HIPAA Risk Analysis in 30 Daysknow exactly where your practice stands
A fixed-scope sprint for medical, dental, and behavioral-health practices without an IT team. You get the Security Risk Analysis HIPAA requires, your first controls closed, and an OCR- and MIPS-ready roadmap.
$5,000 fixed
Fixed scope, clear deliverables
30 days
SRA + first controls closed
Audit-ready SRA
Mapped to the HIPAA Security Rule
2 sprint slots open per month. If this month is full, we'll confirm next availability on the call.
What you get from the sprint
Built for practice owners with no time to spare: the required analysis, real progress, and a clear path.
A real Security Risk Analysis
We assess your controls against your actual environment — server, laptops, practice-management software, email, cloud backups, and devices — not a generic checklist. It's the document HIPAA requires and OCR asks for first.
Quick-win controls closed
We don't just find gaps — we close the fast ones. MFA, encryption, and core written policies started before Day 30, with evidence captured.
OCR- and MIPS-ready roadmap
A prioritized fix list and a Business Associate Agreement gap register you can attest to honestly and hand to an auditor. No guesswork on what comes next.
Deliverables
Best for
Not the right fit if you just want a GRC tool subscription or a one-time template. We'll tell you on the scoping call if something else fits better.
How the 30 days work
You'll always know what we're doing, why we're doing it, and what the impact is.
Access + scope
Days 1–3
- Read-only access to the systems that touch PHI (not the patient records themselves)
- Scope definition: which systems, locations, and vendors are in scope
- Inventory of where electronic PHI lives across your practice
Risk analysis
Days 4–12
- Controls mapped against the HIPAA Security Rule for your actual stack
- Gaps and Business Associate Agreement shortfalls identified
- Findings ranked by severity with fix-effort estimates
Quick-win remediation
Days 13–24
- Top controls closed: MFA enforcement, device and backup encryption, access control
- Core written policies drafted (security, access, incident response)
- Evidence captured for the controls we implement
SRA + handoff
Days 25–30
- Final Security Risk Analysis delivered
- Remediation roadmap and realistic timeline scoped
- Documentation ready for MIPS attestation and OCR inquiry
- Optional: scoping call for a continuation sprint or managed support
Why practices do this now
The Security Risk Analysis isn't paperwork for its own sake — it's the gap regulators look for first.
The #1 cited failing
A missing or inadequate Security Risk Analysis is the most common finding in HHS Office for Civil Rights settlements with small providers.
MIPS attestation risk
Attesting to a Medicare incentive program without a real SRA is how a routine check becomes a repayment demand.
Public breach reporting
Breaches affecting 500 or more individuals are reported to HHS and posted on the public OCR breach portal.
New to this? Start with our guide to HIPAA compliance for small practices.
Ready to know exactly where your practice stands?
Book a 30-minute scoping call and we'll confirm fit, scope, and access approach. If a sprint isn't the right move, we'll tell you directly.
FAQ
What does “fixed scope” mean in practice?
Before Day 1 we agree on a written checklist: which systems and locations are in scope, which controls we're assessing, and which quick-wins we'll implement. If we find something outside that scope, we document it in the roadmap — it doesn't become absorbed work or an invoice surprise.
Is a Security Risk Analysis really required?
Yes. The HIPAA Security Rule requires every covered entity to conduct an accurate, thorough risk analysis of the risks to electronic PHI, on an ongoing basis. It's the first thing an OCR investigator or MIPS auditor asks for, and it's the most-cited gap in enforcement actions against small practices.
We already have a template or software SRA — isn't that enough?
Only if it reflects what you actually do. A template that says MFA is enabled when it isn't, or that ignores a laptop with PHI on it, is worse than none in an investigation. We assess your real environment and close the fast gaps, so the SRA matches reality.
Do you need access to patient data?
No. We work with read-only access to the systems and configuration that protect PHI — not the patient records themselves. We're assessing your controls, not your charts. For sensitive environments, screen-share implementation works fine.
Is $5,000 realistic for a small practice?
A single breach or a failed MIPS attestation costs far more, and the SRA is required whether or not you do it. The sprint gets it done right — a real analysis plus the fast fixes — for a fixed price, instead of a template that won't hold up.
How is this different from a consultant?
Fixed scope means fixed price — no “while we were in there we found more, that'll be extra.” A senior engineer runs the work, not a junior who reports to one. And we close quick-win controls during the sprint instead of handing you a report and a bill.