HIPAA and cybersecurity, answered straight.
No filler, no sales pitch. If you have a question that isn't here, just ask — the consult is free.
HIPAA Compliance
Do I really need a HIPAA security risk assessment?
Yes — it's a legal requirement, not optional guidance. The HIPAA Security Rule requires every covered entity, including solo and small practices, to conduct and document a security risk analysis. It's also the first thing OCR auditors ask for.
What happens if I skip the risk assessment?
Missing or inadequate documentation is treated as "willful neglect" under HIPAA — the highest penalty tier, with fines up to $50,000 per violation. In practice, even a single patient complaint can trigger an OCR investigation, and the first question is always "show us your risk analysis."
Isn't my EHR or IT provider already handling HIPAA compliance?
They secure their own system — your EHR vendor's HIPAA compliance applies to their platform, not your practice. Your workflows, your staff, your devices, your email, your physical office — those are your responsibility, and they require your own documented risk assessment.
How often does HIPAA require a risk assessment?
At minimum annually, and any time there's a significant change to your environment — new EHR system, new office location, new staff, new devices. Most practices are behind on this. One documented assessment gets you current; an annual refresh keeps you there.
What's changing with the 2026 HIPAA Security Rule update?
The proposed update (still being finalized as of mid-2026) would make previously "addressable" security controls mandatory — including encryption, multi-factor authentication, and network segmentation. Even if the final rule is delayed, practices that implement these now are better protected and ahead of compliance requirements.
Our Services
What's included in a HIPAA Risk Assessment with Kemeski?
We review all administrative, physical, and technical safeguards required under HIPAA — your policies, your systems, staff access, physical security, device management, and backup procedures. You receive a written risk analysis document that satisfies OCR documentation requirements, plus a prioritized remediation plan in plain English.
What does managed security monitoring actually include?
We deploy Wazuh, an enterprise-grade security platform, to monitor your endpoints and network 24/7. When a threat is detected, we alert you and respond — we don't just send a report and leave you to figure it out. You also receive a monthly summary of what was detected and what was done.
What tools do you use for vulnerability assessments?
We use Nessus, the industry standard for vulnerability scanning trusted by security teams worldwide. We run both external scans (what an attacker outside your network can find) and internal scans (what someone inside could access). Results are organized by severity — Critical, High, Medium, Low — with specific remediation guidance for each finding.
What does security awareness training look like for staff?
Training covers HIPAA-specific content — how to handle patient data, recognize phishing, and follow your practice's security policies. We also run simulated phishing campaigns using GoPhish to test your team in a real-world scenario. Completion is tracked and documented, giving you the training records HIPAA requires.
Pricing & Getting Started
How much does it cost?
The first consult is always free. Our HIPAA Starter Bundle is fixed-price so you know your cost before we start — no surprise invoices. We'll confirm scope and pricing on the call based on your practice size and what you need.
How long does an assessment take?
For most small practices (under 20 staff), the assessment itself takes a few business days with minimal impact on your team. You'll have your report within 2–3 weeks of our kickoff call.
Do you work with practices outside Maryland?
Most of our work is done remotely, so geography isn't a barrier. We're based in Annapolis and serve practices throughout Maryland, but we can work with practices in other states for fully remote engagements.
What if you find serious problems?
Finding problems is the point — better on your terms than during an OCR audit. If we uncover gaps, you get a clear remediation plan and we can help you fix them. Nothing gets disclosed without your direction; this is your assessment, not a report to a regulator.
What kinds of practices do you work with?
Dental offices, therapy and counseling practices, psychiatry offices, physical therapy clinics, and other small independent healthcare providers — the practices with real patient data responsibility and no dedicated IT security team.
Ask us directly — the consult is free.
Twenty minutes on a call is faster than reading every FAQ. We'll answer your specific questions and tell you exactly what your practice needs.