Right-sized engagements for healthcare practices that want straight answers.

From a $500 vendor scorecard to a full HIPAA Risk Analysis to ongoing vCISO support — every engagement is independent, plain-language, and delivered through a GRC platform you keep using.

TIER 1

START HERE

Six entry offers from $500 to $900. Designed for practices that want a focused look at one specific question without committing to a larger engagement.

TIER 2

GO DEEP

The flagship Defensible HIPAA Risk Analysis and Governance Implementation Sprint. For practices ready to do the substantive work of putting a real program in place.

TIER 3

KEEP IT GOING

The vCISO Retainer. Steady oversight, monthly tracking, and quarterly reporting for practices that want sustained progress between formal engagements.

TIER 1 — ENTRY OFFERS

Most engagements with Northline start here. Each entry offer answers one specific question and gives you something tangible to act on — a written deliverable you can take to your owner, your insurer, or your next leadership meeting. They’re priced under $1,000 so you can say yes without a procurement conversation, and they’re scoped tightly so you’re not buying a generalist’s wandering opinion.

01.  HIPAA SECURITY SNAPSHOT

$750 flat fee   |   Same-day written summary

A 90-minute structured conversation plus a same-day written summary of your top three security gaps and immediate next steps.

Best for: Practices with no formal security program, those newly concerned after a local incident, or owners uncertain where to start.

What you get: Written Security Snapshot Memo (2–3 pages): top gaps identified, risk level (High / Medium / Low), and 3–5 prioritized next steps.

Natural next step: Defensible HIPAA Risk Analysis

02.  MSP / IT VENDOR SCORECARD REVIEW

$500 flat fee   |   Delivered within 5 business days

An independent review of your current MSP contract and practices — so you know if they’re actually protecting you.

Best for: Practices relying fully on an MSP for IT and security, unsure if the MSP is doing what they say, or facing insurance and payer questions about security.

What you get: MSP Scorecard (1-page summary with ratings across 8–10 critical areas) plus a written narrative memo highlighting gaps, missing protections, and 2–3 questions to bring to your MSP.

Natural next step: HIPAA Security Snapshot or full Risk Analysis

03.  CYBER INSURANCE READINESS CHECK

$650 flat fee   |   Delivered within 5 business days

Prepare for your renewal — know what you’ll be asked and whether your current controls support your answers.

Best for: Practices facing cyber insurance renewal, rising premiums, or insurers requiring updated documentation.

What you get: Cyber Insurance Readiness Summary: current posture vs. insurer expectations, flagged gaps that could affect coverage or claims, and a short list of quick wins to improve position before renewal.

Natural next step: HIPAA Security Snapshot or Governance Sprint

“One gap on a policy application can void a claim. Better to find it now than at the worst possible moment.”

04.  INCIDENT RESPONSE TABLETOP (LITE)

$900 flat fee   |   Summary delivered within 3 business days

A facilitated 2-hour walk-through of your practice’s response to a ransomware or data breach scenario — so the first time isn’t the real thing.

Best for: Practices that have heard about a local ransomware hit and want to stress-test their readiness, or those entering an ongoing retainer relationship.

What you get: Post-Tabletop Summary Memo: scenario overview, key gaps surfaced, roles and decisions that broke down, and 3–5 prioritized recommendations. Suitable for board or owner review.

Natural next step: vCISO Retainer or full Risk Analysis

05.  HIPAA WORKFORCE AWARENESS BRIEFING

$750 flat fee   |   Scheduled at your convenience

A 60-minute staff training session on real-world HIPAA security risks — tailored to how your practice actually operates.

Best for: Practices that have never done formal security awareness training, are onboarding new staff, or are responding to an insurer or payer request for training documentation.

What you get: Customized 60-minute staff briefing (on-site or virtual) covering phishing, device handling, password hygiene, and breach reporting. Includes attendance log template, a 1-page staff reference card, and a facilitator summary memo.

Natural next step: MSP Scorecard Review, Snapshot, or Governance Sprint

06.  PAYMENT SECURITY READINESS REVIEW

$650 flat fee   |   Delivered within 5 business days

A focused conversation about how your practice accepts and handles payment card data — and whether that process creates risk for your patients or your network.

