Before you spend $50K on a compliance audit, answer these 10 questions honestly. Each "No" represents a real vulnerability — a specific violation that regulators have cited in enforcement actions against companies in your exact situation.
This isn't a comprehensive audit. It's a quick diagnostic. It will tell you within 5 minutes whether you have compliance gaps that need immediate attention, and which ones are highest risk.
ℹ How to Score This Checkup
Answer Yes or No to each question. Count your No answers. Scoring guide is at the bottom. A perfect score doesn't mean you're fully compliant — it means you're not in immediate danger. For a deeper analysis, use our interactive compliance quiz.
Section 1: Documentation & Policies
1. Do you have a written privacy/information security policy that has been reviewed in the last 12 months?
If No: HIGH RISK — OCR cites this in virtually every enforcement action. Outdated or missing policies are a baseline HIPAA violation. GDPR requires a privacy policy for any organization handling EU personal data.
2. Have you completed a formal risk assessment in the last 12 months that documents where sensitive data lives and what threats exist?
If No: HIGH RISK — A current risk analysis is the foundation of HIPAA compliance. Its absence has been cited in the majority of OCR enforcement actions since 2020. Without it, you cannot demonstrate good-faith compliance.
3. Have all employees who handle sensitive data received compliance training in the last 12 months, with documentation?
If No: MEDIUM RISK — Workforce training is required under HIPAA. The 2026 Security Rule update increases penalties for training failures. More importantly, most breaches are caused by employee error — phishing, improper disposal, accidental disclosure.
Section 2: Technical Controls
4. Are all devices that access sensitive data encrypted (laptops, workstations, mobile devices)?
If No: HIGH RISK — Under the proposed 2026 HIPAA Security Rule update, encryption becomes mandatory (not "addressable"). An unencrypted stolen laptop containing PHI is an automatic reportable breach under current rules — and a direct violation under 2026 rules.
5. Does every account that accesses sensitive systems require multi-factor authentication (MFA)?
If No: HIGH RISK — Single-factor authentication (password only) is the primary attack vector in healthcare data breaches. MFA eliminates 99.9% of password-based attacks and is required under the 2026 HIPAA Security Rule update.
6. Do you have a process to remove access when employees leave the organization?
If No: HIGH RISK — Access termination failure is a Top 5 HIPAA violation. Former employees with active credentials are a significant breach risk. OCR found this issue in several of the 21 enforcement actions settled in 2025.
Section 3: Vendors & Third Parties
7. Do you have signed Business Associate Agreements (BAAs) with every vendor that handles PHI on your behalf?
If No: HIGH RISK — Every vendor that creates, receives, maintains, or transmits PHI on your behalf is a Business Associate and requires a signed BAA. This includes cloud storage (Dropbox, Google Drive, OneDrive), email providers, billing services, EHR vendors, and transcription services.
8. Have you reviewed your vendor BAAs for key provisions (breach notification timelines, return/destruction of PHI, subcontractor requirements)?
If No: MEDIUM RISK — Many BAAs are boilerplate templates that don't meet HIPAA requirements. Review for: 60-day breach notification, prohibition on unauthorized use, return or destruction of PHI on contract termination.
Section 4: Incident Response
9. Do you have a documented incident response plan that specifies what to do within the first 72 hours of a potential breach?
If No: MEDIUM RISK — HIPAA requires breach notification to affected individuals within 60 days of discovery. GDPR requires notification to the supervisory authority within 72 hours. Without a plan, you will almost certainly miss these deadlines — which compounds the original violation.
10. Do you maintain an audit log of who accessed which systems and data, and are logs retained for at least 6 years?
If No: MEDIUM RISK — Audit logs are required under the HIPAA Security Rule. Without them, you cannot investigate incidents, demonstrate access controls, or defend against OCR investigations. HIPAA documentation must be retained 6 years from creation or last effective date.
How to Interpret Your Score
✅ 0–2 No Answers
Low immediate risk. You have baseline controls. Focus on documentation depth and testing your incident response plan.
⚠ 3–5 No Answers
Moderate risk. You have real gaps that regulators would find in an investigation. Prioritize High Risk items first.
🚨 6+ No Answers
High risk. Multiple enforcement-level violations present. A breach or investigation today would result in significant fines. Act now.
What to Do Next
If you scored 3 or more No answers, here's the priority order for fixing them:
- Enable MFA everywhere — This is free (most platforms have it built in) and eliminates the single largest attack vector. Do this today.
- Encrypt all devices — Windows BitLocker and Mac FileVault are built-in and free. Turn them on this week.
- Audit and terminate ex-employee access — Pull a list of all current system users and cross-reference with HR. Terminate any access that shouldn't exist.
- Verify your BAAs — List every vendor that touches sensitive data, then verify you have a current, signed BAA with each.
- Conduct a risk assessment — Use our free HIPAA Risk Calculator or our compliance quiz for a guided risk analysis.
- Document everything — Create or update your policies and start logging actions. OCR cares about evidence.
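The "cross-reference with HR" and "enable MFA everywhere" steps above can be done as one reconciliation pass over two exports. The script below is an added example, not part of the original checkup or any vendor tool: it assumes a CSV export of the HR roster and a CSV export of system accounts (both constructed here), flags accounts belonging to people who are terminated or unknown to HR, flags accounts that were still used after the termination date, and lists accounts without MFA.

```python
# Added example (not from the original page). Reconciles system accounts
# against an HR roster and flags gaps from checkup items 5 and 6.
# Both CSV exports below are constructed sample data.
import csv
import io
from dataclasses import dataclass, field
from datetime import date

# Constructed HR export: one row per person; status is "active" or "terminated".
HR_ROSTER_CSV = """email,status,termination_date
alice@example.org,active,
bob@example.org,terminated,2025-03-14
carol@example.org,active,
"""

# Constructed export from application/identity admin consoles (hypothetical columns).
SYSTEM_USERS_CSV = """username,system,mfa_enabled,last_login
alice@example.org,ehr,true,2025-06-01
bob@example.org,ehr,false,2025-04-02
bob@example.org,billing,true,2025-02-20
dave@example.org,billing,false,2025-05-30
carol@example.org,email,false,2025-06-02
"""

@dataclass
class Findings:
    orphaned: list = field(default_factory=list)                # (user, system, reason)
    used_after_termination: list = field(default_factory=list)  # (user, system)
    missing_mfa: list = field(default_factory=list)             # (user, system)

def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))

def reconcile(hr_csv, users_csv):
    """Return accounts to terminate, post-termination use, and accounts lacking MFA."""
    roster = {r["email"].strip().lower(): r for r in parse_csv(hr_csv)}
    findings = Findings()
    for acct in parse_csv(users_csv):
        user, system = acct["username"].strip().lower(), acct["system"]
        person = roster.get(user)
        if person is None:
            findings.orphaned.append((user, system, "not in HR roster"))
        elif person["status"].strip().lower() != "active":
            term = date.fromisoformat(person["termination_date"])
            findings.orphaned.append((user, system, f"terminated {term}"))
            # A login after the termination date is an incident to investigate, not just cleanup.
            if date.fromisoformat(acct["last_login"]) > term:
                findings.used_after_termination.append((user, system))
        if acct["mfa_enabled"].strip().lower() != "true":
            findings.missing_mfa.append((user, system))
    return findings

if __name__ == "__main__":
    f = reconcile(HR_ROSTER_CSV, SYSTEM_USERS_CSV)
    for name in ("orphaned", "used_after_termination", "missing_mfa"):
        print(name, getattr(f, name))
```

Accounts in `used_after_termination` deserve an incident-response review (item 9) before the account is simply disabled, since the access that occurred may itself be reportable.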
✓ Good News: Most Gaps Are Fixable
The majority of compliance violations are not expensive to fix. MFA is free. Encryption is built-in on modern devices. Policy templates are available. The hard part is deciding to act — not the action itself. Start with the High Risk items and work down.
Get a Deeper Analysis
The full compliance quiz covers 40+ questions across 6 risk domains and gives you an industry-specific risk score with prioritized recommendations.