Common questions

HIPAA Compliance FAQs for Small Healthcare Practices

Answers to the questions Maryland dental offices, therapy practices, and small clinics ask us most — about risk assessments, OCR audits, costs, and how compliance actually works for a busy practice without an IT department.

About HIPAA Requirements

Is a HIPAA Security Risk Assessment required for small dental practices?

Yes — regardless of size. Under 45 CFR §164.308(a)(1), every HIPAA covered entity is required to conduct and document a Security Risk Assessment. Dental practices are covered entities, which means the requirement applies whether you have 1 provider or 20.

The risk analysis is also the most commonly cited deficiency in OCR audits. When an investigator opens a case — whether from a complaint or a proactive audit — the first thing they ask for is your documented risk analysis. If you don't have one, or it's outdated, the conversation escalates quickly.

OCR fines for missing or inadequate risk analyses have reached into the hundreds of thousands of dollars for small practices. We help Maryland dental offices complete an OCR-quality risk assessment with a written remediation plan. Book a free consult →

Do therapy and counseling practices need HIPAA compliance?

Yes — therapy practices, counseling offices, and behavioral health clinics face the same HIPAA requirements as any other covered entity. This includes the annual Security Risk Assessment requirement under 45 CFR §164.308, workforce training, Business Associate Agreements with every vendor touching patient data, and written policies and procedures.

Mental health practices often have fewer resources to manage compliance than larger healthcare organizations. That's exactly why we built our services the way we did: fixed pricing, no long-term contracts, and deliverables designed for a practice without an IT department. We serve therapy practices across Maryland, DC, and Baltimore. Book a free consult →

How often should a healthcare practice update its HIPAA risk assessment?

HIPAA requires the risk assessment to be reviewed and updated periodically — and OCR's guidance consistently interprets "periodically" as at least annually for most practices.

You should also update your risk assessment whenever there's a significant change to your environment: adding new systems or devices, switching EHR platforms, onboarding new staff with ePHI access, moving to a new location, or adding remote work capabilities.

Our Managed Security & Monitoring retainer clients receive continuous monitoring plus an annual assessment refresh as part of the service. One-time assessment clients can book an annual refresh at a returning-client rate. Book a free consult →

What does OCR look for during a HIPAA audit of a small practice?

OCR audits and investigations consistently focus on the same core areas:

  • Security Risk Analysis — a documented assessment of risks to ePHI (the #1 missing item in most audits)
  • Policies and procedures — written administrative safeguards under 45 CFR §164.530
  • Workforce training — documented evidence that all staff received HIPAA security training
  • Business Associate Agreements — signed BAAs with every vendor that touches patient data
  • Access controls — who has access to patient records, and how that access is managed
  • Incident response — a documented plan for what happens when something goes wrong

Most small practices in Maryland have none of these fully documented. At Kemeski Systems, we build all of this for you. Book a free consult →

Can a dental or therapy practice be fined without a data breach?

Yes — and this surprises most practice owners. OCR's Right of Access initiative has levied fines against practices that simply failed to give patients timely access to their records. No breach, no hacker, no stolen laptop — just a missed deadline and a complaint.

Fines range from $100 to $50,000 per violation. For a small dental office or therapy practice, a single OCR investigation can cost more than a full year of compliance support. The practices that avoid this aren't the ones with the best IT — they're the ones with documented policies, a completed risk analysis, and trained staff. Book a free consult →

About Our Services

What deliverables do I receive from a HIPAA Security Risk Assessment?

Our HIPAA Security Risk Assessment produces four concrete deliverables:

  • Written Risk Analysis Document — OCR-ready, documenting every identified risk to your ePHI across administrative, physical, and technical safeguard categories.
  • Prioritized Remediation Plan — every finding ranked by severity, with clear guidance on what to fix, in what order, and what "done" looks like.
  • 1-Hour Findings Walkthrough — we sit down with your team, walk through every finding in plain English, and answer questions. No jargon, no 40-page reports nobody reads.
  • 30-Day Follow-Up — we check back in on your highest-priority remediation items to confirm progress.

Everything is written for a practice owner and office manager to understand and act on. Book a free consult →

What is the HIPAA Starter Bundle?

The HIPAA Starter Bundle is our entry offer for new clients — the fastest path from "we think we're compliant" to a documented, defensible HIPAA posture.

