Organizations bearing the Sword & Shield HIPAA Compliance Program (HCP) Trustmark have been independently tested by the Sword & Shield Risk and Compliance consulting team. At the time the Compliance Shield is issued, Sword & Shield attests that the organization meets or exceeds all Privacy and Security rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the subsequent directives of the HITECH Act.

HIPAA Certification Criteria

The HIPAA Compliance Program (HCP) assures an organization’s customers that the organization has implemented the necessary security measures to safeguard Electronic Protected Health Information (ePHI).

  • Risk Assessment & Gap Analysis completed in the past 12 months
  • Working on deficiencies noted in Roadmap to Security & Compliance
  • No HIGH findings
  • No MODERATE findings

HIPAA Compliance Program Process

The HIPAA Compliance Program consists of three phases:

1) Risk/Gap

We conduct your Risk Assessment and Gap Analysis.

2) Evaluation

Your current HCP level is determined.

3) Partnership

We assist you with your remediation projects.


Sword & Shield performs a Risk Assessment and a Gap Analysis. Your CE or BA will receive a Risk Assessment Report and Gap Analysis Report, along with a Roadmap to Security and Compliance. The reports will document the results of the analysis and identify the critical findings that will determine the appropriate compliance status.


We determine your current HCP level. After this phase, you will be allowed to display the Assessed, the Validated, or the Compliant Trustmark based on the state of your security and privacy environment.

The Roadmap to Security and Compliance describes remediation activities necessary to achieve and maintain an HCP level. Sword & Shield assists in prioritizing and working with you on your remediation projects.

We will conduct follow-up assessment activities to validate your progress toward remediation of risks and gaps. These will occur at 3, 6, and 9 months after your initial assessment. Each follow-up assessment may result in one of the following results:

  • The HCP level does not change, or
  • The HCP level is upgraded to a higher status, or
  • The HCP level is downgraded to a lower status, or
  • The HCP level does not change, but a warning is issued that the current HCP level will be downgraded unless certain actions are completed within the following three months.

Documentation Package

The documentation package for the Assessed, the Validated, or the Compliant status includes:

  • Serialized Trustmark logo
  • Permission for use of the appropriate Trustmark
  • Serialized certificate suitable for framing
  • Congratulatory letter that explains the certification and requirements for framing
  • Template attestation language that can be included in a Business Associate Agreement
  • Letter that can be sent to BAs and CEs that defines the certification

We base our risk analysis methodology on the National Institute of Standards and Technology (NIST) Special Publication 800-30, Revision 1, Guide for Conducting Risk Assessments. We customize the guidance outlined in the Special Publication to focus on each organization individually and conduct a thorough review of the organization’s environment using the Sword & Shield Compliance Shield methodology and the extensive knowledge of our senior healthcare consultants.

Compliance Shield combines online tools and our expert healthcare security consultants to:

  1. Compare current policies, procedures, and technologies against the HIPAA Security, Privacy and Breach Notification Rules,
  2. Identify what assets within the organization need protection,
  3. Conduct in-depth interviews with key personnel,
  4. Conduct manual tests on key systems to validate security controls,
  5. Determine asset vulnerabilities,
  6. Evaluate threats to the organization’s critical assets,
  7. Provide a list of “gaps” and action items that must be completed prior to a declaration of compliance,
  8. Estimate the likelihood of the threat causing harm, which determines the risk to the organization; and
  9. Revalidate identified deficiencies in preparation for a declaration of compliance.

Sword & Shield Enterprise Security, Inc. makes no statement, representation or warranty as to whether the systems or networks belonging to the bearer of the Sword & Shield Enterprise Security, Inc. Compliance Shield™ are secure from either an internal or external attack or whether protected information is at risk of being compromised. Please contact the company displaying the seal if you have questions about their products, services or customer support.

Fast Track Your HIPAA Certification

Request a free HIPAA Compliance Program consultation.