Answer ten yes-or-no questions about your HIPAA Security Rule safeguards and get an instant readiness indicator. Everything runs in your browser: nothing is submitted, stored, or shared. This is a readiness indicator, not a compliance determination or legal advice.
Self-Assessment
Ten Questions on the Core Safeguards.
Answer honestly. If you are not sure whether a safeguard is documented and in place, it usually is not.
1Have you completed a documented security risk analysis in the last 12 months?The risk analysis is a required safeguard and the foundation of the program.
2Do you have written HIPAA security policies and procedures that are current?Administrative safeguards must be documented, not just practiced.
3Do you have signed business associate agreements (BAAs) with every vendor that touches ePHI?Any vendor that creates, receives, maintains, or transmits ePHI needs a BAA.
4Does each workforce member have a unique login, with access to ePHI limited to their role?Unique user identification and least-privilege access are required.
5Is multi-factor authentication enforced on systems holding ePHI and on remote access?Strong access control is expected for systems containing patient data.
6Is ePHI encrypted both at rest and in transit?Encryption is addressable, but in most settings it is the appropriate choice.
7Are audit logs enabled on systems with ePHI and reviewed for inappropriate access?Audit controls let you detect and reconstruct access to ePHI.
8Do you have a contingency plan with tested data backup, disaster recovery, and emergency mode operation?Keeping ePHI available through a disruption is a required safeguard.
9Do all workforce members receive regular security awareness training?Training reduces the human risk that leads to most incidents.
10Do you have a written incident response and breach notification plan?Breach notification has strict timelines you must be ready to meet.
What Comes Next
From Checklist to a Managed Program.
However you scored, the path forward starts with the risk analysis and builds out from there: document what exists, close the gaps, and keep the evidence current for an OCR review or a business partner audit.
A documented security risk analysis and a risk management plan.
Administrative, physical, and technical safeguards mapped to the rule.
Business associate agreements with every vendor that touches ePHI.
Evidence you can hand to an auditor, a partner, or an investigator.