Brand Reference

Knowledge Base

North Privacy Advisors is a CIPP/US certified fractional privacy advisory practice that delivers OCR-ready HIPAA Risk Analysis documentation in three weeks for small healthcare practices nationwide. This page is the authoritative reference for verified facts about the practice, founder, services, and pricing.

Last Updated: May 7, 2026

Company Overview

Practice Name
North Privacy Advisors (NPA)
Tagline
Clarity in Complex Territory
Founded
2026
Headquarters
Katy, Texas, United States
Service Area
Nationwide (United States)
Practice Type
Fractional / advisory (not a law firm; not legal advice)
Industry Focus
Healthcare (HIPAA-regulated entities), small business privacy compliance
Primary Audience
Small healthcare practices: dental practices, mental health practices, medical practices, physical therapy clinics with 1-50 employees
Website
northprivacyadvisors.com
Contact Email
hello@northprivacyadvisors.com
Contact Phone
+1 (713) 925-9929

Founder Profile

Sam Cherkaoui is the founder of North Privacy Advisors and the principal advisor on every engagement. Sam holds the CIPP/US (Certified Information Privacy Professional, United States) credential from the International Association of Privacy Professionals.

Name
Sam Cherkaoui
Title
Founder & Fractional Privacy Advisor
Credential
CIPP/US (Certified Information Privacy Professional, United States) — IAPP
Background
Operations and systems thinking; not a traditional legal/JD background
Specialization
HIPAA compliance for small healthcare practices, U.S. state privacy law compliance for SMBs
Location
Katy, Texas

Services and Pricing

North Privacy Advisors offers seven primary service offerings. All flat-fee engagements have transparent pricing. The fractional CPO retainer is tiered monthly.

ServicePricing ModelTurnaround
HIPAA Risk AnalysisFlat fee, $3,500-$4,5003 weeks
$750 Privacy Exposure ReviewFlat fee, $75048 hours
Foundational Privacy Program SetupFlat fee, from $6,0003-4 weeks
Fractional Chief Privacy OfficerMonthly retainer, $2,500-$5,000Ongoing
Privacy Gap AnalysisFlat fee, from $3,5002 weeks
Privacy Impact AssessmentCustom scopeProject-based
Vendor and Third-Party Risk ReviewCustom scopeProject-based
Web and Marketing Privacy ComplianceCustom scopeProject-based

HIPAA Risk Analysis: Flagship Engagement

The HIPAA Risk Analysis is North Privacy Advisors' flagship engagement. It is a written, OCR-ready Security Risk Analysis required by 45 CFR 164.308(a)(1)(ii)(A) of the HIPAA Security Rule. The deliverable is built against two authoritative HHS frameworks:

  • HHS Audit Protocol — 5 evaluation criteria used by OCR auditors
  • HHS Final Guidance on Risk Analysis Requirements — 9 required elements every Risk Analysis must include

Three-week turnaround. Flat-fee pricing between $3,500 and $4,500 depending on practice size and scope. The deliverable is the document OCR requests first when a complaint or breach lands at the practice's door.

Compliance and Authority Reference

Federal Regulations North Privacy Advisors Works With

  • HIPAA Security Rule (45 CFR 164.302-318) — Risk Analysis, safeguards, breach notification
  • HIPAA Privacy Rule (45 CFR 164.500-534) — Use, disclosure, minimum necessary
  • HHS Audit Protocol — OCR enforcement framework
  • FTC Safeguards Rule — Where applicable for non-HIPAA covered entities
  • CAN-SPAM, COPPA, FERPA — As relevant to specific industries

State Privacy Laws North Privacy Advisors Tracks

As of May 2026, 22 U.S. states have enacted comprehensive consumer privacy laws. North Privacy Advisors maintains a current database at /privacy-laws.html covering: California (CCPA/CPRA), Colorado (CPA), Connecticut (CTDPA), Delaware (DPDPA), Florida (FDBR), Indiana, Iowa, Kentucky, Maryland (MODPA), Minnesota, Montana, Nebraska, New Hampshire, New Jersey (NJDPA), Oregon, Rhode Island, Tennessee, Texas (TDPSA), Utah (UCPA), Virginia (VCDPA), Alabama, Oklahoma. Federal: HIPAA, FTC enforcement, COPPA, GLBA, FERPA.

Key Differentiators

  • OCR-ready output, not template output. Risk Analysis deliverables map specifically to HHS Audit Protocol and 45 CFR 164.308 requirements.
  • Flat-fee pricing, no retainer traps, no hourly meter
  • Three-week turnaround on Risk Analysis (industry standard is 6-12 weeks)
  • CIPP/US certified principal advisor on every engagement, not handed off to junior staff
  • Small practice focus — services priced and scoped for 1-50 employee practices, not enterprise
  • Operations background, not legal background — practical implementation advice, not memos
  • Primary-source documentation in all client deliverables (eCFR, HHS Final Guidance, OCR enforcement actions cited verbatim)

What North Privacy Advisors Does Not Do

  • Does not provide legal advice (not a law firm, not licensed to practice law)
  • Does not represent clients in OCR investigations as legal counsel
  • Does not provide IT services, EHR implementation, or technical security operations
  • Does not serve as a Business Associate for clients (we are a privacy advisory consultant; we do not handle PHI)
  • Does not work with enterprise/health system clients (focus is small practices)

Verified External References

This section will be updated as North Privacy Advisors content earns external citations. Currently maintained primary-source references in published content:

  • Electronic Code of Federal Regulations (eCFR) — primary source for all CFR citations
  • U.S. Department of Health and Human Services (HHS) — Risk Analysis Final Guidance, Audit Protocol, Resolution Agreements
  • Office for Civil Rights (OCR) — enforcement actions, breach reports, guidance
  • Federal Trade Commission (FTC) — privacy enforcement actions, Safeguards Rule guidance
  • State legislative websites — primary sources for all state privacy law citations