Skip to main content
For small clinical practices

The first hour after an incident matters most — for patients, partners, and your license to practice.

HackFirstAid Medical walks 1–25 provider practices through it in plain language, with no jargon, no procurement headaches, and a clear path through HIPAA, OCR, and your cyber insurer. Free triage, four shipped playbooks, and a North-American + EU regulatory grid.

No login required No PHI ever leaves your environment BAA included with paid plan US · CA · UK · EU coverage
Small clinical practices, by the numbers
70%

of HHS OCR Wall-of-Shame entries since 2022 trace back to no documented Security Risk Analysis.

$2.13M

OCR's annual cap on penalties per identical HIPAA violation (Tier 4, willful neglect uncorrected). The floor starts at ~$141 per record.

Under 25

providers is our hard ICP ceiling. Hospitals, FQHCs, and chains are out of scope by design.

Triage in under three minutes

Tell us what just happened. We'll point to the right playbook and the right regulators.

The free triage is always free — no signup, no email gate. Use it during an incident or run it as a tabletop with your team.

Open the triage
Answer 2–5 plain-language questions about what you're seeing in the practice.
Get a printable plan
Matching playbook, first-hour actions, regulator hand-offs for your state or province.
Hand it to your team
Email your administrator, print for your insurer, or work straight from the screen.
Built for

Small clinical practices, 1–25 providers.

Family medicine, internal medicine, pediatrics, OB-GYN, dental, optometry, physical therapy, mental health, small surgical specialties. Single location or small multi-site. Owner-operator, practice administrator, or office manager as the buyer — usually with one part-time MSP behind them.

The playbook library

Twelve scenarios. Four shipped, eight on the way.

Written for a Tuesday morning — not for a tabletop binder.

Ransomware in the middle of a clinic day

EHR, scheduling, e-prescribing, eligibility, payment posting — all dark while the waiting room fills up. The first hour is patient safety, then operations, then the HIPAA clock.

Open
Your EHR or practice-management vendor was breached

Change Healthcare is the archetype. When the vendor is down or breached, the practice is still the covered entity in the eyes of OCR — and the patients still expect their refills.

Open
A laptop, tablet, phone, or USB with patient data is missing

If the device was encrypted and you can prove it, HIPAA's safe-harbor provision often means no breach notification. If you can't prove encryption, the law presumes a breach.

Open
The front desk's email account was taken over

Once inside, attackers send spoofed records requests, payroll-redirect emails to the practice administrator, and patient-impersonation messages aimed at controlled-substance refills.

Open
Included in Practice subscription
Your clearinghouse is down

Claims pipeline stalls, eligibility checks fail, and your downtime billing posture is being tested in real time. A cash-flow event that becomes a regulatory event if it lasts long enough.

Included in Practice subscription
A patient's portal account has been taken over

The attacker is using the portal to view PHI, send refill requests (especially for controlled substances), or impersonate the patient in messages. Triage, contain, and figure out whether this is one account or many.

Included in Practice subscription
A staff member viewed a chart they had no business viewing

Curiosity is the most common motive, and curiosity is still a HIPAA violation. There is no attacker, the staff member meant no harm, and the patient may never find out unless you tell them — which is exactly the problem.

Included in Practice subscription
Your telehealth platform reported a breach

Video, audio, transcripts, chat, and screen-shared documents may have been exposed. Consent, recording, and OCR scope all matter — and patients react more strongly to telehealth breaches because the visit feels personal.

Included in Practice subscription
A connected medical device was flagged in a CISA or FDA alert

The device may be vulnerable, exploitable, or already compromised. This is a clinical safety event before it is a security event — and the manufacturer's FDA-cleared status constrains what you can do.

Included in Practice subscription
A vendor that handles your PHI had a breach

Billing service, MSP, transcription vendor, answering service, cloud backup, marketing agency, interpreter service. The 60-day clock starts on you, the covered entity, the moment they tell you. Attribution, BAA enforcement, and patient notification are the next 60 days.

Included in Practice subscription
Coordinating the carrier IR vendor with the OCR portal filing

The incident is contained. Now sequence the carrier-mandated IR vendor with the OCR portal, the state AG filings, and the patient notifications. Small practices stumble here on sequencing, not on the work itself.

Included in Practice subscription
A prescriber's EPCS credentials or hard token were compromised

DEA 21 CFR Part 1311 applies on top of HIPAA. The prescriber's DEA registration is on the line — revocation or suspension is possible in addition to any HIPAA breach implications. The playbook nobody else publishes.

Regulatory grid

The frameworks that show up on an insurance application.

HIPAA Security, Privacy, and Breach Notification. HITECH. HHS 405(d) HICP. CMS MIPS Promoting Interoperability. DEA EPCS. 42 CFR Part 2. State medical-records laws. PIPEDA and the provincial health-information acts in Canada. NHS DSPT in the UK. GDPR Article 9 in the EU. Cyber insurer questionnaires that decide whether your claim gets paid.

See the full grid
The MIPS hook

Any Medicare-billing practice needs an annual Security Risk Analysis to avoid a Promoting Interoperability payment adjustment. Almost no small practice does one properly. Most OCR fines for small practices on the Wall of Shame trace back to no documented SRA.

Free lead magnet

5-Minute HIPAA Risk Self-Check.

Ten questions. One page. Tells you in five minutes whether you would survive an OCR information request or whether you have a documentation hole that needs closing this quarter. No email gate.

Pricing

Designed to fall under most single-quote thresholds.

Free forever for the triage tool and HIPAA self-check. Annual subscriptions for the full library.

Free
$0forever
  • Triage tool
  • HIPAA self-check
  • Phase 1 playbooks (4)
Start free triage
Most popular
Practice
US$597/ year · or US$59 / month
  • Everything in Free
  • All 12 playbooks (4 available now, remainder rolling out through 2026)
  • Regulatory updates
  • Annual SRA checklist
  • BAA included
See plan details →
Practice + Retainer
US$1,997/ year · or US$199 / month equivalent
  • Everything in Practice
  • BAA included
  • Annual tabletop exercise
  • Priority incident response (4-hr SLA)
  • Insurer questionnaire help
  • Named point of contact
Book a call →

Multi-location: location 2 at 60% of base, locations 3+ at 50%. See full pricing →

From the field

What practices say.

"We had ransomware on a Friday afternoon and no IT lead in the building. The triage walked our office manager through the first three hours — who to call, what not to touch, and exactly what the 60-day clock meant. Our attorney said the documentation was cleaner than most breaches she sees."
Practice Administrator 8-provider primary care, Ohio
"I run IT for a dozen small clinics. The HIPAA self-check gave me a one-page gap list I could actually hand to a physician-owner without translating it. It's the first vendor tool I've used that respects how thin our staffing really is."
MSP Owner Healthcare-focused MSP, Midwest
"Our cyber-insurer asked for an incident response plan at renewal. We pulled the playbooks, customized two pages, and the underwriter accepted it. Took an afternoon instead of a $9,000 consulting engagement."
Office Manager 3-provider dermatology clinic
"The BEC playbook caught a wire-fraud attempt against our billing manager the same week we read it. Everyone on staff now knows the dual-approval rule. That alone paid for the year."
Managing Partner 5-provider OB/GYN group, Texas

Composite examples drawn from practitioner conversations. Identifying details changed.

The HackFirstAid family

One cyber-readiness stack. Twelve audiences.

You run a small practice. HackFirstAid also covers your staff at home, the law firms and businesses you work with, your municipality, your schools, the pension administrators and family offices handling lifelong records and real money, and the boards, executives, and IT teams behind them — and the Household portal your paid plan includes for every staff member's family.