FOR HEALTHCARE PRACTICES
The HIPAA gaps your practice management software does not cover.
Most small healthcare practices think their software handles HIPAA. It does not. Software covers data hygiene. It does not produce a written, OCR-defensible Risk Analysis. It does not vet your business associates. It does not document your security awareness training. North Privacy Advisors closes those gaps for dental, medical, mental health, and specialty practices.
THE GAP
Software is necessary. It is not sufficient.
Practice management platforms and EHR systems handle access controls, audit logs, and encryption at rest. That is real value. But the HIPAA Security Rule has 18 implementation specifications across administrative, physical, and technical safeguards. Software touches a fraction of them.
The pieces that fall outside software are exactly the pieces OCR investigates first when a complaint or breach hits: the written Risk Analysis required by 45 CFR 164.308(a)(1)(ii)(A), the Business Associate Agreement chain, the documented training program, the contingency plan, the access management policies, and the breach notification protocol.
OCR's Risk Analysis Initiative resulted in 12 documented enforcement actions through February 2026. The single most cited deficiency in those settlements: failure to conduct or maintain a written Risk Analysis. Practice management software does not produce one.
The "small practice" assumption is wrong. HIPAA has no employee count threshold. A solo dental practice has the same legal obligations as a hospital system. OCR settlements regularly include practices with under 20 employees.
WHAT WE DO FOR HEALTHCARE PRACTICES
Six engagements. One mission: defensible compliance.
WHY A CIPP/US ADVISOR vs SOFTWARE OR YOUR IT VENDOR
Compliance is a written record, not a checkbox.
Software vendors
Sell tools that produce checklists, audit logs, and policy templates. Helpful, but they cannot interpret your specific practice, sign a Business Associate Agreement on your behalf, conduct a Risk Analysis, or sit across from an OCR investigator and explain your decisions.
Your IT vendor or MSP
Implements technical safeguards: encryption, access controls, backup, network security. Critical work. But the HIPAA Privacy Rule, Security Rule administrative safeguards, vendor risk, training documentation, and breach response plan all sit outside their scope.
A CIPP/US privacy advisor
Specifically certified in US privacy law by the IAPP. Produces the written documentation OCR asks for. Reviews the BAAs your software vendor would never volunteer to audit. Trains your workforce. Owns the artifacts that prove compliance to a regulator.
Together
Software + IT + privacy advisor is the only configuration that survives an OCR investigation. We work alongside your existing software and IT vendor, not in place of them.
WHO WE SERVE
Healthcare practices under 100 employees.
- Solo and small group dental practices (1 to 10 providers)
- Independent medical practices and specialty clinics
- Mental health practitioners and counseling groups
- Dermatology, ophthalmology, physical therapy, and other specialty practices
- Med spas and aesthetic practices that handle PHI
- Home health and ambulatory care providers under 100 employees
- Concierge and direct primary care practices
- Multi-location practice groups under common ownership or management
By Specialty
Specialty-specific HIPAA pages with the citations and risks that apply to your practice.
HIPAA for Dental Practices →
Imaging PHI, parental access, vendor stack, front-desk workflow.
HIPAA for Mental Health →
Psychotherapy notes, 42 CFR Part 2, telehealth, solo workflows.
HIPAA for Telehealth →
Platform BAA table, multi-state risk, Texas SB 1188 data localization.
HIPAA for Dermatology →
Tracking pixels, clinical photography, aesthetic vs medical scope.
Start with a $750 Privacy Exposure Review.
Top 3 privacy risks in 48 hours. Flat fee. No retainer. No commitment. The fastest way to know exactly where you stand.
Or book a free 30-minute consultation to discuss your practice.