HIPAA enforcement is escalating. The Security Rule is about to require pentesting.
The HIPAA Security Rule has been enforced since 2005. Penalties have escalated year over year, with $12 million in 2024 alone from HHS OCR settlements. The proposed Security Rule update published in December 2024 goes further: it would explicitly require annual penetration testing, specific technical controls, and faster breach response timelines.
Valtik runs HIPAA security assessments for Connecticut healthcare providers recovering from the Yale New Haven Health breach fallout, DFW health-tech SaaS companies handling PHI for thousands of customers, and Business Associates nationwide preparing for OCR audits. Every assessment produces the documents OCR asks for during investigations.
Who this is for
Covered Entities
- Hospitals and health systems
- Physician practices and medical groups
- Dental, vision, and specialty providers
- Health plans and insurers
- Healthcare clearinghouses
- Federally Qualified Health Centers (FQHCs)
- Behavioral and mental health providers
Business Associates
- Telehealth platforms
- Electronic Health Record (EHR) vendors
- Practice management SaaS
- Billing, coding, and revenue cycle services
- Cloud hosting providers handling PHI
- Data analytics and AI platforms processing PHI
- Medical device manufacturers with connected platforms
- Health and wellness apps handling PHI on behalf of Covered Entities
What the assessment includes
Risk analysis (45 CFR 164.308(a)(1)(ii)(A))
This is the foundation document, and the first one OCR asks for during any audit. We produce a documented risk analysis identifying every system processing ePHI, the threats and vulnerabilities to each, and the likelihood and impact of each risk. This is not a one-page executive summary; it is the detailed document OCR investigators read line by line.
Administrative safeguards review (164.308)
- Security management process and workforce training
- Security incident procedures and response planning
- Contingency planning (disaster recovery, emergency operations)
- Evaluation procedures (periodic technical and nontechnical evaluation)
- Business Associate Agreement review and tracking
Physical safeguards review (164.310)
- Facility access controls and validation
- Workstation use and workstation security
- Device and media controls (disposal, re-use, encryption requirements)
Technical safeguards review (164.312)
- Access controls (unique user identification, emergency access, automatic logoff, encryption/decryption)
- Audit controls and log review procedures
- Integrity controls for ePHI
- Person or entity authentication (MFA requirements)
- Transmission security (encryption in transit for ePHI)
Penetration testing of ePHI-handling systems
Active testing of the systems that store, process, or transmit ePHI. Scope includes patient portals, telehealth platforms, EHR integrations, billing systems, and any third-party integrations that receive PHI. We validate findings with working proof-of-exploit and map each finding to the HIPAA Security Rule requirement it affects.
Breach notification readiness
45 CFR 164.404-164.410 requires notification of affected individuals, HHS, and (for breaches affecting more than 500 individuals) the media within 60 days. We evaluate your breach detection capabilities, notification procedures, and incident response runbook.
What the proposed 2024-2026 HIPAA update adds
The Notice of Proposed Rulemaking (NPRM) published December 27, 2024 proposes substantial upgrades to the Security Rule. Key provisions we build into current assessments so you are ready when (not if) it becomes enforceable:
- Annual penetration testing — currently discretionary, proposed as mandatory
- Asset inventory — every system handling ePHI documented with owner, classification, support status
- MFA requirement — phishing-resistant MFA required for privileged access and remote access
- Encryption baseline — encryption required rather than "addressable" for ePHI
- Incident response testing — annual tabletop exercises with documented results
- 24-hour notification for certain breaches — faster timeline than current 60 days for specified categories
HIPAA + state privacy laws in Connecticut and Texas
Connecticut's CTDPA and Texas's privacy and breach notification laws create obligations beyond HIPAA. Health data is treated as a sensitive-data category in most state privacy laws. Our assessments include overlay reviews for:
- Connecticut — CT Public Act 19-196 (breach notification), CTDPA sensitive data category for health data, CT AG enforcement posture
- Texas — SB 2610 safe harbor requirements, Texas Identity Theft Enforcement and Protection Act, Texas Medical Privacy Act additional protections
Timeline and pricing
| Engagement size | Timeline | Price range |
|---|---|---|
| Small practice (under 25 staff, single location) | 3-4 weeks | $8,000 - $18,000 |
| Mid-size practice or group (25-150 staff) | 4-6 weeks | $18,000 - $45,000 |
| Multi-location health system | 6-10 weeks | $45,000 - $120,000+ |
| Health-tech SaaS / Business Associate | 4-8 weeks | $20,000 - $75,000 |
Fixed-price quotes provided after a scoping call. No hourly surprises, no scope creep billing.
Common questions
Is a self-assessment good enough?
OCR's consistent finding in enforcement actions is that self-assessments fail. OCR-qualified third-party assessments produce documentation that survives scrutiny. Self-assessments are better than nothing but do not satisfy the "accurate and thorough" standard in 164.308.
We just had an incident. Can you help with that?
Yes. Post-incident assessments establish root cause, validate remediation, and produce the documentation OCR will request as part of their investigation. We have experience coordinating with breach coaches and HIPAA counsel.
What if we do not have a formal risk analysis yet?
Most practices we work with do not. The assessment produces one. This is the single most important HIPAA document and the most common item OCR cites as missing or inadequate.