It includes: a full HIPAA Security Risk Assessment, an external vulnerability scan, a written remediation plan, a 1-hour findings walkthrough with your team, and a 30-day follow-up check-in. Fixed price. No long-term contract required.

We built it for dental offices and therapy practices that haven't done a formal risk assessment, recently switched EHR systems, added new staff or devices, or just want to know where they actually stand. Book a free consult →

How much does a HIPAA Risk Assessment cost?

Our HIPAA Security Risk Assessment is flat-fee, scoped to the size and complexity of your practice. We don't publish a single price because a solo therapy practice and a 5-provider dental group have different environments — but there are no surprise charges and no hourly billing.

The assessment includes a full administrative, physical, and technical safeguard review; a written OCR-ready risk analysis document; a prioritized remediation plan; and a 1-hour findings walkthrough with your team.

For practices starting from scratch, our HIPAA Starter Bundle combines the risk assessment with an external vulnerability scan at a bundled fixed price. Book a free consult → and we'll give you a clear number for your specific practice.

Are your services month-to-month or do you require a long-term contract?

All of our ongoing plans are month-to-month — no long-term contracts, no pressure. You can cancel any time with written notice.

We believe trust is earned through integrity, not lock-in. Our goal is to be the firm you keep because the service is worth it, not because you're stuck.

One-time services like our HIPAA Risk Assessment and Vulnerability Assessment are flat-fee with no ongoing commitment unless you choose one. Our Managed Security & Monitoring retainer starts after an initial 90-day onboarding period and then goes month-to-month. Book a free consult →

Objections & Misconceptions

Our practice already has an IT provider. Do we still need HIPAA compliance support?

Almost certainly yes — and most IT providers will tell you the same thing.

General IT support keeps your systems running: computers, internet, email, backups. HIPAA compliance is a separate layer that most IT firms are not hired, trained, or equipped to handle. What your IT provider typically doesn't deliver:

  • A documented Security Risk Analysis under 45 CFR §164.308 (required annually)
  • Business Associate Agreement reviews for every vendor touching patient data
  • Simulated phishing training with HIPAA-specific content and audit certificates
  • OCR-ready written policies and procedures
  • Incident response planning and breach notification readiness

We're not here to replace your IT provider. We work alongside them — handling the compliance and security documentation layer they were never hired to do. Book a free consult →

Doesn't our EHR software make us HIPAA compliant?

No — and this is one of the most common misconceptions we encounter.

Your EHR vendor is responsible for making their software HIPAA-compliant. You are responsible for making your practice HIPAA-compliant. Those are two different things.

HIPAA compliance for your practice includes: conducting and documenting your own Security Risk Assessment, training your entire workforce on security awareness, reviewing and signing Business Associate Agreements with every vendor including your EHR, controlling who has access to patient data and how, and having a written breach notification and incident response plan.

None of that comes packaged with your EHR subscription. Your EHR signs a BAA with you — that makes them your business associate. It doesn't make your practice compliant. Book a free consult →

About Kemeski Systems

Is Kemeski Systems a local company?

Yes — we're based in Annapolis, Maryland at 1125 West St, Suite 200, Annapolis, MD 21401.

Kemeski Systems is a veteran-owned cybersecurity and HIPAA compliance firm founded by professionals with backgrounds in military intelligence and national security cybersecurity. We serve small healthcare practices across Maryland, DC, and Baltimore — and when a client needs an on-site visit, we can be there.

We're not a national platform with a call center. When you work with us, you work directly with our team. Call us at (410) 498-4353 or book a free consult →

What is the first step to working with Kemeski Systems?

The first step is a free 30-minute discovery consult — no obligation, no sales pressure.

In that call we'll ask about your practice type, size, current systems, and whether you've had a previous HIPAA risk assessment. From there we give you a clear picture of where you stand and what we'd recommend.

Most new clients start with our HIPAA Starter Bundle: a full risk assessment, external vulnerability scan, written remediation plan, and 1-hour findings walkthrough — all at a fixed price. After that, many practices add our monthly Managed Security & Monitoring retainer.

You can book directly at kemeskisystems.com or call us at (410) 498-4353. We typically schedule consults within 48 hours.

Still have questions?

Ask us directly — the consult is free.

Twenty minutes on a call is faster than reading every FAQ. We'll answer your specific questions and tell you exactly what your practice needs.


Not sure where your practice stands? Let's find out.

Book a free 30-minute discovery consult. We'll tell you exactly what your practice needs — in plain English, with no upsell.
