HIPAA Compliance Self-Assessment for Medical Practices [2026]
This 50-point self-assessment is designed to help compliance officers, practice administrators, and physicians run a structured gap analysis across all five HIPAA compliance domains. Unlike a general checklist, each item is scored on a 0–2 scale so you can quantify your practice's compliance posture, benchmark against peers, and build a prioritized remediation roadmap.
This tool incorporates all current HIPAA requirements plus the proposed changes from the December 2024 HIPAA Security Rule NPRM (published in the Federal Register January 6, 2025), which is expected to be finalized in mid-2026. Requirements from the NPRM are flagged so you can begin gap analysis now before enforcement begins. If you need a broader starting point before diving into scoring, our HIPAA compliance checklist covers the foundational requirements by category.
Companion resource: For a foundational overview of HIPAA obligations by category, see our HIPAA Compliance Checklist for Medical Practices. This self-assessment is the structured scoring tool — use both together for a complete compliance program review.
Section 1: How to Use This Assessment
This assessment covers 50 items across five compliance domains. Each item is evaluated on a three-point scale. Complete the assessment as a team — your HIPAA Security Officer, Privacy Officer, IT lead, and practice administrator should each contribute to ensure accuracy.
Scoring Methodology
Each item is scored Yes (2 points), Partial (1 point), or No (0 points). Items marked N/A are excluded from both the points earned and the maximum possible points.
Calculating Your Score
Score Calculation Formula
Your Score = (Sum of all Yes/Partial/No points ÷ Maximum possible points excluding N/A items) × 100
Example: Practice scores 78 points on 45 applicable items (max 90 points) → Score = (78 ÷ 90) × 100 = 87 — Strong Compliance
Tip: Track your score quarterly. OCR rewards documented improvement over time — a rising score with action plans is a meaningful mitigating factor during investigations.
Score Interpretation
| Score Range | Compliance Level | What It Means |
|---|---|---|
| 80–100 | Strong Compliance | Well-documented program with minor gaps. Focus on continuous improvement, annual reviews, and 2026 NPRM readiness. |
| 60–79 | Moderate Gaps | Core controls exist but documentation or coverage is incomplete. Address priority items within 90 days. |
| 40–59 | Significant Risk | Substantial compliance gaps that create meaningful OCR enforcement exposure. Engage consultant support within 30 days. |
| Below 40 | Critical | Foundational HIPAA requirements are missing. Immediate remediation is required. Engage legal/compliance counsel today. |
GetPracticeHelp.com is an independent comparison platform. Some of the services referenced in this guide are affiliate partners — we may earn a commission if you sign up through our links, at no extra cost to you. Our evaluations are based on publicly available information and verified product details, and affiliate relationships do not influence our rankings or recommendations.
Section 2: Administrative Safeguards
| # | Assessment Item | Score Options |
|---|---|---|
| A-1 | HIPAA Security Officer Designation: Has your practice formally designated a HIPAA Security Officer and documented that designation in writing with defined responsibilities? (45 CFR §164.308(a)(2) — Required specification) | Yes (2) / Partial (1) / No (0) |
| A-2 | HIPAA Privacy Officer Designation: Is a separate Privacy Officer (or combined role) formally designated, documented, and reachable by patients for Privacy Rule complaints? (45 CFR §164.530(a)(1) — Required specification) | Yes (2) / Partial (1) / No (0) |
| A-3 | Risk Analysis — Current and Documented: Has the practice conducted a formal, written risk analysis within the past 12 months that identifies all ePHI systems, threats, vulnerabilities, and assigns risk levels? (45 CFR §164.308(a)(1)(ii)(A) — OCR #1 enforcement target 2024–2025) | Yes (2) / Partial (1) / No (0) / N/A |
| A-4 | Risk Management Plan: Is there a written risk management plan with specific remediation actions, owners, deadlines, and documented evidence of completion for identified risks? (45 CFR §164.308(a)(1)(ii)(B) — Required specification) | Yes (2) / Partial (1) / No (0) |
| A-5 | HIPAA Workforce Training Program: Do all workforce members with access to PHI receive documented HIPAA training at hire and at least annually, with records retained? (45 CFR §164.308(a)(5) — Addressable (effectively required)) | Yes (2) / Partial (1) / No (0) |
| A-6 | Access Authorization Policies: Are there written policies governing who can access ePHI systems, how access is granted, and what role-based permissions apply? (45 CFR §164.308(a)(4) — Information access management) | Yes (2) / Partial (1) / No (0) |
