HIPAA Security Risk Assessment
Required by federal law for every covered entity. Most medical and dental practices have never completed one. That is an OCR audit waiting to happen.
If You Handle Patient Data, This Is Required
The HIPAA Security Rule requires every covered entity to conduct a thorough assessment of the potential risks and vulnerabilities to patient health information. This is not optional.
Medical Practices
Physicians, specialists, urgent care clinics, and multi-provider groups that store or transmit electronic patient records.
Dental Offices
Dental practices using digital X-rays, EHR platforms, or any software that stores patient health information.
Mental Health Providers
Therapists, psychiatrists, and counseling practices where confidentiality and PHI protection are especially critical.
Business Associates
Billing companies, IT vendors, and other organizations that handle PHI on behalf of a covered entity.
What Happens If You Do Not Have One
The HHS Office for Civil Rights (OCR) requires a documented Security Risk Assessment as part of every HIPAA audit. Practices without one face automatic findings of non-compliance. Fines range from $100 to $50,000 per violation, with annual caps reaching $1.9 million per violation category.
Beyond fines, a breach without a documented SRA on file removes your ability to demonstrate good-faith compliance efforts — which is one of the primary factors OCR uses to determine penalty severity.
How the Assessment Works
A structured five-phase process that follows NIST SP 800-66 and the HHS SRA Tool methodology. You receive a complete written report at the end.
Discovery Call
Free 30-minute call to understand your practice size, systems in use, and current compliance posture.
PHI Inventory
Identify every location where patient health information is created, stored, received, or transmitted.
Staff Interviews
Structured interviews with the practice owner, office manager, and IT contact to assess current controls.
Technical Review
Review of your EHR configuration, access controls, encryption, audit logs, and vendor agreements.
Written Report
Delivery of a complete written Security Risk Assessment with prioritized remediation recommendations.
What the Assessment Covers
The HIPAA Security Rule organizes requirements into three categories. Every category is assessed and documented.
Administrative Safeguards
- Security officer designation
- Workforce training and awareness
- Access management policies
- Security incident procedures
- Contingency and disaster recovery plan
- Business Associate Agreement review
- Periodic evaluations and audits
Physical Safeguards
- Facility access controls
- Workstation use policies
- Workstation physical security
- Device and media disposal
- Server and equipment room access
- Visitor and maintenance logging
- Mobile device controls
Technical Safeguards
- Unique user ID and authentication
- Automatic logoff configuration
- Encryption of data at rest and in transit
- Audit log review and retention
- EHR access control configuration
- Email and transmission security
- Backup and recovery verification
Your Deliverables
Every engagement produces a complete written record. These documents satisfy the HIPAA requirement and serve as your evidence of compliance in the event of an audit or breach investigation.
Written Security Risk Assessment
A formal document covering all three safeguard categories, each identified risk, its likelihood and impact, and your current controls. This is the document OCR asks for in every audit.
PHI Inventory
A documented inventory of every system, device, and location where protected health information exists in your practice.
Risk Register
A prioritized list of every identified vulnerability and threat, rated by likelihood and impact, so you know exactly what to fix first.
Remediation Roadmap
Plain-language recommendations for each identified gap, organized by priority. Written for practice owners, not IT professionals.
Findings Debrief Call
A 60-minute call to walk through every finding, answer questions, and confirm you understand your next steps before we close the engagement.
30-Day Follow-Up
A check-in 30 days after delivery to answer implementation questions and confirm remediation progress on high-priority items.
Flat-Fee Pricing. No Surprises.
Enterprise compliance firms charge $5,000 to $15,000 for the same assessment. These prices reflect the reality of what small and mid-size practices can actually afford to pay.
Small Practice
1 to 5 providers · Single location
- Complete HIPAA Security Risk Assessment
- PHI inventory documentation
- All three safeguard categories reviewed
- Written report with risk register
- Prioritized remediation roadmap
- 60-minute findings debrief call
- 30-day follow-up check-in
Mid-Size Practice
6 to 15 providers · Single location
- Everything in Small Practice
- Expanded staff interview process
- Department-level access control review
- Multi-system PHI flow mapping
- BAA gap analysis for all vendors
- 60-minute findings debrief call
- 30-day follow-up check-in
Complex or Multi-Location
Multiple locations or complex IT environments
- Everything in Mid-Size Practice
- Multi-location PHI inventory
- Site-specific risk documentation
- Scoped to your actual environment
- Estimated hours provided before start
- No-surprise billing
- 30-day follow-up check-in
Frequently Asked Questions
Is the Security Risk Assessment actually required by law?
Yes. 45 CFR § 164.308(a)(1) requires covered entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. It is one of the most commonly cited findings in OCR audits and breach investigations.
How often does it need to be done?
The HIPAA Security Rule does not specify an exact interval, but HHS guidance requires that the assessment be conducted periodically and whenever operations, technology, or the environment change significantly. In practice, annual completion is the standard most compliance programs follow.
We already use a HIPAA-compliant EHR. Are we covered?
No. Your EHR vendor being HIPAA-compliant does not transfer compliance to your practice. You are independently responsible for how your staff uses that system, who has access, how devices are secured, and how patient data moves within and outside your office. The Security Risk Assessment covers all of that.
What if the assessment finds serious problems?
That is exactly what the assessment is for. Identified problems are documented with plain-language explanations and prioritized by risk level. I will walk you through every finding on the debrief call. Remediation recommendations are practical and written for practice owners, not IT staff. Many issues can be resolved without significant expense.
How long does the process take?
For a small practice, the full process from kickoff to report delivery typically takes two to three weeks. This includes the PHI inventory, staff interviews, technical review, and report writing. Complex or multi-location engagements may take longer and will be scoped before work begins.
Is this the same as a HIPAA privacy audit?
No. This is a Security Risk Assessment focused on the HIPAA Security Rule, which governs electronic protected health information. It does not cover the HIPAA Privacy Rule in full. If you need a comprehensive privacy and security review, contact me and we can discuss a broader engagement scope.
Ready to Get Compliant?
Start with a free 30-minute consultation. I will answer your questions, assess your situation, and tell you exactly what the engagement would involve before you commit to anything.
Start with the Free Scoping Form
Under five minutes. Thabiti reviews every submission personally and replies within one business day with a tailored next-step plan. Your information is never sold or shared.