Switch from HIPAA Vault | Free Audit

What you get in the free audit

This is the audit Petronella Technology Group runs before quoting any HIPAA hosting migration. We are giving it away because the conversation surfaces things most healthcare practices want to know whether or not we end up working together.

The audit is a 30-minute discovery call with Craig Petronella or Scott Hendrix on our team. You bring your current HIPAA Vault contract, your last Security Risk Assessment (or what you have in lieu of one), and a rough picture of how PHI moves through your practice. We bring the regulatory checklist and the questions an OCR auditor will ask.

What we review on the call

• Your current HIPAA Vault Business Associate Agreement (BAA) terms, scope, and the boundary line between what HIPAA Vault is responsible for and what your organization is responsible for under that contract.
• Performance and operational metrics: uptime history, response times on the last incident, log retention you can actually retrieve, whether you have ever pulled a BAA-required report.
• What HIPAA Vault's "True HIPAA Compliance" program covers (encryption at rest and in transit, 24/7 monitoring, 6-year log retention, multi-tenant isolation, BC/DR, WAF, IDS/IPS, SIEM, anti-DDoS, hardened OS) and what it does not.
• A side-by-side gap map against the seven program-layer controls hosting plans typically don't include: HIPAA Security Risk Assessment under 45 CFR 164.308(a)(1)(ii)(A), policy and procedure authoring scoped to your workforce, HIPAA training delivery with workforce attestation tracking, BAA inventory and management with your other vendors, in-house penetration testing, incident response plan with breach notification workflow and forensics, and board or executive compliance reporting.
• Whether your current setup actually answers the five questions an OCR investigator opens with after a complaint or a breach notice.

What you walk away with

• A one-page written summary of the gaps and the priority order to close them, delivered within 5 business days of the call.
• A 1-page side-by-side comparison PDF of HIPAA Vault and Petronella Technology Group, built from verified facts only (their published pages and our verifiable credentials, no marketing puffery).
• If we are a fit, a fixed-price migration proposal covering hosting, BAA chain, the program layer, and the cutover plan with downtime expectations.
• If we are not a fit, an honest recommendation about who is. Sometimes that recommendation is "stay with HIPAA Vault and add the program layer separately." We will say so.

Why the audit is free

Most HIPAA Vault customers don't realize the gap between hosting compliance and organizational compliance until something forces the issue. That something is usually an OCR audit notice, a breach incident drill that goes sideways, a board cyber report that asks for evidence the team can't produce, or an upstream payer or partner that demands a current Security Risk Assessment under 45 CFR 164.308(a)(1)(ii)(A).

By the time one of those moments arrives, you don't have time for a discovery process. You need an answer that day. The free audit exists so the conversation happens before the deadline lands on your desk, not after.

It is also a calibration call for us. Petronella Technology Group runs a small, capped HIPAA practice (10 to 25 healthcare tenants total) bundled with the program layer. We are not for everyone. If your need is genuinely hosting-only and your contracts don't require a working program layer behind it, HIPAA Vault is a perfectly reasonable choice and we will tell you so. The audit is how we both find out which conversation we are actually having.

For a deeper read on the underlying issue, see our explainer on why HIPAA hosting alone isn't HIPAA compliance, and the parent service page on HIPAA hosting with the compliance program built in.

Who is delivering the audit

The audit is run by people who actually deliver the work, not a sales engineer reading a script. Verifiable credentials only:

For the full vertical and deliverable comparison, see the HIPAA Vault alternative for 2026 page or the parent HIPAA compliance hub.

What we will tell you that most vendors won't

We don't currently hold a SOC 2 Type II attestation on our own infrastructure, and we will say so on the call. Most healthcare practices don't actually need one (HIPAA is the binding regulation; SOC 2 is a separate optional attestation). For the rare situations where an upstream contract genuinely requires a SOC 2-audited hosting layer, we route the hosting through an audited partner stack and own the program layer ourselves. You get the attestation chain your contract requires, plus the program layer that most attested hosts don't deliver. One BAA with us covers the rest.

We also cap our HIPAA practice at 10 to 25 healthcare tenants. This is on purpose. It is the reason the free audit ends with a real recommendation instead of a quote-bot output, and it is the reason we say no to roughly half of the audits we run.

Quick answers before you book

What happens after you submit

• Within 1 business hour: You get a confirmation email from [email protected] acknowledging the request and naming who will run the call (Craig or Scott).
• Within 24 to 48 hours: We send a calendar link with three or four 30-minute slots that fit your time zone. You pick one. No phone tag.
• Within 5 business days of the call: You receive the written one-page gap summary, the 1-page side-by-side comparison PDF, and (if we are a fit) the fixed-price migration proposal. If we are not a fit, you still receive the gap summary and the comparison PDF.

If your situation is time-sensitive (active OCR inquiry, breach in progress, contract renewing inside 14 days), say so in the form and we will route the request to a same-day slot.