HIPAA Privacy Rule    Done / In Process / Not Started
1. We have practice-specific HIPAA Policies and Procedures
2. We have trained our employees and implemented Policies and Procedures
3. We have a written policy regarding use and disclosures of Protected Health Information (PHI)
4. We have a signed Notice of Privacy Practices for each of our patients
5. We have current Business Associate Agreements (BAAs) that satisfy the new BAA requirements
HIPAA Security Rule - Administrative Safeguards
1. We have a Risk Analysis that was completed within the past year
2. We have written policies for employees who fail to comply with security policies
3. We have clearly defined procedures for identifying and responding to security incidents
HIPAA Security Rule - Physical Safeguards
1. We have implemented controls and measures to secure the facility from unauthorized access
2. We have implemented physical safeguards to restrict access to devices that access or contain PHI
3. We have written policies for disposal of devices containing PHI
HIPAA Security Rule - Technical Safeguards
1. We have assigned each employee a unique system username or number
2. We have implemented password complexity rules and mandated the use of such rules
3. We have implemented Audit Controls (monitoring and logging) to track user and system activities
4. We encrypt PHI whenever possible and only send encrypted email if it contains PHI
5. We have deployed software to secure the computers and data from viruses and malware
Other Administrative Rules
1. We have a written procedure for conducting an analysis of any suspected breach
2. We have designated a Privacy Officer as required by HIPAA
3. We have an Information Security Official assigned
4. We have a written Disaster Recovery Plan

Overall Score
Privacy    Security    Admin

Become defensibly compliant today! Contact one of our HIPAA Specialists at (800) 592-2919 or email us at