Category 01: Compliance Assessments

| Service | What You Get | Scope | Pricing |
|---|---|---|---|
| Risk Snapshot (Start Here · $995) | Fast diagnostic for 1–10 employee practices. Client completes a CLAS audit tool (HIPAA, ISO 27001, or ISO 42001 — their choice), followed by a 30-minute onsite visit. Delivered in 2–3 business days: 1-page priority matrix, risk summary email, and notes from the visit. | HIPAA · ISO 27001 · ISO 42001 | $995 · 2–3 days |
| HIPAA Risk Assessment (Security Risk Analysis) | Comprehensive evaluation of administrative, physical, and technical safeguards. Meets OCR's required Security Risk Analysis standard. Includes SRA spreadsheet, gap findings report, and remediation roadmap. | HIPAA Security Rule 45 CFR §164.308 | From $4,500 · 2–3 weeks |
| CLARITY Assessment (Comprehensive · $2,995) | Comprehensive diagnostic for 1–10 employee practices. Same CLAS audit tool (HIPAA, ISO 27001, or ISO 42001), followed by a 2-hour onsite visit with Fred. Includes a findings report, gap analysis, M365/Apple written guidance, and prioritized remediation roadmap. Delivered in 4–5 business days. | HIPAA · ISO 27001 · ISO 42001 | $2,995 · 4–5 days |
| ISO 42001 Gap Analysis | Assessment of your AI governance posture against ISO 42001 controls. Identifies gaps in your AI Management System (AIMS), vendor risk exposure, and AI policy framework. Produces a gap register and implementation roadmap. Certification is a client-side cost. | ISO/IEC 42001 · HIPAA AI overlap | From $3,500 · 3–4 weeks |
| ISO 27001 Gap Analysis | Assessment of your current information security posture against ISO 27001:2022 controls. Produces a gap register, risk treatment plan, and implementation roadmap. Does not include full certification (client-side cost). | ISO/IEC 27001:2022 | From $8,500 · 4–8 weeks |
Category 02: AI Governance & ISO 42001

| Service | What You Get | Scope | Pricing |
|---|---|---|---|
| AI Governance for Healthcare (Most Requested) | Governance framework for clinical AI tools (scribes, decision support, scheduling AI). Includes vendor risk assessment, Business Associate Agreement review for AI vendors, AI Acceptable Use Policy, and HIPAA-aligned controls for AI-generated PHI. | ISO 42001 · HIPAA · NIST AI RMF | From $3,500 · 3–4 weeks |
| AI Use Audit | Rapid audit of AI tools currently in use at your organization. Identifies ungoverned AI, vendor risk, data exposure, and compliance gaps. Produces a 1-page AI tool inventory with risk ratings and remediation priorities. | ISO 42001 · HIPAA | $1,500 · 1–2 weeks |
| ISO 42001 Advisory Starter | Structured advisory engagement to build an AI Management System (AIMS) aligned with ISO 42001. Covers AI risk identification, impact assessment, governance documentation, and internal audit preparation. Full certification is a client-side cost. | ISO/IEC 42001 | From $8,500 · 4–8 weeks |
| AI Acceptable Use Policy | Custom AI use policy for your staff — written for your environment, not boilerplate. Covers approved tools, prohibited uses, data classification rules, patient/client data handling, and incident reporting procedures. | ISO 42001 · HIPAA · ABA Ethics | $850 · 5–7 days |
Category 03: Policy & Governance Documentation

| Service | What You Get | Scope | Pricing |
|---|---|---|---|
| HIPAA Core Policy Library (6-Policy Set) | Privacy Policy, Security Policy, Breach Notification Policy, Sanctions Policy, Device & Media Controls Policy, and Workforce Security Policy. Each policy is custom-authored for your practice — not pulled from a template library. | 6 HTML/Word policies, editable | Included in Clarity |
| HIPAA Extended Policy Set (8-Policy Core) | Core 6 plus Incident Response Plan and BAA Management Policy. Included in RESILIENT and SOVEREIGN packages. All policies are version-controlled, signed, and ready for audit review. | 8 policies, full documentation | Included in Resilient pkg |
| HIPAA 12-Policy Full Library | Extended set adds: Third-Party Risk Management, Remote Work & BYOD, AI Acceptable Use, and Data Retention & Disposal. Included in SOVEREIGN package. Suitable for practices with 10+ staff or complex vendor relationships. | 12 policies, full HIPAA compliance | Included in Sovereign pkg |
| Custom Policy Development | Single policy authored for your specific operational need. Examples: Telehealth Security Policy, Remote Access Policy, Social Media Policy for PHI, Vendor Onboarding Checklist with BAA tracking. | 1 custom policy document | $500 per policy · 5–7 days |
| Data Protection Impact Assessment (DPIA) | Structured assessment for new data processing activities, vendor onboarding, or system changes. Covers data flows, risk identification, and mitigation controls. Aligned with GDPR, CCPA, and HIPAA requirements. | DPIA report with risk register | $1,200 · 1–2 weeks |
Category 04: Security Hardening & Technical Governance

