HIPAA Security Risk Assessment — Cost, Timeline & Audit-Ready Documentation for Florida Practices
Healthcare IT


May 12, 2026 · 7 min read · Steve Condit — Founder, Simply IT

If you operate a medical or dental practice in North Central Florida, there is a near-100% chance you have something in a binder somewhere with "HIPAA Risk Assessment" written on it. There is also a high chance that document — if you actually read it — is your EHR vendor's 12-question self-attestation, not a real assessment of YOUR practice's environment. The HIPAA Security Rule at 45 CFR 164.308(a)(1)(ii)(A) requires a documented analysis of risks to electronic protected health information (ePHI) in YOUR practice. The EHR vendor's checklist is necessary but not sufficient. This post walks through what a real assessment looks like, what it costs, the timeline, and the documentation OCR actually expects to see during an audit.

Max OCR penalty per violation: $50K
Annual penalty cap, per category: $1.9M
Typical assessment timeline: 30 days
Required HIPAA documentation retention: 6 years

What HIPAA Actually Requires

The HIPAA Security Rule names the requirement explicitly: "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate." This is a written requirement listed as an Administrative Safeguard. It is one of the very first things OCR investigators ask to see when a complaint comes in or a breach is reported.

The Office for Civil Rights publishes a Security Risk Assessment Tool jointly with the Office of the National Coordinator for Health IT — that tool is a useful framework, not a substitute for the assessment itself. The assessment has to cover YOUR systems, YOUR data flows, YOUR vendors, and YOUR physical environment. A generic vendor checklist with no specifics about your practice doesn't satisfy the rule.

// What OCR Looks For First
In every OCR enforcement action we've reviewed, the investigators' first formal document request includes "most recent risk analysis" and "risk management plan implementing the results of that analysis." If you can't produce both, the investigation is already going badly — and your defenses against any subsequent finding are weak. The 2024 OCR settlements consistently penalize the absence of a risk analysis as a separate violation from whatever caused the breach itself.
[Image: HIPAA Security Risk Assessment process for medical and dental practices in North Central Florida]
An EHR vendor checklist is not a HIPAA risk assessment.

The 6 Phases of a Real Assessment

A properly scoped HIPAA Security Risk Assessment for a small or mid-sized practice runs about 30 days from kickoff to final documentation. The work splits into six phases:

Phase 1: Asset & Data-Flow Inventory (Week 1)
Document every system that stores, processes, or transmits ePHI. This means EHR + practice management + imaging workstations + billing systems + email + backup + portable devices + vendor portals. For each, record what data lives there, who has access, and how it flows in and out. Most practices discover 8-15 systems they hadn't mapped before. This inventory becomes the foundation of every subsequent phase.

Phase 2: Threat & Vulnerability Identification (Weeks 1-2)
For each asset, identify what could go wrong: ransomware, lost device, insider exfiltration, vendor breach, physical theft, accidental disclosure, misdirected fax. The OCR-aligned framework requires you to consider both human threats (workforce error, malicious actor) and environmental threats (hardware failure, natural disaster). Each threat is paired with the vulnerabilities that would let it happen.

Phase 3: Likelihood & Impact Rating (Week 2)
Score each threat-vulnerability pair by likelihood of occurrence and potential impact on confidentiality, integrity, and availability of ePHI. This is the "analysis" in "risk analysis." OCR specifically rejects generic risk inventories that don't score and prioritize. Output: a ranked risk register with high / medium / low classification and rationale for each rating.

Phase 4: Existing Control Assessment (Weeks 2-3)
For each risk, document the existing safeguards (technical, physical, administrative) that mitigate it. Test the controls — don't just list them. "We have encryption" is not evidence; the encryption configuration export from the device-management platform is evidence. Identify which controls work, which are partial, and which are gaps.

Phase 5: Risk Management Plan (Week 3)
For each high or medium risk that isn't fully mitigated, document the planned remediation: what control will be implemented, who owns it, what the target date is, what the residual risk is afterward. This becomes the Risk Management Plan, which OCR asks for alongside the risk analysis itself.

Phase 6: Documentation Package & Sign-Off (Week 4)
Bundle everything: asset inventory, threat-vulnerability matrix, scored risk register, control inventory, remediation plan, executive summary, and a sign-off page noting who conducted the assessment, who reviewed it, and when. Date everything. Retain it for at least 6 years per HIPAA's documentation requirement — ideally with annual update notes attached.
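As an added illustration (not the post's own tooling), here is a small Python model of phases 3 through 5: each threat-vulnerability pair gets a likelihood × impact score, only controls that were actually tested with evidence reduce the residual score, and the output is a ranked register plus the subset that must go on the Risk Management Plan. The 1-3 scales, the high/medium/low thresholds and the sample entries are constructed assumptions.

```python
from dataclasses import dataclass, field
LEVEL = {"low": 1, "medium": 2, "high": 3}  # assumed 1-3 ordinal scale (constructed)

@dataclass
class Control:
    name: str
    evidence: str    # e.g. an encryption config export; "" means listed but never tested
    effective: bool  # outcome when the control was actually tested

@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str  # "low" | "medium" | "high"
    impact: str      # on confidentiality / integrity / availability of ePHI
    controls: list = field(default_factory=list)

def classify(score: int) -> str:
    """Map a likelihood x impact score (1..9) to the high / medium / low rating."""
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def inherent_score(r: Risk) -> int:
    return LEVEL[r.likelihood] * LEVEL[r.impact]

def residual_score(r: Risk) -> int:
    """Only controls with evidence that passed testing count; each lowers likelihood one level."""
    proven = sum(1 for c in r.controls if c.evidence and c.effective)
    return max(1, LEVEL[r.likelihood] - proven) * LEVEL[r.impact]

def risk_register(risks: list) -> list:
    """Phase 3/4 output: register ranked by residual risk, keeping the rationale fields."""
    rows = [{"asset": r.asset, "threat": r.threat, "vulnerability": r.vulnerability,
             "inherent": classify(inherent_score(r)), "residual_score": residual_score(r),
             "residual": classify(residual_score(r)),
             "untested_controls": [c.name for c in r.controls if not c.evidence]}
            for r in risks]
    return sorted(rows, key=lambda row: row["residual_score"], reverse=True)

def needs_remediation(register: list) -> list:
    """Phase 5 input: every high or medium residual risk goes on the Risk Management Plan."""
    return [row for row in register if row["residual"] in ("high", "medium")]
# Constructed sample entries for a small practice (not real data)
SAMPLE = [
    Risk("Imaging workstation", "ransomware", "unpatched OS, local admin rights", "high", "high",
         [Control("Endpoint antivirus", "", True)]),  # never tested, so it earns no credit
    Risk("Provider laptop", "lost device", "no verified disk encryption", "medium", "high",
         [Control("BitLocker", "MDM encryption export, May 2026", True)]),
    Risk("Fax line", "misdirected fax", "manual dialing", "medium", "low"),
]
```

Note that the imaging workstation stays "high" even though antivirus is listed: a control without evidence is exactly the "we have encryption" claim the post says OCR will not accept.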

What This Actually Costs

The cost ranges below reflect what we see in the Ocala / Gainesville / The Villages market for a properly scoped, audit-ready engagement. A two-hour vendor checklist exercise costs less — and offers proportionally less protection during an OCR investigation.

| Practice Size | Typical Cost | Scope Notes |
|---|---|---|
| Solo practitioner, 1-3 staff | $1,500 — $3,000 | 1-2 locations, 1 EHR, <10 systems on the inventory |
| Small practice, 4-10 staff | $3,000 — $5,500 | 1-2 locations, imaging or specialty systems add scope |
| Mid-sized practice, 11-25 staff | $5,500 — $9,000 | Multi-provider workflows, 2-3 locations possible |
| Large group, 25-50 staff | $9,000 — $15,000 | Multiple specialties, multi-location, complex vendor ecosystem |
| Bundled with managed IT | Included annually | If you're on a HIPAA-aligned managed IT plan, the annual assessment is part of the engagement |

For context: the average OCR settlement for a small or mid-sized practice in 2024 was in the $50,000-$250,000 range, with the absence of a current risk analysis cited as a separate violation in nearly every published case. The cost of doing the assessment is a small fraction of the cost of not having one when an investigation begins.

"Your practice is the covered entity. The compliance obligation belongs to you. What an IT partner can do is produce the documentation that proves you took the obligation seriously — risk analysis, risk management plan, technical safeguards, training records, BAAs. That documentation is your defense."
Steve Condit, Simply IT

What "Audit-Ready Documentation" Means

If OCR sends you a document request tomorrow, here is what you should be able to produce within their typical 30-day window:

The risk analysis document itself: Dated within the last 12 months, signed by the responsible party, covering the practice's actual environment (not a generic template with your name pasted in).
Risk management plan: Remediation roadmap with owner, target date, and current status for each identified high or medium risk.
Asset and data-flow inventory: List of every system that stores, processes, or transmits ePHI with current configuration notes.
Technical safeguard evidence: Encryption configuration exports, access-control logs, audit-log retention proof, MFA enforcement reports.
Workforce training records: Per-employee completion records for annual security awareness training, with dates and material covered.
Business Associate Agreements: Current signed BAAs for every vendor that handles ePHI — IT provider, EHR, billing, transcription, backup, anyone.
Incident response plan: Written plan covering breach notification procedures, including the 60-day reporting requirement for breaches affecting 500+ individuals.
Annual update notes: Evidence that the risk analysis has been reviewed and updated within the last 12 months, even if no material changes occurred.

How Often You Need to Do This

The Security Rule requires the risk analysis to be reviewed and updated "periodically." OCR's consistent enforcement interpretation is annually at minimum — and immediately after material changes to the environment, including:

New EHR or practice management system implementation
Major changes to your network (new firewall, new VPN, new locations)
Adoption of new cloud services that touch ePHI (Microsoft 365, telehealth, AI tools)
Significant workforce changes (new providers, layoffs, role consolidation)
After any security incident or near-miss, regardless of whether it was reportable
When you take on a new line of service that changes your data footprint
When a major regulation update is published (e.g., HHS guidance on AI in healthcare)

Common Failure Modes

| What Practices Actually Have | What OCR Expects |
|---|---|
| EHR vendor's annual checklist with practice name pasted in | Practice-specific risk analysis covering the full environment |
| A risk analysis from 2019 in a binder | Current analysis dated within the last 12 months |
| "We have firewalls and antivirus" with no further detail | Documented controls per identified risk with evidence of implementation |
| No risk management plan — the analysis exists but nothing followed it | Risk register tied to a remediation plan with owners, dates, and status |
| Training records for some employees, dated whenever | Per-employee completion records with current dates and topic coverage |
| BAA with the IT company but not with the imaging vendor or telehealth platform | Vendor inventory with current BAAs for every vendor handling ePHI |
| Generic incident response template the practice has never read | Practice-specific plan with named roles, contact lists, and a documented test or tabletop exercise |
// Key Takeaway
Your practice owns the HIPAA compliance program — that responsibility cannot be outsourced. What you can outsource is the technical and documentation work that produces the evidence your compliance program needs. A real risk assessment costs a few thousand dollars and takes about 30 days. An OCR investigation without one costs significantly more. The math has been the same for a decade.

Simply IT conducts HIPAA Security Risk Assessments for medical and dental practices across North Central Florida. We follow the six-phase process above, produce the complete documentation package, and sign a Business Associate Agreement with every regulated-industry client. If your last assessment was the EHR vendor's checklist — or you can't find one at all — schedule a free consultation. We'll scope what your specific practice needs and what the timeline looks like.

Related reading: our HIPAA IT checklist covers the seven technical safeguard areas in more depth, and our cyber-insurance controls walkthrough shows how the same evidence package satisfies cyber-insurance underwriting at renewal.

// Written By
STEVE CONDIT
Founder & Owner, Simply IT · US Marine Veteran · 30+ Years IT Experience

Steve Condit founded Simply IT to bring enterprise-grade IT management to small and mid-sized businesses across North Central Florida. With over 30 years of IT experience and a background in the US Marine Corps, Steve built Simply IT around the principle that local businesses deserve the same quality of technology partnership that large companies take for granted — without long-term contracts or national call center support.
