What does a HIPAA security risk analysis cover?

The HIPAA Security Rule requires administrative, physical, and technical safeguards: a written risk analysis, a named security officer, workforce training, business associate agreements, backups, access controls, encryption, and more. This free self-assessment walks a small office through the safeguards that most often fall short.

Is this self-assessment a substitute for a HIPAA risk analysis?

No. It is a readiness check that shows where you likely stand and what to prioritize. A formal HIPAA risk analysis is a documented process; this tool helps you prepare for one and fix obvious gaps first.

Free HIPAA security readiness self-assessment for medical offices

Have you completed a written HIPAA security risk analysis in the last 12 months?

The risk analysis is the foundation of the Security Rule and the first thing an auditor asks to see. §164.308(a)(1)(ii)(A)

Yes Partly No

Is one person formally designated as your security/privacy officer?

HIPAA requires a named person accountable for security. §164.308(a)(2)

Yes Partly No

Does your staff get security-awareness training (including phishing) at least once a year?

Most breaches at small offices start with an untrained user clicking a link. §164.308(a)(5)

Yes Partly No

Do you have signed Business Associate Agreements with every vendor that touches patient data (EHR, billing, cloud, IT)?

Sharing PHI with a vendor without a BAA is a violation on its own. §164.308(b)(1)

Yes Partly No

Do you have a written procedure for responding to a breach or security incident?

You must be able to detect, respond to, and report incidents on a clock. §164.308(a)(6)

Yes Partly No

Are patient-data backups automated, encrypted, and stored offsite?

Ransomware-proof backups are your last line of defense. §164.308(a)(7)(ii)(A)

Yes Partly No

Have you actually tested restoring from a backup in the last year?

A backup you've never restored is a guess, not a plan. §164.308(a)(7)(ii)(B)

Yes Partly No

Does every staff member have a unique login (no shared accounts)?

Shared logins make audit trails meaningless and violations untraceable. §164.312(a)(2)(i)

Yes Partly No

Is multi-factor authentication required for email and any remote access?

MFA stops the large majority of account-takeover attacks. §164.312(d)

Yes Partly No

Are workstation and laptop hard drives encrypted (e.g., BitLocker)?

A stolen unencrypted laptop is, by itself, a reportable breach. §164.312(a)(2)(iv)

Yes Partly No

Do workstations lock automatically after a few idle minutes?

Prevents PHI exposure at an unattended front-desk screen. §164.312(a)(2)(iii)

Yes Partly No

Are your server, network gear, and records in a locked area away from patients?

Physical access to a server is full access to everything on it. §164.310(a)(1)

Yes Partly No

Do you securely wipe or destroy old drives, computers, and paper records?

Discarded drives and charts are a common, avoidable breach source. §164.310(d)(2)(i)

Yes Partly No

How HIPAA-ready is your office?