
Service 07

Walk Away With OCR-Ready HIPAA Documentation.

OCR has been settling Risk Analysis enforcement cases against small healthcare entities as recently as March 2026. The Risk Analysis is the document OCR asks for first when a complaint or breach lands on their desk. Most small practices do not have one that would survive review. We produce a written, defensible Risk Analysis mapped to all nine HHS elements in three weeks. Flat fee. No retainer. You walk away with documentation that proves active compliance posture.

Standard

$3,500

Annual Refresh Tier

$4,500

Timeline

3 weeks

What You Receive

The Document OCR Asks For First.

When OCR opens an investigation, the request letter starts with one specific document: the written HIPAA Risk Analysis required under 45 CFR 164.308(a)(1)(ii)(A). OCR has been settling Risk Analysis enforcement cases against small healthcare entities as recently as March 2026, all citing missing or inadequate Risk Analysis. This is a bounded project that produces the actual document OCR wants to see. Not a software-generated checklist. A written, dated, signed deliverable mapped to all nine elements of HHS Risk Analysis guidance.

This is the right service for any covered practice that does not currently have a Risk Analysis it could produce within 24 hours if OCR sent a request letter on Monday morning.

Engagement Summary

Standard tier: $3,500
Annual refresh tier: $4,500
Timeline: 3 weeks
Format: Flat fee, project-based
Output: OCR-ready written package

01

Practice Walkthrough

On-site or remote review of your clinical, administrative, and technical workflows. We talk to the people who actually handle PHI day to day, not just the practice owner. This is where most software-generated Risk Analyses fail. They cannot see how your front desk handles insurance cards or where the printed schedule sits during the day.

02

Written Risk Analysis Document

A dated, signed document that meets the requirements of HIPAA Security Rule §164.308(a)(1)(ii)(A). Built against the five elements OCR auditors are instructed to evaluate per the HHS Audit Protocol: a defined scope identifying every system that creates, transmits, or maintains ePHI; details of identified threats and vulnerabilities; assessment of current security measures; impact and likelihood analysis; and risk rating. Mapped to all nine elements of HHS Final Guidance on Risk Analysis Requirements.

03

Risk Management Plan

For every risk identified above a Low rating, a documented decision: accept, mitigate, transfer, or avoid. Plus the specific safeguard, owner, and target completion date. This is what closes the loop OCR wants to see between identifying risk and actually doing something about it.
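An added example (not part of this page or the engagement's own tooling) of the rule above as a check over a risk register: each risk is rated from likelihood and impact, and every risk above Low must carry one of the four decisions plus a safeguard, an owner, and a target date that has not already passed. The 3x3 rating matrix, the field names, and the sample register are constructed assumptions.

```python
from datetime import date

LEVELS = {"Low": 1, "Medium": 2, "High": 3}
DECISIONS = ("accept", "mitigate", "transfer", "avoid")


def rate(likelihood, impact):
    """Combine likelihood and impact into a rating.
    Assumed 3x3 matrix: product 1-2 is Low, 3-4 Medium, 6-9 High."""
    score = LEVELS[likelihood] * LEVELS[impact]
    return "Low" if score <= 2 else "Medium" if score <= 4 else "High"


def rmp_gaps(register, today):
    """Return (risk id, problem) pairs for every risk rated above Low whose
    treatment entry is incomplete. Low-rated risks need no decision here."""
    gaps = []
    for risk in register:
        if rate(risk["likelihood"], risk["impact"]) == "Low":
            continue
        t = risk.get("treatment") or {}
        if t.get("decision") not in DECISIONS:
            gaps.append((risk["id"], "decision must be accept/mitigate/transfer/avoid"))
        for field in ("safeguard", "owner"):
            if not t.get(field):
                gaps.append((risk["id"], f"missing {field}"))
        due = t.get("target_date")
        if due is None:
            gaps.append((risk["id"], "missing target completion date"))
        elif due < today:
            gaps.append((risk["id"], f"target date {due} already passed"))
    return gaps


# Constructed sample register (illustrative, not from any real practice).
SAMPLE = [
    {"id": "R-1", "likelihood": "Low", "impact": "Low", "treatment": {}},
    {"id": "R-2", "likelihood": "High", "impact": "High",
     "treatment": {"decision": "mitigate", "safeguard": "Full-disk encryption on laptops",
                   "owner": "Office manager", "target_date": date(2026, 6, 30)}},
    {"id": "R-3", "likelihood": "Medium", "impact": "Medium",
     "treatment": {"decision": "fix later", "safeguard": "Lock printed schedule in drawer",
                   "owner": "", "target_date": date(2025, 1, 15)}},
]


def check_sample():
    """Run the gap check on the constructed register as of an assumed review date."""
    return rmp_gaps(SAMPLE, date(2026, 3, 1))


if __name__ == "__main__":
    for rid, problem in check_sample():
        print(rid, problem)
```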

04

Vendor & BAA Inventory

A list of every vendor that touches PHI in your practice (PMS, IT provider, cloud backup, email, billing, scheduling, marketing, AI tools), with the BAA status of each. Identifies missing BAAs in priority order. The vendor inventory most practices think they have is incomplete.

05

Workforce Training Documentation Review

A review of your existing training records against HIPAA's required workforce training standard. Identifies gaps in content, attendance, retraining cadence, and sanctions policy. OCR enforcement actions consistently cite missing or undocumented training.

06

60-Minute Readout Session

A live walkthrough of findings with you and any staff you want present. We review the Risk Analysis, the management plan, and what you should do in the next 30, 60, and 90 days. Recorded if you want it for training your team later.


How It Works

Four Steps. Three Weeks.

01

Practice Intake

A structured intake covering your practice type, locations, workforce, vendors, and existing HIPAA documentation. Plus a list of staff we will need brief interviews with. Typically completed by your office manager. About 45 to 60 minutes of practice time.

Day 1 to 3

02

Walkthrough

On-site visit (or remote video walkthrough for practices outside the Houston metro). Structured interviews with the practice owner, office manager, and IT support. Brief touch-points with clinical, billing, and front-office staff. Review of physical safeguards, workstation placement, paper handling, and how PHI actually moves through your day. About 3.5 to 4.5 hours of practice time, distributed across staff.

Day 4 to 8

03

Analysis & Documentation

The written Risk Analysis is produced, with each identified risk scored by likelihood and impact. The Risk Management Plan, vendor inventory, and training review are completed in parallel. Drafts are reviewed internally before delivery.

Day 9 to 15

04

Readout & Handoff

60-minute findings walkthrough plus 30 minutes of treatment-decision input from the Security Officer for the Risk Management Plan. You receive the signed Risk Analysis document, the Risk Management Plan, and the vendor inventory. Plus a 30-60-90 day prioritized action plan you can execute internally or hire us to handle. About 1.5 hours of practice time.

Day 16 to 21

Time Investment

What Your Practice Should Plan For.

A defensible Risk Analysis represents 20 to 25 hours of CIPP/US certified professional work behind the scenes. The time commitment from your practice is much smaller, distributed across a few people over the three-week engagement. Honest expectations help you plan.

Practice Owner / HIPAA Security Officer: 3 to 4 hrs. Most of the walkthrough, Risk Management Plan input, findings readout, signature.

Office Manager: 2 to 3 hrs. Pre-Intake completion, front office walkthrough, vendor list, RMP review.

IT Support or MSP: 1 hr. Tab 5 IT and Network walkthrough segment, joining via video.

Billing Manager (if separate): 30 to 45 min. Billing and coding workflow walkthrough segment only.

Total practice time across all staff: 6 to 7 hours, distributed across two weeks. Compare to compliance software that demands 20-plus hours of staff time entering questionnaire answers across multiple sessions to produce something that has consistently failed OCR review.


Who This Is For

Built for healthcare practices that need to be defensible.


Common Questions

FAQ

Want to estimate the OCR fine range for a HIPAA violation before committing to a Risk Analysis? Use the free HIPAA Penalty Calculator, which is verified against the 2026 Federal Register adjustment.

How is this different from what my practice management software produces?

Most PMS-bundled or third-party HIPAA software generates a checklist-based Risk Assessment from your answers to a questionnaire. That is a screening tool. A Risk Analysis is a documented professional evaluation of threats, vulnerabilities, current safeguards, impact, and likelihood that walks through your actual practice. The HHS Audit Protocol instructs OCR auditors to evaluate Risk Analysis documentation against five specific criteria, and the HHS Final Guidance defines nine required elements. Software-generated Risk Assessments rarely satisfy either standard. Recent OCR Risk Analysis Initiative enforcement actions, including cases settled as recently as March 2026, have all involved entities whose documentation did not meet these criteria. The output of this engagement is built directly against the Audit Protocol and the nine-element guidance.

Do I need this even if I am a solo practitioner?

If you transmit any health information electronically (insurance claims, patient portals, email with PHI, electronic prescriptions), you are a covered entity. The Security Rule applies regardless of practice size. Solo and small practices have appeared regularly in OCR's Risk Analysis Initiative enforcement actions, with cases settled against small healthcare entities as recently as March 2026.

What if OCR has already contacted me?

Tell us in the discovery call. The engagement is structured slightly differently if you have an active investigation, breach notification, or compliance review. We work alongside your attorney if you have one. We do not provide legal advice, but a documented Risk Analysis from a qualified privacy professional is something OCR generally wants to see.

What documents will you need from us?

Existing privacy and security policies, your current Notice of Privacy Practices, vendor contracts and any existing BAAs, training attendance records, and a list of all software and devices that touch PHI. If you do not have all of these, that is part of what the Risk Analysis identifies. Missing documentation is itself a finding.

How long is the Risk Analysis valid?

HIPAA does not specify a fixed expiration. The standard interpretation is that you must update the Risk Analysis whenever there are material changes (new vendor, new system, new location, breach, regulatory change) and review it at least annually. We can also provide annual refresh engagements at a reduced fee.

Can this support my cyber insurance application or renewal?

Yes. Many cyber insurance carriers now require evidence of HIPAA Security Rule compliance as a condition of coverage or favorable rates. The Risk Analysis document, the Risk Management Plan, and the vendor inventory are typically what they want to see. We can deliver in a format that maps directly to their attestation forms if needed.

Ready to know where you stand?

Book a free 30-minute discovery call and we will confirm this is the right starting point for your situation.
