FIXED-FEE ENGAGEMENTS · NO HOURLY BILLING

Four paths, priced for healthcare procurement.

Every engagement begins with a 30-minute scoping call and a mutual NDA. Within 48 hours of that call we deliver a fixed-fee Statement of Work — no hourly rates, no surprise line items, no scope creep.

HIPAA Security Risk Assessment

$15,000 one-time

The formal Risk Analysis required by the Security Rule, documented and defensible.

3-4 weeks from kickoff to final deliverable
Schedule scoping call

This is the formal Risk Analysis that the HIPAA Security Rule requires every covered entity and business associate to conduct. We produce a scoped, documented, and audit-defensible deliverable that satisfies 45 CFR § 164.308(a)(1)(ii)(A) outright.

Satisfies

  • 45 CFR § 164.308(a)(1)(ii)(A) — Risk Analysis
  • 45 CFR § 164.308(a)(1)(ii)(B) — Risk Management
  • 45 CFR § 164.308(a)(8) — Evaluation

Deliverables

  • ePHI Asset Inventory
    Complete inventory of systems that create, receive, maintain, or transmit ePHI — including data flow diagrams, storage locations, and transmission channels.
  • Threat & Vulnerability Assessment
    Identified threats mapped to your specific environment. Every vulnerability tied to a likelihood and impact rating using a documented methodology.
  • Risk Register
    Spreadsheet-format risk register with inherent risk, control effectiveness, and residual risk scores. Exportable for your GRC platform.
  • Remediation Roadmap
    Prioritized by residual risk. Quick wins, medium-term engineering, and strategic investments separated out with effort estimates.
  • Executive Summary
    Board-ready 10-page summary for your CEO, Chief Compliance Officer, and external counsel.

Scope

  • One production environment + one staging environment
  • Up to 2 mobile applications (iOS, Android)
  • External + authenticated HTTP testing
  • Static evidence review for administrative and physical safeguards

Who it’s for

Digital health startups, telehealth platforms, EHR vendors at Series A+, and any organization that has never had a formal Risk Analysis completed by a third party.

Most common

Annual HIPAA Pentest

$25,000 annual

External + authenticated pentest with evidence-grade reporting for auditors, BAA counterparties, and boards.

2-3 weeks testing + 1 week reporting + retest

The most common engagement. Full external + authenticated penetration test against your production environment, delivered by our 10-agent AI swarm with human review. Output is evidence-grade — suitable for OCR, SOC 2 auditors, HITRUST assessors, and enterprise procurement.

Satisfies

  • 45 CFR § 164.308(a)(8) — Evaluation (periodic)
  • 45 CFR § 164.312(a)(1), (b), (c)(1), (d), (e)(1) — Technical Safeguards
  • SOC 2 CC7.1-CC7.5 — Security evaluation and monitoring
  • HITRUST CSF 09.m — Monitoring system use

Deliverables

  • Full Pentest Report (PDF + Markdown)
    Every finding includes CVSS 4.0 score, CWE mapping, 45 CFR Part 164 citation, reproduction steps, and remediation guidance.
  • Executive Summary
    2-3 page summary written for non-technical stakeholders — suitable for procurement, legal, and board review.
  • Attestation Letter
    Signed letter suitable for sharing with BAA counterparties, payer VMS panels, and hospital procurement teams.
  • Evidence Pack
    Request/response traces, screenshots, and exploit proofs stored in a shareable evidence package.
  • Retest
    One retest round included — remediated findings are re-tested and the report is updated to show remediation confirmed.

Scope

  • One production environment + one staging + one preview
  • Up to 3 mobile applications
  • Up to 5 authenticated roles (admin, clinician, patient, etc.)
  • FHIR / HL7 interface testing included
  • Cloud IAM configuration review included

Who it’s for

Any covered entity or business associate with a production healthcare system, annual renewal obligations, or an active SOC 2 / HITRUST certification process.

Continuous Monitoring

$35,000 per year

Monthly scans + quarterly executive briefings + incident response retainer.

