Quick answer
A $39-a-month HIPAA software subscription gives you policy templates, training modules, BAA templates, and a self-assessment questionnaire with a green-checkmark dashboard. What it does not give you is the documented, organization-wide Risk Analysis OCR requires under 45 CFR 164.308(a)(1)(ii)(A), which has to be “accurate and thorough” across all of your ePHI. Even the free government SRA Tool says in its own disclaimer that using it does not guarantee compliance. Inadequate risk analysis is the single most-cited issue in OCR enforcement, appearing in roughly 90% of Security Rule actions. The software is a useful filing cabinet. It is not the analysis.
If you run a small practice in Texas or anywhere else, you have probably seen the ads: HIPAA compliance, handled, for about $39 a month. It is a tempting price. The problem is not that the software is bad. The problem is what the subscription quietly implies: that paying for it makes you compliant. It does not, and the gap between what these tools do and what OCR actually requires is exactly where small practices get caught.
What you get for $39 a month
Most HIPAA compliance platforms in this price range give you a genuinely useful bundle:
A library of policy and procedure templates you can brand and adopt. Workforce training modules with completion tracking, which is a real HIPAA requirement. Business Associate Agreement templates you can send to vendors. A self-assessment questionnaire that walks you through a list of security questions. And a dashboard that turns your answers into a tidy compliance score and a stack of stored documents.
None of that is worthless. Training records, written policies, and executed BAAs are all things OCR will ask for. If the software helps you actually keep them current, it is doing a job. The trouble starts when the dashboard turns green and the practice owner concludes the work is done.
What you don’t get: a real Risk Analysis
The foundation of the entire HIPAA Security Rule is the Risk Analysis, and it is the one thing a $39 subscription cannot do for you. OCR’s Guidance on Risk Analysis is specific. A compliant analysis must be “accurate and thorough,” and it has to:
Identify everywhere your ePHI is created, received, maintained, or transmitted, not just your EHR. Identify and document the threats and vulnerabilities to that data. Assess the potential impact and likelihood of each. And it must be organization-wide, covering all of your ePHI regardless of the system, medium, or location it lives in.
That is an exercise in judgment about your specific practice. A questionnaire cannot see that your backups sit on the same server a ransomware attack would encrypt, that a former employee still has portal access, or that your new texting app quietly stores patient names. Software gives you a generic checklist. OCR wants a documented analysis of your actual risks. As OCR spelled out in an April 2018 cybersecurity newsletter, a gap analysis (do you have control X, yes or no) is not the same thing as a Risk Analysis, and a gap analysis alone does not satisfy the rule.
Doesn’t the software’s risk assessment count as my Risk Analysis?
This is the assumption that costs practices the most, so it is worth being blunt. The questionnaire inside the software is a starting point, not the finished analysis.
Here is the cleanest proof. The government offers its own free Security Risk Assessment (SRA) Tool, built by ONC together with OCR, aimed squarely at small and medium providers. It is more thorough than most paid questionnaires, and it costs nothing. Yet its own disclaimer states plainly that “use of this tool is neither required by nor guarantees compliance with the HIPAA Security Rule requirements,” and that it “is not intended to be an exhaustive or definitive source on safeguarding health information.”
Read that again. The free tool that the regulators themselves built will not certify you as compliant. So a $39 monthly version of the same idea cannot either. In 2025 enforcement, OCR repeatedly found risk analyses that “missed key assets, cloud workloads, and data flows,” which is exactly what happens when a practice fills out a questionnaire and calls it done.
What does OCR do when your Risk Analysis is thin?
It enforces, and aggressively. Inadequate risk analysis is cited in roughly 90% of OCR HIPAA Security Rule enforcement actions. In OCR’s own 2016 to 2017 audits, 86% of covered entities failed the risk-analysis requirement, so this is not a rare stumble. It is the norm.
In October 2024, OCR launched a Risk Analysis Initiative, a targeted campaign against organizations that cannot produce an adequate one, and it has continued since. The pattern in these cases is consistent: a ransomware attack or breach triggers an investigation, the investigation finds no thorough risk analysis, and the practice settles, almost always with a two-to-three-year corrective action plan that requires submitting an updated analysis to OCR. In April 2026 alone, OCR settled four ransomware cases covering 427,000 patients for $1.165 million. In 2025, a behavioral health provider, Deer Oaks, settled for $225,000 over the same gap.
Civil penalties in 2026 run from $145 to $2,190,294 per violation under Federal Register 2026-01688. And here is what no subscription will do when that letter arrives: the software will not talk to OCR for you, it will not defend the adequacy of your analysis, and it will not produce the judgment that was never done in the first place.
So is the $39 software a waste of money?
No, and that is the honest part. Used correctly, these platforms are a good system of record. After you have a real Risk Analysis, the software is a sensible place to store your policies, run annual training, track remediation tasks, and keep your BAAs organized. That ongoing upkeep is genuine value, and doing it well is better than a binder that never gets opened.
The mistake is the order of operations. The subscription is the filing cabinet. The Risk Analysis is the thing that goes in it. Buying the cabinet first and assuming it filled itself is what leaves practices exposed.
What to do next
Start with the analysis, not the app. Get a documented, organization-wide HIPAA Risk Analysis that actually looks at where your patient data lives and what could go wrong, then use whatever software you like to maintain it year over year. That documented analysis is the exact thing OCR asks for first, and it is the work behind our HIPAA Risk Analysis service. If you want the fuller picture of where these tools stop short, we broke it down in what your HIPAA software cannot do.
Not sure where your practice stands? The fastest way to find out is the $750 Privacy Exposure Review: 48 hours, your top three risks, no big commitment.
A green dashboard feels like safety. OCR does not grade the dashboard. It grades the analysis underneath it.
Last Updated: June 17, 2026