
Service 07

HIPAA Risk Analysis.

The HIPAA Security Rule requires every covered practice to conduct and document a written Risk Analysis. OCR has fined small practices from $25,000 to $600,000 in 2025 specifically for missing or inadequate Risk Analyses. We deliver a real one that actually meets the standard.

Starting From: $3,500

Typical Timeline: 3 weeks

Engagement Type: Project-based

What You Receive

Six Deliverables. Three Weeks.

The HIPAA Security Rule requires a written Risk Analysis. OCR has documented Risk Analysis failures in 11+ enforcement actions in 2025, with fines from $25,000 to $600,000. This is a bounded project that produces a real Risk Analysis, not a checklist generated by software. You get a documented, dated, defensible deliverable that meets the standard OCR has been applying.

This is the right starting point for any covered practice that has not had a written Risk Analysis conducted in the last 12 months, or that bought compliance software and is not sure whether what it produced would actually survive an OCR review.

Engagement Summary

Starting from: $3,500
Timeline: 2 weeks
Format: Project-based
Output: Written report + readout

01. Practice Walkthrough

On-site or remote review of your clinical, administrative, and technical workflows. We talk to the people who actually handle PHI day to day, not just the practice owner. This is where most software-generated Risk Analyses fail. They cannot see how your front desk handles insurance cards or where the printed schedule sits during the day.

02. Written Risk Analysis Document

A dated, signed document that meets the requirements of HIPAA Security Rule §164.308(a)(1)(ii)(A). Identifies threats, vulnerabilities, current safeguards, and the likelihood and impact of each risk to ePHI. Structured the way OCR investigators have indicated they want to see it.

03. Risk Management Plan

For every risk identified above a Low rating, a documented decision: accept, mitigate, transfer, or avoid. Plus the specific safeguard, owner, and target completion date. This is what closes the loop OCR wants to see between identifying risk and actually doing something about it.

04. Vendor & BAA Inventory

A list of every vendor that touches PHI in your practice (PMS, IT provider, cloud backup, email, billing, scheduling, marketing, AI tools), with the BAA status of each. Identifies missing BAAs in priority order. The vendor inventory most practices think they have is incomplete.

05. Workforce Training Documentation Review

A review of your existing training records against HIPAA's required workforce training standard. Identifies gaps in content, attendance, retraining cadence, and sanctions policy. OCR enforcement actions consistently cite missing or undocumented training.

06. 60-Minute Readout Session

A live walkthrough of findings with you and any staff you want present. We review the Risk Analysis, the management plan, and what you should do in the next 30, 60, and 90 days. Recorded if you want it for training your team later.


How It Works

Four Steps. Two Weeks.

01. Practice Intake

A structured intake covering your practice type, locations, workforce, vendors, and existing HIPAA documentation. Plus a list of staff we will need brief interviews with. Takes about 45 minutes of your time.

Day 1–3

02. Walkthrough

On-site visit (or remote video walkthrough for distant practices). Brief interviews with clinical, billing, and front-office staff. Review of physical safeguards, workstation placement, paper handling, and how PHI actually moves through your day.

Day 4–8

03. Analysis & Documentation

The written Risk Analysis is produced, with each identified risk scored by likelihood and impact. The Risk Management Plan, vendor inventory, and training review are completed in parallel. Drafts are reviewed internally before delivery.

Day 9–15

04. Readout & Handoff

60-minute walkthrough of all findings. You receive the signed Risk Analysis document, the Risk Management Plan, and the vendor inventory. Plus a 30-60-90 day prioritized action plan you can execute internally or hire us to handle.

Day 16–21


Who This Is For

Built for healthcare practices that need to be defensible.


Common Questions

FAQ

How is this different from what my practice management software produces?

Most PMS-bundled or third-party HIPAA software generates a checklist-based Risk Assessment from your answers to a questionnaire. That is a screening tool. A Risk Analysis is a documented professional evaluation of threats, vulnerabilities, and existing safeguards that walks through your actual practice. OCR enforcement actions in 2025 specifically cited inadequate or template-driven Risk Analyses. The output of this engagement is built to meet the standard OCR has been applying.

Do I need this even if I am a solo practitioner?

If you transmit any health information electronically (insurance claims, patient portals, email with PHI, electronic prescriptions), you are a covered entity. The Security Rule applies regardless of practice size. OCR has fined solo and very small practices for missing Risk Analyses, including a $25,000 settlement against a small imaging facility in 2025.

What if OCR has already contacted me?

Tell us in the discovery call. The engagement is structured slightly differently if you have an active investigation, breach notification, or compliance review. We work alongside your attorney if you have one. We do not provide legal advice, but a documented Risk Analysis from a qualified privacy professional is something OCR generally wants to see.

What documents will you need from us?

Existing privacy and security policies, your current Notice of Privacy Practices, vendor contracts and any existing BAAs, training attendance records, and a list of all software and devices that touch PHI. If you do not have all of these, that is part of what the Risk Analysis identifies. Missing documentation is itself a finding.

How long is the Risk Analysis valid?

HIPAA does not specify a fixed expiration. The standard interpretation is that you must update the Risk Analysis whenever there are material changes (new vendor, new system, new location, breach, regulatory change) and review it at least annually. We can also provide annual refresh engagements at a reduced fee.

Can this support my cyber insurance application or renewal?

Yes. Many cyber insurance carriers now require evidence of HIPAA Security Rule compliance as a condition of coverage or favorable rates. The Risk Analysis document, the Risk Management Plan, and the vendor inventory are typically what they want to see. We can deliver in a format that maps directly to their attestation forms if needed.

Ready to know where you stand?

Book a free 30-minute discovery call and we will confirm this is the right starting point for your situation.
