01 / Who this is for

All three rules. One thorough assessment.

Most "HIPAA assessments" cover the Security Rule and call it done. That misses half the law. A complete assessment looks at how PHI is used and disclosed (Privacy), how it's protected (Security), and what happens when something goes wrong (Breach Notification). That's what we do, and that's what OCR expects to see.

A good fit if
  • You're a covered entity (a healthcare provider, dental practice, behavioral health practice, chiropractor, therapist, or health plan) handling protected health information
  • You're a business associate handling PHI on behalf of a covered entity (IT vendor, billing service, transcription, cloud service, etc.)
  • Your insurance carrier has asked you to demonstrate current HIPAA compliance
  • You've received a letter or audit request from the HHS Office for Civil Rights
  • A business associate agreement requires you to maintain documented compliance
  • You're going through M&A due diligence and need to show a defensible compliance posture
  • It has been more than a year since your last HIPAA assessment, or you've never done a comprehensive one
Look elsewhere if
  • You don't handle protected health information and aren't a business associate (consider Complyn Core for a general baseline)
  • You're a non-banking financial services firm under the FTC Safeguards Rule (consider FTC Safeguards)
  • You need a comprehensive, cross-industry framework (consider NIST CSF 2.0)
  • You're looking for a certifying body or auditor producing a HITRUST certification
02 / What's included

Three rules. One assessment.

We assess every standard across the three rules of the HIPAA regulatory framework. Each is evaluated against your actual practice, scored, and explained in plain language. Required implementation specifications must be implemented. Addressable specifications get a documented decision either way (implement, or document why an alternative is reasonable), which is what the rules actually expect.

Security Rule

The Security Risk Analysis required by 45 CFR § 164.308(a)(1)(ii)(A), covering all eighteen standards across Administrative, Physical, and Technical Safeguards. The piece most "HIPAA assessments" focus on — but only the first third of the work.

  • Administrative Safeguards (9 standards)
  • Physical Safeguards (4 standards)
  • Technical Safeguards (5 standards)
  • Required vs. addressable determinations
  • Risk-ranked findings with Security Rule citations
Privacy Rule

How protected health information is used and disclosed, the rights your patients have over their own information, and the documentation that proves you respect both. The part of HIPAA most practices treat as "we have an NPP posted, we're fine." OCR disagrees.

  • Notice of Privacy Practices review
  • Use and disclosure policies
  • Patient access and amendment rights
  • Accounting of disclosures procedures
  • Minimum necessary standard
  • Authorizations and consents
  • Business associate agreement coverage
Breach Notification Rule

What happens when something goes wrong. The procedures, documentation, and decision-making your practice needs in place before a breach happens — not after. The rule most practices have never actually read.

  • Breach response procedures
  • Four-factor risk assessment process
  • Individual notification readiness
  • HHS notification readiness
  • Media notification thresholds
  • Business associate breach handling
  • Incident documentation practices
03 / What you receive

A defensible report. A real conversation.

Every HIPAA compliance assessment produces the same set of deliverables. The report is structured to satisfy what a regulator, auditor, business associate, or insurance carrier would expect to see from a current and thorough HIPAA program.

  1. Written HIPAA compliance report

    A complete written assessment covering all three rules. Each finding includes the relevant regulatory citation, what we observed in your practice, the level of risk, and a specific recommendation. The Security Rule portion satisfies the annual Security Risk Analysis requirement under § 164.308. The Privacy and Breach sections fill the gap most practices don't realize they have.

  2. Risk-ranked remediation roadmap

    Findings ranked by risk, with realistic time and effort estimates for each remediation. What to fix this month, what to address this quarter, and what can reasonably be scheduled longer term. Designed for a practice that has to keep seeing patients while it improves its compliance posture.

  3. One-hour roadmap conversation

    Once you've had time to read the report, we sit down for an hour to walk through the findings, answer questions, and align on next steps. You leave knowing exactly what to do, in what order, and why.

  4. Thirty days of follow-up support

    For thirty days after the roadmap conversation, you can reach us by email or through the Complyn Client Portal with follow-up questions at no charge. We want the engagement to land.

04 / Built to last

Your engagement doesn't end when the report is delivered.

Most compliance work disappears into an inbox. We do it differently. Every Complyn client gets access to the Complyn Client Portal, a dedicated space where your reports, files, and conversations stay organized and accessible for up to three years after the engagement ends.

Three years of access, no extra fee. The platform exists to make compliance something you can return to, not something you have to rebuild every time.

What you get

  • A direct messaging channel to your Complyn team
  • Every report and deliverable we've produced for you, easily accessible and downloadable for three years
  • Our library of compliance framework documentation and implementation guides
  • A secure file exchange for documents that shouldn't move by email
  • Billing history and invoice access in one place
  • Works on any device, anywhere
05 / How long it takes

Most engagements complete in two to four weeks.

From the signed engagement letter to the delivered report. The exact timing depends on how quickly your team can return documents, business associate agreements, and any prior risk analyses, and how soon we can schedule short interviews with the people who actually do the work. Multi-site or multi-entity practices may take longer.

