HIPAA, implementation-grade.
The Security Rule requires a Security Risk Assessment (SRA), and the Office for Civil Rights expects to see a real one, not a one-page attestation. We perform the SRA, drive remediation, and leave you with documentation that holds up under an OCR audit.
- Rule: HIPAA Security Rule
- Scope: Covered entities and business associates (BAs)
- Output: SRA and remediation roadmap
- Cadence: Annual
What's included
Security Risk Assessment
Full SRA per the Security Rule (the risk analysis required by 45 CFR 164.308(a)(1)(ii)(A)), covering administrative, physical, and technical safeguards.
BAA review
Business Associate Agreements reviewed against your actual data flows and obligations.
Remediation roadmap
Findings ranked by likelihood × impact and by how likely each gap is to be flagged in an OCR audit.
Policy library
HIPAA-specific policies written for your stack and stage.
Workforce training program
Required workforce training built and tracked.
Incident response & breach notification
Breach notification workflow built and tested against the Breach Notification Rule's deadline: notice without unreasonable delay and no later than 60 calendar days after discovery of a breach of unsecured PHI.
Engagement lifecycle
- 01 Weeks 1–3: Risk assessment
  Full SRA covering administrative, physical, and technical safeguards.
- 02 Weeks 3–4: Remediation roadmap
  Prioritized roadmap with realistic timeline and ownership.
- 03 Months 1–6: Remediate
  Controls implemented; policies authored; training launched.
- 04 Annual: Refresh
  SRA refreshed annually or on material change.
What you walk away with
- OCR-audit-defensible Security Risk Assessment
- Remediation roadmap with documented ownership
- Policy library tuned to your stack
- Workforce training operating
- Breach-notification workflow tested against the 60-calendar-day outer deadline
- Annual continuous-improvement cadence