HIPAA Security Risk Assessment

Your PHI Is Either Protected — Or Exposed.

I conduct HIPAA Security Risk Assessments the way OCR expects them — not as a checkbox scan, but as a documented, defensible analysis of every system, vendor, and control that touches your patients' data.

$9.36M: Average healthcare breach cost (IBM Cost of a Data Breach Report, 2025)
7 of 7: OCR Risk Analysis Initiative cases that cited a missing SRA (HHS OCR, 2024–2025)
264%: Increase in ransomware breaches since 2018 (HHS OCR Enforcement Highlights, 2025)
Why This Matters Now

The Proposed HIPAA Security Rule Update Eliminates the Addressable Safeguard Loophole

In January 2025 HHS published its first proposed overhaul of the Security Rule since the 2013 Omnibus Rule. MFA, encryption, and technology asset inventories would move from "addressable" to mandatory, and covered entities and business associates would have a 240-day compliance window once the final rule is published.

15 years: Healthcare has carried the highest breach costs of any industry for 15 consecutive years (IBM Cost of a Data Breach Report, 2025)
Schedule a Free 30-Min Consultation →

What My HIPAA Security Risk Assessment Includes

Unlike basic vulnerability scans, my comprehensive HIPAA SRA evaluates your entire security posture across administrative, physical, and technical safeguards to prevent costly fines and data breaches.

Technical Controls & Network Security

Evaluating firewalls, network segmentation, VPNs, multi-factor authentication (MFA), and encryption for ePHI at rest and in transit.

Administrative Safeguards

Reviewing your Risk Management Plan, incident response procedures, and workforce training records.

Vendor & BAA Management

Identifying third-party risk and ensuring BAAs are in place for all vendors handling PHI, especially cloud providers and AI tools.

Physical Safeguards

Assessing workstation security, facility access controls, and secure device disposal.

Backup & Disaster Recovery

Verifying tested backup procedures and ransomware resilience to ensure uninterrupted business operations.

Real-World Experience: The Hidden AI Scribe Risk

What I Found in a Recent HIPAA Risk Assessment:

A 40-employee specialty clinic believed their IT provider had HIPAA fully handled. During my SRA, I discovered that clinicians had independently adopted a popular AI transcription tool to save time on charting. The tool was transmitting unencrypted audio containing ePHI to a third-party cloud server without a BAA in place, a critical HIPAA violation.

I immediately helped them implement an AI governance policy, secure a compliant vendor with a signed BAA, and remediate the exposure before a breach occurred.

Pricing Transparency: How Much Does a HIPAA Risk Assessment Cost?

Most cybersecurity firms hide their pricing. I believe in transparency so you can budget effectively.

Small Practices & Clinics

1-50 staff

$3,500 - $10,000

Core risk assessment, gap analysis, and remediation roadmap. Scales based on network complexity, cloud environments, and vendor ecosystem.

Fractional vCISO Retainer

Ongoing Compliance

Starting at $5,000/month

Continuous vendor risk management, security program building, and executive oversight.

Book a Free Scoping Call

HIPAA Compliance FAQ: Your Questions Answered

Do small medical practices really need HIPAA compliance help?

Yes. HIPAA applies to organizations of all sizes, and small practices are frequently fined due to lack of documentation and security controls.

What is the most common HIPAA violation you see?

The most common issue is the absence of a documented HIPAA Security Risk Assessment and incomplete policies.

Is HIPAA compliance a one-time project?

No. HIPAA compliance is an ongoing process that requires periodic reviews, updates, and evidence of continuous effort.

Can you help if we already failed a HIPAA audit?

Yes. I help organizations respond to findings, create corrective action plans, and reduce future regulatory exposure.

Do we need HIPAA compliance if we use cloud services like Microsoft Azure or Microsoft 365?

Yes. Moving ePHI to the cloud does not move your obligations with it. You need a BAA with the provider (Microsoft offers one covering Azure and Microsoft 365), and you remain responsible for configuring, securing, and documenting how ePHI is stored, accessed, and logged in those services.

Are Business Associates required to be HIPAA compliant?

Yes. Since the 2013 Omnibus Rule, business associates (vendors that create, receive, maintain, or transmit PHI on your behalf) are directly liable under the Security Rule, and you must have a signed Business Associate Agreement, also known as a BAA, with each of them before any PHI changes hands.

Can you review our vendors for HIPAA compliance?

Yes. I assess vendors, review BAAs, and identify third-party risk related to PHI handling.

What documentation is required for HIPAA compliance?

HIPAA requires risk assessments, policies, procedures, training records, incident response plans, and audit evidence.

How often should HIPAA training be conducted?

HIPAA requires training for new workforce members within a reasonable period after hire and whenever a change in policies or procedures affects their work; annual refresher training is the accepted baseline, and every session should be documented and retained.

What happens if an employee violates HIPAA?

Organizations must document the incident, apply sanctions consistent with their written sanction policy (a required Security Rule specification), take corrective action, and assess whether the event is a reportable breach of unsecured PHI.

Can you help us prepare for an OCR investigation?

Yes. I help gather evidence, prepare documentation, and guide organizations through OCR inquiries.

Does HIPAA require encryption?

Under the current Security Rule, encryption of ePHI at rest and in transit is an "addressable" implementation specification: you must implement it where reasonable and appropriate, or document why not and what equivalent safeguard you use instead. In practice, unencrypted devices and data are frequently cited in enforcement actions, PHI encrypted to HHS guidance is exempt from breach notification, and the proposed rule update would make encryption mandatory with only limited exceptions.

What is considered Protected Health Information, or PHI?

PHI is individually identifiable health information, in any form (paper, electronic, or spoken), that relates to a person's past, present, or future health condition, the care they received, or payment for that care, and is held or transmitted by a covered entity or business associate. Electronic PHI, or ePHI, is the subset the Security Rule covers.

