HIPAA Security Risk Assessment — done properly, delivered as a document.
A written HIPAA Security Risk Assessment for small and mid-sized practices. The kind you hand to your cyber insurer, your board, or an OCR examiner without hedging. CISSP-informed methodology, fixed from-price, no retainer.
A defensible risk analysis, not a checklist.
A HIPAA Security Risk Assessment (SRA) is the risk analysis required under the HIPAA Security Rule. It is the document OCR asks for first in almost every breach investigation, the document cyber insurers now require at underwriting, and the document that determines whether a subsequent violation is treated as reasonable diligence or willful neglect.
Practices routinely mistake a self-assessment questionnaire, a vendor's compliance certificate, or an outdated 2018 PDF for an SRA. None of those hold up. A defensible SRA identifies the ePHI you hold, the systems that touch it, the threats to those systems, the safeguards in place, the residual risk, and a plan to address it — all in writing, all current.
That is what this offer delivers. Every engagement runs under CISSP-informed methodology, follows the NIST 800-30 / 800-66 risk analysis pattern that OCR examiners are trained on, and produces a document your compliance owner can actually use.
Deliverables.
Practices where an SRA is overdue.
Solo & small group practices
Under 25 staff, no dedicated compliance officer, and the last SRA (if any) was performed years ago.
Medspas & aesthetics practices
Practices that have added AI tooling, patient portals, or new payment processors and don't know if the risk register kept up.
Growing practices adding AI
Anyone introducing automation, AI scribes, chatbots, or new SaaS to a PHI environment. The SRA should precede the deployment, not follow the incident.
Common questions.
Is a HIPAA Security Risk Assessment actually required?
Yes. Under 45 CFR § 164.308(a)(1)(ii)(A), every HIPAA-covered entity and business associate is required to conduct an accurate and thorough risk analysis. It's also a prerequisite for most cyber insurance policies, a condition of many Meaningful Use / Promoting Interoperability attestations, and one of the first documents OCR requests during any breach investigation.
How often do we need to redo it?
The regulation says "periodic" — the practical answer is annually, and any time there's a material change: new EHR, new location, new AI or automation tool, a merger, or a security incident. An SRA that's three years old is functionally not an SRA.
Isn't there a free tool from HHS?
Yes, and it's useful. It's also a self-assessment questionnaire, not a risk analysis. It doesn't produce a defensible written document, doesn't inventory your actual systems, doesn't review your BAAs, and doesn't score threats. If you have the time and expertise to run one properly, use it. If you don't, that's what this offer is for.
Do you also fix the gaps?
Optionally. The SRA is a document — it stands on its own and is yours regardless. If the gaps involve automation, integration, or infrastructure we build, we can scope remediation separately. If they involve policies, training, or vendor changes, we'll point you to the right specialist. No lock-in.
Request the SRA.
Tell us about your practice size, EHR, and any recent changes. We respond within one business day with a scoped price and kickoff date.