HIPAA consultant or DIY risk analysis: how to decide
A HIPAA consultant is the right call for some practices. DIY risk analysis works well for others. Here is a factual comparison of what each path provides, costs, and requires to produce a defensible result.
By CoreFolio
8-minute read
The HIPAA Security Rule does not specify who must conduct the risk analysis — only that it must be accurate, thorough, and current. A consultant can do that work. So can a practice owner with the right structure, sufficient time, and the discipline to document the methodology. So can guided software designed to walk the user through the process systematically.
What does not satisfy the requirement is a partially completed template, an analysis conducted once and never revisited, or a report that names systems in general terms rather than the practice's actual environment. OCR's investigators read risk analyses, and the failure mode they cite most consistently is not who did the work — it is that the work was either never done or not done with the rigor the regulation requires.
This is a factual comparison of the two primary paths: engaging a HIPAA consultant and conducting the analysis in-house (or with guided software). The aim is to help you match the path to your practice's situation, not to argue that one is superior.
What both paths have in common
The deliverable is the same regardless of who produces it: a written risk analysis report under 45 CFR § 164.308(a)(1)(ii)(A) that identifies the potential risks and vulnerabilities to electronic protected health information (ePHI) held by the covered entity, accompanied by a Risk Management Plan under § 164.308(a)(1)(ii)(B) that documents how those risks will be reduced.
OCR's 2010 final guidance on risk analysis points to National Institute of Standards and Technology (NIST) Special Publication 800-30 as the methodology benchmark.[1] OCR does not mandate a specific methodology, but a consultant-produced analysis and a DIY analysis are evaluated against the same regulatory standard, and a NIST-aligned approach is the one OCR's own guidance describes.
The output — a scoped, structured, dated, methodology-documented analysis — is what matters. The path is how you get there.
The case for a consultant
A HIPAA consultant or compliance firm brings expertise, a defined engagement process, and a defensible methodology that the practice does not have to develop. For specific practice situations, this is the more appropriate path.
When complexity is real
A single-location family practice with one EHR and ten employees has a relatively contained ePHI environment. A multi-location practice — three dental offices on different networks with different imaging systems — has material complexity. So does a behavioral health practice that maintains psychotherapy notes subject to special protections under § 164.508(a)(2), or a practice that accepts Medicare and has recently expanded its telehealth services on a platform the IT vendor selected.
When the environment is complex enough that mapping it accurately requires expertise the practice owner does not have, a consultant's value is immediate and concrete.
Post-incident and post-investigation situations
If a breach has occurred, a ransomware attack has happened, or an OCR investigation is already open, the risk analysis the practice produces will be reviewed by regulators. This is not the time for a first-time, in-house exercise. A consultant in this context provides both the technical depth to conduct a thorough analysis and the documentation discipline that regulatory scrutiny requires.
Significant past gaps
Practices that have operated for years without a compliant risk analysis, without proper business associate agreements (BAAs), or with significant documented gaps in their security posture face a remediation project, not just an annual update. That project often benefits from structured outside help to prioritize the work and document the remediation plan credibly.
When staff capacity is genuinely absent
The office manager is the de facto compliance lead in most small practices. If that person is fully stretched or turns over — a common reality in clinical settings — and there is no viable internal candidate to take the work on, a consultant fills a gap that would otherwise remain open.
The case for DIY (or guided software)
A straightforward, single-location practice with a standard EHR environment, no recent incidents, and a practice owner or office manager who is willing to invest the time can conduct a defensible risk analysis internally. The risk analysis is not conceptually difficult — the methodology is well-documented and publicly available. What it requires is time, discipline, and the willingness to work through it systematically.
Guided compliance software lowers the barrier further. Platforms designed specifically for HIPAA risk analysis provide structured workflows that walk through scope definition, threat identification, vulnerability assessment, likelihood and impact estimation, and documentation — producing a report in a format OCR investigators recognize without requiring the practice to design the process from scratch.
The relevant characteristics of a practice where DIY is appropriate:
- Single location with a contained, well-understood ePHI environment
- Standard EHR with a signed BAA from the vendor
- No recent incidents that would make the resulting analysis subject to regulatory review
- Stable operations — not in a period of major system changes or significant vendor turnover
- Organizational willingness to invest real time in the work: not odd moments squeezed in between patients, but dedicated, uninterrupted blocks set aside to do it accurately
The time investment for a thorough first-pass risk analysis in a small practice is realistic: a focused session to map ePHI systems and identify threats, a second session to assess likelihood and impact, and a final pass to document the methodology and produce the written report. That is three to five hours of concentrated effort for a simple environment — not a trivial commitment, but a manageable one.
