For owners of clinics

Cybersecurity built for clinic owners — not hospital CIOs.

You're not Cleveland Clinic. You don't have a CISO. You don't need enterprise tools. You need someone who handles HIPAA plus the AI scribe vendors plus the daily IT — without sending you a 60-page report you don't have time to read.

This page is the owner version of the conversation: the five ways clinics in your size band actually get hit, what it costs when it happens, the regulatory edges that don't care that you're small, and what we do for clinics like yours.

By Stefan Efros, CEO & Founder, EFROS · Reviewed by Daniel Agrici, Chief Security Officer, EFROS

The shift

Why owners of clinics are getting hit more, not less

Ten years ago a small clinic was below the radar. Attackers wanted hospital systems and payers. Today the calculation has flipped: small clinics carry the same PHI, depend on the same cloud EHRs, and have a fraction of the security spend. Automated ransomware kits don't care that you're 4 providers — they price the ransom to what they think your weekly billing is, and they're usually right.

The new wave isn't just ransomware. AI scribes adopted in 2024-25 created a generation of clinical software that processes PHI under terms most clinic owners never read. The Section 1557 final rule (effective July 2024) and the Colorado AI Act (effective February 2026) layer documentation and non-discrimination duties on top of HIPAA — even for small practices that thought regulators wouldn't get to them.

Industry stat: HHS-OCR opened 678 audits in 2024 — and 70% were triggered by individual patient complaints, not random selection. Healthcare data breaches averaged $10.93M and grew 18% year-over-year per the IBM 2024 Cost of a Data Breach Report.

The five ways clinics get hit

The 5 ways clinics get attacked

From the incident pattern across the clinics we've worked with and the public OCR resolution agreements published 2022-2025.

Phishing of front-desk and MA staff

A spoofed payer email lands at 8:47am, your scheduler clicks the link, and an attacker is inside your tenant by 9:00. Most clinic breaches start at the front desk — not the EHR.

Ransomware on the EHR or practice-management system

You arrive Monday, the schedule is gone, eClinicalWorks/Athena/NextGen won't load, and a note demands $180k in Bitcoin. Two weeks of paper charts and rebooked appointments — if you're lucky.

AI scribe BAA gaps

Your providers love Abridge, Suki, DAX, Heidi. But did anyone execute the BAA? Did anyone audit whether the free tier sends notes to a model that trains on them? An OCR investigator will ask.

Insider data theft from a departing MA or NP

The MA who gave notice on Friday exported 3,200 patient records to a personal Google Drive on Thursday. You find out six months later when a competitor clinic across town starts calling your patients.

HIPAA breach notification missteps

Something happened. You don't know if it's reportable. The 60-day clock under 45 CFR §164.404 started running the moment a member of your workforce became aware. Most clinics miss the clock because nobody told them it started.

What it costs when it happens

Best, average, worst — the dollar reality

Modeled on the public OCR-published settlements, published incident reports, and the work we've done for clinics in the 2-30 provider range. Your number depends on your size, your insurance, and your preparation. Use the calculator for a personalized estimate.

Best case

Insured + prepared

$15k – $80k

You have current cyber insurance with no AI exclusion. The incident is detected in hours. BAAs are in place. Notification is clean. Deductible + minor downtime + a forensic invoice.

Average case

Partial preparation

$120k – $450k

Insurance covers some. You're closed 5-10 business days. OCR opens a desk audit on a patient complaint. Notification to 8,000 patients + credit monitoring. A handful of patients walk.

Worst case

Unprepared

$650k – $2.2M

No insurance or coverage denied for AI exclusion. Ransomware shuts you for 3+ weeks. OCR resolution agreement + corrective action plan. State AG notification. Class action threatened. 18% of patient base churns.

Ranges are illustrative. For a personalized estimate calibrated to your revenue, headcount, and current insurance, run the Cost-of-Getting-Hit calculator.

The edges that don't care you're small

Clinic-specific risk highlights

1. HIPAA breach notification clock — 60 calendar days from workforce discovery under 45 CFR §164.404, regardless of size
2. HHS-OCR audits — 678 opened in 2024; 70% triggered by patient complaints, not random selection
3. Section 1557 algorithmic non-discrimination — applies to any clinical AI that materially informs treatment for patients in federal programs
4. Departing-staff risk — exit-day account disable is not optional; document it in your sanction policy
5. State breach laws stack on top — CA, NY, TX, WA, IL, CO and 40+ others add their own clocks and AG-notification thresholds
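The departing-staff point above is the one a clinic can check for itself in minutes. Below is an added example (not EFROS's tooling, and not tied to any particular EHR or identity provider) that reconciles what HR says about last days against an export of user accounts and flags any leaver whose account is still enabled after their exit date, calling out separately those accounts that signed in after the last day. The roster, the account rows, the email addresses and the dates are all constructed sample data.

```python
"""Exit-day account reconciliation.

Added example, not the page's or EFROS's own code. Compares an HR list of
departures with an identity-provider account export and reports accounts
that should have been disabled on the worker's last day. All rows below are
constructed sample data; in practice both lists would come from HR and from
your tenant's user export.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Departure:
    email: str        # work address as HR records it
    last_day: date    # final day of employment


@dataclass(frozen=True)
class Account:
    email: str
    enabled: bool
    last_sign_in: Optional[date]   # None if the account never signed in


# Constructed sample: what HR reports (hypothetical addresses/dates).
HR_DEPARTURES = [
    Departure("ma.garcia@clinic.example", date(2025, 3, 14)),
    Departure("np.lee@clinic.example", date(2025, 3, 7)),
    Departure("fd.patel@clinic.example", date(2025, 2, 28)),
]

# Constructed sample: what the identity-provider export reports.
IDP_ACCOUNTS = [
    Account("ma.garcia@clinic.example", enabled=True, last_sign_in=date(2025, 3, 20)),
    Account("np.lee@clinic.example", enabled=False, last_sign_in=date(2025, 3, 7)),
    Account("fd.patel@clinic.example", enabled=True, last_sign_in=None),
    Account("dr.okafor@clinic.example", enabled=True, last_sign_in=date(2025, 3, 21)),
]


def find_stale_leavers(departures: List[Departure], accounts: List[Account],
                       today: date) -> List[Tuple[str, int, bool]]:
    """Return (email, days_overdue, signed_in_after_exit) for each departed
    worker whose account is still enabled after their last day.

    Accounts that signed in after the exit date are listed first, then the
    longest-overdue ones, so the riskiest finding is at the top.
    """
    by_email = {a.email.lower(): a for a in accounts}
    findings = []
    for d in departures:
        acct = by_email.get(d.email.lower())
        if acct is None or not acct.enabled:
            continue  # already disabled, or no account to disable
        if today <= d.last_day:
            continue  # still employed; exit-day disable not yet due
        days_overdue = (today - d.last_day).days
        signed_in_after = acct.last_sign_in is not None and acct.last_sign_in > d.last_day
        findings.append((d.email, days_overdue, signed_in_after))
    return sorted(findings, key=lambda f: (not f[2], -f[1]))


if __name__ == "__main__":
    for email, overdue, post_exit in find_stale_leavers(HR_DEPARTURES, IDP_ACCOUNTS, date(2025, 3, 21)):
        flag = "SIGNED IN AFTER EXIT" if post_exit else "no post-exit sign-in"
        print(f"{email}: still enabled, {overdue} days past last day ({flag})")
```

Run it weekly against fresh exports and keep the output with your sanction-policy records; a finding with a post-exit sign-in is the case that needs an access review of what that account touched, not just a disable.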

What we actually do

What an EFROS engagement looks like for a clinic

We start with a 10-day fixed-fee scoping engagement. We inventory every AI tool your providers and front desk are using — paid, free, shadow — and surface which ones have BAAs in place and which don't. We pull your last HIPAA Security Risk Analysis and tell you whether it would survive an OCR data request.

We then run a Section 1557 readiness review on any clinical AI you use that materially informs treatment decisions — scribes that auto-generate A&P sections, sepsis scoring, imaging interpretation, risk stratification. The output is a documented bias-testing methodology and a remediation list with owners and dates, not a policy binder that sits on your shelf.

From there you either continue on a retainer or you don't. On retainer we run the operating model: backup verification, endpoint protection, identity and access for joiners/movers/leavers, quarterly tabletop, incident-response runbook tested against your real EHR, and a 1-page board-grade summary every quarter that you can hand to your malpractice carrier.

We're a flat-fee retainer — typically $3,500-7,500 per month for owner-operated clinics depending on EHR, AI surface, and number of locations. We don't charge by ticket. We don't upsell tools. We run the program.

Three ways to start

Pick whichever fits the time you have. The calculator and quiz are anonymous and take under 5 minutes. The 20-minute call is a scoping conversation, not a sales pitch.