
FOR HEALTHCARE PRACTICES

The HIPAA gaps your practice management software does not cover.

Most small healthcare practices think their software handles HIPAA. It does not. Software covers data hygiene. It does not produce a written, OCR-defensible Risk Analysis. It does not vet your business associates. It does not document your security awareness training. North Privacy Advisors closes those gaps for dental, medical, mental health, and specialty practices.

CREDENTIAL

CIPP/US Certified

RANGE

$750 to $5,000/mo

SCOPE

Houston-based, nationwide

THE GAP

Software is necessary. It is not sufficient.

Practice management platforms and EHR systems handle access controls, audit logs, and encryption at rest. That is real value. But the HIPAA Security Rule has 18 implementation specifications across administrative, physical, and technical safeguards. Software touches a fraction of them.

The pieces that fall outside software are exactly the pieces OCR investigates first when a complaint or breach hits: the written Risk Analysis required by 45 CFR 164.308(a)(1)(ii)(A), the Business Associate Agreement chain, the documented training program, the contingency plan, the access management policies, and the breach notification protocol.

OCR's Risk Analysis Initiative resulted in 12 documented enforcement actions through February 2026. The single most cited deficiency in those settlements: failure to conduct or maintain a written Risk Analysis. Practice management software does not produce one.

The "small practice" assumption is wrong. HIPAA has no employee count threshold. A solo dental practice has the same legal obligations as a hospital system. OCR settlements regularly include practices with under 20 employees.


WHAT WE DO FOR HEALTHCARE PRACTICES

Six engagements. One mission: defensible compliance.

01
HIPAA Risk Analysis
Written, documented, OCR-defensible Risk Analysis required by 45 CFR 164.308(a)(1)(ii)(A). Includes Risk Management Plan, vendor inventory, and 30-60-90 day action plan. Three-week turnaround. Starting at $3,500.
02
Privacy Gap Analysis
Benchmark your current privacy posture against HIPAA, state privacy laws, and applicable federal rules. Written gap report with remediation roadmap and 60-minute readout session. Starting at $3,500.
03
Foundational Privacy Program Setup
End-to-end privacy program build for practices starting from scratch. Privacy policy, consumer rights workflow, BAA review, vendor DPAs, and training documentation. Three to four week turnaround. Starting at $6,000.
04
Fractional Chief Privacy Officer
Ongoing embedded privacy leadership without a full-time hire. Three-tier monthly retainers. Ideal for practices that need continuous guidance, vendor management, and compliance updates. Starting at $2,500/month.
05
Vendor and Third-Party Risk Review
Comprehensive vendor stack review with Data Processing Agreement audit. Your liability extends to every vendor handling PHI. We catalog vendors, score risk, and draft missing DPAs. Starting at $2,500.
06
$750 Privacy Exposure Review
Top 3 privacy risks identified in 48 hours. Flat fee. No retainer. No commitment. One-page memo with prioritized next steps. For practices that want a credible second opinion before committing to a full engagement. Flat fee $750.

WHY A CIPP/US ADVISOR vs SOFTWARE OR YOUR IT VENDOR

Compliance is a written record, not a checkbox.

Software vendors

Sell tools that produce checklists, audit logs, and policy templates. Helpful, but a tool cannot interpret your specific practice, sign a Business Associate Agreement on your behalf, conduct a Risk Analysis, or sit across from an OCR investigator and explain your decisions.

Your IT vendor or MSP

Implements technical safeguards: encryption, access controls, backup, network security. Critical work. But the HIPAA Privacy Rule, Security Rule administrative safeguards, vendor risk, training documentation, and breach response plan all sit outside their scope.

A CIPP/US privacy advisor

Specifically certified in US privacy law by the IAPP. Produces the written documentation OCR asks for. Reviews the BAAs your software vendor would never volunteer to audit. Trains your workforce. Owns the artifacts that prove compliance to a regulator.

Together

Software + IT + privacy advisor is the only configuration that survives an OCR investigation. We work alongside your existing software and IT vendor, not in place of them.


WHO WE SERVE

Healthcare practices under 100 employees.


Start with a $750 Privacy Exposure Review.

Top 3 privacy risks in 48 hours. Flat fee. No retainer. No commitment. The fastest way to know exactly where you stand.

Book Your Review

Or book a free 30-minute consultation to discuss your practice.