Readiness checklist

Find the gaps between HIPAA requirements and daily operations.

Use this pre-assessment before a full HIPAA risk assessment or internal audit. It helps healthcare providers, practices, and business associates see whether HIPAA obligations have become real controls, evidence, and operating habits.

Checklist areas

Ten categories that reveal whether the program is operational.

01 Scope and Ownership

  • Do we know where PHI is created, received, maintained, transmitted, and stored?
  • Have we identified all systems, vendors, users, locations, and workflows that touch PHI?
  • Is there a named HIPAA security owner or accountable governance group?
  • Do leaders review HIPAA risk, remediation, and audit status on a recurring schedule?

02 Risk Assessment

  • Have we completed a documented HIPAA security risk assessment within the last year?
  • Does the assessment include technical, physical, administrative, vendor, and workforce risks?
  • Are findings ranked by likelihood, impact, and remediation priority?
  • Is there a tracked remediation plan with owners and due dates?

03 Governance and Policies

  • Are policies current, approved, and mapped to real workflows?
  • Do procedures explain who does what, when, and with what evidence?
  • Are exceptions documented and reviewed?
  • Are policy updates triggered by system, vendor, staffing, or workflow changes?

04 Technical Safeguards

  • Are access controls role-based and reviewed regularly?
  • Is multi-factor authentication enforced for remote access and sensitive systems?
  • Are audit logs enabled, retained, and reviewed for critical systems?
  • Are encryption controls applied to PHI at rest and in transit where appropriate?
  • Are backups tested, protected, and included in incident recovery plans?

05 Physical Safeguards

  • Are workstations, server rooms, network closets, and paper records physically protected?
  • Are device disposal, media reuse, and equipment movement documented?
  • Are screen privacy, unattended workstation, and visitor controls enforced?
  • Are physical access controls reviewed when staff roles change?

06 Vendor and Business Associate Management

  • Do we maintain a current list of vendors and business associates that touch PHI?
  • Are business associate agreements in place before PHI is shared?
  • Do we review vendor security posture, incident reporting expectations, and subcontractor exposure?
  • Is vendor access limited, monitored, and removed when no longer needed?

07 Incident and Breach Response

  • Is there a documented breach response and incident response plan?
  • Does the plan define roles, escalation, investigation steps, communication, and evidence handling?
  • Has the team practiced the plan through a tabletop exercise?
  • Do vendors know how quickly they must report suspected incidents?

08 Workforce Training

  • Do all workforce members receive HIPAA training at onboarding and at recurring intervals?
  • Is training role-specific for staff who handle PHI, administer systems, or manage vendors?
  • Are phishing, email handling, device security, and reporting expectations included?
  • Is training completion tracked and retained as evidence?

09 Audit and Monitoring

  • Are internal audits scheduled rather than improvised?
  • Are logs, access reviews, vendor reviews, training records, and risk remediation tracked?
  • Can we produce evidence for the controls we claim are in place?
  • Are findings documented, corrected, and reviewed for repeat issues?

10 Sustainment

  • Is HIPAA compliance part of operational rhythm, not a once-a-year scramble?
  • Are controls reviewed after technology, vendor, workflow, or staffing changes?
  • Do leadership, IT, compliance, and operations share the same risk picture?
  • Is there a continuous improvement process for policy, safeguards, monitoring, and training?

Scoring

Use the score to decide what happens next.

0-12 yes answers

High-risk posture. Start with scope, risk assessment, and urgent safeguards.

13-25 yes answers

Developing posture. Focus on remediation ownership and evidence.

26-36 yes answers

Maturing posture. Strengthen monitoring, vendor control, and repeatability.

37-40 yes answers

Strong posture. Validate with audit, tabletop exercises, and continuous improvement.

Next step

Turn checklist findings into an implementation roadmap.

The HIPAA Compliance Blueprint is the guide for moving from findings to a structured compliance program with owners, safeguards, evidence, vendor control, training, and continuous assurance.

Use the interactive tool for a faster score, or request help reviewing the highest-risk gaps.