When OCR or Medicare asks for your Security Risk Analysis, will you have the document?

Fixed-fee HIPAA Security Risk Assessments for medical practices in The Villages, Lady Lake, Leesburg, and Ocala.

HIPAA Security Risk Assessment Services

The Intermachine HIPAA Security Risk Assessment

A defined engagement with a fixed fee and a concrete deliverable. No hourly meters, no vague consulting.

What we do

  1. Scoping interview and ePHI inventory. We map where patient information lives: EHR, email, backups, and old workstations.
  2. Asset and network review. A full inventory of the systems, devices, and vendors that touch patient data, and how data flows between them.
  3. Threat and vulnerability assessment. Your administrative, physical, and technical safeguards evaluated against the NIST risk-assessment methodology federal regulators point to.
  4. Risk register. Every identified risk, rated by likelihood and impact, in plain English.

What you receive

  • The written Security Risk Analysis Report. The document you hand to an auditor, insurer, and the record behind your MIPS attestation.
  • A prioritized remediation roadmap. What to fix first, what can wait, whether you fix it with us or with your current IT provider.
  • An executive summary the practice owner can read in five minutes.

Timeline: Most single-location practices are complete within 2 weeks of the on-site visit.

Investment: $1500 flat fee for practices up to 5 providers / single location. Multi-site quoted after a 15-minute call.

Annual option: HIPAA expects your risk analysis to be kept current, and MIPS attestation recurs every year. Our annual reassessment plan keeps your documentation continuously audit-ready.

Easy Three Step Process

1. Quick 15-minute call

We confirm the scope of your practice and schedule the on-site visit that best works for you.

2. On-site assessment

One scheduled visit, minimal disruption to patient flow. Most of our work happens off-site afterward.

3. Findings review

We walk you through the report and roadmap in person, in plain English.

Not sure where you stand? Start with the self-check.

Free PDF. 10 Yes/No questions. Two minutes.
You’ll know immediately whether your practice has a documentation gap, before someone else finds it.

Download the Free HIPAA Self-Check

Ready to get started?

Schedule Free Consultation

Free phone consultation, you select date and time

Schedule Now

Contact Intermachine

Call text or send an email.

Contact Us

Local Technical and Independent

Certified security professionals

Your assessment is performed by a CompTIA Security+ certified engineer with a background in software and network systems.

In your neighborhood

Based in Lady Lake, serving The Villages, Lady Lake, Leesburg, and surrounding areas. On-site means on-site.

We assess honestly

You choose what to do with the findings. Remediate with us, with your existing IT company, or on your own. The report is yours either way.

We hold ourselves to the same standard

Intermachine operates under Business Associate Agreements and conducts its own security risk analysis.

A risk analysis isn’t a best practice. It’s the law, and it’s the first thing they check.

Every practice is required to conduct and document a security risk analysis. Not a checklist. Not a policy binder from 2015. A current, written analysis of where your patient data lives, what threatens it, and what you’re doing about it.

Here’s what most practice owners don’t realize until it’s too late:

  • Federal audits have resumed. The HHS Office for Civil Rights restarted its HIPAA audit program, and the stated focus is the risk analysis and risk management requirements, historically the single most common failure cited in OCR enforcement actions.
  • Medicare asks every year. If your practice participates in MIPS, you attest annually that a security risk analysis was conducted. An attestation without the document behind it is a problem you don’t want.
  • Your insurance carrier asks at renewal. Cyber and malpractice underwriters now demand proof of risk assessments, multi-factor authentication, and tested backups. No documentation can mean higher premiums, exclusions, or a denied claim after an incident.
  • Penalties were just increased. HIPAA civil penalties were inflation-adjusted in January 2026, with annual maximums rising for uncorrected willful neglect.
  • Bigger changes are coming. Washington has proposed the largest update to the HIPAA Security Rule in over 20 years, which would make encryption, MFA, and annual risk assessments mandatory for every practice regardless of size. Practices that assess now will comply calmly. Practices that wait will scramble.

Common questions

Is a HIPAA risk analysis legally required for a practice my size?

Yes. The HIPAA Security Rule's risk analysis requirement applies to covered entities of every size, solo practices included. There is no small-practice exemption.

We have an IT company. Isn't this their job?

Usually not. Most IT providers maintain systems. A risk analysis is a formal, documented compliance assessment against the Security Rule. An independent assessment carries more weight with auditors and insurers than a provider grading its own work.

Will this make us HIPAA certified?

No, and be wary of anyone who says otherwise. HHS does not certify HIPAA compliance. What we provide is the required, documented security risk analysis and a remediation plan: the core evidence of a good-faith compliance program.

What if the assessment finds problems?

It will. Every assessment does. Finding gaps in a report you commissioned is better than an auditor, insurer, or ransomware operator finding them first. Documented findings with a remediation plan are evidence of diligence, not an admission of guilt.

Do you sign a Business Associate Agreement?

Yes, before any engagement begins. We will provide one, or work under yours.

Is the new 2026 HIPAA rule final?

Not yet. The proposed Security Rule update would mandate encryption, MFA, and annual risk assessments, but it has not been finalized. What is true today: the current rule requires a risk analysis and OCR audits are underway and focused exactly there.

Not sure where you stand? Start with the self-check.

Free PDF. 10 Yes/No questions. Two minutes.
You’ll know immediately whether your practice has a documentation gap, before someone else finds it.

Download the Free HIPAA Self-Check

Or contact us for more information.

Serving medical and dental practices in Lady Lake · The Villages · Leesburg · Ocala · Fruitland Park · Wildwood · Summerfield · Belleview

Intermachine Systems provides security assessment and information technology services. We are not a law firm, and assessment findings do not constitute legal advice. No organization can be certified HIPAA compliant by HHS.