Compliance Documentation: Underrated Until You Need It, Then Worth More Than Gold!



I could hear the fear in her voice.

One of our clients, subject to the HIPAA rules, called to say she had just received a letter saying that her company was being randomly audited by the Office for Civil Rights (OCR), the federal agency that enforces HIPAA, and she only had days to respond.

When we started with the client several months earlier, we had used Network Detective from RapidFire Tools to scan their network and discovered they weren’t compliant. However, they assured me that they had since corrected the issues.

We didn’t want to send the old reports, so we ran another set of scans to have proof they had addressed the issues.

But they hadn’t.

Our new scans showed that many of the same problems existed. It turned out that her IT guy did not know how to apply security controls across a network.

Time was running out. They finally fixed the problems, and we ran a third set of scans, which were clean. We gave them a fresh set of Network Detective reports to provide the OCR as evidence of compliance, just before the deadline.

A few months later, I received the following message from our client:

Great news! Attached is the letter we received from the OCR saying they are closing our case without further action.

Mike, thank you so much for your assistance with the response. I can’t tell you how much we appreciate your input that greatly influenced this outcome.


If your clients are in a regulated industry, they are always subject to audit. If they have an incident or someone files a complaint, they will be investigated. If they suffer a breach, they will almost certainly be sued.

Regulated businesses know they are required to have written policies and procedures. But policies, without evidence you are following them, are meaningless.

Most regulators are lawyers. They require written reports. Documentation will be demanded or subpoenaed. Sometimes, they want reports from a year ago or more. HIPAA requires that documentation be retained for six years.

Documentation takes time to produce. It needs to be reviewed to validate security and compliance, and to identify new risks. Sometimes documentation seems pointless because it just records a lot of information that may never be used. But it is critical because you can’t take chances in a regulated environment. Hoping you won’t be audited, investigated, or sued is not a business strategy that will result in good outcomes if your luck runs out, like it did for our client.

Adding Compliance-as-a-Service changed my MSP business and allowed me to charge more because we made compliance documentation an important deliverable.

You may need to educate your prospects and clients about the need for them to be ready to provide written reports showing they have implemented the necessary procedures to comply with their policies. We had to make it clear to our clients that our managed services were keeping them secure, but they needed to pay extra for the documentation they needed to have available if they were audited, investigated, or sued.

Then we added compliance to their bill and profit to our bottom line.


Compliance Manager helps you manage the entire compliance process from beginning to end and automates much of it. When you combine your IT knowledge with the workflow engine built into Compliance Manager, you have everything you need to begin offering a wide array of compliance services. Contact us to request a demo today.


About Mike Semel:

Mike Semel is a noted thought leader, speaker, blogger and best-selling author. He is the president of Semel Consulting, focused on compliance regulations, cybersecurity and business continuity planning. Mike has also developed Semel Systems, a series of cybersecurity and compliance training and go-to-market systems for MSPs. He is a Certified Business Continuity Professional, a Certified HIPAA Professional, a Certified Security Compliance Specialist and co-author of the Certified HIPAA Security Professional (CHSP) certification course. He has owned or managed VAR and MSP technology companies for over 30 years, served as Chief Information Officer (CIO) for a hospital and a K-12 school district, and managed operations at an online backup company.