At minimum. After major changes (new EHR, M&A, breach) — repeat immediately.

Any unauthorized acquisition, access, use, or disclosure of unsecured PHI. 60-day notification rule applies.

Yes with every vendor that touches PHI — IT, billing, shred, cloud, voicemail. Penalties for missing BAAs are severe.

HIPAA Risk Assessment 2026 — The Real Standard

The HIPAA Security Rule (45 CFR 164.308(a)(1)) requires every covered entity and business associate to conduct an accurate and thorough assessment of risks to ePHI. The assessment is the foundation of every other security control.

Related Services

How PF Consulting Firm can help

Healthcare Consulting

Keep reading

More in Healthcare

How to Start an Adult Day Care Center

Opening an Adult Day Care Center requires state licensing, a compliant facility, qualified staff, and (usually) Medicaid enrollment. Here is the complete roadmap.

Read

How to Start a MedSpa

A MedSpa blends esthetic services with medical procedures like Botox and laser. The legal structure matters more than the building — here is how to do it right.

Read

What Is CAQH Credentialing and Why Does It Matter?

CAQH is the universal credentialing database almost every commercial payer uses. A stale profile blocks enrollment.

Read

HIPAA Security Risk Assessment — What's Actually Required

Frequently Asked Questions

How PF Consulting Firm can help

More in Healthcare

How to Start an Adult Day Care Center

How to Start a MedSpa

What Is CAQH Credentialing and Why Does It Matter?

Ready to get started?

Frequently Asked Questions

Annual?

What's a breach?

BAA required?

How PF Consulting Firm can help

More in Healthcare

How to Start an Adult Day Care Center

How to Start a MedSpa

What Is CAQH Credentialing and Why Does It Matter?

Ready to get started?