Phase I: Foundational Information Security Advisory Engagement
Phase I establishes the practice’s baseline information security posture and produces the authoritative Security Risk Analysis required under HIPAA/HITECH and used to support Medicare Promoting Interoperability attestation and insurance underwriting.
This engagement is designed to clarify material risk, align expectations, and establish a defensible position that can withstand regulatory, insurance, and health-system scrutiny.
Phase I typically includes:
Identification of where electronic protected health information (ePHI) exists across systems, workflows, vendors, and access paths
Analysis of reasonably anticipated threats and vulnerabilities relevant to the practice’s environment
Assessment of likelihood and potential impact of identified risks
Review of administrative, technical, and physical safeguards in relation to regulatory and insurance expectations
Evaluation of third-party and vendor risk as it relates to ePHI handling
Development of a documented Security Risk Analysis, including risk prioritization and management decisions (mitigation, acceptance, or deferral)
Summary findings suitable for regulatory inquiry, insurance underwriting, and health-system alignment discussions
Phase I is a fixed-scope engagement and serves as the foundation for our ongoing advisory role.
Phase II: Ongoing Advisory Relationship
Phase II provides continuing advisory oversight to ensure the practice’s information security posture remains current, defensible, and aligned with evolving regulatory, insurance, and operational requirements.
This relationship is intentionally low-touch and judgment-driven, designed to reduce ongoing burden on clinical leadership while preserving continuity and accountability.
Phase II typically includes:
Ongoing advisory availability for information security, regulatory, and insurance-related inquiries
Support for cyber insurance renewals and underwriting questionnaires
Guidance on material changes affecting risk posture, including new systems, vendors, workflows, or affiliations
Periodic review and update of the Security Risk Analysis as circumstances change
Advisory support in the event of security incidents, near-miss events, or external inquiries
Maintenance of documentation sufficient to support audits, attestations, and third-party review
Phase II is structured as a continuing advisory relationship rather than episodic consulting, providing consistent oversight without operational intrusion.
Our advisory model:
Our role:
Bradshire provides independent healthcare cyber risk advisory services focused on regulatory exposure and insurance underwriting readiness. We avoid conflicts of interest by not acting as a managed service provider, IT administrator, or software vendor, and by not selling security tools or monitoring services.
Our role is to provide informed, defensible judgment that helps healthcare practices demonstrate risk maturity to insurers and regulators, operate with confidence, and minimize ongoing operational burden.