Are emails and text messages subject to HIPAA?

Yes. Email, messaging, and collaboration tools must be secured and configured to protect PHI. Ordinary SMS is not encrypted and consumer messaging apps rarely offer a BAA, so PHI should only move through tools that are covered by a BAA and configured with encryption and access logging.

How long must HIPAA documentation be retained?

HIPAA requires Security Rule documentation to be retained for at least six years from the date it was created or the date it was last in effect, whichever is later.

Can you work with our internal IT team?

Yes. I collaborate with in-house IT and management teams to close gaps efficiently.

What is the difference between HIPAA Privacy Rule and Security Rule?

The Privacy Rule governs how PHI is used and disclosed, while the Security Rule focuses on protecting electronic PHI.

How do you prove HIPAA compliance during an audit?

Compliance is proven through documented risk assessments, policies, training records, and technical safeguards.

Do you offer ongoing HIPAA compliance support?

Yes. I provide continuous compliance support, reassessments, and advisory services through my fractional vCISO retainer.

What happens after the initial HIPAA consultation?

I review your environment, explain your risks, and provide a clear roadmap with no pressure or obligation.

Is it safe to use AI scribes with patient data under HIPAA?

Only if the AI vendor has signed a BAA, the tool encrypts ePHI in transit and at rest, and the vendor's terms do not allow your recordings or transcripts to be used for model training without authorization. I assess AI scribe risk as part of every engagement.

What is the difference between a HIPAA risk assessment and a vulnerability scan?

A vulnerability scan finds technical weaknesses in your systems at a point in time. A risk assessment identifies where ePHI lives, the threats and vulnerabilities to it, and the likelihood and impact of each, across administrative, physical, and technical safeguards, as required by 45 CFR 164.308(a)(1)(ii)(A).

How long does a HIPAA risk assessment take?

For a small practice (under 50 staff), typically 2 to 4 weeks. Multi-location organizations may require 6 to 10 weeks depending on scope and data volume.

Do you help with HITRUST certification readiness?

Yes. I provide HITRUST readiness assessments and gap analysis to prepare organizations for formal HITRUST CSF certification.

Ready to Protect Your Practice?

Schedule a free, no-obligation 2026 HIPAA Security Rule briefing. I will review your current posture, explain the upcoming regulatory changes, and provide a clear path forward.

Schedule Your Free HIPAA Briefing

Melissa Thornton, Fractional CISO | White Plains, NY | Serving Healthcare Organizations Nationwide

Why My SRA Is Different

Not a Scan. Not a Template.

Most vendors run a questionnaire and call it a risk assessment. I conduct the kind of documented, evidence-based analysis that holds up under OCR scrutiny.


2026 HIPAA Security Rule Alignment

Every assessment is mapped to the controls the proposed rule would make mandatory: MFA, encryption, a technology asset inventory and network map, and documented restoration of critical systems within 72 hours. You're not just compliant today, you're ready for what's coming. The proposed rule removes the "addressable" designation, so nearly every implementation specification becomes required, with only limited exceptions.


AI Governance Built In

I assess AI scribes, ambient documentation tools, and third-party SaaS platforms that your MSP likely never reviewed. Every vendor that touches PHI gets evaluated.


Executive-Level Deliverable

15–25 page written report mapped section-by-section to the HIPAA Security Rule, plus a prioritized 30/60/90-day remediation roadmap.


Vendor & BAA Review

Full Business Associate inventory, gap identification, and third-party data processing addendum review.


Real-World Finding: The AI Scribe Risk Nobody Saw Coming

A multi-location specialty practice had deployed an AI ambient documentation tool across all providers. No BAA. The tool was transmitting ePHI to a third-party model training environment. I identified the exposure during a routine SRA intake — before it became a reportable breach. Remediated in 30 days. No breach notification required.

My Assessment Process

Five Phases. Fixed Timeline.

Every engagement follows the same structured methodology — so you always know what's happening and when you'll have your report.

Phase 1

Discovery

Stakeholder interviews, environment scoping, asset inventory review

Phase 2

Technical Review

MFA, encryption, access controls, network architecture

Phase 3

Gap Analysis

Control mapping against HIPAA Security Rule and 2026 proposed changes

Phase 4

Executive Briefing

60-min leadership readout with findings and risk ratings

Phase 5

Written Report

15–25 page report + prioritized 30/60/90-day roadmap

Transparent Pricing

Fixed Fees. No Scope Creep.

I publish my pricing because it filters out the wrong engagements and respects your time. No surprises, no upsells.

Small Practice

1–50 Staff · Single Location

$3,500+
Up to $10K · Fixed fee · 10 business days
  • Full HIPAA Security Rule assessment
  • 15–25 page written report
  • Prioritized remediation roadmap
  • 60-min leadership readout call
  • Vendor and BAA inventory review
Get a Proposal →
Mid-Size / Multi-Location

Multiple Locations or High Data Volume

$15K+
Up to $40K · Scope-dependent
  • All small practice deliverables
  • Multi-site scoping and assessment
  • Expanded vendor / BAA review
  • AI & emerging technology risk layer
  • Board-ready executive summary
Get a Proposal →
Fractional vCISO Retainer

Ongoing Compliance Leadership

$5K/mo
Minimum engagement
  • SRA included in first 90 days
  • Ongoing policy and program management
  • Vendor and BAA oversight
  • Incident response support
  • Board and leadership reporting
Learn More →

Ready to Get Started?

Let's Find Out Where You Actually Stand.

No pressure. No jargon. I'll send a short intake form after booking so we can use our time well.

Melissa Thornton · Fractional CISO · White Plains, NY · Serving clients remotely and across the NYC/Westchester region