Free self-assessment · no signup

Where do you stand on the HIPAA Security Rule?

Eighteen plain-English questions across the administrative, physical and technical safeguards of 45 CFR Part 164. Answer them and get an instant gap summary plus a downloadable remediation checklist. It runs entirely in your browser — nothing you enter is sent anywhere.

  • ~5 minutes
  • Scored by safeguard family
  • Downloadable report
  • 100% client-side

Administrative Safeguards §164.308

Policies, risk management, and the people side of security.

  1. Have you completed a documented security risk analysis covering all systems that store or transmit ePHI in the last 12 months?

    §164.308(a)(1)(ii)(A) — Risk Analysis (Required)

  2. Do you maintain a risk management plan that tracks identified risks through to remediation?

    §164.308(a)(1)(ii)(B) — Risk Management (Required)

  3. Is there a written sanction policy applied to workforce members who violate security policies?

    §164.308(a)(1)(ii)(C) — Sanction Policy (Required)

  4. Are access privileges granted by role and promptly revoked when someone changes roles or leaves?

    §164.308(a)(3)–(a)(4) — Workforce Security & Access Management

  5. Do all workforce members complete documented security-awareness training, with periodic refreshers?

    §164.308(a)(5) — Security Awareness and Training

  6. Do you have a documented security-incident response and breach-notification procedure?

    §164.308(a)(6) — Security Incident Procedures (Required)

  7. Do you have a data-backup plan plus a tested disaster-recovery / contingency plan?

    §164.308(a)(7) — Contingency Plan (Required)

  8. Do you have a signed Business Associate Agreement (BAA) with every vendor that creates, receives, stores, or transmits ePHI on your behalf?

    §164.308(b)(1) — Business Associate Contracts (Required)

Physical Safeguards §164.310

Facility access, workstations, and device & media handling.

  9. Is physical access to servers and systems that hold ePHI restricted and logged (badge, lock, or equivalent)?

    §164.310(a)(1) — Facility Access Controls

  10. Do you have policies governing workstation use and positioning to keep ePHI off unattended or public-facing screens?

    §164.310(b)–(c) — Workstation Use & Security

  11. Is there a documented process for sanitizing or destroying media (drives, paper) before disposal or re-use?

    §164.310(d)(1) — Device and Media Controls (Required)

  12. Are laptops, phones, and removable media that can hold ePHI encrypted and inventoried?

    §164.310(d)(2) & §164.312(a)(2)(iv) — Device Controls + Encryption

Technical Safeguards §164.312

Access control, encryption, audit logging, and integrity.

  13. Does every user have a unique account (no shared logins) with least-privilege access to ePHI?

    §164.312(a)(1) & (a)(2)(i) — Access Control / Unique User ID (Required)

  14. Are sessions configured to automatically log off after a period of inactivity?

    §164.312(a)(2)(iii) — Automatic Logoff (Addressable)

  15. Is ePHI encrypted at rest in your databases, file storage, and backups?

    §164.312(a)(2)(iv) — Encryption and Decryption (Addressable)

  16. Is ePHI encrypted in transit (TLS) everywhere it moves between users, services, and vendors?

    §164.312(e)(1) — Transmission Security (Required)

  17. Do you record and periodically review access/activity logs for systems that contain ePHI?

    §164.312(b) — Audit Controls (Required)

  18. Do you use strong authentication (e.g. MFA) and integrity controls to verify users and protect ePHI from improper alteration?

    §164.312(c)–(d) — Integrity & Person/Entity Authentication (Required)


About this self-check

Is this an official risk analysis?

No. The Security Rule requires a documented, enterprise-wide risk analysis under §164.308(a)(1)(ii)(A). This tool is a fast self-check to surface obvious gaps before you commit to that formal process — useful for orienting, not for attesting.

Where does my data go?

Nowhere. Every answer, the score, and the report are computed in your browser. There is no account, no backend, and no analytics on the content of your answers.

What do the safeguard families mean?

Administrative (§164.308) covers risk management, training and policy; physical (§164.310) covers facilities, workstations and devices; technical (§164.312) covers access control, encryption and audit logging.

Next step after the gaps?

The report lists a concrete remediation for each gap. For vendor BAA gaps specifically, use BAA Atlas to check whether a given SaaS vendor will sign a Business Associate Agreement.