Aegis AI™ · HIPAA Security Risk Analysis

The risk analysis HIPAA requires.
Done, documented, in your inbox.

45 CFR §164.308(a)(1)(ii)(A) makes a Security Risk Analysis Required: not addressable, not optional, for every covered entity and every business associate. Risk-analysis failures appear over and over in OCR enforcement actions. This service produces that document: every safeguard in the Security Rule accounted for, your risks prioritized, and a plan you can act on.

What you receive

  • Full Security Rule accounting: all 68 safeguards in 45 CFR §164 Subpart C, each one addressed in the analysis or explicitly listed as not-asserted-compliant. Nothing un-measured is ever counted as passing.
  • ePHI scope summary: where ePHI is created, received, maintained, and transmitted in your environment, grounded in your intake.
  • Per-safeguard risk register: threat × vulnerability, likelihood, impact, current measures, the remediation step, and the evidence that would validate it.
  • Risk-management plan: the §164.308(a)(1)(ii)(B) follow-on, sequenced 0–30 / 31–60 / 61–90 days.
  • Required vs. Addressable, stated correctly: "Addressable" means implement or document a reasoned alternative. The report never treats it as optional.
  • Board-readable executive summary: plain language an owner, administrator, or compliance officer can hand to counsel or an auditor.

How it works

  • Purchase: Stripe checkout, two minutes. Your intake link arrives by email immediately.
  • Answer short questions about your environment, never patient data: your HIPAA role, where ePHI lives, your EHR and major systems, last documented SRA, locations, business associates. About five minutes. The form collects environment details only: no PHI, ever.
  • Your SRA arrives in your inbox: the analysis runs against the full Security Rule catalog and the PDF lands within minutes of a clean intake.

Who this is for

  • Covered entities: practices, clinics, health plans, and clearinghouses that need the named §164.308 artifact, current, documented, and defensible, without a consulting engagement.
  • Business associates: vendors and service providers handling ePHI for covered entities. The SRA requirement applies to you directly, and your customers' auditors increasingly ask to see it.
$995 one-time

Subscribe to any Aegis AI™ tier within 30 days and the full $995 credits toward your first month. Month-to-month, no long-term contract.

Checkout by Stripe. Intake link arrives immediately after purchase.

Common questions

Is this the document HIPAA actually requires?
Yes. It is the Security Risk Analysis required by 45 CFR §164.308(a)(1)(ii)(A), shaped to the elements OCR's guidance describes: scope, threats and vulnerabilities, current measures, likelihood, impact, and documented results, plus the §164.308(a)(1)(ii)(B) risk-management follow-on.

Do you need access to patient data?
No. The intake collects environment details only: where ePHI lives, never what's in it. The welcome email and the form both say this explicitly.

What if our posture is rough?
Then the SRA is exactly the place where that gets documented honestly. Every safeguard is either addressed in the analysis or listed as not-asserted-compliant, and the 90-day plan sequences the fixes by impact. An honest baseline beats an optimistic one in front of any auditor.

How current does it stay?
The SRA is a point-in-time analysis. HHS expects it to be reviewed as your environment changes. Aegis AI™ subscription tiers keep the underlying posture monitored continuously; the $995 credits toward your first month within 30 days.

Aegis AI™ is a vCISO platform delivered as Agent-as-a-Service. Aegis AI is not a law firm and does not provide legal advice; the Security Risk Analysis is a compliance work product prepared from your intake (and, when connected, read-only telemetry), not an attestation or audit. Audits and attestations are performed by independent firms. ElasticD3M, LLC is a Texas limited liability company.