HIPAA Readiness Snapshot
You handle protected health information. Healthcare clients want proof you're HIPAA compliant. We assess your safeguards, review your policies, and show you exactly where the gaps are.
This is for you if:
- Healthcare clients are asking for HIPAA compliance proof
- You're signing BAAs but haven't documented your safeguards
- You've never done a formal HIPAA risk analysis
- You need to know your gaps before a breach forces the issue
What you get
Covered Entity / Business Associate Determination
Clear analysis of your HIPAA classification. Are you a CE, BA, or hybrid entity? We document your specific obligations based on how you handle PHI.
Security Rule Gap Analysis
Comprehensive review across all three safeguard categories—administrative, physical, and technical. We identify what's missing against the 18 standards and 54 implementation specifications.
Privacy Rule Compliance Checklist
Assessment of your Notice of Privacy Practices, authorization forms, minimum necessary policies, and patient rights procedures. We show what needs updating.
Business Associate Agreement Review
Template BAA with all required provisions plus a checklist to evaluate your existing agreements. We identify gaps in your BA coverage.
Risk Analysis Framework
Methodology documentation aligned with HHS/OCR guidance. Includes ePHI inventory approach, threat identification, and risk determination process.
Prioritized Remediation Roadmap
Gaps ranked by risk level with specific recommendations. You'll know what to fix first and what can wait.
The process
8 steps from kickoff to complete HIPAA readiness assessment.
- Submit intake: Online form
- CE/BA analysis: Classification
- Policy review: Documentation
- Security Rule: Gap assessment
- Privacy Rule: Checklist
- BAA review: Templates
- Risk framework: Methodology
- Delivery: Full report
What's included
- Complete Security Rule gap analysis
- Privacy Rule compliance checklist
- CE/BA determination documentation
- BAA template and review checklist
- Risk analysis methodology guide
- Prioritized remediation roadmap
- Policy gap documentation
- Implementation specifications matrix
- 30-day email support
Important
This engagement constitutes an assessment and does not result in certification. The Health Insurance Portability and Accountability Act (HIPAA) has no formal certification program. Compliance is demonstrated through documented policies, procedures, and implemented safeguards.
Security Rule safeguards
HIPAA's Security Rule organizes requirements into three categories. We assess all of them.
Administrative
9 standards
- Security management
- Workforce security
- Access management
- Training
- Incident procedures
- Contingency planning
Physical
4 standards
- Facility access
- Workstation use
- Workstation security
- Device controls
Technical
5 standards
- Access control
- Audit controls
- Integrity controls
- Authentication
- Transmission security
Before vs After
Without assessment:
- Not sure if you're CE or BA
- Signing BAAs without knowing obligations
- No documented risk analysis
- Gaps discovered during breach
- Hoping for the best
With HIPAA Snapshot:
- Clear CE/BA determination
- Know exactly what's required
- Risk analysis methodology documented
- Gaps identified and prioritized
- Ready for OCR questions
Result: You know where you stand
Common questions
How do I know if I'm a Covered Entity or Business Associate?
Covered Entities are healthcare providers who transmit health information electronically, health plans, and healthcare clearinghouses. Business Associates are companies that handle PHI on behalf of CEs—this includes SaaS vendors, cloud providers, billing services, and IT support. If you're signing BAAs with healthcare clients, you're almost certainly a BA. We'll give you a definitive determination.
We're a tech company that serves healthcare clients. Does HIPAA apply to us?
If your software stores, processes, or transmits PHI—patient records, health data, billing information, appointment details—you're a Business Associate under HIPAA. Your healthcare clients are required to have a BAA with you, and you must comply with the Security Rule. This applies even if you never directly interact with patients.
What's the difference between this and a HIPAA audit?
We provide a readiness assessment, not an audit. We identify gaps and document your current state so you know where you stand. There's no formal HIPAA certification—compliance is demonstrated through documentation and evidence. This snapshot gives you that documentation and tells you what needs work before OCR shows up.
What are the penalties for HIPAA violations?
OCR penalties range from $100 to $50,000 per violation, with annual caps of $25,000 to $1.5 million per violation category. Willful neglect with no correction can cost $50,000 per violation. Beyond fines, breaches require notification to affected individuals, HHS, and sometimes media. The reputational damage often exceeds the financial penalties.
Do we need to encrypt everything?
HIPAA requires encryption for ePHI in transit. Encryption at rest is "addressable"—meaning you must implement it or document why an alternative is equally protective. In practice, most organizations encrypt everything because it's the simplest way to demonstrate compliance and avoid breach notification requirements.
What about mental health or substance abuse records?
These records may also be protected under 42 CFR Part 2, which has stricter requirements than HIPAA. Part 2 requires specific patient consent for most disclosures and has different breach notification rules. If you handle this data, we'll identify the additional requirements.
Know where you stand with HIPAA before a breach forces the question.
We assess all three safeguard categories, review your policies, and give you a prioritized gap list. 10 days, $2,490. Then you'll know exactly what needs work.
Get Started