The HIPAA Security Rule, assessed for real risk — not a checklist.
The Security Rule requires an accurate, thorough risk analysis — the single thing OCR cites most in breach settlements. We run a real one: every safeguard examined, every gap ranked, and a remediation roadmap you can actually act on.
Every safeguard, weighted by real risk
We evaluate the administrative, physical and technical safeguards the Security Rule requires, weighted by where risk most often concentrates — so you fix what matters first, not what's easiest.
Risk analysis & management
The Security Rule's keystone — and the single finding OCR cites most in breach settlements.
Access & authentication
Who can reach PHI, how that access is proven, and how fast it's revoked.
Encryption & transmission
Protected data secured in transit and at rest, end to end.
Business associate oversight
The third parties touching your PHI — under agreement and actually assessed.
Audit controls & logging
Tamper-evident evidence of who did what, and when, to PHI.
Workforce & contingency
The human safeguards and the ability to recover when something goes wrong.
Assessed by engineers who build the same systems
We evaluate security from inside the architecture, the way an attacker and an auditor both actually see it — not from a questionnaire.
We assess security the way we build it — from inside the systems, not from a questionnaire.
Administrative, physical and technical — tested against the rule, not skimmed.
An inadequate risk analysis is the finding OCR cites most. It's exactly the assessment we specialize in getting right.
A prioritized plan you can execute — not a 200-page PDF that lands in a drawer.
How the assessment works
From scoping your real attack surface to a ranked remediation roadmap — a risk analysis that does what the Security Rule actually asks for.
Start a conversation
01 Scoping & inventory
We map every system, data flow and place PHI actually lives, so the assessment covers your real attack surface — not a sample of it.
- Asset & data inventory
- PHI flow mapping
- System boundaries
- Threat sources
02 Risk analysis
The accurate, thorough risk analysis the Security Rule requires — threats and vulnerabilities identified, likelihood and impact scored, the whole thing on a register.
- Threat & vulnerability ID
- Likelihood × impact
- Risk scoring
- Risk register
03 Safeguard evaluation
We test the administrative, physical and technical safeguards against what the rule actually requires — and find the gaps between policy and reality.
- Administrative review
- Physical controls
- Technical testing
- Control-gap analysis
04 Remediation roadmap
A prioritized, costed plan — what to fix, in what order, and why — handed to you in a form your team can actually execute against.
- Ranked findings
- Remediation plan
- Effort & owners
- Re-assessment path
The safeguards we put under the microscope
Access & authentication
Identity, least privilege, MFA and de-provisioning across every PHI surface.
- Access model
- MFA & SSO
- Privileged access
- Joiner/mover/leaver
Encryption & transmission
Protection of PHI in transit and at rest, and the keys behind it.
- At-rest encryption
- TLS & transport
- Key management
- Endpoint encryption
Audit & logging
Whether you can prove who touched PHI, and would notice if someone shouldn't have.
- Audit logging
- Log integrity
- Monitoring & alerting
- Retention
Workforce & training
The administrative safeguards and human controls behind the technical ones.
- Policies & procedures
- Security training
- Sanctions
- Access management
Device & media
Control over the endpoints and media that store or move protected data.
- Device controls
- Media disposal
- Mobile & BYOD
- Asset tracking
Contingency & recovery
Staying operational and recoverable when an incident or outage hits.
- Backup & recovery
- Continuity plan
- Incident response
- DR testing
Three reasons this lands on your desk
A regulator asking questions, an annual obligation coming due, or a deal that needs a clear read on inherited risk — we scope to whichever brought you here.

Facing an audit or after a breach
OCR is asking questions, or you've had an incident and need to know what's exposed. We run the analysis that stands up to scrutiny and tells you exactly where the risk sits.
- OCR-defensible analysis
- Breach exposure map
- Priority fixes
- Evidence trail
Meeting the yearly obligation
The Security Rule expects an ongoing, updated risk analysis — not a one-time exercise. We run a real one each cycle so the obligation is met and the posture actually improves.
- Annual cadence
- Change-driven updates
- Trend over time
- Audit-ready record
Investors and acquirers
Buying or funding a healthcare business means knowing what HIPAA risk you're inheriting. We give a clear-eyed read on exposure before the deal closes.
- Exposure assessment
- Remediation cost view
- Deal-risk flags
- Clear findings
The difference between a checklist and an analysis
Both are called a “risk assessment.” Only one of them tells you where your real risk is — and survives an OCR investigation.
A generic questionnaire filled in against a template, with no real ranking of risk. It satisfies a procurement form — and almost nothing else.
- Generic template
- No real risk ranking
- Sits in a drawer
- Won't satisfy OCR
A system-specific risk analysis with findings ranked by real risk and a roadmap your team can act on — the kind OCR's guidance actually describes.
- Tailored to your systems
- Risk-ranked findings
- Actionable roadmap
- OCR-defensible
From scope to a roadmap you can run
- Systems, data and the boundary of the analysis.
- Where PHI lives and how it flows.
- Threats, vulnerabilities, likelihood and impact.
- Evaluate the safeguards against the rule.
- Score and prioritize every finding.
- A costed, ordered plan to close the gaps.
Assessment principles we work by
The convictions that separate a risk analysis that protects you from one that just checks a box and waits to be cited.

Real risk, not theater
We assess the risk that could actually cause a breach — not whatever a template happens to ask about.
Rank what matters
Findings ordered by real risk, so you fix the things that move the needle before the things that don't.
Test, don't assume
We verify that controls work as written, because the gap is almost always between policy and reality.
Defensible to OCR
An analysis aligned to OCR's methodology, built to hold up if an investigator ever reads it.
Findings you can act on
Every finding comes with a fix, an owner and an effort — not just a red mark on a spreadsheet.
A roadmap, not a report
The deliverable is a plan you execute against, with a clear path to re-assessment, not a PDF you file away.
HIPAA Security Rule assessment FAQ
Isn't a HIPAA risk analysis just a checklist?
No — and that misconception is exactly what gets organizations cited. OCR requires an accurate and thorough, system-specific risk analysis. A generic checklist doesn't assess your real risk and won't hold up in an investigation, which is why it's the most common finding in breach settlements.
How often do we need one?
The Security Rule treats risk analysis as ongoing — at minimum annually, and again after any significant change to your systems, vendors or operations. We can run it on a cadence so the obligation is continuously met rather than rediscovered before an audit.
Do you fix what you find, or just report it?
Both, if you want. The assessment ends in a prioritized roadmap, and our security and architecture teams can remediate the findings — so assessment and fix live under one roof instead of being handed to yet another vendor.
Will this satisfy OCR?
We produce a risk analysis aligned to OCR's guidance and methodology, documented to be defensible in an investigation. No one can promise an outcome with a regulator, but a thorough, evidenced analysis is exactly what they look for — and exactly what most organizations are missing.
How is this different from a penetration test?
A pen test probes for exploitable holes in specific systems; a Security Rule risk analysis evaluates all of your safeguards — administrative, physical and technical — and ranks organizational risk. They're complementary, and we offer both.
When did you last do a real HIPAA risk analysis?
If the honest answer is “a template, a while ago,” that's the gap OCR looks for. We'll run the analysis that holds up — and hand you a roadmap you can act on.
Talk to our team