HIPAA Compliance Self-Assessment
How well does your organization meet HIPAA's Security Rule?
HIPAA enforcement has intensified: OCR settled over $14M in cases in 2024 alone, and the proposed 2025 Security Rule updates would make MFA and encryption mandatory for the first time. This free 12-question assessment covers all five HIPAA compliance areas — from risk analysis and access controls to Business Associate Agreements and breach response.
No login required. Instant results. Built for compliance leads, privacy officers, and security teams at covered entities and business associates.
What you'll get
- A score across all five HIPAA compliance areas
- A compliance band: Strong Posture / Partial Compliance / Significant Gaps / Non-Compliant
- A gap breakdown mapped to specific HIPAA rule citations
- Recommended next steps tailored to your score
Section 1: Administrative Safeguards
1. Has your organization conducted a documented HIPAA security risk analysis covering all ePHI systems, threats, and vulnerabilities?
2. Has your organization designated a named HIPAA Security Officer responsible for developing and overseeing the security program?
3. Does your workforce receive regular HIPAA security awareness training, with completion records maintained?
4. Do you formally manage workforce access to ePHI, including provisioning, periodic review, and prompt de-provisioning on termination?
Section 2: Physical Safeguards
5. Do you have documented controls governing physical access to systems that store or process ePHI, and workstation use policies?
6. Do you have formal policies for the use, reuse, and disposal of electronic media and devices that contain ePHI?
Section 3: Technical Safeguards
7. Do you enforce unique user identification and multi-factor authentication for access to systems containing ePHI?
8. Do you collect and review audit logs covering access to and use of ePHI systems?
9. Is ePHI encrypted at rest and in transit across all systems and transmission channels?
Section 4: Organizational Requirements
10. Do you have signed Business Associate Agreements (BAAs) in place with all vendors and service providers that access, store, or process ePHI on your behalf?
Section 5: Breach Response & Privacy
11. Do you have a documented breach response plan with defined processes for detection, investigation, and notification within HIPAA's 60-day deadline?
12. Do you apply the minimum necessary standard when accessing, using, or disclosing PHI, and do you maintain a current Notice of Privacy Practices?
The Five HIPAA Compliance Areas
HIPAA compliance spans three rules — the Security Rule, Privacy Rule, and Breach Notification Rule — organized across five areas. This assessment covers all five.
Need a full HIPAA compliance assessment?
Atumcell's GRC team delivers formal HIPAA gap assessments with a prioritized remediation roadmap — structured for Privacy Officers, legal review, and OCR audit readiness.
Frequently asked questions
Who does HIPAA apply to?
HIPAA applies to two categories of organizations. Covered Entities are health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically — including hospitals, clinics, physicians, dentists, pharmacies, health insurance companies, and employer-sponsored health plans. Business Associates are individuals or organizations that perform functions on behalf of a covered entity that involve the use or disclosure of protected health information (PHI) — including cloud storage providers, billing services, IT support firms, EHR vendors, and legal or accounting firms that handle PHI. Both categories face identical penalties for non-compliance. Business Associate status is determined by function, not by contract. Organizations that handle PHI on behalf of a covered entity are BAs regardless of whether a BAA is in place.
What are the main HIPAA Security Rule requirements?
The HIPAA Security Rule requires covered entities and business associates to implement safeguards in three categories to protect electronic protected health information (ePHI). Administrative Safeguards include security risk analysis, designation of a Security Officer, workforce training, access management, and contingency planning. Physical Safeguards include facility access controls, workstation use policies, and device and media controls. Technical Safeguards include access controls with unique user identification, audit controls, integrity controls, and encryption for ePHI in transit and at rest. Each requirement is designated as either 'required' (must be implemented) or 'addressable' (must be implemented or the decision not to implement must be documented and justified). The proposed 2025 HIPAA Security Rule updates would make several previously addressable specifications — including MFA and encryption — required.
What are HIPAA's breach notification requirements?
Under the HIPAA Breach Notification Rule, covered entities must notify affected individuals within 60 days of discovering a breach of unsecured PHI. For breaches affecting 500 or more individuals in a state or jurisdiction, media notification is also required within the same 60-day window. HHS must be notified: for breaches affecting 500 or more individuals, notification must be submitted within 60 days; for smaller breaches, they can be reported to HHS annually within 60 days of the end of the calendar year. Business Associates must notify the covered entity without unreasonable delay and within 60 days. There is a Safe Harbor exception: PHI that is properly encrypted per NIST standards is not considered 'unsecured PHI' and a breach of encrypted data does not trigger notification requirements. This makes encryption one of the highest-value controls available under HIPAA.
What are the HIPAA penalties for non-compliance?
HIPAA civil monetary penalties are tiered by culpability. Tier 1 (lack of knowledge): $100 to $50,000 per violation, annual cap of $25,000. Tier 2 (reasonable cause): $1,000 to $50,000 per violation, annual cap of $100,000. Tier 3 (willful neglect, corrected): $10,000 to $50,000 per violation, annual cap of $250,000. Tier 4 (willful neglect, not corrected): $50,000 per violation, annual cap of $1.9 million. These caps apply per violation category per year. Organizations facing multiple violation types can face much larger aggregate penalties. State attorneys general may pursue additional penalties under state law. Criminal penalties apply for knowing violations: up to 1 year imprisonment for basic violations, up to 5 years for violations under false pretenses, and up to 10 years for violations with intent to sell or use PHI for commercial gain.