Gary Isaac

AI Governance, HITRUST, and ONC Support

14 years in healthcare technology compliance and AI governance

Three converging tracks. One practice.

Healthcare technology compliance used to mean three separate consultants for three separate problems. ONC certification, HITRUST advisory, and AI governance lived in different binders, run by different specialists, billed under different statements of work.

That world is changing. A single product can now trigger all three at once, and the work has grown beyond what a single specialty consultant can usually cover.

If you’re a VP of Product, Director of Engineering, or compliance lead at a digital health company, you probably didn’t expect to spend a meaningful slice of your week translating regulatory acronyms.

I work the intersection.

Fourteen years inside the certification and assurance world. ONC test events at Drummond Group, the leading ONC-Authorized Test Lab and Certification Body in Health IT, where I helped launch the HITRUST service line and led growth strategy for new programs including pediatrics and FHIR client applications. HITRUST validated assessments at the practitioner level (CCSFP, CISA). AI governance work contributing to the Coalition for Health AI Responsible AI Guide (Privacy and Cybersecurity Profile).

For the past year, also working on the developer side of an interoperability software platform, which keeps the regulatory work tied to what FHIR and API implementation actually look like in shipping code.

The aim is to keep you from having to coordinate across separate vendors when something falls between tracks.

How an engagement works

Scope. A short conversation to find where you are and what is blocking you. If you already know the piece you need run, we go straight to it. If you need the full picture first, we map your active ONC, HITRUST, and AI governance obligations and choose from there.

Execute. I take the work and run it: a test event, a validated assessment, a policy build, a certification through to ACB submission. Not a recommendation deck. The deliverable is the thing done.

Sustain. For ongoing obligations, a quarterly cadence keeps you ahead of the regulatory calendar instead of reacting to it.

Get in touch.

Where to go from here

If any of these is on your roadmap, the section pages go deeper.