The law itself is not one big rule. It is a stack of small ones. Walk down this list and check only the boxes you could actually back up with a document, a screenshot, or a setting. The blanks are your starting point.
Administrative
- A risk assessment done in the last 12 months, in writing.
- A named person who owns HIPAA compliance at the practice.
- Staff security training on record, with dates.
- A written breach response plan you could follow under pressure.
- Signed business associate agreements with every vendor that handles patient data.
Physical
- Screens that lock automatically and are not visible to the waiting room.
- Servers and network gear in a locked, access-controlled space.
- A documented way that old drives and devices are wiped before disposal.
- Paper records with patient data stored and shredded securely.
Technical
- A unique login for every user. No shared passwords.
- Multi-factor authentication on email, the records system, and remote access.
- Encryption on every laptop, phone, and drive that leaves the building.
- Audit logging on the systems that hold patient data.
- Backups that have been tested and would actually restore.
What the blanks are telling you
Most practices check more boxes than they expect in one column and fewer in another. The administrative ones tend to be the quiet failures: the risk assessment that was never written down, the training nobody logged, the vendor agreement that was always going to get signed later. None of it feels urgent until someone official asks to see it.
The technical boxes are usually the most fixable. Unique logins, multi-factor authentication, encryption, and tested backups are all concrete settings someone can turn on and verify. The hard part is rarely the technology. It is having someone whose job it is to keep the list current.
Turn the blanks into a plan
A HIPAA risk assessment takes this rough self-check and makes it real. It walks your actual setup, confirms what is genuinely in place, and turns the blanks into an ordered plan with the highest-risk items first. You stop guessing and start knowing.
Turn the blanks into a plan.
Talk to our team about a HIPAA risk assessment. We will walk your list with you and tell you what to close first.
A self-assessment aid, not a substitute for a formal HIPAA risk analysis. For general information only, not legal advice.