Monthly cadence, quarterly reviews, annual renewal

The Security Rule contemplates an ongoing information system activity review — not a point-in-time snapshot. Continuous Monitoring implements that standard as a service: twelve scheduled scans per year, quarterly executive briefings, and an incident response retainer with an 8-hour SLA.

Satisfies

  • 45 CFR § 164.308(a)(1)(ii)(D) — Information System Activity Review
  • 45 CFR § 164.308(a)(6) — Security Incident Procedures
  • 45 CFR § 164.308(a)(8) — Periodic Evaluation

Deliverables

  • 12 Scheduled Scans Per Year
    Automated scans run monthly. Any critical findings trigger immediate notification. Delta reports show what changed since the last scan.
  • Quarterly Executive Briefings
    30-minute video briefing with your compliance leadership. Trend analysis, emerging risks, remediation velocity.
  • Incident Response Retainer
    8-hour SLA for security incidents. Pre-scoped engagement rate for incident investigation work beyond the retainer cap.
  • Annual Pentest Included
    One Annual HIPAA Pentest engagement is included in the annual fee — no additional charge.
  • Slack / Teams Integration
    Findings routed to your security channel with the HIPAA citation, severity, and fix guidance in-thread.

Scope

  • Monthly automated scans against production
  • Delta analysis between scans
  • Quarterly trend reports
  • Incident response retainer: 8-hour SLA, 40 hours annually

Who it’s for

Healthcare organizations with active development, frequent deployments, multi-tenant architectures, or anyone who has been through an OCR corrective action plan.

BAA-Ready Assessment

$50,000 per engagement

Formal assessment for Business Associates who need to satisfy covered entity diligence.

4-6 weeks from kickoff to attestation letter

When a health system or payer procurement team asks for third-party security evidence before executing a BAA, this is the engagement that produces it. All of the Annual Pentest deliverables, plus an explicit attestation letter, policy evidence review, and procurement-ready documentation format.

Satisfies

  • 45 CFR § 164.308(b)(1) — Business Associate Contracts
  • 45 CFR § 164.314(a) — Organizational Requirements
  • Enterprise procurement diligence standards
  • Optional: HITRUST CSF readiness

Deliverables

  • Everything in the Annual HIPAA Pentest
    Full pentest scope, report, executive summary, evidence pack.
  • Third-Party Attestation Letter
    Formal letter signed by HIPAA Shield attesting to the scope and outcome of the assessment. Formatted for counterparty procurement acceptance.
  • Policy Evidence Review
    Review of your 19 required HIPAA Security Rule policies, with gaps identified and template language provided for remediation.
  • Sub-Processor & BAA Map
    Every sub-processor that touches ePHI mapped to its BAA status and the specific ePHI flows involved.
  • Procurement Support
    Up to 10 hours of support responding to counterparty security questionnaires, VSAQ/CAIQ forms, and follow-up diligence.
  • Optional HITRUST Readiness Add-On
    Gap assessment against HITRUST CSF v11 controls, with remediation roadmap for HITRUST e1 or r2 certification.

Scope

  • Everything in Annual Pentest
  • Review of the 19 required policy documents
  • Sub-processor + BAA mapping
  • Procurement diligence support (10 hours)

Who it’s for

Business Associates selling into hospitals, health systems, payers, state Medicaid agencies, or any buyer with a formal third-party risk management program.

What happens next

Our engagement process

01 · Scoping call

30 minutes. Mutual NDA signed in advance. We map your architecture and identify which tier fits.

02 · Fixed-fee SOW

Within 48 hours of the call. BAA provided if PHI access is in scope. Payment terms: 50% on signature, 50% on delivery.

03 · Testing

We execute against production and staging. You get a daily status email with findings rolled up as they are verified.

04 · Delivery + retest

Final report delivered within one week of testing completion. Retest included — remediated findings reverified.

Not sure which tier fits?

The scoping call is free. We’ll tell you which tier matches your footprint, your compliance obligations, and your procurement counterparties.

Schedule a scoping call