The first hour after an incident matters most — for patients, partners, and your license to practice.
HackFirstAid Medical walks 1–25 provider practices through it in plain language, with no jargon, no procurement headaches, and a clear path through HIPAA, OCR, and your cyber insurer. Free triage, four shipped playbooks, and a North-American + EU regulatory grid.
of HHS OCR Wall-of-Shame entries since 2022 trace back to no documented Security Risk Analysis.
OCR's annual cap on penalties per identical HIPAA violation (Tier 4, willful neglect uncorrected). The floor starts at ~$141 per record.
providers is our hard ICP ceiling. Hospitals, FQHCs, and chains are out of scope by design.
Tell us what just happened. We'll point to the right playbook and the right regulators.
The free triage is always free — no signup, no email gate. Use it during an incident or run it as a tabletop with your team.
Small clinical practices, 1–25 providers.
Family medicine, internal medicine, pediatrics, OB-GYN, dental, optometry, physical therapy, mental health, small surgical specialties. Single location or small multi-site. Owner-operator, practice administrator, or office manager as the buyer — usually with one part-time MSP behind them.
Twelve scenarios. Four shipped, eight on the way.
Written for a Tuesday morning — not for a tabletop binder.
EHR, scheduling, e-prescribing, eligibility, payment posting — all dark while the waiting room fills up. The first hour is patient safety, then operations, then the HIPAA clock.
Change Healthcare is the archetype. When the vendor is down or breached, the practice is still the covered entity in the eyes of OCR — and the patients still expect their refills.
If the device was encrypted and you can prove it, HIPAA's safe-harbor provision often means no breach notification. If you can't prove encryption, the law presumes a breach.
Once inside, attackers send spoofed records requests, payroll-redirect emails to the practice administrator, and patient-impersonation messages aimed at controlled-substance refills.
Claims pipeline stalls, eligibility checks fail, and your downtime billing posture is being tested in real time. A cash-flow event that becomes a regulatory event if it lasts long enough.
The attacker is using the portal to view PHI, send refill requests (especially for controlled substances), or impersonate the patient in messages. Triage, contain, and figure out whether this is one account or many.
Curiosity is the most common motive, and curiosity is still a HIPAA violation. There is no attacker, the staff member meant no harm, and the patient may never find out unless you tell them — which is exactly the problem.
Video, audio, transcripts, chat, and screen-shared documents may have been exposed. Consent, recording, and OCR scope all matter — and patients react more strongly to telehealth breaches because the visit feels personal.
The device may be vulnerable, exploitable, or already compromised. This is a clinical safety event before it is a security event — and the manufacturer's FDA-cleared status constrains what you can do.
Billing service, MSP, transcription vendor, answering service, cloud backup, marketing agency, interpreter service. The 60-day clock starts on you, the covered entity, the moment they tell you. Attribution, BAA enforcement, and patient notification are the next 60 days.
The incident is contained. Now sequence the carrier-mandated IR vendor with the OCR portal, the state AG filings, and the patient notifications. Small practices stumble here on sequencing, not on the work itself.
DEA 21 CFR Part 1311 applies on top of HIPAA. The prescriber's DEA registration is on the line — revocation or suspension is possible in addition to any HIPAA breach implications. The playbook nobody else publishes.
The frameworks that show up on an insurance application.
HIPAA Security, Privacy, and Breach Notification. HITECH. HHS 405(d) HICP. CMS MIPS Promoting Interoperability. DEA EPCS. 42 CFR Part 2. State medical-records laws. PIPEDA and the provincial health-information acts in Canada. NHS DSPT in the UK. GDPR Article 9 in the EU. Cyber insurer questionnaires that decide whether your claim gets paid.
See the full gridAny Medicare-billing practice needs an annual Security Risk Analysis to avoid a Promoting Interoperability payment adjustment. Almost no small practice does one properly. Most OCR fines for small practices on the Wall of Shame trace back to no documented SRA.
5-Minute HIPAA Risk Self-Check.
Ten questions. One page. Tells you in five minutes whether you would survive an OCR information request or whether you have a documentation hole that needs closing this quarter. No email gate.
Designed to fall under most single-quote thresholds.
Free forever for the triage tool and HIPAA self-check. Annual subscriptions for the full library.
- Everything in Free
- All 12 playbooks (4 available now, remainder rolling out through 2026)
- Regulatory updates
- Annual SRA checklist
- BAA included
- Everything in Practice
- BAA included
- Annual tabletop exercise
- Priority incident response (4-hr SLA)
- Insurer questionnaire help
- Named point of contact
Multi-location: location 2 at 60% of base, locations 3+ at 50%. See full pricing →
What practices say.
"We had ransomware on a Friday afternoon and no IT lead in the building. The triage walked our office manager through the first three hours — who to call, what not to touch, and exactly what the 60-day clock meant. Our attorney said the documentation was cleaner than most breaches she sees."
"I run IT for a dozen small clinics. The HIPAA self-check gave me a one-page gap list I could actually hand to a physician-owner without translating it. It's the first vendor tool I've used that respects how thin our staffing really is."
"Our cyber-insurer asked for an incident response plan at renewal. We pulled the playbooks, customized two pages, and the underwriter accepted it. Took an afternoon instead of a $9,000 consulting engagement."
"The BEC playbook caught a wire-fraud attempt against our billing manager the same week we read it. Everyone on staff now knows the dual-approval rule. That alone paid for the year."
Composite examples drawn from practitioner conversations. Identifying details changed.
One cyber-readiness stack. Twelve audiences.
You run a small practice. HackFirstAid also covers your staff at home, the law firms and businesses you work with, your municipality, your schools, the pension administrators and family offices handling lifelong records and real money, and the boards, executives, and IT teams behind them — and the Household portal your paid plan includes for every staff member's family.