Most small practices do not have a security team, and they do not need one. What they need is a current risk assessment, their vendor agreements in order, and someone who can answer the Office for Civil Rights (OCR) if it ever calls. I am a cybersecurity engineer with nine years securing banks, insurers, and manufacturers, and I do exactly that for healthcare practices in the Springfield area.
30 minutes·No sales pitch·Red, yellow, green summary you keep
If you run a small practice, the day in front of you always comes first. These are the questions that sit quietly in the background until a breach, a complaint, or a letter pushes them to the front.
Every vendor that touches patient data is supposed to have a signed Business Associate Agreement (BAA) on file. Your billing service, your cloud backup, your IT contractor, the system that sends appointment reminders. If someone asked you to produce all of them today, would you know where they are, or how many you are supposed to have?
A Security Risk Assessment (SRA) is not a form you file once. It is supposed to reflect how your practice handles protected health information (PHI) right now, and it is the first thing the Office for Civil Rights (OCR) asks to see. Most practices either did one years ago and moved on, or never did one at all. In an investigation, those two look the same.
An investigation rarely starts with the government. It starts with a breach, a complaint, or someone who used to work for you. Once OCR is involved, the opening question is almost always the same. Show me your risk analysis. What you can put on the table in that moment shapes everything that follows.
You do not need to solve all three this week. You do need to know the answer to each one.
When a small practice gets investigated, attention goes straight to the dollar penalty. The penalty is usually the smallest line in the story. Here is one that closed in 2025.
What triggered all of it was not the breach by itself. It was that the practice had never conducted a risk analysis, the one document OCR asks for first. The $5,000 closes out and is forgotten. The two years of federal oversight, the public breach notice, and the letters to nearly 22,000 patients are the real bill. A current risk assessment is the cheap side of this equation.
Source: U.S. Department of Health and Human Services, Office for Civil Rights press release, May 15, 2025. All figures verified against the primary source.
OCR runs a dedicated Risk Analysis Initiative. It reached its 12th enforcement action in February 2026, and OCR's director has said compliance with the risk analysis provision is more essential than ever. The numbers behind that focus:
HHS proposed sweeping changes to the HIPAA Security Rule in January 2025: mandatory multi-factor authentication, mandatory encryption of patient data, a required asset inventory, and annual technical testing. The final rule has not been published and the timing is not settled. What is settled is the direction. Practices that put MFA, encryption, and a current risk analysis in place now are ready under either version of the rule, and safer this year regardless.
Source: HHS Office for Civil Rights, HIPAA Security Rule NPRM, published in the Federal Register January 6, 2025. Status current as of July 2026.
Where protected health information lives depends on what you practice. Start with the page for your specialty.
I also work with dermatology, ophthalmology, orthopedics, gastroenterology, mental health, med spas, and surgery centers. If your specialty is not listed, the snapshot call is still the right place to start.
A 30-minute call across the six areas OCR cares about most. You leave with a red, yellow, green summary you can keep. No pitch.
An OCR-defensible SRA. A PHI flow inventory, a BAA inventory, the full risk register, a policy gap analysis, and a 30, 60, 90 day remediation roadmap. Signed and dated.
A fractional security lead on call for vendor reviews, staff questions, and next year's assessment. Seqora can serve as your designated HIPAA Security Officer. Optional, never required.
If any of the three questions above gave you pause, that is reason enough for a conversation. No cost, no pressure, and you keep the summary either way.
Book your risk snapshotOr email tony@seqorasecurity.com