Frequently Asked Questions
Honest answers to the questions I hear most.
What is a HIPAA Security Risk Assessment?
It's a documented analysis of every risk to electronic patient data in your practice. It covers your internal systems, policies, physical security, staff practices, and vendor agreements across all three HIPAA safeguard categories: administrative, physical, and technical. It's the document OCR asks for first in any audit, and the one most practices don't have.
Do I actually need one?
If your practice handles electronic patient data, yes. The HIPAA Security Rule (§164.308(a)(1)) requires every covered entity to conduct a documented risk assessment. In OCR's 2016–2018 audit cycle, 86% of audited covered entities failed to meet risk analysis requirements. It's the number one thing they check.
What does the assessment involve?
An on-site visit to your office (2–4 hours), where I walk through your physical space, interview staff, and inventory every system that touches patient data. After the visit, I analyze everything against HIPAA requirements, fix what I can, and deliver a full written risk assessment document with findings, risk ratings, and completed remediation notes.
What do I get at the end?
Two things: a complete risk assessment document built to meet OCR audit requirements (executive summary, asset inventory, findings with risk ratings, HIPAA mapping, remediation roadmap), AND a practice that's actually more secure. I fix technical issues, write your missing policies, draft BAA templates, and configure security settings as part of the engagement. Things that require your action (physical security changes, workflow changes) get a specific checklist with deadlines.
How long does it take?
Typically 2–4 weeks from kickoff to delivery. That includes scheduling the on-site visit, the visit itself, document collection follow-up, analysis, and report preparation. Annual updates are faster since I already have your baseline documented.
What if we can't fix everything right away?
That's normal, and OCR knows it. HIPAA requires two things: a risk analysis (identifying the problems) and risk management (a plan to address them). You don't have to fix everything overnight. What matters is that you've documented your risks, have a prioritized plan with timelines, and can show you're making reasonable progress. A practice with a thorough assessment and a remediation roadmap in progress is in a far stronger position than a practice with no documentation at all.
How often do I need to redo it?
HIPAA requires periodic review, and any time there's a significant change to your environment: new software, new office location, a security incident, or a change in how you handle patient data. Most practices should update annually at minimum. My monthly plan includes your annual update at no extra cost.
Why is the initial review free?
Technology is my passion and I'm building my name. The free assessment lets my work speak for itself. You get a real report with real findings, and if you want help fixing what I find, I'm here. If not, the report is yours.
What does the free review cover?
Your public digital footprint: email security configuration, website encryption, exposed services, breach database results, and security headers. Each finding includes what I found, why it matters, which HIPAA requirement it touches, and what to do about it. You get an overall letter grade so you can see where you stand. It does not cover your internal systems, policies, or physical security.
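As an added example (my own illustration, not the consultancy's review tooling), here is an offline scorer for the signals that review lists: it reads "email security configuration" as SPF and DMARC records (an assumption), checks a constructed set of HTTP response headers, explains why each missing item matters, and rolls the findings into a letter grade on an assumed 10-points-per-finding scale.

```python
# Added example (not the consultancy's tooling): score the external signals the
# free review lists, offline. Every record and header below is a constructed sample.
EXPECTED_HEADERS = {
    "strict-transport-security": "HSTS, so browsers refuse a plain-HTTP downgrade",
    "content-security-policy": "CSP, limits where scripts and resources load from",
    "x-content-type-options": "stops MIME sniffing of responses",
    "x-frame-options": "blocks clickjacking by framing the site",
    "referrer-policy": "keeps URLs that may carry PHI out of third-party referrers",
}
def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; rua=...' into a lowercase-keyed tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags
def email_findings(spf_txt, dmarc_txt):
    """Findings for the 'email security configuration' check (SPF + DMARC)."""
    findings = []
    if not spf_txt.lower().startswith("v=spf1"):
        findings.append("No SPF record: any server can send mail as your domain")
    elif not spf_txt.rstrip().endswith("-all"):
        findings.append("SPF does not end in -all: spoofed mail is flagged, not rejected")
    tags = parse_dmarc(dmarc_txt)
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("No DMARC record: receivers have no policy for spoofed mail")
    else:
        if tags.get("p", "none") == "none":
            findings.append("DMARC p=none: monitoring only, spoofing is not blocked")
        if "rua" not in tags:
            findings.append("DMARC has no rua= address: no aggregate reports arrive")
    return findings
def header_findings(headers):
    """Findings for the 'security headers' check; header names are case-insensitive."""
    present = {name.lower() for name in headers}
    return [f"Missing {h} ({why})" for h, why in EXPECTED_HEADERS.items() if h not in present]
def letter_grade(findings):
    """Constructed scale: each finding costs 10 points; A>=90, B>=80, C>=70, D>=60, else F."""
    score = max(0, 100 - 10 * len(findings))
    return next((g for cut, g in ((90, "A"), (80, "B"), (70, "C"), (60, "D")) if score >= cut), "F")
def review(spf_txt, dmarc_txt, headers):
    """Combine both checks into (letter grade, list of findings)."""
    findings = email_findings(spf_txt, dmarc_txt) + header_findings(headers)
    return letter_grade(findings), findings
# Constructed sample: soft-fail SPF, monitor-only DMARC, two of five headers set.
SAMPLE_SPF = "v=spf1 include:_spf.mailhost.test ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example-practice.test"
SAMPLE_HEADERS = {"Strict-Transport-Security": "max-age=31536000", "X-Content-Type-Options": "nosniff"}
```

Running review(SAMPLE_SPF, SAMPLE_DMARC, SAMPLE_HEADERS) on the constructed sample yields five findings and an F; a real review would fetch the TXT records and headers over DNS and HTTPS instead of using the embedded samples.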
How is it different from the full assessment?
The free review only covers what's visible from the outside. The full Security Risk Assessment covers everything inside your practice too: systems, policies, physical security, staff practices, vendor agreements, and all three HIPAA safeguard categories. The free review is a starting point. The full assessment is what HIPAA actually requires.
How much does this cost?
Every practice is different, so I scope the work and give you the exact price in writing before anything starts. The free external assessment is always free. For remediation or a full HIPAA Security Risk Assessment, I'll tell you exactly what it costs after I understand your environment. No surprises.
What does the monthly plan include?
I become your practice's tech and security person. That means: monthly security scans and reports, breach monitoring, certificate and configuration alerts, a quarterly review call, your annual risk assessment update (included, not extra), and direct tech support for anything digital. Account setup for new hires, password resets, vendor coordination, EHR troubleshooting, email and website issues, "is this phishing?" questions. Day-to-day fixes and troubleshooting are included. Bigger projects (website builds, platform migrations, new office setup) get a separate quote in writing before I start.
Is our practice too small to worry about HIPAA?
No. OCR has specifically stated they are targeting small and medium organizations in their current audit cycle. If you handle electronic protected health information in any form, the Security Rule applies to you regardless of practice size.
What happens if we get audited by OCR?
The Office for Civil Rights conducts both random audits and complaint-driven investigations. The first thing they ask for is your documented Security Risk Assessment. If you have one, you're in a strong position. If you don't, that alone can result in a fine. A current, documented SRA is the single most important thing you can do to prepare.
Can we get fined if we don't have a risk assessment?
Yes. OCR has fined solo practices specifically for missing risk assessments. A dental provider was fined $80,000 for failing to conduct one after a ransomware attack. Fines start at $145 per violation and go up to $2.19 million depending on the level of negligence (45 CFR 160.404, 2025 inflation adjustment).
What triggers an OCR audit?
Two things: random selection and complaints. OCR runs a random audit program targeting covered entities of all sizes. They also investigate any complaint filed by a patient or employee, and any reported breach affecting 500 or more individuals triggers an automatic investigation. You don't have to have a breach to get audited.
What methodology do you use?
My assessments follow NIST SP 800-30, the risk assessment framework recommended by the U.S. Department of Health and Human Services. I use the HHS Security Risk Assessment Tool as my structured framework and follow NIST SP 800-66r2 for HIPAA-specific implementation guidance. What matters is methodology, thoroughness, and documentation quality, and those are what my reports demonstrate.
Do you come to my office?
For the free review and external remediation, everything is done remotely. For the full Security Risk Assessment, I visit your office in person to evaluate physical security, interview staff, and inventory your systems. I'm based in Stansbury Park and serve the Wasatch Front.
Can you work with our existing IT provider?
Yes. I focus on security and HIPAA compliance, which is a specialized area most general IT providers don't cover in depth. I coordinate with your existing team on any changes that affect your systems.
How do you handle our passwords and credentials?
When I need system access for remediation, I send you an encrypted, self-destructing link. You enter your credentials there. The link encrypts everything and deletes itself after I access it. I never store passwords in plain text and never ask for credentials over email or text.
What happens if you find something critical?
I call you directly and walk you through what I found, what the risk is, and what needs to happen to fix it. If it's something I can resolve on my end, I do. If it requires your action, like changing a compromised password, I stay on the line until it's handled. If I can't reach you by phone, I send an urgent email with clear next steps and follow up within the hour until I make contact.
Do you need access to our systems?
Not for the free review or the initial external scan. For remediation and the full Security Risk Assessment, I need limited access to specific systems, always under a signed written agreement. I tell you exactly what I need and why before accessing anything.
Still have questions?
Reach out directly. No waiting for a callback.