
HIPAA/FERPA Compliance Statement

Overview

Public Consulting Group LLC (PCG) is committed to safeguarding the privacy and confidentiality of customer and company information. Our policies and standards are designed to ensure compliance with the Health Insurance Portability and Accountability Act (HIPAA), the Family Educational Rights and Privacy Act (FERPA), and other applicable privacy-related laws and regulations.

All security and privacy policies are reviewed and updated on an annual basis or as major changes occur to the business. These policies reflect international and federal laws, executive orders, directives, regulations, standards, and guidance. All staff are required to read and attest to ongoing compliance with these policies upon hire and annually. Non-compliance can result in disciplinary action, up to and including termination.

HIPAA Compliance

PCG adheres to the regulations set forth by HIPAA to protect the privacy and security of Protected Health Information (PHI). Our policies include measures for access control, audit and accountability, incident response, training, and data protection. PCG has implemented a multitude of protective controls to comply with, and often exceed, requirements set forth in HIPAA, including but not limited to:

  • Business Associate Agreements (BAA): PCG enters into BAAs with third parties whose PHI it handles and with third parties that handle PHI on PCG’s behalf. This ensures that HIPAA compliance is a priority not only within our organization, but also with our partners.
  • Workforce Training: PCG firmly believes in the importance of security, privacy, and risk-related training, as it has been proven that the biggest vulnerability for any company is the human workforce. We require HIPAA (and other security/privacy-focused) training for all employees and staff upon hire and at least annually thereafter.
  • Continuous Compliance: We are committed to maintaining a rigorous process of internal and external audits so that we can continue to meet our goals and obligations in protecting PHI and all sensitive data. This allows us to evolve and adapt to address an ever-changing regulatory environment and threat landscape.

FERPA Compliance

PCG also complies with FERPA regulations to protect the privacy of student education records. Our policies ensure that access to these records is restricted to authorized personnel only and that any sharing of information is done in accordance with FERPA guidelines. To ensure compliance and protection of student data, PCG has implemented a variety of controls, including but not limited to:

  • Access Control: PCG understands that one of the most critical aspects of FERPA is controlling access to student data and other personal information. We have implemented robust controls that enforce least-privilege and role-based access models.
  • Data Classification: PCG maintains a thorough data classification policy and program that improves understanding of different types of data so that employees and systems handle and protect all sensitive data appropriately.
  • Incident Response: PCG has a robust incident response plan to investigate potential events, which includes a 24/7 Security Operations Center. Defined procedures not only outline how we respond to, investigate, and resolve events and incidents, but also set specific notification requirements in the case of suspected or confirmed data breaches.

Policies and Standards

Although PCG’s policies and standards are classified as ‘Sensitive’ and cannot be shared with external parties without a Non-Disclosure Agreement (NDA) in place, the list below includes all effective PCG security and privacy policies and standards to illustrate the extent to which PCG prioritizes protecting our clients’ data. The document numbers align with the control families of National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 5.

Access Control

  • Access Control Policy AC01
  • Account Management Policy AC02
  • Remote Access Policy AC17
  • Wireless Access Policy AC18
  • Access Control for Mobile Devices Policy AC19
  • Access Control Standard AC01
  • Account Management Standard AC02
  • Remote Access Standard AC17
  • Wireless Access Standard AC18
  • Mobile Device Management Standard AC19

Audit and Accountability

  • Audit and Accountability Policy AU01
  • Documentation Standard AU03

Awareness and Training

  • Security and Privacy Awareness Training Policy AT01
  • Security and Privacy Awareness Training Standard AT01

Configuration Management

  • Configuration Management Policy CM01
  • Change Management Policy CM03
  • Asset Management Policy CM08
  • Configuration Management Standard CM01
  • Change Management Standard CM03
  • Hardened Systems Standard CM06
  • Asset Management Standard CM08

Contingency Planning

  • Business Continuity Policy CP01
  • Disaster Recovery Policy CP02
  • Backup and Recovery Policy CP09
  • Business Continuity Standard CP01
  • Data Backup Standard CP09

Identification and Authentication

  • Identification and Authentication Policy IA01
  • Authentication Standard IA01

Incident Response

  • Incident Management Policy IR01
  • Incident Management Standard IR01
  • Data Breach Notification IR08

Maintenance

  • System Maintenance Policy MA01

Media Protection

  • Media Protection Policy MP01
  • Media Sanitization and Disposal Standard MP06

Personnel Security

  • Personnel Security Policy PS01
  • Security and Confidentiality Policy PS06
  • Acceptable Use Policy PS09
  • Personnel Management Standard PS01
  • Acceptable Use Standard PS06

Physical and Environmental Protection

  • Physical and Environmental Protection Policy PE01
  • Physical Access Policy PE03
  • Physical Security Standard PE01

Planning

  • Security and Privacy Planning Policy PL01

PII Processing and Transparency

  • Privacy Policy CP001
  • PII Processing and Transparency Standard PT01
  • Privacy Standard CS001

Program Management

  • Program Management Policy PM01
  • Enterprise Architecture Policy PM07
  • Program Management Standard PM01
  • Segmentation Standard PM07

Risk Assessment

  • Risk Management Policy RA00
  • Data Classification Policy RA02
  • Vulnerability Management Policy RA05
  • Data Classification Standard RA02
  • Risk Assessment and Management Standard RA02
  • Vulnerability Management Standard RA05

Security Assessment and Authorization

  • Continuous Monitoring Policy CA07
  • Infrastructure Logging Standard CA07

System and Communications Protection

  • System and Communication Protection Policy SC01
  • Encryption Policy SC08
  • Internet Security and Communication Standard SC07
  • Encryption Standard SC08
  • Key Management Standard SC17

System and Information Integrity

  • Capacity Management Policy SI00
  • System and Information Integrity Policy SI01
  • Patch Management Policy SI02
  • Malicious Code Policy SI03
  • System Monitoring Policy SI01
  • Patch Management Standard SI02
  • Malicious Code Standard SI03
  • Data Loss Prevention Standard SI04
  • Intrusion Detection Standard SI04
  • Data De-Identification Standard SI19

System and Services Acquisition

  • System and Services Acquisition Policy SA01
  • Application Security Policy SA08
  • Vendor Management Standard SA01
  • Application Security Standard SA08