Truvaldi
Compliance Offer · Healthcare

HIPAA Security Risk Assessment — done properly, delivered as a document.

A written HIPAA Security Risk Assessment for small and mid-sized practices. The kind you hand to your cyber insurer, your board, or an OCR examiner without hedging. CISSP-informed methodology, fixed from-price, no retainer.

Price
from $3,500
Scoped to practice size
Timeline
2–3 weeks
From kickoff
Format
Written SRA
Plus review call
What it is

A defensible risk analysis, not a checklist.

A HIPAA Security Risk Assessment (SRA) is the risk analysis required under the HIPAA Security Rule. It is the document OCR asks for first in almost every breach investigation, the document cyber insurers now require at underwriting, and the document that determines whether a subsequent violation is treated as reasonable diligence or willful neglect.

Practices routinely mistake a self-assessment questionnaire, a vendor's compliance certificate, or an outdated 2018 PDF for an SRA. None of those hold up. A defensible SRA identifies the ePHI you hold, the systems that touch it, the threats to those systems, the safeguards in place, the residual risk, and a plan to address it — all in writing, all current.

That is what this offer delivers. Every engagement runs under CISSP-informed methodology, follows the NIST 800-30 / 800-66 risk analysis pattern that OCR examiners are trained on, and produces a document your compliance owner can actually use.

Assessments led by Elija Fayz, CISSP — Certified Information Systems Security Professional
What you get

Deliverables.

Written HIPAA Security Risk Assessment document, formatted for OCR examination
Asset and PHI data-flow inventory (systems, vendors, storage locations)
Vulnerability and threat register with likelihood/impact scoring
Administrative, physical, and technical safeguard gap analysis
Business Associate coverage review (which vendors need a BAA, which have one, which don't)
Prioritized remediation plan with rough level-of-effort estimates
Executive summary suitable for the practice owner and board
60-minute review call with the compliance owner
Who it's for

Practices where an SRA is overdue.

Solo & small group practices

Under 25 staff, no dedicated compliance officer, and the last SRA (if any) was performed years ago.

Medspas & aesthetics practices

Practices that have added AI tooling, patient portals, or new payment processors and don't know if the risk register kept up.

Growing practices adding AI

Anyone introducing automation, AI scribes, chatbots, or new SaaS to a PHI environment. The SRA should precede the deployment, not follow the incident.

FAQ

Common questions.

Is a HIPAA Security Risk Assessment actually required?

Yes. Under 45 CFR § 164.308(a)(1)(ii)(A), every HIPAA-covered entity and business associate is required to conduct an accurate and thorough risk analysis. It's also a prerequisite for most cyber insurance policies, a condition of many Meaningful Use / Promoting Interoperability attestations, and one of the first documents OCR requests during any breach investigation.

How often do we need to redo it?

The regulation says "periodic" — the practical answer is annually, and any time there's a material change: new EHR, new location, new AI or automation tool, a merger, or a security incident. An SRA that's three years old is functionally not an SRA.

Isn't there a free tool from HHS?

Yes, and it's useful. It's also a self-assessment questionnaire, not a risk analysis. It doesn't produce a defensible written document, doesn't inventory your actual systems, doesn't review your BAAs, and doesn't score threats. If you have the time and expertise to run one properly, use it. If you don't, that's what this offer is for.

Do you also fix the gaps?

Optionally. The SRA is a document — it stands on its own and is yours regardless. If the gaps involve automation, integration, or infrastructure we build, we can scope remediation separately. If they involve policies, training, or vendor changes, we'll point you to the right specialist. No lock-in.

Request the SRA.

Tell us about your practice size, EHR, and any recent changes. We respond within one business day with a scoped price and kickoff date.

T

Truvaldi

AI assistant

Online
T

Hey — I'm Truvaldi's AI assistant. Ask me anything about our services, tools, pricing, industries, or process.