Scope

  • How patient data moves through the organization from intake through storage
  • Systems and applications that store, process, transmit, or expose patient data
  • User access, office processes, physical safeguards, and technical controls
  • Vendors, business associates, backup readiness, and downtime planning

Objectives

  • Identify where patient data and ePHI are created, received, maintained, transmitted, stored, accessed, or shared.
  • Document key patient-data workflows, systems, vendors, users, and devices.
  • Review practical administrative, physical, and technical safeguards protecting patient data.
  • Identify high-priority risks that could lead to exposure, unauthorized access, operational disruption, data loss, ransomware impact, or control failure.
  • Review whether key vendors and business associates are identified and tracked.
  • Review backup, recovery, and downtime readiness at a practical level.
  • Produce a prioritized risk register with recommended actions.
  • Produce a 30/60/90-day or prioritized remediation roadmap.
Pricing

Assessment packages

Choose the assessment depth that matches your organization’s size, complexity, and need for leadership-ready guidance.

Most popular

Essential

Foundational ePHI risk assessment support for small healthcare practices that need to understand security risks and HIPAA Security Rule obligations.

Starting at$1,995/each
  • ePHI Data Flow Review
  • HIPAA Security Rule Gap Analysis
  • System & Vendor Inventory
  • Risk Register
  • Executive Summary Report
  • Findings Review Meeting

Best for

  • Solo practices
  • Dental offices
  • Small clinics
  • Organizations with fewer than 10-15 employees
Most popular

Comprehensive

A leadership-focused assessment for larger or more complex healthcare environments preparing for growth, audits, or strategic security initiatives.

Starting at$4,995/each
  • Everything in Professional
  • Executive Leadership Interviews
  • Security Program Maturity Review
  • Board-Ready Executive Presentation
  • Remediation Workshop
  • Strategic Security Roadmap
  • Quarterly Progress Review

Best for

  • Multi-location practices
  • Healthcare service providers
  • Compliance-sensitive organizations
  • Organizations preparing for audits
Full details

Expand the full service description

Open the full program write-up for the complete breakdown of scope, cadence, deliverables, responsibilities, and exclusions.

ePHI Risk Assessment

Overview

The ePHI Risk Assessment is a focused security review designed to help healthcare organizations understand how electronic Protected Health Information is created, received, maintained, transmitted, stored, and accessed across the business.

The assessment is intended for small healthcare practices, clinics, specialty providers, and healthcare-adjacent organizations that need a practical, plain-language review of patient data risk and HIPAA Security Rule alignment.

The goal is not to create paperwork for its own sake. The goal is to identify meaningful risks, prioritize action, and provide leadership with a clear remediation path.


Assessment Objectives

The ePHI Risk Assessment helps organizations:

  • Identify where ePHI exists across the organization
  • Understand who has access to patient data
  • Review administrative, physical, and technical safeguards
  • Identify security gaps that may increase breach risk
  • Prioritize risks based on likelihood and impact
  • Support HIPAA Security Rule compliance expectations
  • Create a practical remediation roadmap

Scope of Services

1. ePHI Data Discovery Review

Review how patient data moves through the organization.

Activities include:

  • Identify systems that store or process ePHI
  • Review patient intake and registration workflows
  • Review billing, scheduling, and clinical documentation workflows
  • Identify email, file storage, cloud, and device usage involving ePHI
  • Identify vendors and third parties that may handle ePHI

Deliverables:

  • ePHI Data Flow Summary
  • System and Vendor Inventory

2. HIPAA Security Rule Safeguards Review

Evaluate the organization’s safeguards against key HIPAA Security Rule expectations.

Areas reviewed include:

  • Administrative safeguards
  • Physical safeguards
  • Technical safeguards
  • Workforce access practices
  • Security management processes
  • Incident response readiness
  • Backup and recovery practices
  • Business associate oversight

Deliverables:

  • HIPAA Security Rule Review Summary
  • Safeguards Gap Analysis

3. Access and User Management Review

Review how access to patient data is granted, modified, and removed.

Activities include:

  • Review user access processes
  • Review role-based access practices
  • Review inactive account handling
  • Review shared account usage
  • Review password and MFA practices
  • Review termination and role-change procedures

Deliverables:

  • Access Management Findings
  • Recommended Access Control Improvements

4. Policy and Documentation Review

Review existing security documentation and identify missing or outdated materials.

Typical documents reviewed include:

  • Information Security Policy
  • Access Control Policy
  • Incident Response Policy
  • Backup and Recovery Policy
  • Mobile Device Policy
  • Acceptable Use Policy
  • Business Associate Agreement tracking
  • Security awareness training records

Deliverables:

  • Policy Review Summary
  • Documentation Gap List

5. Risk Identification and Analysis

Identify risks that could impact the confidentiality, integrity, or availability of ePHI.

Activities include:

  • Identify threats and vulnerabilities
  • Assess likelihood and business impact
  • Score and prioritize risks
  • Document existing safeguards
  • Recommend remediation actions

Deliverables:

  • Risk Register
  • Prioritized Findings List

6. Remediation Roadmap

Create a practical action plan for reducing risk.

The roadmap includes:

  • High-priority remediation items
  • Recommended owners
  • Suggested timelines
  • Quick wins
  • Longer-term improvement opportunities

Deliverables:

  • Remediation Roadmap
  • Executive Summary

Final Deliverables

At the conclusion of the assessment, the customer receives:

  • ePHI Risk Assessment Report
  • Executive Summary
  • ePHI Data Flow Summary
  • System and Vendor Inventory
  • HIPAA Security Rule Gap Summary
  • Risk Register
  • Remediation Roadmap
  • Policy and Documentation Gap List

Customer Responsibilities

Customer will:

  • Designate a primary point of contact
  • Provide requested documentation
  • Identify key staff for interviews
  • Provide system and vendor information
  • Coordinate access to IT support personnel, if applicable
  • Review findings and approve remediation priorities

Out of Scope

The following services are not included unless separately agreed:

  • Penetration testing
  • Vulnerability scanning
  • Managed IT services
  • Technical remediation implementation
  • Legal advice
  • Breach notification services
  • Digital forensics
  • Security monitoring
  • Cyber insurance claim support
  • Development of custom software or integrations

Typical Assessment Cadence

Activity Timing
Kickoff Call Week 1
Documentation Request Week 1
Staff Interviews Week 1–2
Safeguards Review Week 2
Risk Analysis Week 2–3
Draft Findings Review Week 3
Final Report Delivery Week 3–4
Executive Readout Week 4

Ideal Customer Profile

This service is designed for:

  • Small medical practices
  • Dental offices
  • Therapy and behavioral health providers
  • Specialty clinics
  • Healthcare startups
  • Billing or administrative service providers
  • Organizations that handle patient information but do not have a dedicated security team

Assessment Outcome

By the end of the assessment, leadership should have a clear understanding of:

  • Where patient data exists
  • Which systems and vendors create the most risk
  • Which safeguards are working
  • Which security gaps need attention
  • What actions should be taken first
  • How to demonstrate ongoing HIPAA Security Rule diligence

The ePHI Risk Assessment provides a practical foundation for improving security, reducing patient data risk, and building a more mature compliance program over time.