| Service | What You Get | Scope | Pricing |
|---|---|---|---|
| M365 Security Hardening Guidance Document (Governance Only) | Comprehensive written guidance document for securing your Microsoft 365 tenant. Covers MFA enforcement, conditional access policies, DLP rules, secure tenant configuration, and Secure Score improvement roadmap. Guidance only — technical implementation is MSP or IT provider work. | M365 Business / E3 / E5 | Included in pkgs or $1,200 standalone |
| Apple Ecosystem Security Assessment | Security assessment of Apple device usage across your practice or firm. Covers macOS hardening standards, MDM enrollment readiness, FileVault encryption, and iCloud data governance for regulated environments. | macOS · iOS · iPadOS | $950 · 1 week |
| Security Awareness Training (Annual Program) | Annual HIPAA security awareness training program for your staff. Includes phishing awareness, password hygiene, device security, and incident reporting. Delivered as documented training sessions with sign-off sheets for audit records. | HIPAA required annual training | $1,200/year · 1–2 sessions |
| Vendor Risk Assessment (BAA Review) | Review of your Business Associate Agreements and third-party vendor risk posture. Identifies missing BAAs, insufficient contractual protections, and high-risk vendor relationships. Produces a vendor risk register with remediation priorities. | HIPAA BAA · Third-Party Risk | $800 · 1 week |
What CLAS Does Not Provide
CLAS does not provide MSP services, helpdesk support, device repair, 24/7 on-call support, or infrastructure implementation. The M365 and Apple assessments produce governance documentation — your MSP or IT provider implements the technical controls. This is intentional: CLAS is your compliance advisor, not your IT shop. That separation is what keeps our guidance independent and audit-defensible.
Category 05: Fractional vCISO & Retainer Services

| Package | What's Included | Scope | Pricing |
|---|---|---|---|
| Risk Snapshot (One-Time) | Fast diagnostic for 1–10 employee practices. Client completes a CLAS audit tool, followed by a 30-minute onsite visit. Deliverables: 1-page priority matrix, risk summary email, audit tool HTML export, and onsite notes. Converts to CLARITY in 30–40% of cases. | 1–10 employees · 2–3 day delivery | $995 one-time |
| CLARITY Assessment (One-Time) | Comprehensive assessment for 1–10 employee practices. Client completes a CLAS audit tool (HIPAA, ISO 27001, or ISO 42001), followed by a 2-hour onsite visit. Deliverables: custom findings report, gap analysis, M365/Apple written guidance, 1-page risk summary, and written remediation roadmap with timeline. | 1–10 employees · 4–5 day delivery | $2,995 one-time |
| RESILIENT (Annual) | Full HIPAA SRA, 8-policy library, two semi-annual onsite check-ins (90 min each), M365 hardening guidance document, risk register with remediation roadmap. Ongoing compliance program for growing practices. | 5–12 employees · Ongoing compliance | $695/month · $8,340/year |
| SOVEREIGN (Annual vCISO · Full Partnership) | Everything in Resilient, plus: fractional vCISO advisory (8–12 hours/month remote), quarterly onsite check-ins, regulatory change monitoring, annual full policy review and refresh across all 12 policies. | 8–20 employees · Full vCISO partnership | $1,995/month · $23,940/year |
| Fractional vCISO (Standalone) | Ongoing strategic security leadership without a package commitment. Minimum 6-month engagement. Covers incident response planning, vendor risk management, regulatory change monitoring, and compliance oversight. | Flexible, custom scope | $2,500–$5,000/mo · 6-month min |