The Payer Data Classification Gap That's Going to Show Up in Your NPRM Asset Inventory
Why the NPRM's classification mandate traces to OCR's enforcement pattern rather than any single named breach, and what payers should be inventorying now.
Severian Technology Group is the data security practice of Matthew Silcox, a Microsoft Most Valuable Professional in Purview Data Security and a United States Marine Corps veteran.
The work is architecting and implementing Microsoft Purview programs for organizations that already own E5 licensing and need their Purview tenant to do what their auditors, compliance frameworks, and Copilot deployment plans already assume it is doing.
The clients are regulated enterprises (healthcare, financial services, government, defense, and nonprofit) operating under frameworks that assume data security controls already exist.
If this describes your situation: matt@severiansecurity.com · Book a 30-minute scoping call
The license was treated as the deliverable, but it was only ever the starting material. Copilot didn't create a new risk; it made the existing one observable.
Severian Technology Group architects and implements data security programs on Microsoft Purview. The platform already exists inside your E5 tenant. The work is configuring it with the specificity it demands.
A comprehensive examination of sensitive data across Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams, and of the oversharing exposure that M365 Copilot will amplify if left unaddressed. For mailbox scanning specifically, Severian deploys proprietary tooling that produces results Microsoft's native compliance capabilities do not: actionable, exportable, on-demand inventories of sensitive information types across the full breadth of an Exchange environment, including historical mail at rest that Purview auto-labeling policies cannot retroactively reach.
Content Search and eDiscovery were designed for legal holds and targeted investigation, not for the kind of systematic, organization-wide data mapping that a serious DLP and Copilot-readiness architecture requires. The tool was built because the gap in the platform existed and no one had closed it.
Sensitivity labels designed not as a taxonomy exercise but as an operational framework. Each label maps directly to encryption behavior, access restrictions, and downstream DLP policy enforcement.
Information protection policies written to accommodate how people actually work, which is never quite how compliance frameworks imagine they do. DLP rules built with sufficient precision to avoid the characteristic failure modes of the discipline: policies so broadly scoped they produce debilitating alert volumes, and policies so narrowly defined they miss the regulated data they were designed to intercept.
Where Purview intersects with security infrastructure already deployed (Symantec DLP, Digital Guardian, Varonis, or other platforms), Severian builds integration through the Microsoft Information Protection SDK.
Classification decisions made within Purview propagate to third-party enforcement points. The sensitivity label follows the document across system boundaries. The security ecosystem becomes technically coherent rather than administratively stitched together.
Every engagement is fixed-scope and fixed-fee. No hourly billing. No scope ambiguity. The deliverable is something you can hand to an auditor, a board, or a remediation team.
Purview Data Risk Assessment - $15,000 · 3 weeks
A scored examination of what your Purview tenant is actually classifying, what it is missing, and where the gap between your attested compliance posture and your operational reality is widest. Includes proprietary Exchange Online at-rest mailbox scanning, sensitivity label taxonomy recommendation, and a prioritized remediation roadmap with 30/60/90-day milestones. Sometimes the assessment is the entire engagement. More often it becomes the basis for the architecture and implementation work that follows.
Copilot Readiness & Oversharing Assessment - $25,000 · 4 weeks
For organizations deploying or planning M365 Copilot. Copilot does not apply judgment to access; it operates within your users' existing permissions. This engagement quantifies the data exposure Copilot will amplify: SharePoint oversharing audit, persona-based risk modeling, DLP-for-Copilot policy templates, and a go/no-go recommendation with a Copilot-safe deployment architecture.
Enterprise Purview Readiness - $45,000–$75,000 · 6–8 weeks
Full-stack Purview design for regulated enterprises with complex requirements: Information Protection, DLP, Insider Risk Management, Data Lifecycle Management, and Compliance Manager. The deliverable is an implementation blueprint with configuration-level specifications, a phased deployment plan, and a total cost of ownership model for your Purview investment. Scoped based on seat count, workload count, and regulatory complexity.
Managed Purview Operations
For organizations that need ongoing Purview support after implementation: monthly DLP and policy tuning, oversharing monitoring via proprietary scanning, quarterly executive review, and ad-hoc advisory. Retainers start at $4,000/month.
Most Purview tenants are configured to catch what the documentation demonstrates. The regulated data that actually lives in your environment rarely looks like the examples.
Severian is the practice of Matthew Silcox, a Microsoft Most Valuable Professional in Purview Data Security. One of three U.S.-based MVPs whose recognized contribution area is Microsoft Purview. Matt holds SC-100 (Cybersecurity Architect Expert), SC-200 (Security Operations Analyst Associate), and SC-401 (Information Security Administrator Associate) certifications. Prior to technology, Matt served four years in the United States Marine Corps.
MVPs gain access to pre-release capabilities, roadmap briefings, and the architectural context that determines how these platforms will evolve before that evolution reaches public documentation.
The technical depth (implementation specifics, undocumented platform behaviors, the problems that emerge only at the boundary between what the documentation promises and what the software actually does) is published at severian.ghost.io for practitioners who do the work, not the people who approve the budget.
The HIPAA Security Rule NPRM is a Forensic Document
Reading the proposed Security Rule as forensic reconstruction: how 2024's largest breaches dictated 2026's compliance map.
The Copilot Problem Is a Data Hygiene Problem
Copilot did not create a new security risk. The exposure was already there; the deployment just made it observable.
More at severian.ghost.io
Purview Data Risk Assessment for a major U.S. cultural institution.
Pick the engagement type that fits. The conversation takes 30 minutes.