Every medical practice that handles electronic protected health information is required by federal law to have a Security Risk Assessment on file. We produce yours — audit-grade, scored against NIST standards, delivered within 48 hours, and requiring just one call from you. No software to learn. No network scanning. Just documented compliance, handled.
Epic, athenahealth, eClinicalWorks, patient portals, e-prescribing — modern medicine runs on digital systems. Every system that touches patient data is part of your HIPAA obligation.
The Promoting Interoperability component of MIPS now includes a security/risk assessment measure. An SRA report demonstrates compliance and supports your meaningful use attestation.
OCR's Risk Analysis Initiative — launched in late 2024 and still active in 2025 — has produced multiple seven-figure settlements, including a $3M resolution against a national medical supplier that failed to conduct a compliant risk analysis. Risk analysis failures have been cited in the majority of recent HIPAA enforcement actions. When OCR audits, your answer can't be "we haven't done one yet."
Patient portals (secure messaging, online bill pay, results delivery) are required by law to be encrypted, audited, and documented. A thorough SRA identifies gaps in portal security before OCR does.
E-prescribing and telehealth platforms require secure, authenticated access. Remote staff access needs unique user IDs, encryption, and audit logs. Your SRA verifies all of it is in place.
HIPAA requires an annual Security Risk Assessment. Many practices do one and forget. An SRA valid 12 months from today means you'll need another next year. Planning and budgeting start now.
Health plans increasingly request proof of HIPAA compliance during credentialing. An SRA report with attestation letter is the credential insurers want to see.
Our $2,500 all-inclusive package delivers more than most vendors charge $5,000+ for.
Scored assessment of all 44 HIPAA Security Rule implementation specifications plus 6 Privacy Rule requirements. Each finding includes risk level, remediation guidance, and responsible party.
All gaps prioritized by risk (Critical, High, Moderate, Low). Focus on what matters most first. Timeframes for each remediation target included.
55 pre-populated HIPAA policies and procedures. All mapped directly to your assessment findings. Word documents ready to review, modify, and adopt — no starting from scratch.
A professional attestation letter confirming your SRA was completed per NIST SP 800-66. Valid 12 months. Can be shared with payers, business associates, and auditors without disclosing scores.
A scannable, one-page action checklist showing which policies to adopt, which IT changes are critical, and which can wait. Your roadmap, printed.
One live assessment call with you and your team. We walk every requirement, collect the details we need, and score everything on the call. You're done — we handle the rest.
Every practice is different, but patterns emerge. Here are the six most frequent findings in assessments of 1–10 provider practices.
Most practices have never done a formal SRA. Your EHR vendor may have checked a box for you, but OCR considers vendor risk assessments insufficient. You need your own.
Patient portals are often treated as the EHR vendor's responsibility. They're not. Your practice is responsible for portal access control, encryption, audit logs, and breach detection.
Remote staff access via VPN, cloud EHR, or telehealth platform requires encryption in transit and encryption at rest. Many practices skip this, assuming the cloud provider handles it. Auditable proof that it is in place is required.
Billing companies, clearinghouses, cloud hosting providers, IT companies — anyone who touches PHI is a business associate. You need BAAs with all of them. Most practices have half-executed BAAs or none.
When a breach occurs, you have 60 days to notify affected individuals and OCR. A written plan, templates, contact information, and decision-making roles must exist before the breach happens.
HIPAA requires each user to have a unique login. Many small practices use one master EHR login for all front desk staff. This eliminates audit accountability and is a common OCR enforcement target.
Sign your service agreement and answer a short intake questionnaire (basic practice info). 3-5 minutes.
One call with you and your team (IT provider optional but recommended). We walk all HIPAA standards and score in real time.
Within 48 hours, receive your complete report, attestation letter, and 55 pre-populated policies ready to adopt.
All-inclusive. No hidden costs. No subscriptions. One assessment, one price.
Annual renewal: same price, same product. HIPAA requires an annual SRA — your assessment is valid 12 months from delivery.
Yes. We specialize in independent practices of 1-10 providers. Most compliance consultants focus on large health systems (50+ providers). We focus exclusively on the small-practice space where SRA resources are scarce and practices need the most help.
Not directly. We produce HIPAA Security Risk Assessments against the NIST SP 800-66 framework. MIPS Promoting Interoperability requires meaningful use of an EHR — which is outside HIPAA's scope. That said, our SRA often surfaces gaps (missing encryption, no BAAs with vendors, no audit logs) that directly affect your ability to demonstrate meaningful use and interoperability to CMS.
That's fine. Many practices use an EHR for clinical work, a separate PM system for scheduling and billing, a clearinghouse for e-prescribing, and other point solutions for imaging or lab interfaces. We assess your entire environment — all systems and the policies that govern PHI across all of them.
Strongly recommended. The assessment includes questions about encryption, backups, unique logins, access control, and network security. If you have an IT company or MSP managing your infrastructure, they should be on the call. If not, the person responsible for your computers and network should join. If neither is available, we'll collect what we can during the call, and we may follow up afterward for technical clarification.
Yes. HIPAA requires a current Security Risk Assessment on file. Three years is well beyond current. You've likely implemented new technology (cloud-based EHR, telehealth platforms), onboarded new staff, changed vendors or business associates, or updated policies. An SRA from three years ago doesn't reflect your actual compliance state.
Many insurers and health plans now request proof of HIPAA compliance during initial credentialing and recredentialing. An SRA report with an attestation letter (valid 12 months) is professional documentation that demonstrates to payers you've conducted a thorough, documented, NIST-aligned compliance review.
Two ways to start: book a consultation if you have questions, or head straight to onboarding to schedule your assessment.
Clicking below takes you to our onboarding form — service agreement, a short intake questionnaire, and secure payment, all in one step. You'll pick a time for your live assessment call right after.
$2,500 flat rate, all-inclusive
Book Your Assessment →

Not ready to commit? Book a free, no-obligation call to ask questions about the SRA process, what's included, or whether your organization needs one.
No payment required
Schedule a Free Consultation →

Questions? Call us at (732) 576-6302 or email info@structuredcompliance.co