Common questions
Is a HIPAA risk analysis legally required for a practice my size?
Yes. The HIPAA Security Rule's risk analysis requirement applies to covered entities of every size, solo practices included. There is no small-practice exemption.
We have an IT company. Isn't this their job?
Usually not. Most IT providers maintain systems. A risk analysis is a formal, documented compliance assessment against the Security Rule. An independent assessment carries more weight with auditors and insurers than a provider grading its own work.
Will this make us HIPAA certified?
No, and be wary of anyone who says otherwise. HHS does not certify HIPAA compliance. What we provide is the required, documented security risk analysis and a remediation plan: the core evidence of a good-faith compliance program.
What if the assessment finds problems?
It will. Every assessment does. Finding gaps in a report you commissioned is better than an auditor, insurer, or ransomware operator finding them first. Documented findings with a remediation plan are evidence of diligence, not an admission of guilt.
Do you sign a Business Associate Agreement?
Yes, before any engagement begins. We will provide one, or work under yours.
Is the new 2026 HIPAA rule final?
Not yet. The proposed Security Rule update would mandate encryption, MFA, and annual risk assessments, but it has not been finalized. What is true today: the current rule requires a risk analysis and OCR audits are underway and focused exactly there.