How often does your organization conduct a comprehensive HIPAA-mandated risk analysis?
A. At least once a year and whenever there is a significant change to our systems.
B. Only when required (e.g., by a new business associate agreement) or rarely.
C. Never, or not sure what this is.
Category: Administrative & Security Safeguards
Do you have multi-factor authentication (MFA) enabled for all critical systems that access ePHI?
A. Yes, organization-wide for all ePHI access points.
B. On some systems only, or for some employees.
C. No, or not sure what that is.
Category: Administrative & Security Safeguards
How confident are you in your organization's compliance with the HIPAA Privacy and Security Rules?
A. Fully confident—we audit regularly and have a designated Privacy and Security Officer.
B. Somewhat confident—we have some policies but are not formally audited.
C. Not confident—unsure of what applies or what we are doing.
Category: Administrative & Security Safeguards
If you had a data breach involving ePHI today, do you have a tested incident response and Breach Notification plan in place?
A. Yes—we have a documented plan and have tested it.
B. We have a plan, but it’s outdated or untested.
C. No, or not sure how we would respond.
Category: Administrative & Security Safeguards
How do you protect your organization's devices (laptops, mobile phones, etc.) that access or store ePHI?
A. All devices are encrypted, and access is managed via strong controls.
B. Only some devices have encryption, or we have basic access controls.
C. Devices are not encrypted, and there are no specific policies.
Category: Physical & Technical Safeguards
How are your software and hardware systems that handle ePHI updated or patched?
A. Regularly and systematically to address new vulnerabilities.
B. Occasionally, when a known issue arises.
C. Rarely or never.
Category: Physical & Technical Safeguards
Do you have a documented data backup and recovery plan for all ePHI?
A. Yes, with regular backups that are tested and documented.
B. We have some backups, but they are not formally tested or documented.
C. No, or not sure if we have one.
Category: Physical & Technical Safeguards
Does your organization have a designated HIPAA Privacy Officer and Security Officer?
A. Yes, we have a clear chain of command for HIPAA compliance.
B. We have a person responsible for some aspects, but not officially designated.
C. No, the responsibility is not assigned to a specific individual.
Category: Workforce Security & Business Associates
Do employees receive training on HIPAA policies and cybersecurity best practices?
A. Yes—as part of onboarding and through ongoing, documented education.
B. Occasionally, or training is not required for all staff.
C. No, employees do not receive formal training.
Category: Workforce Security & Business Associates
Do you have Business Associate Agreements (BAAs) in place with all vendors who handle PHI on your behalf?
A. Yes, all vendors who access PHI have a signed and reviewed BAA.
B. We have some BAAs, but not for all of our vendors.
C. No, we don't use BAAs or are not sure what they are.
Category: Workforce Security & Business Associates