessary standard is applied when sharing information between staff members or with third parties.

The minimum necessary standard under 45 CFR §164.502(b) requires that workforce members access only the PHI needed to perform their specific job function. A front desk coordinator scheduling a follow-up appointment does not need access to a client’s full clinical notes. A laser technician reviewing contraindications does not need access to billing records. Policies must define these access boundaries in operational terms, not just regulatory language.

Medical spas frequently use before-and-after photographs in marketing materials. Using a client’s identifiable photograph for marketing purposes requires a valid HIPAA authorization that complies with 45 CFR §164.508. Authorization forms must contain all required core elements, must be written in plain language, and must be stored for a minimum of six years. Using a photograph without a compliant authorization constitutes an impermissible disclosure of PHI and a violation of the HIPAA Privacy Rule.

The Notice of Privacy Practices (NPP) required under 45 CFR §164.520 must be provided to each new client at the first point of service, posted in a visible location within the facility, and made available on the organization’s website if one exists. The NPP must be reviewed and updated whenever a material change affects an individual’s privacy rights or the organization’s permissible uses and disclosures.

Designate a HIPAA Privacy Officer and HIPAA Security Officer

The HIPAA Privacy Rule at 45 CFR §164.530(a) requires every covered entity to designate a HIPAA Privacy Officer responsible for developing and implementing the organization’s privacy policies and procedures. The HIPAA Security Rule at 45 CFR §164.308(a)(2) requires designation of a HIPAA Security Officer responsible for the policies and procedures governing the protection of electronic PHI (ePHI).

In a small or single-location medical spa, one individual may hold both roles. That individual must have sufficient authority and operational knowledge to fulfill both sets of obligations. Assigning these roles to a staff member without providing training, authority, or time to carry out compliance functions does not satisfy the regulatory requirement.

The Privacy Officer serves as the point of contact for client requests related to their HIPAA rights, including requests for access to records, amendments, restrictions on use, and accounting of disclosures. The Privacy Officer also receives and responds to internal reports of potential privacy violations and manages complaints filed with HHS. The Security Officer conducts or coordinates the organization’s security risk assessment, oversees technical and physical safeguards for ePHI, and leads workforce training on security practices.

Conduct a HIPAA Security Risk Assessment

The HIPAA Security Rule at 45 CFR §164.308(a)(1) requires covered entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. This security risk assessment is not optional and is one of the most consistently cited deficiencies in OCR compliance investigations.

For a medical spa, the risk assessment must account for every system that creates, stores, transmits, or receives ePHI. This includes electronic intake platforms, appointment booking software, practice management systems, cloud-based storage solutions, email platforms used to communicate client information, and any mobile devices used by clinical staff. The assessment must document identified risks, rate the likelihood and potential impact of each risk, and produce an actioned remediation plan.

The risk assessment must be repeated whenever there is a material change to the organization’s operations, technology, or physical environment. Moving to a new electronic health record system, adding a new treatment modality that generates new data, or opening an additional location each triggers a reassessment obligation. All risk analyses and remediation documentation must be retained for a minimum of six years.

HIPAA Training for Medical Spa Employees

Medical spa employees face HIPAA compliance challenges that differ from those in larger healthcare settings due to the physical environment, staffing structure, and community dynamics in which most medical spas operate. The majority of medical spas are single-location businesses with small workforces, where the same staff member may handle clinical support, front desk duties, billing, and marketing simultaneously. That combination of limited resources and multitasking in publicly accessible reception areas increases the risk of inadvertent PHI disclosures. Medical spas serving local communities add a further layer of risk, as workforce members may face direct or indirect pressure from community members to disclose information about a client’s condition or treatment. These factors make role-specific, facility-focused HIPAA training a regulatory necessity rather than a supplement to generic compliance education.

The HIPAA training requirements under 45 CFR §164.530(b) mandate that covered entities train all members of their workforce on the policies and procedures developed to comply with the HIPAA Privacy Rule and HIPAA Breach Notification Rule, as necessary and appropriate for each individual’s role. Training must be provided to new workforce members within a reasonable period of joining the organization and repeated when material changes to policies or procedures occur.

At a medical spa, the workforce subject to HIPAA training includes every individual whose work involves PHI in any form. This includes physicians, nurse practitioners, physician assistants, registered nurses, licensed estheticians performing medical treatments, laser technicians, front desk and scheduling staff, billing personnel, and any contracted workers who access client records. The obligation covers part-time employees, temporary staff, and volunteers who handle PHI.

HIPAA Security Rule training must address how to create and manage secure passwords for systems containing ePHI, the requirement not to share login credentials with other staff members, the use of automatic logoff features on shared workstations and devices, the correct handling and disposal of devices that store ePHI, how to recognize phishing emails targeting healthcare businesses, and the obligation to report a suspected security incident to the HIPAA Security Officer immediately rather than attempting to resolve it independently.

Every training session must be documented. Documentation must include the date of training, the content covered, the names of all participants, and the training format. Where state law requires it, workforce members must provide written attestation that they completed the training. For example, Texas state law requires HIPAA training to be completed within 90 days of hire. Medical spa operators must confirm whether their state imposes specific training timeframes beyond the federal baseline requirement.

Establish Channels for Reporting HIPAA Violations

HIPAA incident management depends on workforce members having a clear and accessible mechanism to report potential violations internally. The HIPAA Privacy Rule at 45 CFR §164.530(d) requires covered entities to have a process for individuals to make complaints about the organization’s privacy practices. Internally, covered entities must ensure that workforce members can report concerns without fear of retaliation.

Medical spas should designate the Privacy Officer as the recipient of internal violation reports and make that designation known to all workforce members during training. Anonymous reporting channels, while not required by HIPAA, increase the likelihood that workforce members will report incidents they might otherwise conceal. Any PHI contained in an anonymous report must be handled with the same safeguards applied to other PHI within the organization.

Two-way communication is a component of an effective compliance program. Workforce members on the clinical floor frequently encounter privacy challenges not anticipated in formal policy documents. A front desk coordinator who regularly encounters family members requesting information about a client’s treatment plan, or a nurse who is asked to document a procedure in a system for which she lacks proper access credentials, each represents a compliance problem that policy revision or targeted training can address. Without a mechanism to surface these ground-level challenges, the compliance program operates on assumptions rather than operational reality.

Monitor HIPAA Compliance at the Operational Level

Policies and training produce HIPAA compliance only when monitored at the level where PHI is actually handled. For a medical spa, this means supervisors and the Privacy Officer must observe how client intake is conducted, how PHI is discussed at the reception desk, how treatment rooms handle the visibility of records, and how electronic devices storing ePHI are managed between client appointments.

Minor compliance shortcuts, such as discussing a client’s treatment in the waiting area or leaving a workstation logged in while unattended, are the entry point for a culture of non-compliance. When these behaviors go unaddressed, they become normalized and replicated. The appropriate response to a minor violation identified at the floor level is corrective action and retraining, not punitive sanction. The objective is correction before a pattern develops.

Audit log reviews for electronic systems containing ePHI should be conducted on a scheduled basis by the Security Officer. These reviews confirm that access to client records is consistent with each workforce member’s assigned role and flag anomalous access events that may indicate a security incident. Many electronic health record and practice management platforms generate access logs automatically. Using those logs as a compliance monitoring tool requires a process for regular review and documentation of findings.
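The minimum necessary access boundaries described under the policies section (a front desk coordinator does not need clinical notes; a laser technician does not need billing records) and the scheduled audit log review described above can be combined into one repeatable check. The script below is an added illustration and is not from The HIPAA Journal or any EHR or practice management product. It assumes a hypothetical CSV-style access log with the columns shown, a hypothetical role-to-resource map, assumed business hours, and an assumed bulk-access threshold; the log lines are constructed for the example. It goes slightly beyond the text by also flagging after-hours access and one user touching an unusually large number of distinct client records, two further patterns a Security Officer would typically examine.

```python
"""Role-consistency review of constructed ePHI access-log lines (added example)."""
from collections import Counter, defaultdict
from datetime import datetime

# Assumed role-to-resource boundaries following the article's examples:
# the front desk schedules but does not read clinical notes, and a laser
# technician checks contraindications but does not see billing records.
PERMITTED = {
    "front_desk": {"schedule", "demographics"},
    "laser_tech": {"clinical_note", "schedule"},
    "nurse": {"clinical_note", "schedule", "demographics"},
    "billing": {"billing", "demographics"},
}
BUSINESS_HOURS = range(8, 20)   # assumed opening hours, 08:00 to 19:59
BULK_THRESHOLD = 5              # assumed: distinct client records per user per day

# Constructed sample log, not output of any real product.
# Columns: timestamp,user,role,resource,client_id,action
SAMPLE_LOG = """\
2026-06-08T09:02:11,ana,front_desk,schedule,C101,view
2026-06-08T09:05:40,ana,front_desk,clinical_note,C101,view
2026-06-08T10:15:02,ben,laser_tech,clinical_note,C102,view
2026-06-08T10:16:30,ben,laser_tech,billing,C102,view
2026-06-08T11:00:00,cara,nurse,clinical_note,C103,update
2026-06-08T22:41:09,cara,nurse,clinical_note,C104,view
2026-06-08T12:00:01,dan,billing,billing,C105,view
2026-06-08T12:00:02,dan,billing,billing,C106,view
2026-06-08T12:00:03,dan,billing,billing,C107,view
2026-06-08T12:00:04,dan,billing,billing,C108,view
2026-06-08T12:00:05,dan,billing,billing,C109,view
2026-06-08T12:00:06,dan,billing,billing,C110,view
"""


def parse_log(text):
    """Parse CSV-style lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 6:
            continue
        ts, user, role, resource, client_id, action = parts
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "role": role, "resource": resource,
            "client_id": client_id, "action": action,
        })
    return events


def review_access(events, permitted=PERMITTED, hours=BUSINESS_HOURS,
                  bulk_threshold=BULK_THRESHOLD):
    """Return (detail, reason) findings for the Security Officer to examine."""
    findings = []
    per_user_day = defaultdict(set)
    for ev in events:
        # Check 1: resource type outside the role's permitted set
        if ev["resource"] not in permitted.get(ev["role"], set()):
            findings.append((ev, "resource outside role boundary"))
        # Check 2: access outside assumed business hours
        if ev["ts"].hour not in hours:
            findings.append((ev, "access outside business hours"))
        per_user_day[(ev["user"], ev["ts"].date())].add(ev["client_id"])
    # Check 3: one user opening many distinct client records in a day
    for (user, day), clients in per_user_day.items():
        if len(clients) > bulk_threshold:
            detail = {"user": user, "day": day, "client_count": len(clients)}
            findings.append((detail, "bulk access to distinct client records"))
    return findings


def summarize(findings):
    """Count findings by reason, suitable for a documented review record."""
    return Counter(reason for _, reason in findings)


if __name__ == "__main__":
    for detail, reason in review_access(parse_log(SAMPLE_LOG)):
        print(f"{reason}: {detail}")
```

Run against the constructed log, the review flags the front desk user reading a clinical note, the laser technician opening a billing record, the nurse's late-evening access, and the billing user opening six distinct records in one day. Every finding is a lead for the Security Officer to examine and document, not a conclusion; the thresholds and role map are the parts a real facility would tune to its own risk assessment.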

Apply and Document a HIPAA Violations Sanctions Policy

The HIPAA Privacy Rule at 45 CFR §164.530(e) requires covered entities to apply appropriate sanctions against workforce members who fail to comply with the organization’s privacy policies and procedures. The HIPAA penalties framework applies to the covered entity, but internal sanctions govern the workforce member whose conduct created the compliance failure.

Sanctions must be proportionate to the nature and severity of the violation. A minor inadvertent disclosure by a new employee who has not yet received full training warrants a different response than a deliberate unauthorized access to a client’s records by a tenured staff member. The sanctions policy must define the range of responses available, including verbal warnings, written warnings, mandatory refresher training, suspension, and termination, and must be applied consistently across all roles and seniority levels.

The application of sanctions and the rationale for the sanction applied must be documented. Sanction records must be retained for a minimum of six years. Inconsistent application of the sanctions policy, or evidence that senior staff were treated differently from junior staff for equivalent violations, undermines the compliance program and creates legal exposure in enforcement proceedings.

Respond Promptly to HIPAA Violations and Breaches

The HIPAA Breach Notification Rule at 45 CFR §164.400 requires covered entities to notify affected individuals, HHS, and in some cases the media following the discovery of a breach of unsecured PHI. A breach is presumed notifiable unless the covered entity can demonstrate through a four-factor risk assessment that there is a low probability the PHI has been compromised.

For a medical spa, breach scenarios include unauthorized access to an electronic client database, a lost or stolen device containing unencrypted client records, an email sent to the wrong recipient containing PHI, and the impermissible posting of client photographs online. Each of these events triggers the obligation to conduct a breach risk assessment and, where notification is required, to notify affected individuals within 60 days of discovery.

Breaches affecting fewer than 500 individuals must be reported to HHS in an annual log submitted no later than 60 days after the close of the calendar year. Breaches affecting 500 or more individuals in a single state or jurisdiction require media notification in addition to individual and HHS notification, all within 60 days of discovery. All breach notifications, risk assessments, and remediation steps must be documented and retained.

Prompt internal response to a reported or discovered incident determines whether the organization can demonstrate a good-faith compliance posture in the event of an OCR investigation. Delayed responses, failure to investigate, and failure to notify on time are each independently sanctionable under the HIPAA Breach Notification Rule.

Use Business Associate Agreements

Medical spas routinely work with third-party vendors who access, store, or process client PHI on behalf of the covered entity. Each such vendor qualifies as a HIPAA Business Associate and requires a signed Business Associate Agreement (BAA) before any PHI is disclosed to them. Operating without a BAA in place constitutes a violation of the HIPAA Privacy Rule regardless of whether a breach has occurred.

Business associate relationships at a medical spa commonly include electronic health record and practice management software vendors, appointment booking and client management platforms, cloud storage services used to retain intake forms or photographs, billing and revenue cycle management companies, email marketing platforms that receive client contact information combined with service history, and IT support providers with remote access to systems containing ePHI.

A BAA must specify the permitted uses and disclosures of PHI by the business associate, require the business associate to implement appropriate safeguards, obligate the business associate to report breaches and security incidents to the covered entity, and include terms governing the return or destruction of PHI at the end of the relationship. Covered entities are responsible for monitoring whether their business associates operate in compliance with the terms of the agreement. If a covered entity knew or should have known of a pattern of non-compliance by a business associate and failed to act, the covered entity may share liability for the resulting HIPAA violation.

Maintain Full HIPAA Program Documentation

HIPAA compliance is an ongoing operational obligation, not a project with a completion date. The HIPAA audit checklist used by OCR during compliance investigations covers policies and procedures, training records, risk assessment documentation, sanctions records, breach notification files, and BAA records. Each of these document categories must be retained for a minimum of six years from the date of creation or the date it was last in effect, whichever is later.

Medical spas that cannot produce documentation during an OCR investigation face the same compliance exposure as organizations that never implemented the required safeguards. Documentation functions as evidence that the organization’s compliance program exists, was communicated to the workforce, and was enforced. The absence of records is not treated as proof that nothing went wrong. It is treated as evidence that the organization cannot demonstrate compliance.

An annual compliance review cycle provides a structured mechanism for updating policies to reflect regulatory changes, confirming that all workforce members have completed required training, reviewing audit logs and any incidents from the prior year, reassessing vendor relationships and BAA status, and confirming that the security risk assessment remains current. Medical spa operators who build compliance review into their operational calendar reduce the likelihood that a regulatory change or a staff turnover event will create an undetected gap in their compliance posture.

Medical spas operating across multiple locations must replicate the compliance program at each site. A policy maintained at a headquarters location does not automatically govern operations at a second or third location. Workforce training, designated compliance roles, and monitoring protocols must be implemented and documented at each facility where PHI is created, used, or maintained.

The most common HIPAA violations in the medical spa sector are not materially different from those found in other small healthcare practices: impermissible disclosures, failure to execute BAAs, failure to train staff, failure to respond to patient access requests, and absence of a documented security risk assessment. Each of these failures is preventable through a structured compliance program built around the seven fundamental elements of effective compliance and adapted to the specific operational environment of a medical spa.

The post HIPAA Compliance for Medical Spas appeared first on The HIPAA Journal.

Compliancy Group Acquires Healthicity

Compliancy Group has acquired Healthicity in a deal that combines two healthcare compliance software companies and expands Compliancy Group’s platform to include healthcare compliance, workforce compliance, risk assessment, third-party risk management, incident management, provider auditing, coding auditing, and documentation auditing.

The acquisition was announced on June 17, 2026. Financial terms of the transaction were not disclosed. Compliancy Group said the combined organization will serve more than 3,000 healthcare organizations across the United States and selected global markets.

Healthicity provides healthcare compliance and medical auditing software and advisory services. Its products include Compliance Manager, Audit Manager+, and Compliance Advisory Services, which are used by health systems, hospitals, physician groups, and other healthcare organizations to manage compliance programs and auditing activities.

Compliancy Group said the acquisition will allow healthcare organizations to manage more elements of their compliance programs through a single platform ecosystem. The expanded offering will combine Healthicity’s provider, coding, and documentation auditing capabilities with Compliancy Group’s existing compliance management tools, including workforce compliance, risk assessment, third-party risk, and incident management.

Darin Johnson, Chief Executive Officer of Healthicity, said Compliancy Group was selected as the right strategic partner for Healthicity’s software and customers because of its service reputation, regulatory expertise, and product innovation. Johnson said the two companies share a customer-focused approach and are positioned to deliver greater value together than either company could independently.

Crispin Vary, Chief Executive Officer of Compliancy Group, said the transaction will allow healthcare organizations to run broader compliance programs from a single partner. “For the first time, a healthcare organization can run its entire compliance program, from workforce training and risk assessment to vendor oversight, incident management, and now provider, coding, and documentation auditing, from a single trusted partner with one conformance score,” said Vary. Compliancy Group provides healthcare compliance software and advisory support for organizations that need to build, manage, and maintain compliance programs. Healthicity provides software and expert guidance for healthcare compliance management and medical auditing.

The acquisition brings the two businesses together at a time when healthcare organizations face increasing pressure to document the effectiveness of their compliance programs and demonstrate that required risk management, auditing, training, vendor oversight, and incident response activities are being performed.

The post Compliancy Group Acquires Healthicity appeared first on The HIPAA Journal.