HIPAA Compliance Self-Assessment Checklist
Use this self-assessment guide to evaluate your HIPAA compliance readiness.
Answer the questions below to gain insight into how well your current privacy and security practices align with HIPAA requirements, and to identify areas that may require additional effort or improvement. Each question includes examples and explanations to help you make an informed choice.
Note: This guide is designed to provide a general overview of your HIPAA preparedness and is not intended to replace a professional compliance audit.
SECTION 0: ORGANIZATION OVERVIEW
What industry do you operate in?
E.g. Medical Biotech, Telemedicine & Digital Health, Consumer-Oriented Digital Health, Health Insurers & Patient Data Platforms, Healthcare IT & Infrastructure, Medical Devices & Digital Therapeutics
What is your company's current size?
What are your primary geographic target markets?
HIPAA compliance is legally required if your organization handles protected health information (PHI) of U.S. patients; for companies operating outside the U.S., compliance may still be critical for securing partnerships, contracts, and trust within the U.S. healthcare market.
Does your product/service diagnose, treat, monitor, or influence clinical decision-making?
If your product influences clinical decisions, it may be classified as a medical device under FDA or MDR regulations, triggering stricter HIPAA, security, and regulatory requirements.
SECTION 1: HIPAA GENERAL APPLICABILITY
1. Does your organization create, receive, store, or transmit Protected Health Information (PHI or ePHI)?
E.g. you process patient data, lab results, appointment schedules, or health insurance information.
2. What best describes your organization's relationship to PHI?
You may be a medical provider, a software vendor for hospitals, or a cloud storage provider.
Under HIPAA, if your organization handles identifiable health information and operates as a Covered Entity or Business Associate, you are subject to the full scope of the Privacy, Security, and Breach Notification Rules. Compliance efforts must be fully established, documented, and maintained.
Not sure whether the data you collect qualifies as PHI? Contact Sekurno for expert guidance. Our team can help you assess your compliance obligations accurately and ensure you're aligned with current HIPAA standards.
SECTION 2: PRIVACY RULE COMPLIANCE
3. Do you have clear, written privacy policies that govern how you use and share PHI?
Your policies explain what data you collect from patients and how it's used internally or shared with third parties.
4. Have you officially designated a Privacy Officer?
Example: Someone responsible for managing privacy policies, staff training, and patient rights requests.
5. How does your organization address the requirement to inform individuals about privacy practices?
Example: A webpage or PDF outlining your data use, user rights, and how to contact you.
SECTION 3: SECURITY RULE COMPLIANCE
6. Have you conducted a formal Risk Assessment for systems handling ePHI?
Example: You've identified and documented risks to servers storing patient data, mobile devices, and third-party tools.
7. Have you assigned a Security Officer to oversee technical safeguards?
Example: This person manages cybersecurity, access controls, and works with IT to mitigate threats.
8. Are your systems protected with access control and authentication protocols?
Example: Logins require usernames and passwords, possibly with MFA, and access is limited by role.
9. Do you monitor and log access to PHI systems?
Example: You can track who accessed what data, when, and from where, and investigate if needed.
10. Have you implemented secure software development practices (SSDLC)?
Example: Code is reviewed for vulnerabilities, and apps are tested before deployment.
SECTION 4: TECHNICAL & PHYSICAL SAFEGUARDS
11. Do you encrypt PHI data both at rest and in transit?
Example: Stored data is encrypted using AES-256, and TLS is used for data transmission.
12. Are your endpoints protected (e.g., antivirus, firewalls, remote wipe)?
Example: Workstations and mobile devices used to access ePHI are secured.
13. Do you have backups and disaster recovery plans for ePHI?
Example: Nightly backups of cloud systems and an off-site recovery plan.
14. Have you conducted penetration testing or security scans?
Example: An external vendor tested your systems for vulnerabilities.
SECTION 5: WORKFORCE TRAINING & MANAGEMENT
15. Do you train all employees on HIPAA privacy and security policies?
Example: New hires go through privacy training, and current staff are updated annually.
16. Do you have any measures or policies in place for handling employee violations of HIPAA?
Example: Violations like sharing credentials or accessing patient data without reason are disciplined.
SECTION 6: BREACH NOTIFICATION
17. How does your organization handle breach notification?
Example: A written procedure for what to do if PHI is leaked or stolen.
18. Do you track and document all security incidents and breaches?
Example: You log and store all suspected and confirmed security events.
SECTION 7: BUSINESS ASSOCIATES & VENDORS
19. What agreements do you have with vendors or partners who handle PHI?
Example: You use a cloud platform or analytics tool that accesses PHI.
20. Do you review vendor security policies and compliance status?
Example: You review their data handling, encryption, and incident response processes.
SECTION 8: DOCUMENTATION & AUDITS
21. Do you maintain HIPAA-related documentation for at least 6 years?
Example: Policy changes, risk assessments, training logs, incident reports.
22. Have you ever undergone a third-party HIPAA audit or readiness assessment?
Example: A certified firm reviewed your HIPAA posture and provided a gap analysis.
SECTION 9: POLICIES & DOCUMENTATION INVENTORY
Which of the following HIPAA-required or best-practice policies does your organization already have?
Please check all that apply. This helps identify your current documentation maturity and the effort needed to become fully compliant.
23. Notice of Privacy Practices (NPP)
User-facing document informing individuals about their rights and your data use practices (required for Covered Entities).
24. Information Security Policy
Overview of technical and administrative safeguards protecting PHI
25. Risk Analysis & Risk Management Plan
Risk register, threat modeling, and remediation plans for ePHI-related systems
26. Access Control Policy
Explains role-based access, account creation, password strength, and MFA enforcement
27. Password Management Policy
Requirements for password strength, expiration, reuse, and MFA enforcement
Standards for encrypting PHI in transit (TLS) and at rest (AES-256)
29. Secure Software Development Policy
S-SDLC, code reviews, SAST/DAST, and vulnerability tracking in development
30. Malware Protection Policy
Endpoint protection, antivirus, real-time scanning, and remediation workflows
31. Vulnerability Management Policy
Automated scans, critical patch timelines, and remediation plans
Backup frequency, storage, testing, and restoration documentation
33. Business Continuity & Disaster Recovery Policy
Wider resilience plan including infrastructure recovery and business continuity
34. Physical and Environmental Security Policy
Facility access control, secured areas, and visitor logging
35. Mobile Devices Usage Policy
Device encryption, remote wipe, mobile device management (MDM)
36. Asset Management Policy
Inventory tracking, assignment, and device lifecycle management
37. Clear Desk and Clear Screen Policy
Reduces exposure risk by protecting data in physical and digital formats
38. Incident Response Policy
Roles, procedures, and notification timelines in the event of a breach
39. Breach Notification Policy
Defines internal and external breach handling per HIPAA timelines
40. Workforce Sanctions Policy
Disciplinary actions for privacy violations or security negligence
41. Workforce Training Records
Proof of HIPAA onboarding and annual training completions
42. Business Associate Agreement (BAA) Template
Contract for PHI-handling vendors and partners
43. Vendor Risk Management Policy
Due diligence process, compliance reviews, and vendor inventory
44. Data Retention & Disposal Policy
Defines timelines and destruction methods for ePHI and backups
45. Security Testing Reports
Results from penetration tests, vulnerability scans, or SAST/DAST audits