Back to News

Is Your Practice HIPAA-Ready? A Five-Minute Self-Check

HIPAA is a federal law, enforced by a government agency called the Office for Civil Rights, or OCR, part of the U.S. Department of Health and Human Services. OCR is who investigates breaches and reviews practices for compliance.

The law itself is not one big rule. It is a stack of small ones. Walk down this list and check only the boxes you could actually back up with a document, a screenshot, or a setting. The blanks are your starting point.

Administrative

  • A risk assessment done in the last 12 months, in writing.
  • A named person who owns HIPAA compliance at the practice.
  • Staff security training on record, with dates.
  • A written breach response plan you could follow under pressure.
  • Signed business associate agreements with every vendor that handles patient data.

Physical

  • Screens that lock automatically and are not visible to the waiting room.
  • Servers and network gear in a locked, access-controlled space.
  • A documented way that old drives and devices are wiped before disposal.
  • Paper records with patient data stored and shredded securely.

Technical

  • A unique login for every user. No shared passwords.
  • Multi-factor authentication on email, the records system, and remote access.
  • Encryption on every laptop, phone, and drive that leaves the building.
  • Audit logging on the systems that hold patient data.
  • Backups that have been tested and would actually restore.
Any blank box is a gap.
You do not have to fix all of them at once, and you should not try. A risk assessment puts them in order, tells you which carry the most risk, and gives you a plan you can actually work through.

What the blanks are telling you

Most practices check more boxes than they expect in one column and fewer in another. The administrative ones tend to be the quiet failures: the risk assessment that was never written down, the training nobody logged, the vendor agreement that was always going to get signed later. None of it feels urgent until someone official asks to see it.

The technical boxes are usually the most fixable. Unique logins, multi-factor authentication, encryption, and tested backups are all concrete settings someone can turn on and verify. The hard part is rarely the technology. It is having someone whose job it is to keep the list current.

Turn the blanks into a plan

A HIPAA risk assessment takes this rough self-check and makes it real. It walks your actual setup, confirms what is genuinely in place, and turns the blanks into an ordered plan with the highest-risk items first. You stop guessing and start knowing.

A straight answer, not a guess

Turn the blanks into a plan.

Talk to our team about a HIPAA risk assessment. We will walk your list with you and tell you what to close first.

Let's connect Request a callback

A self-assessment aid, not a substitute for a formal HIPAA risk analysis. For general information only, not legal advice.