System · Risk Intelligence

Your risk profile, the way risk actually behaves.

Risk recalculates the moment a gap closes. Not at quarter-end. Not when you remember to run a report. The picture is always current.

Start 14-day free trial Or book a demo

Included in Core·Starting at $39/mo

Patient Protect — Risk Intelligence

HIPAA mapping

What this satisfies in the Security Rule.

4 citations, each with the specific Risk Intelligence behavior that satisfies it. The mapping is the receipt — what you can show an auditor without assembling anything new.

§164.308(a)(1)(ii)(A)

Risk analysis

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. Risk Intelligence is that analysis, always current.

§164.308(a)(1)(ii)(B)

Risk management

Implement security measures sufficient to reduce risks to a reasonable and appropriate level. Live risk visibility drives the prioritization of those measures.

§164.308(a)(8)

Evaluation

Perform periodic technical and non-technical evaluations of security safeguards. Risk Intelligence evaluates continuously, exceeding the periodic requirement.

§164.316(b)(2)

Documentation retention

Six-year retention of risk-analysis documentation. Every score change is logged with timestamp and triggering event.

What it does

Risk that moves at the speed risk actually moves.

Periodic risk analysis treats risk as a static thing — assessed, recorded, filed, revisited next quarter. The reality is that risk moves continuously. Workforce changes, vendors come and go, devices arrive, threats emerge. A risk profile that updates quarterly is wrong most of the time.

Risk Intelligence treats risk as the live signal it is. Every SRA response, every closed task, every new device, every BAA state change feeds the risk model. Your three-category score — Administrative, Physical, Technical — recalculates immediately. The picture is always now.

The trend matters. Compliance gets harder when the program goes backward without anyone noticing. Risk Intelligence makes backward movement visible the day it happens — and forward movement just as visible.

How it works

5 mechanisms keep Risk Intelligence working.

Three-category modeling aligned to the Security Rule.

The score breaks into Administrative (§164.308), Physical (§164.310), and Technical (§164.312) safeguards. Each category is scored independently against its specific requirements; the composite weights them appropriately. The structure makes the score auditable.

Continuous recalculation.

Inputs feed the model in real time. Closing an Advice item updates the score within seconds. Adding a workforce member or device updates within seconds. The dashboard reflects current state, not last-batch-job state.

Trend analysis.

The platform retains the score history with daily granularity. The dashboard shows where you are now and where you've been — 30 days, 90 days, 12 months. Practices preparing for audit can demonstrate sustained improvement; practices catching slippage can act before it compounds.

Risk events.

Specific actions register as risk events with explicit impact — “Closed: Encryption-at-rest policy adoption (-2.1 risk score)” or “New: Workstation added without disk encryption (+1.4 risk score).” Every score movement is attributed and explainable.

Category-specific drill-down.

Click a category and see what's driving the score. Open Advice items, current SRA responses, recent risk events, the workforce or systems contributing most to the category's risk. From there, one click to act on any of them.

Who this is for

Built for the practices that need it most.

Practices who've been “compliant” but never sure how compliant.

Compliance status is binary in spreadsheets — yes or no. Live risk scoring shows you the spectrum. You can be 78% with clear priorities to reach 85%, rather than guessing whether yes is holding.

Practices preparing for OCR investigation or audit.

When an investigator asks about your risk analysis, the answer is the dashboard plus its history. The §164.308(a)(1)(ii)(A) documentation is live, dated, and demonstrably continuous.

Practices managing a transition.

A new clinician, a new vendor, an office move, a system migration. Each transition introduces risk that's invisible until something goes wrong. Risk Intelligence makes the transition's risk impact visible the day it lands.

Connected to

No module is an island.

Risk Intelligenceworks because it's connected. Every signal feeds another module; every closure becomes evidence somewhere else.

System layer

Autonomous Compliance Engine

The engine generates tasks from current risk findings; risk scores drive task prioritization.

Learn more

System layer

Live Diagnostics

Your composite compliance score reflects current risk state; the two scores converge as gaps close.

Learn more

Intelligence layer

Financial Exposure Tracker

Risk scores feed the penalty exposure model — risk reduction translates directly into dollar exposure reduction.

Learn more

What you get

5outcomes you'll feel in week one.

Live, not periodic.

Risk picture is always current. No quarterly batch process, no out-of-date reports.

Three-category clarity.

Administrative, Physical, Technical — the same structure auditors expect.

Movement attribution.

Every score change is traceable to a specific event.

Trend visibility.

See where you're improving and where you're slipping before it becomes an issue.

Audit-ready documentation.

§164.308(a)(1)(ii)(A) and §164.316(b)(2) handled architecturally.

FAQ

What people ask first.

6 questions cover most first-time evaluations. See all FAQs →

How is the score calculated?

A weighted aggregation across SRA responses, Advice item state, workforce records, system inventory, BAA state, and incident history. Weights are derived from quantitative risk frameworks and tuned for independent practice contexts. The methodology is documented in the platform's research papers.

Can I customize the weights?

Not in the core algorithm — auditability requires that the methodology be consistent across practices. You can apply practice-specific overrides in specific areas (for example, flagging a vendor as higher-risk than the default), and the overrides are documented in the audit trail.

What if my SRA isn't complete?

The score reflects what's known. Incomplete SRA sections show as “insufficient data” rather than skewing the score upward or downward artificially. The dashboard surfaces the missing sections so completion improves accuracy.

How often does it update?

Continuously. Triggering events update the score within seconds of being recorded.

Is risk score the same as compliance score?

Related but distinct. Risk score measures exposure; compliance score measures program completeness. A practice can be 85% complete on its compliance program but still carry meaningful risk because of vendor or workforce factors. Both scores are visible; both inform decisions.

Can I export the risk history?

Yes. CSV and PDF export both include the score history with attributable events. Useful for board reporting, compliance review meetings, and audit documentation.

Continue exploring

Related features in the platform.

System

Autonomous Compliance Engine

Auto-generates work from your SRA. Closes when conditions are met. No manual check-offs. No missed deadlines.

Learn more

System

Live Diagnostics

A single composite score across every module on the platform. Updated in real time. Present it to auditors, board members, your team — it's always now.

Learn more

Intelligence

Financial Exposure Tracker

Models penalty exposure from your specific gaps against actual enforcement patterns. Compliance translated into the language boards and owners actually plan around.

Learn more

Next step

Risk that's measured the way risk actually moves.

Most practices see their first three-category score within 60 minutes of starting their SRA. The trend line begins from there.

Start 14-day free trial →or book a demo

No contracts. No consultants. Starting at $39/mo.