Your HIPAA Risk Assessment, Done Right — In Three Weeks.
For dental practices, behavioral health, urgent care, PT clinics, and independent physician groups. Federal-grade rigor, right-sized for small practices.
No credit card needed. Free assessment, free roadmap.
What You're Actually Worried About
Small practices are increasingly the target — enforcement is no longer hospital-only.
A single phishing click can wipe out months of revenue and trigger questions on your insurance application.
Most practices can't survive 12 days of lost billing without a backup plan.
What HIPAA Actually Requires
HIPAA doesn't tell you what to buy. That's a feature, not a bug.
The HIPAA Security Rule requires you to assess risks, document safeguards, and implement reasonable protections. It does not prescribe specific technologies, vendors, or products.
That's why most "HIPAA cybersecurity" consultants oversell. They sell you tools you don't need to solve problems you don't have, then leave you with a binder no one understands.
We do it differently. A three-week assessment that maps your practice's actual risks to HIPAA's actual requirements — in plain English. You get an executive summary, a gap report, and a 90-day roadmap. Then you decide what to fix and when.
No tool peddling. No fear-mongering. No 200-page audit reports.
Week 1: Discovery
Stakeholder interviews, evidence collection, vendor inventory
Week 2: Risk Mapping
Map findings to HIPAA citations, prioritize by OCR enforcement history
Week 3: Deliverables
Executive summary, gap report, 90-day roadmap, BAA inventory
Right-Sized for Small Practices
- Executive Summary
- Gap Report with HIPAA citations
- 90-Day Prioritized Roadmap
- BAA Inventory
- HIPAA Tracker (auto-populated from assessment)
- Vendor & BAA management
- Cyber insurance questionnaire pre-fill
- Quarterly executive PDF report
- BAA expiration reminders
- Quarterly review call with partner
- Close top critical gaps identified in assessment
- Encryption rollout
- MFA deployment
- Incident Response Plan development
- BAA cleanup & vendor outreach
Three Weeks. No Surprises.
Discovery
- Stakeholder interviews
- Evidence collection
- Vendor inventory
Risk Mapping
- Map findings to HIPAA Security Rule citations
- Prioritize by OCR enforcement history
- Identify cyber insurance gaps
Deliverables
- Executive Summary + Gap Report
- 90-Day Roadmap
- BAA Inventory
- Optional handoff to Continuous Compliance
Proven in Practice
Case study coming soon. When our first practice customer completes their assessment cycle, their anonymized results will live here: practice type, employee count, key gaps closed, and measurable outcomes like insurance renewal or audit readiness.
Common Questions
Most IT MSPs handle technology operations — patching, backups, helpdesk. They are usually not certified in HIPAA Security Rule analysis or OCR enforcement patterns. We complement, not replace, your MSP.
The Risk Readiness Assessment is the same regardless of practice size. Pricing is flat. Solo practices often have the cleanest assessments because there's less to inventory.
It's a HIPAA-flavored governance, risk, and compliance tool. You log in, see your open findings, track BAA expirations, get reminders, and generate insurance questionnaire pre-fills. Plus a quarterly review call with a GreyLee partner.
No. We assess and remediate, but we do not resell technology vendors. We're vendor-neutral by design.
We can review prior assessments to identify gaps in scope or methodology. Often the issue isn't that no one assessed — it's that the assessment was a checklist exercise without prioritization.