Best for: Practices that accept credit or debit payments and have never formally reviewed how card data flows through their environment, especially where a payment terminal may share a network with an EHR or billing system.

What you get: Payment Security Process Review Memo (2–3 pages): how card data currently flows, observed process gaps, risk observations (especially EHR / network adjacency), and 3–5 practical recommendations. Includes clarifying questions for your payment processor and MSP.

Natural next step: HIPAA Security Snapshot or full Risk Analysis

TIER 2 — FLAGSHIP & SPRINT ENGAGEMENTS

When a practice is ready to move beyond a single conversation and put a real program in place, these are the engagements that do the work. Both produce defensible documentation, ranked priorities, and clear ownership — not a stack of generic templates with your name pasted on.

FLAGSHIP.  DEFENSIBLE HIPAA RISK ANALYSIS

$12,500 single location  •  +$5,000 per additional location   |   3–4 weeks (single location)

An independent, OCR-defensible HIPAA Risk Analysis that translates where ePHI lives and how it could be exposed into a ranked risk register and a clear 90-day remediation plan.

This is the core engagement most practices come to Northline for. You get decision-ready priorities, owners, timelines, and evidence expectations — so leadership can prove safeguards, reduce downtime risk, and move forward confidently without vendor pressure shaping the answer.

Findings are delivered through a GRC platform you keep access to — not a static PDF that goes in a drawer. So your risk register, evidence binder, and remediation tracking stay live and usable for the next audit, insurance renewal, or governance review.

WHAT’S INCLUDED

  • HIPAA-aligned Risk Analysis (OCR defensible)

  • Ranked Risk Register

  • 90-day Remediation Roadmap

  • Executive Summary

  • Board / Owner Briefing

  • Evidence Request and Gap Log

HOW IT RUNS

The engagement runs 40–65 hours of actual work over 3–4 weeks. Discovery and ePHI mapping take the first week. Core analysis against the HIPAA Security Rule requirements that OCR enforces takes the second. The risk register, remediation roadmap, and evidence documentation come together in week three. The final week is review, the executive summary, and a live briefing with leadership or the board.

Natural next step: Governance Implementation Sprint or vCISO Retainer

SPRINT.  GOVERNANCE IMPLEMENTATION SPRINT

$15,000 (paired with Risk Analysis)  •  $25,000 standalone   |   6–8 weeks paired  •  10–12 weeks standalone

A governance-first build-out of policies, controls, vendor practices, and the evidence binder that proves your safeguards are actually operating.

A Risk Analysis tells you what’s wrong. The Governance Sprint puts the structure in place to keep it right. The outcome is plain-English findings and a practical governance cadence — metrics, responsibilities, and a prioritized roadmap — so your organization stops relying on assumptions and starts managing security as an ongoing program. Designed to work even with lean internal IT or an MSP arrangement.

WHAT’S INCLUDED

  • Customized policy set (not template drops — written to how your practice actually operates)

  • Evidence binder structure

  • Assigned ownership across roles

  • Governance cadence setup (meeting and review rhythms)

  • Quarterly metric dashboard template

HOW IT RUNS

Engagement runs 55–80 hours over 6–12 weeks depending on whether you’re paired with a Risk Analysis or running it standalone. The bulk of the time is the customized policy set — not boilerplate, but policies tailored to your EHR, your MSP arrangement, your vendor mix, and your actual workflows. Throughout, you’re building the muscle to run governance as an ongoing practice, not a one-time deliverable.

Natural next step: vCISO Retainer for ongoing oversight

TIER 3 — ONGOING SUPPORT

A Risk Analysis and Governance Sprint produce documentation. Ongoing support produces results. The vCISO Retainer is for practices that want continued forward motion and someone in their corner between formal engagements.

RETAINER.  VCISO RETAINER

$3,500–$4,500 per month   |   6-month minimum

Pragmatic cybersecurity and technology strategy support for practices that need steady progress, not a one-time report.

