How I Protect Your Practice
Five phases. One methodology. Everything mapped to HIPAA Security Rule requirements.
Right now, anyone can look up information about your practice online: your email configuration, your website software, whether your staff’s credentials have appeared in a data breach. I check all of it. This is the same information a bad actor would look for, and it’s the same information OCR can see without ever contacting you. Most practices have no idea what’s out there.
This phase uses only publicly available information. I never access your systems without written authorization.
Finding 20 issues doesn’t mean you have 20 emergencies. Some are critical, like patient data showing up in a breach database. Some are minor, like an outdated copyright year on your website. I rank everything so you’re not guessing what matters. Each finding gets a severity level and a direct connection to the specific HIPAA rule it affects.
You get a document written in plain English, not technical jargon. For each finding, it explains what I found, why it’s a problem, which HIPAA requirement it falls under, and exactly what needs to happen to fix it. HIPAA requires two things: a risk analysis and a risk management plan. This report is both. If OCR ever audits your practice, this is the document you hand them. It proves you identified your risks, prioritized them, and have a documented plan to address them.
I don’t just hand you a list of problems. I fix what I can: email security gets configured, certificates get updated, security headers get installed, policies get written, and I coordinate directly with your vendors so you don’t have to make those calls. Some things take longer, like staff training or physical security changes. Those go on a prioritized checklist with timelines. You don’t have to fix everything overnight. What matters to OCR is that you have a documented plan and you’re working through it. When I’m done with the technical fixes, I re-scan everything and give you a confirmation report as proof.
New vulnerabilities appear constantly. Staff turns over. Software gets updated. The security posture you have today will drift if nobody’s watching it. On the monthly plan, I become your practice’s tech and security person. I monitor your digital footprint, handle day-to-day tech issues, keep your compliance documentation current, and run your annual risk assessment update so you never fall behind. You get a real person who picks up the phone when something goes wrong.
This is a separate monthly service. See the Services page for what’s included.
Full HIPAA Security Risk Assessment + Remediation
Beyond external scanning, I offer full HIPAA Security Risk Assessments with remediation included. I assess your administrative, physical, and technical safeguards, then fix what I find. One engagement, one price. You get the audit-ready documentation AND a more secure practice.
See what I can help with →

Ready to see what I find?
Start with a free external security review. I check what's visible about your practice from the outside, the same information anyone on the internet can see.