Are you audit-ready?
Answer 12 quick questions (about 2 minutes) for a free, no-sign-up read on how audit-ready you are.
It's a readiness indicator for educational use, not a guarantee, a certification, or legal advice.
These questions are about your organization, not patients. Please don't enter patient information (PHI).
Answer honestly. Not sure on a question? Choose No. If you have part of it, choose Partly. Nothing is sent while you answer.
Security risk analysis
Have you completed a documented HIPAA security risk analysis covering everywhere you handle electronic patient information?
Have you written down a plan to fix the risks the analysis found, and started working through it?
Has your risk analysis been reviewed or refreshed in the last year, or after a big change (new system, move, breach)?
Workforce training
Does every workforce member (employees, volunteers, contractors) complete HIPAA privacy and security training when they start?
Do you keep dated records of who was trained, when, and on what, kept for six years?
Do you retrain or send refreshers periodically, and when your policies change in a meaningful way?
Policies and procedures
Do you have written HIPAA privacy and security policies that match how your office actually works?
Do you have a written breach-response plan, and clear consequences for staff who break the rules?
Are your policies reviewed and updated periodically, not just written once and filed away?
Business associate agreements
A BAA is a signed contract with an outside vendor that handles PHI (protected health information, like your patients' records, billing, and contact details) for you, like your records system, email host, or billing service.
Do you have signed BAAs with every vendor that creates, receives, stores, or sends PHI for you?
If you are a vendor yourself, do you have BAAs in place with your own subcontractors who touch PHI?
Do you keep a current list of the vendors that touch PHI, so you can tell whether each one has a BAA?
Answer the questions above to see your readiness score.
Your HIPAA audit-readiness score
This is a readiness indicator for educational use, not a guarantee, a certification, or legal advice. What HIPAA requires depends on your situation and your state. This scorecard covers 12 common areas, not everything HIPAA requires.
Tool
Common questions about HIPAA audit readiness
What does it mean to be HIPAA audit-ready?
Being audit-ready means you can show, with documentation, that you have the core HIPAA safeguards in place. In practice that usually means a current security risk analysis, trained workforce with dated records, written privacy and security policies that match how you actually work, and signed BAAs with the vendors that touch PHI. No tool can declare you audit-ready, but a self-check like this one helps you see how close you are and where the gaps are.
How do I do a HIPAA self-assessment?
A HIPAA self-assessment walks through each safeguard the rules expect and asks, honestly, whether you have it in place. This scorecard groups the questions into four areas (risk analysis, training, policies, and BAAs), gives each a sub-score, and ranks the biggest gaps to focus on first. It is a starting point for educational use, not a substitute for a formal risk analysis or a review by counsel.
Does a high score mean I am HIPAA compliant?
No. A high score is a good sign, but it is a self-reported readiness indicator, not a finding of compliance. Your answers are not verified, and what HIPAA requires depends on your situation and your state. Only the HHS Office for Civil Rights can determine compliance. Use the score to prioritize, then confirm the details with your own review.
How often should I check my HIPAA readiness?
A good rhythm is at least once a year, and again after any big change. New systems, a move, a merger, or a breach can all shift where your gaps are. Your security risk analysis in particular should be reviewed or refreshed periodically and kept current, since regulators look for an up-to-date analysis rather than a one-time document filed away.
What do HIPAA auditors usually look for?
Documentation is the through-line: auditors want to see that your safeguards exist on paper and in practice. Common focus areas include a current risk analysis and a plan to fix what it found, dated training records for everyone who touches PHI, written and reviewed policies, a breach-response plan, and signed BAAs with a current vendor list. This is general guidance, not legal advice.