Through a light monthly cadence and quarterly executive reporting, we track remediation, refresh the risk register, strengthen vendor and incident readiness, and turn security work into measurable outcomes and board or owner decisions. This is independent leadership and accountability that complements your MSP — keeping priorities aligned to patient care, uptime, and what’s actually achievable in a small practice.

WHAT’S INCLUDED EACH MONTH

  • Monthly remediation tracking with status updates and owner follow-through

  • Risk register refresh — new vendors, staff changes, system changes flagged and scored

  • Vendor review (BAAs, new tools, MSP spot-checks)

  • Incident readiness (tabletop prep, response plan review, backup verification)

  • Quarterly executive reporting in board-ready language

  • Async advisory — email questions, quick calls, ad hoc guidance as needed

Typical engagement runs 10–16 hours per month. Light months when things are stable; heavier when something material changes — a new EHR integration, an incident scare, an insurance renewal.

Quick reference for everything above:

Engagement                        Price                       Delivery          Best For
HIPAA Security Snapshot           $750                        Same day          First look at security posture; no formal program yet
MSP / IT Vendor Scorecard         $500                        5 business days   Independent check on what your MSP is actually doing
Cyber Insurance Readiness         $650                        5 business days   Renewal prep; ensuring controls match application answers
Incident Response Tabletop        $900                        3 business days   Stress-testing your response before a real incident
Workforce Awareness Briefing      $750                        Scheduled         Staff training tailored to how your practice operates
Payment Security Review           $650                        5 business days   How card data flows; risk where payment terminals meet EHR
Defensible HIPAA Risk Analysis    $12,500 (single location)   3–4 weeks         OCR-defensible analysis with ranked register and 90-day plan
Governance Implementation Sprint  $15K–$25K                   6–12 weeks        Policies, evidence binder, governance cadence, ownership
vCISO Retainer                    $3.5K–$4.5K per month       6-month minimum   Ongoing oversight; quarterly executive reporting

COMMON QUESTIONS

WHY IS YOUR PRICING VISIBLE? MOST CONSULTANTS HIDE THEIRS.

Because hiding prices forces every visitor into a sales call to find out if they can afford a conversation. That’s not how I want to work, and it’s not how the practices I respect want to buy. The prices on this page are the prices.

HOW ARE YOU DIFFERENT FROM OUR MSP?

Your MSP sells you services and a security stack. I don’t — no referral fees, no vendor partnerships, no commission on anything I recommend. When your MSP audits their own work, you get the answer they’re comfortable giving you. When I audit it, you get the answer.

DO YOU USE ANY TOOLS DURING ENGAGEMENTS?

Yes — and you keep access to them. Risk Analysis and governance work are delivered through an established GRC platform that hosts your risk register, evidence binder, policies, and remediation tracking. That means your findings live in a system you can update, reference for renewals, and hand to an auditor — not in a static report that ages out the day it’s delivered.

What I don’t sell: security products, MSP services, or anything I’d earn a referral fee on. The platforms used during engagements exist to support the work and stay useful to you afterward — not to lock you into a vendor relationship.

DO YOU REPLACE OUR MSP?

No. A good MSP is doing real, valuable work — patching, monitoring, backups, support. My role is independent oversight that complements that work and gives you confidence the right things are actually happening. Most of my clients keep their MSP and run me alongside.

HOW DO YOU HANDLE CONFIDENTIALITY AND BAAS?

Northline executes a Business Associate Agreement with every client before any engagement begins. All work product is yours; nothing is shared with vendors or third parties without your written consent.

CAN YOU WORK WITH PRACTICES OUTSIDE INDIANA?

The base practice is Northern and Central Indiana — roughly a two-hour drive from LaFontaine. Remote engagements with practices elsewhere are case-by-case; reach out and we can talk.

Three ways to start the conversation, depending on where you are:

If you’re new and exploring — Book a 30-minute consultation. No pitch, no pressure. We’ll talk through what you’re actually worried about.

If you have a specific question — Pick the entry offer that fits and we’ll get on a call to scope it.

If you’re ready for a Risk Analysis — Send a note describing your practice (location, EHR, MSP arrangement, staff size) and we’ll talk timing.

© 2026 Northline Advisors. LL