A practical security audit for covered entities and business associates that need to demonstrate HIPAA compliance.
HIPAA's Security Rule requires covered entities and their business associates to protect electronic protected health information (ePHI) with administrative, physical, and technical safeguards. The requirement isn't just to have policies — it's to demonstrate that your security program is actively managed, documented, and effective. We conduct security audits that give you an honest assessment of where your program stands and what it takes to get it where it needs to be.
A healthcare software vendor came to us because a hospital prospect asked for evidence of their HIPAA compliance before signing. They had a BAA template and a few IT policies, but no formal security assessment and no documented risk analysis. Without that foundation, the deal stalled — and it kept stalling until the work was done.
HIPAA requires a documented risk analysis. We conduct a thorough assessment of potential threats to ePHI across your environment, document findings in the structure OCR's risk analysis guidance describes (asset inventory, threat and vulnerability identification, current controls, likelihood and impact, risk level), and produce a risk register you can actually maintain year over year.
We assess your administrative (policies, training, access controls), physical (facility controls, device management), and technical safeguards (encryption, audit controls, transmission security) against Security Rule requirements — and document where each stands.
We review and help align your policies, procedures, and workforce training programs to HIPAA requirements, ensuring your documentation supports your program and would hold up under a compliance review or OCR investigation.
OCR audits and breach investigations both begin with the same question: can you show your security risk analysis? If the answer isn't yes, that's the first thing to fix.
Need policies to go with the audit? Our Policy & Procedure Development service can build or update the documentation your HIPAA program depends on.
The HIPAA Security Rule (45 CFR § 164.308(a)(1)(ii)(A)) requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit. That means identifying where ePHI exists across your environment, evaluating current controls, assessing the likelihood and impact of potential threats, and documenting findings in a format that can be reviewed by auditors or OCR investigators. The companion risk management standard (§ 164.308(a)(1)(ii)(B)) then requires you to act on those findings and reduce identified risks to a reasonable and appropriate level. A risk analysis that is not documented is treated as one that was never performed.
A covered entity is a healthcare provider, health plan, or healthcare clearinghouse that handles protected health information (PHI) directly as part of its core function. A business associate is any organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity — including IT vendors, billing companies, EHR platforms, cloud storage providers, and consultants. Both are subject to the HIPAA Security Rule, and both are required to have a documented security risk analysis. The covered entity / business associate distinction determines how HIPAA obligations flow through contracts (via Business Associate Agreements).
OCR (the HHS Office for Civil Rights) enforces HIPAA through complaint investigations, breach report reviews, and periodic audits. Findings can result in corrective action plans; civil monetary penalties set in culpability tiers from $100 to $50,000 per violation (inflation-adjusted, with an annual cap for violations of an identical provision), with the highest tier reserved for willful neglect; and, for knowing violations, referral to the Department of Justice for criminal prosecution. The most common finding is a missing or inadequate security risk analysis. Organizations that can demonstrate a documented, current risk analysis and evidence of ongoing risk management are significantly better positioned, even when an incident has occurred.