  • Week 1, Discovery: document requests, BAA review, intake meeting, short interviews
  • Week 2, Security Rule analysis: eighteen Security Rule standards assessed, risk levels assigned
  • Week 3, Privacy + Breach analysis: Privacy Rule and Breach Notification Rule procedures assessed
  • Week 4, Delivery + roadmap: report finalized, delivered, and one-hour roadmap call scheduled
06 / Common questions

Things people ask about HIPAA assessments.

Isn't a HIPAA risk analysis enough? Why do I need all three rules assessed?

The Security Risk Analysis is required, and on its own satisfies one specific requirement under the Security Rule (§ 164.308(a)(1)(ii)(A)). It does not, however, satisfy the Privacy Rule or the Breach Notification Rule, both of which apply to every covered entity. When OCR investigates a complaint or a breach, they look at all three. A practice with a strong SRA but no Privacy Rule documentation or Breach Notification procedures is still substantially out of compliance. We assess all three because all three are the law.

Do we actually have to do this, or is it optional?

The Security Rule explicitly requires a written risk analysis, reviewed and updated periodically. The Privacy Rule and Breach Notification Rule both require documented policies, procedures, and workforce training. None of it is optional for a covered entity or business associate. The Office for Civil Rights treats missing or stale compliance documentation as a serious deficiency in nearly every investigation we've seen.

Will this satisfy our insurance carrier or business associate agreement?

In nearly every case, yes. The deliverable is structured to satisfy what carriers and BA partners actually look for: a current, written, comprehensive HIPAA assessment covering all required rules, with documented findings and a remediation plan. If your specific carrier or BA has unique requirements (a particular template, a NIST 800-66 mapping, an OCR-style audit format), tell us in discovery and we can scope to those requirements.

What if OCR is already investigating us?

Tell us right away. An active OCR investigation changes timing, scope, and the kind of documentation the report needs to produce. We've worked engagements alongside OCR responses and can move quickly when the timeline requires it. A current, defensible compliance assessment is one of the most important things you can put in front of an investigator. We won't promise the assessment will resolve the investigation, but a thorough, well-documented assessment combined with a credible remediation plan materially helps your case.

How often does this need to be redone?

The Security Rule doesn't specify an exact cadence, but says the risk analysis must be reviewed and updated "as needed" and that updates should reflect material changes in your environment. The defensible standard most practices land on is annually, with an interim update whenever something significant changes (new EHR, new office location, major staffing change, an incident, or a new business associate relationship). Many of our clients return annually for an updated assessment.

Do you handle the remediation work after the report?

Just the assessment, by design. We don't sell security tools, we don't take vendor commissions, and we don't double as a managed service provider. Our independence is the whole product. If you want ongoing support implementing the roadmap, our Advisory retainer picks up where the assessment ends. For specific remediation work (new EHR security settings, MFA rollouts, encryption projects, policy drafting), we'll recommend vendors and partners who can help.

Will we get a HIPAA certificate or accreditation?

No, and you should be suspicious of anyone offering one. HIPAA is not a certifying framework. There is no "HIPAA certificate" issued by HHS or OCR. What you receive from us is a documented compliance assessment that demonstrates compliance with all three HIPAA rules and provides defensible evidence of due diligence. If you need a formal third-party certification, you may be thinking of HITRUST or SOC 2, which are separate frameworks with separate certifying bodies.

How much does a HIPAA compliance assessment cost?

Pricing depends on the size of your practice, the number of locations, the volume of business associate relationships, and whether you need a fresh assessment or an annual update to an existing one. We provide a written scope and fixed price after a free thirty-minute discovery call. No hidden fees, no commissions, no scope creep without your approval. Schedule an assessment to get a specific quote for your situation.

Trusted by clients

What clients say about working with Complyn

Complyn was upfront with me and helped me understand what I needed to secure my business. I did not feel like they were trying to upsell me any extra features I didn't need. Assuming everything stays this great I feel no need to find another vendor!

Daniel Coley

COO, Kuma-Ko

August 2025

Complyn turned what we dreaded into a smooth process. Their team is sharp, knowledgeable, and kept us informed every step of the way. These guys really understand cybersecurity. Will use them again.

Jonathan Calderwood

IT Director, BFCU

October 2025

We process a large volume of credit card transactions and collect personal information from both our audience and cast members. Complyn performed a thorough assessment of our processes and has been an incredible resource in helping us strengthen our security practices and maintain compliance. Their guidance has given us confidence that sensitive information is being handled securely and responsibly.

Rexburg Community Theatre

Performing Arts Nonprofit

February 2026

They have been very helpful and bring peace of mind in this digital world.

Tyler Christian

CEO, X7 Relight

December 2025


Ready to know where you stand?

Tell us about your practice and what's prompting this. We'll review your request, propose a scope, and set up a free thirty-minute discovery call. No obligation, no scare tactics, no high-pressure sales pitch.