For practices with an existing analysis that simply needs an annual update, the ongoing maintenance is lighter: reviewing the previous analysis, updating for system or vendor changes, and confirming that the identified risks are being tracked in the Risk Management Plan.
A factual cost comparison
These figures represent typical ranges based on current market data. Actual costs vary significantly by scope, location, and the specific vendor or consultant.
| Path | Typical cost | What it includes |
|---|---|---|
| Consultant (small practice, 1–15 staff) | $5,000–$25,000/year | Risk analysis, policies, training, BAA oversight, advisory access |
| Consultant (risk analysis only, discrete engagement) | $2,000–$8,000 one-time or annual | Risk analysis and report; may or may not include ongoing support |
| Guided compliance software | $99–$300/month ($1,200–$3,600/year) | Structured workflows, templates, training modules; no advisory access |
| In-house / DIY | Staff time only | No external cost; significant internal time investment |
The smallest OCR settlement under the Risk Analysis Initiative, Vision Upright MRI at $5,000 in May 2025, works out to roughly four years of a software platform subscription at the lower end of the range above, about a year and a half at the upper end, or a few weeks of an office manager's time.[2] That figure is the floor, not the typical outcome. There is no longer a reasonable cost argument for deferring the work.
What neither path guarantees
Two things are worth being explicit about.
A consultant engagement does not substitute for the covered entity's accountability. Under HIPAA, the covered entity is legally responsible for its compliance posture. Engaging a consultant to conduct the risk analysis, develop policies, or provide advisory services does not transfer that responsibility. If OCR investigates, it investigates the covered entity. A consultant who produced a deficient analysis is not a shield against enforcement.
A DIY analysis is only as defensible as its execution. A practice that goes through the motions — downloads a template, fills in some fields, prints and files the result without seriously engaging the methodology — has not conducted a defensible risk analysis. It has produced a document. OCR investigators know the difference. An undated, generic, or incomplete analysis may be treated as no analysis at all.
The standard — accurate, thorough, current — applies to the result, not the method.
A framework for making the decision
Ask three questions about your practice:
1. Is the environment complex? Multi-location, multi-system, behavioral health, substance use, significant past gaps, or recent incident — any of these shifts the needle toward outside help.
2. Is there a person with the time and willingness to own the work? A DIY path requires a designated individual who will actually do it — not delegate it indefinitely, not treat it as something to revisit next quarter. If that person does not exist in the practice right now, an outside engagement is more likely to produce a result.
3. What is the current state? A practice updating an existing, reasonably current analysis is in a different position from a practice that has never done one. The initial production of a compliant analysis from scratch is a larger project than annual maintenance. A consultant adds proportionately more value at the "starting from nothing" stage.
Neither path is inherently superior. A well-executed DIY analysis outperforms a consultant-produced one that was generic, undated, or not specifically scoped to the practice. A consultant adds real value when the complexity or stakes exceed what a self-service approach handles well.
CoreFolio HIPAA produces the work in either case — a guided assessment that produces a dated Risk Analysis Report and Risk Management Plan as downloadable documents, in the NIST SP 800-30 aligned format OCR investigators recognize. That output can stand alone as the practice's documentation, or it can serve as the foundational file a consultant then works from.
Sources
Sources current as of June 2, 2026. This article is educational and does not constitute legal advice. Consult qualified legal counsel for guidance specific to your practice's situation.
Footnotes
1. National Institute of Standards and Technology, Guide for Conducting Risk Assessments, NIST Special Publication 800-30, Revision 1 (September 2012). OCR's 2010 final guidance on risk analysis, Guidance on Risk Analysis Requirements under the HIPAA Security Rule, cites NIST SP 800-30 as the methodology benchmark. https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final
2. U.S. Department of Health and Human Services, Office for Civil Rights, Vision Upright MRI HIPAA Enforcement Action, resolution announced May 2025. Settlement: $5,000 for failure to conduct a risk analysis. Covered conduct: never conducted a risk analysis; 21,778 individuals affected. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/