HIPAA for healthcare practices

You run the practice. I will handle the HIPAA side.

Most small practices do not have a security team, and they do not need one. What they need is a current risk assessment, their vendor agreements in order, and someone who can answer the Office for Civil Rights (OCR) if it ever calls. I am a cybersecurity engineer with nine years securing banks, insurers, and manufacturers, and I do exactly that for healthcare practices in the Springfield area.

30 minutes·No sales pitch·Red, yellow, green summary you keep

Three things that are easy to put off until they are not.

If you run a small practice, the day in front of you always comes first. These are the questions that sit quietly in the background until a breach, a complaint, or a letter pushes them to the front.

01
The agreements you cannot locate.

Every vendor that touches patient data is supposed to have a signed Business Associate Agreement (BAA) on file. Your billing service, your cloud backup, your IT contractor, the system that sends appointment reminders. If someone asked you to produce all of them today, would you know where they are, or how many you are supposed to have?

02
The assessment that never happened.

A Security Risk Assessment (SRA) is not a form you file once. It is supposed to reflect how your practice handles protected health information (PHI) right now, and it is the first thing the Office for Civil Rights (OCR) asks to see. Most practices either did one years ago and moved on, or never did one at all. In an investigation, those two look the same.

03
What happens if OCR comes knocking.

An investigation rarely starts with the government. It starts with a breach, a complaint, or someone who used to work for you. Once OCR is involved, the opening question is almost always the same. Show me your risk analysis. What you can put on the table in that moment shapes everything that follows.

You do not need to solve all three this week. You do need to know the answer to each one.

The fine is rarely the expensive part.

When a small practice gets investigated, attention goes straight to the dollar penalty. The penalty is usually the smallest line in the story. Here is one that closed in 2025.

OCR enforcement, resolved May 2025
Vision Upright MRI

A small California imaging provider. A server holding patient images was left exposed to an unauthorized party. The records of 21,778 people were involved.

$5,000
Paid to OCR. The part everyone remembers.
2 years
Of a federally monitored corrective action plan. The part that actually costs you.
21,778
People notified of the breach. So was HHS. So was the media.

What triggered all of it was not the breach by itself. It was that the practice had never conducted a risk analysis, the one document OCR asks for first. The $5,000 closes out and is forgotten. The two years of federal oversight, the public breach notice, and the letters to nearly 22,000 patients are the real bill. A current risk assessment is the cheap side of this equation.

Source: U.S. Department of Health and Human Services, Office for Civil Rights press release, May 15, 2025. All figures verified against the primary source.

The risk analysis is now the whole ballgame.

OCR runs a dedicated Risk Analysis Initiative. It reached its 12th enforcement action in February 2026, and OCR's director has said compliance with the risk analysis provision is more essential than ever. The numbers behind that focus:

772
Large breaches reported to HHS in 2025, affecting 138.5 million people. Over 80% traced to hacking and IT incidents.
12
Enforcement actions under OCR's Risk Analysis Initiative as of February 2026. Every one found the same gap: no accurate, current risk analysis.
$2.19M
The 2026 annual penalty cap per violation category. Penalty amounts were raised again in January 2026.
Coming next
The first major Security Rule update in over two decades is pending.

HHS proposed sweeping changes to the HIPAA Security Rule in January 2025: mandatory multi-factor authentication, mandatory encryption of patient data, a required asset inventory, and annual technical testing. The final rule has not been published and the timing is not settled. What is settled is the direction. Practices that put MFA, encryption, and a current risk analysis in place now are ready under either version of the rule, and safer this year regardless.

Source: HHS Office for Civil Rights, HIPAA Security Rule NPRM, published in the Federal Register January 6, 2025. Status current as of July 2026.

Your data flows are not generic. Neither is the work.

Where protected health information lives depends on what you practice. Start with the page for your specialty.

I also work with dermatology, ophthalmology, orthopedics, gastroenterology, mental health, med spas, and surgery centers. If your specialty is not listed, the snapshot call is still the right place to start.

Start with a snapshot. Decide from there.

01
Free risk snapshot

A 30-minute call across the six areas OCR cares about most. You leave with a red, yellow, green summary you can keep. No pitch.

02
Full Security Risk Assessment

An OCR-defensible SRA. A PHI flow inventory, a BAA inventory, the full risk register, a policy gap analysis, and a 30, 60, 90 day remediation roadmap. Signed and dated.

03
Ongoing support, if you want it

A fractional security lead on call for vendor reviews, staff questions, and next year's assessment. Seqora can serve as your designated HIPAA Security Officer. Optional, never required.

A clear read on your practice, in 30 minutes.

If any of the three questions above gave you pause, that is reason enough for a conversation. No cost, no pressure, and you keep the summary either way.

Book your risk snapshot

Or email tony@seqorasecurity.com