
How Much Does a HIPAA Risk Assessment Cost? (2026)

HIPAA risk assessments range from $0 (HHS SRA Tool) to $25,000 (full consultant engagement). The honest breakdown by tier, what you actually get, and how to evaluate quotes.

Alexander Perrin · June 30, 2026 · 9 min read

How Much Does a HIPAA Risk Assessment Cost? An Honest Breakdown for 2026

Three independent practices on the same block can pay $0, $2,400, and $18,000 for the same HIPAA risk assessment requirement. None of them are necessarily wrong. They are buying different things — and most are over- or underbuying without realizing it.

The HIPAA Security Rule (§164.308(a)(1)(ii)(A)) requires a covered entity to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information. It does not specify who must perform the assessment, how long it must take, or how much it must cost. The price range across the market reflects that ambiguity.

This guide breaks down what you actually get at each price tier, the hidden costs the quote rarely includes, and how to evaluate whether a $4,000 proposal is a fair deal or a stretch.

The Four Price Tiers

Tier 1: Free — HHS Security Risk Assessment Tool ($0)

The U.S. Department of Health and Human Services publishes a free Security Risk Assessment Tool through ONC and OCR. It runs as a desktop application (Windows, Mac, iOS) and walks you through approximately 150 questions across administrative, physical, and technical safeguards.

What you get: a structured questionnaire, a written report at the end, and a satisfied legal-minimum if the assessment is genuinely thorough.

What you don't: no automation, no continuous monitoring, no integration with your actual systems, no professional sign-off, and a user experience that practices have characterized in OCR interviews as "the reason we stopped doing risk assessments at all." The tool is functional. It is not pleasant.

Best for: solo practitioners with technically capable owners who can dedicate 6-12 hours to working through the questionnaire honestly.

Failure mode: most practices that start with the HHS SRA Tool do not finish it. The half-completed assessment is worse than no assessment in an OCR investigation — it documents that the practice knew the requirement and chose not to satisfy it.

Tier 2: Software-driven — $39 to $99/month

Risk assessment as a software function rather than a one-time deliverable. The assessment runs against your actual systems — vendors, workforce, devices, BAAs, training status — and updates continuously as those change. The HIPAA-required annual deliverable is a documented artifact the software produces; the assessment itself is ongoing.

What you get: a scoped, practice-specific assessment that doesn't rot the day it's signed. Automatic re-assessment when material conditions change (new vendor, new device, terminated employee, new clinical workflow). A documented audit trail that proves the assessment was alive rather than performed once and filed away.

What you don't: a credentialed human signature on the final document. Some OCR investigators prefer to see a named consultant on the assessment. Software-driven assessments do not provide that — they provide a documented methodology and the artifact, but not a person to subpoena.

Best for: practices that want compliance to be operational rather than ceremonial. Particularly strong fit for SMB independent practices that do not have a CISO and cannot justify an annual five-figure consultant engagement.

Tier 3: Consultant-light — $2,000 to $6,000

A one-time engagement with a HIPAA consultant or compliance firm. Remote work, typically 2-4 weeks of elapsed time, 15-30 billable hours. Output is a written assessment, a remediation roadmap, and a signed certification letter on the consultant's letterhead.

What you get: a credentialed professional's name on the document. A point-in-time, defensible assessment that addresses your specific operations. A remediation prioritization that ranks findings by exposure and effort.

What you don't: ongoing coverage. The assessment is accurate the day it's signed. Six months later, when you onboarded a new vendor and three new staff members, the document is stale. The HIPAA requirement to re-assess after material changes does not pause because you have a recent assessment on file.

Best for: a practice that needs the credentialed-signature outcome for board reporting, payer credentialing, or a specific OCR-investigation defense, and that is willing to repeat the engagement annually.

What to verify before signing: the consultant's specific HIPAA credentials (CHPSE, CHPS, HCISPP, or equivalent), whether they carry E&O insurance, sample deliverables from prior engagements, and whether the quoted price includes the remediation roadmap or just the assessment itself. "Just the assessment" without a remediation roadmap is incomplete.

Tier 4: Full consultant engagement — $8,000 to $25,000+

Multi-week consulting engagement, often with on-site days, that covers risk assessment plus deeper compliance program work — policy review, BAA inventory audit, workforce training audit, technical safeguards review, and a remediation work plan. Common output is 50-150 pages of documentation.

What you get: the most thorough version of the deliverable. Defensible against OCR inquiry by a named consultant. Strong fit when a practice is in or recovering from an active OCR investigation, has been notified of an audit, or has just acquired/been acquired and needs a full compliance baseline.

What you don't: cost-effective ongoing monitoring. The engagement is project-shaped. Once the consultant leaves, the practice is back to managing its own compliance until the next annual.

Best for: multi-site practices, practices with revenue >$5M, practices undergoing M&A, practices in active OCR matters, or practices with payer credentialing requirements that demand the deepest version of the deliverable.

Hidden cost watch-out: the bottom of the range ($8,000) usually does not include the on-site days. On-site adds $3,000-$8,000 depending on travel. Verify what's in the base price before assuming the quote covers everything.

What's Actually In a HIPAA Risk Assessment

Knowing what you're paying for matters more than the dollar figure. A thorough HIPAA risk assessment covers seven distinct areas, and a quote that doesn't address all seven is incomplete regardless of price.

  1. Asset inventory. Every device, system, server, and vendor that creates, receives, maintains, or transmits ePHI. Most practices underestimate this by 40-60% on first attempt.
  2. Threat identification. What could go wrong — environmental (fire, flood), human (insider, attacker, accident), technical (failure, exploit), and structural (vendor failure, regulatory change).
  3. Vulnerability assessment. Where your current controls are insufficient against the threats identified. Includes administrative, physical, and technical safeguards.
  4. Risk determination. Likelihood × impact for each vulnerability-threat pair. The output is a prioritized risk register.
  5. Documentation of current controls. What you already do that mitigates risk. Often the most undervalued section — practices have more controls than they document, and OCR reads undocumented as nonexistent.
  6. Remediation roadmap. The plan to close the gaps, with timing and ownership. Without this, the assessment is observation without action.
  7. Management approval and sign-off. The leadership-level acknowledgment that the assessment was reviewed and accepted. OCR specifically looks for this.
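Items 4 and 5 above describe a small algorithm: score every vulnerability-threat pair as likelihood × impact, credit only the controls you can evidence, and sort the result into a prioritized risk register. The following is an added illustration, not code from the article or from Patient Protect; the five-level scales, the reduction each control earns, the rating thresholds, and the four sample findings are all assumptions constructed for the example. The one modelling rule it takes from the text is that an undocumented control counts as nonexistent.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Qualitative scales, assumed for this example (NIST SP 800-30 uses similar
# five-level scales; the exact labels and numbers here are this example's own).
LIKELIHOOD: Dict[str, int] = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT: Dict[str, int] = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Control:
    """A safeguard the practice already operates."""
    name: str
    documented: bool            # is there written evidence this control exists?
    likelihood_reduction: int   # levels it removes from likelihood (assumed scale)


@dataclass
class RiskItem:
    """One vulnerability-threat pair against one ePHI asset."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    controls: List[Control] = field(default_factory=list)


def residual_likelihood(item: RiskItem) -> int:
    """Apply only documented controls: an undocumented control is treated as
    nonexistent, which is how the article says OCR reads it."""
    reduction = sum(c.likelihood_reduction for c in item.controls if c.documented)
    return max(1, LIKELIHOOD[item.likelihood] - reduction)


def rating(score: int) -> str:
    """Map a 1-25 score to a band (thresholds are this example's assumption)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def build_register(items: List[RiskItem]) -> List[dict]:
    """Score every pair (likelihood x impact) and return the register sorted
    highest residual risk first, so the remediation roadmap can follow it."""
    rows = []
    for item in items:
        inherent = LIKELIHOOD[item.likelihood] * IMPACT[item.impact]
        residual = residual_likelihood(item) * IMPACT[item.impact]
        rows.append({
            "asset": item.asset,
            "threat": item.threat,
            "vulnerability": item.vulnerability,
            "inherent": inherent,
            "residual": residual,
            "rating": rating(residual),
            # Controls that exist in practice but have no written evidence:
            # usually the cheapest findings to close (write the policy down).
            "undocumented_controls": [c.name for c in item.controls if not c.documented],
        })
    rows.sort(key=lambda r: (-r["residual"], r["asset"]))
    return rows


# Constructed sample findings for a small practice; none of this is from a real assessment.
SAMPLE_ITEMS = [
    RiskItem("EHR application server", "ransomware", "missing OS patches",
             "likely", "severe",
             [Control("nightly offline backups", documented=True, likelihood_reduction=1)]),
    RiskItem("clinician laptop", "device loss or theft", "full-disk encryption not verified",
             "possible", "major",
             [Control("full-disk encryption", documented=False, likelihood_reduction=2)]),
    RiskItem("billing clearinghouse vendor", "vendor breach", "no signed BAA on file",
             "possible", "moderate"),
    RiskItem("front-desk workstation", "insider snooping", "shared login",
             "likely", "minor",
             [Control("role-based EHR access logging", documented=True, likelihood_reduction=1)]),
]


if __name__ == "__main__":
    for row in build_register(SAMPLE_ITEMS):
        flag = (f"  [undocumented: {', '.join(row['undocumented_controls'])}]"
                if row["undocumented_controls"] else "")
        print(f"{row['rating']:6} {row['residual']:2} (inherent {row['inherent']:2})  "
              f"{row['asset']}: {row['threat']} via {row['vulnerability']}{flag}")
```

Running it prints the register highest residual risk first. Note the laptop: its encryption control would halve the score if it were documented, but because nothing evidences it, the residual equals the inherent risk and the row carries an "undocumented" flag, which is exactly the kind of finding item 5 says practices leave on the table.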

If a quote does not explicitly cover all seven, ask why. The most common gap is #5 (documentation of current controls), because it's the section that requires the consultant to actually examine your operations rather than work from a generic template.

The ROI Math No Consultant Will Show You

The expected cost of a HIPAA breach for an independent practice is the product of three numbers most people don't have at hand. The average healthcare data breach cost $9.77M in 2024 (IBM/Ponemon Cost of a Data Breach Report) — healthcare has been the costliest industry by breach for 14 consecutive years. The average independent practice holds active ePHI for roughly 2,500 to 8,000 patients depending on specialty. The OCR fine schedule for willful neglect starts at $50,000 per violation and tops out at $1.5M per identical violation per year.

A median independent practice's downside on a notifiable breach event — counting notification costs, credit monitoring, OCR fine, business interruption, and reputational impact on patient retention — runs $400,000 to $1.2M. The right framing for the risk assessment cost isn't "what's in the budget for compliance." It's "what's the insurance premium against an unbudgeted six-figure event."

Even at Tier 4 ($25,000), the assessment cost is roughly 2-6% of the expected loss it helps prevent. That math is why even practices that resent the spend usually do it.

Hidden Costs the Quote Doesn't Mention

Three costs sit outside the assessment itself and routinely surprise practices that focused only on the headline quote:

Remediation work. The assessment identifies gaps. Closing them costs money. Budget 1-3x the assessment cost for the remediation work the assessment will reveal — new policies, new training, new vendor BAAs, new technical controls. The assessment is the diagnostic; the treatment is the spend.

Re-assessment after material changes. Hiring a new clinical staff member, onboarding a new vendor, deploying a new EHR module — all trigger the obligation to re-assess. If the model is one-time consultant engagement, the re-assessment is another engagement. If the model is software-driven, the re-assessment is included.

Documentation retention. The assessment, the remediation plan, the sign-off, and the evidence of remediation must be retained for six years per HIPAA. Practices that produce a written assessment and lose track of it during a system migration or staff turnover have effectively wasted the consultant fee.

How to Evaluate a Risk Assessment Quote

Five questions that produce more signal than any single price comparison:

  1. What credentials does the named assessor hold? "HIPAA consultant" is not a regulated credential. CHPSE, CHPS, HCISPP, or equivalent are. Names of certifying bodies matter.
  2. What's in the deliverable list? Insist on seeing a redacted prior deliverable. If the consultant won't show one, the deliverable is generic.
  3. Does the quote include a remediation roadmap? "Just the assessment" without prioritized remediation is incomplete work, regardless of price.
  4. What's the methodology? A good answer references NIST 800-30 or NIST 800-66 explicitly. A bad answer references "industry best practices" without citation.
  5. What happens if OCR shows up? Will the consultant defend their work product? Are they reachable on short notice? Is the engagement letter clear about post-delivery support?

A consultant who answers all five clearly is worth more than the cheapest quote. A consultant who answers any of them with vague language is worth less than the assessment they're proposing to do.

How Patient Protect Approaches This

Patient Protect runs HIPAA risk assessment as an operational function rather than a project. The assessment is scoped to your specific practice — your vendors, your workforce, your devices, your clinical workflows — and stays current as those change. The annual artifact is the output, but the assessment itself is continuous.

For an independent practice, the question that matters is not "how much for one assessment" but "what's the ongoing cost of staying assessed." At $39 to $99 per month, the platform comes in below the annualized cost of any consultant engagement in tiers 3 or 4, and produces a deliverable that does not rot the day it's signed.

For practices that need a credentialed-signature deliverable for a specific board, payer, or regulatory reason, the platform pairs with a consultant engagement rather than replacing it — the consultant's time is spent reviewing and signing a scoped artifact instead of building one from scratch, which lowers the consultant cost by 30-60% in our customers' experience.

The right answer for any given practice depends on what the assessment is for. The cheapest answer is almost never the right one. The most expensive answer is almost never the right one either.


© 2026 Patient Protect LLC. All rights reserved. Content may not be reproduced, scraped, or used to train AI models without written permission. Terms · DMCA