AG Grace, Inc

Compliance, Governance & Risk Management

AG Grace’s Compliance, Governance and Risk Management (CGR) services help clients confront the comprehensive issues of corporate governance, enterprise risk management, and effective corporate compliance. We offer specialized assistance in key areas such as privacy, security, health, information technology, human capital, anti-fraud & dispute consulting, and financial services.


We help our customers with:

  • Self-Audits – RMF, HIPAA and CMMC require entities and business associates to conduct annual audits of their organization to assess Administrative, Technical, and Physical gaps in compliance with HIPAA Privacy and Security standards. Under HIPAA, a Security Risk Assessment is NOT ENOUGH to be compliant; it’s only one essential audit that HIPAA-beholden entities are required to perform in order to maintain their compliance year-over-year.
  • Remediation Plans – Once covered entities and business associates have identified their gaps in compliance through these self-audits, they must implement remediation plans to reverse compliance violations. These remediation plans must be fully documented and include calendar dates by which gaps will be remedied.
  • Policies, Procedures, Employee Training – Covered entities and business associates must develop Policies and Procedures corresponding to HIPAA, RMF & CMMC regulatory standards as outlined by the HIPAA Rules. These policies and procedures must be regularly updated to account for changes to the organization. Annual staff training on these Policies and Procedures is required, along with documented employee attestation stating that staff has read and understood each of the organization’s policies and procedures.
  • Documentation – Organizations must document ALL efforts they take to become compliant. This documentation is critical during an assessment or audit.
  • Business Associate Management – Covered entities and business associates alike must document all vendors with whom they share PHI in any way, and execute Business Associate Agreements to ensure PHI is handled securely and mitigate liability. BAAs must be reviewed annually to account for changes to the nature of organizational relationships with vendors. BAAs must be executed before ANY PHI can be shared.
  • Incident Management – If an organization has a data breach, they must have a process to document the breach and notify the appropriate authorities.