📋
§164.308
Administrative Safeguards
Risk analysis, workforce training, security incident procedures, and access management per §164.308.
Q1 · Area 1
A risk analysis of ePHI has been performed and documented per §164.308(a)(1)(ii)(A), covering all systems that create, receive, maintain, or transmit ePHI.
Q2 · Area 1
A risk management plan with implemented security measures that reduce identified risks to a reasonable and appropriate level is in place per §164.308(a)(1)(ii)(B).
Q3 · Area 1
Security awareness and training is conducted for all workforce members, including management, per §164.308(a)(5).
Q4 · Area 1
Security incident response procedures are defined and assigned to responsible staff.
Q5 · Area 1
An access authorization process controls who may access ePHI systems.
🏥
§164.310
Physical Safeguards
Facility access controls, workstation use policies, device and media controls per §164.310.
Q1 · Area 2
Facility access controls limit physical access to systems housing ePHI.
Q2 · Area 2
Workstation use policies define proper functions and physical surroundings.
Q3 · Area 2
Device and media controls govern the receipt and removal of hardware storing ePHI.
Q4 · Area 2
Visitor access logs are maintained for areas where ePHI is accessible.
Q5 · Area 2
Physical safeguard implementation is periodically tested and reviewed.
🔒
§164.312
Technical Safeguards
Unique user identification, automatic logoff, encryption, and audit controls per §164.312.
Q1 · Area 3
Unique user identification is assigned and enforced for all ePHI system users.
Q2 · Area 3
An emergency access procedure enables authorised retrieval of necessary ePHI during an emergency, including system failures, per §164.312(a)(2)(ii).
Q3 · Area 3
Automatic logoff is configured to terminate sessions after inactivity.
Q4 · Area 3
ePHI is encrypted at rest and in transit using industry-standard protocols; where this addressable specification is not implemented, the rationale and any equivalent alternative measure are documented.
Q5 · Area 3
Audit logs capture activity on systems containing ePHI and are regularly reviewed.
📢
§164.400–414
Breach Notification
Breach discovery, 60-day notification SLA, HHS reporting, and media notice procedures per §164.400–414.
Q1 · Area 4
Breach definition and discovery criteria are formally documented.
Q2 · Area 4
Notification to affected individuals is made without unreasonable delay and no later than 60 calendar days after discovery of the breach, and this deadline is tracked and met.
Q3 · Area 4
The HHS Secretary reporting process is established and tested, covering both contemporaneous notice for breaches affecting 500 or more individuals and the annual log for smaller breaches.
Q4 · Area 4
Individual breach notification templates are prepared and legally reviewed.
Q5 · Area 4
Media notice procedures are ready for breaches affecting more than 500 residents of a State or jurisdiction.
🤝
§164.314
Organizational Requirements
Business Associate Agreements, group health plan provisions, and downstream flow-down requirements per §164.314.
Q1 · Area 5
Business Associate Agreements (BAAs) are in place for all Business Associates.
Q2 · Area 5
BAA provisions meet §164.314 requirements including permitted uses and safeguards.
Q3 · Area 5
Group health plan security provisions are implemented per §164.314(b).
Q4 · Area 5
Downstream Business Associate flow-down requirements are contractually enforced.
Q5 · Area 5
An annual Business Associate inventory review is conducted and documented.
HIPAA SECURITY READINESS SCORE
Priority Actions
Safeguard areas scoring below 80% require attention to reduce HIPAA enforcement risk.
Strengthen Your HIPAA Security Programme
Explore the complete HIPAA & HC3 toolkit — scenario library, Security Rule gap tracking, and compliance evidence packages.
HIPAA & HC3 Toolkit →
This assessment is self-reported and indicative only. It does not constitute legal or regulatory advice. For formal HIPAA compliance evaluation, consult qualified legal counsel or a certified HIPAA consultant.