Regional Extension Centers (partially funded by CMS I believe) should be able to do it for you:
http://www.healthit.gov/providers-professionals/regional-extension-centers-recsWe had the local one do our security analysis. We didn't get charged because not enough people had signed up for their services and they needed to use the grant money before it expired. They basically asked questions about our policies, put the answers in their analysis spreadsheet and gave us the report.
.png "ACUF Donor I")