| A-7 | Access Termination Procedures: Is there a formal process to terminate system access within a defined timeframe when employees leave or change roles, with documentation of each termination? (45 CFR §164.308(a)(3)(ii)(C) — Termination procedures) | Yes (2) / Partial (1) / No (0) |
| A-8 | Business Associate Agreement (BAA) Inventory: Has the practice identified all vendors and contractors who handle PHI on its behalf, and has a signed, current BAA been executed with each one? (45 CFR §164.308(b)(1) — Business associate contracts) | Yes (2) / Partial (1) / No (0) |
| A-9 | Security Incident Response Plan: Is there a written security incident response plan with documented procedures for identifying, reporting, containing, eradicating, and recovering from security incidents involving ePHI? (45 CFR §164.308(a)(6) — Security incident procedures) | Yes (2) / Partial (1) / No (0) |
| A-10 | Contingency Plan (Disaster Recovery): Does the practice have a written contingency plan covering data backup, disaster recovery, emergency mode operations, and testing/revision procedures? (45 CFR §164.308(a)(7) — Contingency plan) | Yes (2) / Partial (1) / No (0) |
| A-11 | Contingency Plan Testing: Has the disaster recovery/contingency plan been tested within the past 12 months, with results documented and lessons incorporated into plan revisions? (45 CFR §164.308(a)(7)(ii)(D) — Testing and revision) | Yes (2) / Partial (1) / No (0) |
| A-12 | Sanction Policy: Does the practice have a written sanction policy for workforce members who violate HIPAA policies, and has it been applied consistently? (45 CFR §164.308(a)(1)(ii)(C) — Sanction policy) | Yes (2) / Partial (1) / No (0) |
| A-13 | Information System Activity Review: Are audit logs and system activity reports reviewed on a regular schedule, with reviews documented and anomalies investigated? (45 CFR §164.308(a)(1)(ii)(D) — Information system activity review) | Yes (2) / Partial (1) / No (0) |
| A-14 | Periodic Evaluation: Has the practice conducted a formal evaluation of its Security Rule compliance program in the past 12 months, producing documented findings and remediation items? (45 CFR §164.308(a)(8) — Evaluation) | Yes (2) / Partial (1) / No (0) |
| A-15 | Technology Asset Inventory: Does the practice maintain a current inventory of all hardware, software, and systems that store, process, or transmit ePHI, updated at least annually and when changes occur? (Proposed NPRM 2025 — New mandatory requirement under final rule) | Yes (2) / Partial (1) / No (0) |
In both 2024 and 2025, the majority of OCR settlements involved failure to conduct a compliant risk analysis. Notable examples:
- Montefiore Medical Center (2024): $4,750,000 penalty for multiple Security Rule failures including risk analysis and access controls.
- PIH Health, Inc. (2025): $600,000 settlement for risk analysis failure and impermissible disclosure affecting 189,763 individuals.
- Syracuse ASC (2025): $250,000 settlement for risk analysis failure plus breach notification failures affecting 24,891 individuals.
- Comprehensive Neurology (2025): $25,000 penalty despite affecting only 6,800 records — small practices are not exempt.
Section 3: Physical Safeguards
| # | Assessment Item | Score Options |
|---|---|---|
| P-1 | Facility Access Controls: Are there documented policies and physical controls (key cards, locks, alarms) restricting access to areas containing servers, workstations, or paper PHI to authorized personnel only? (45 CFR §164.310(a)(1) — Facility access controls) | Yes (2) / Partial (1) / No (0) |
| P-2 | Facility Contingency Operations: Are there documented procedures to allow authorized personnel to access facilities to support restoration of lost data under a disaster recovery scenario? (45 CFR §164.310(a)(2)(i) — Contingency operations) | Yes (2) / Partial (1) / No (0) / N/A |
| P-3 | Visitor Access and Log: Is there a documented process for validating, escorting, and logging visitors to areas containing ePHI systems or paper PHI? (45 CFR §164.310(a)(2)(iii) — Visitor access validation) | Yes (2) / Partial (1) / No (0) |
| P-4 | Workstation Use Policy: Is there a written policy governing the proper use of workstations that access ePHI, including physical surroundings (screen visibility, session locking, clean desk requirements)? (45 CFR §164.310(b) — Workstation use) | Yes (2) / Partial (1) / No (0) |
| P-5 | Workstation Physical Security: Are workstations that access ePHI physically secured (cable locks, restricted areas, privacy screens) to prevent unauthorized access or shoulder surfing? (45 CFR §164.310(c) — Workstation security) | Yes (2) / Partial (1) / No (0) |
| P-6 | Device and Media Controls — Disposal: Is there a documented process for securely disposing of hardware and electronic media (hard drives, USB drives, tablets) that contain or have contained ePHI, using NIST SP 800-88 or equivalent standards? (45 CFR §164.310(d)(1) — Device and media controls) | Yes (2) / Partial (1) / No (0) |
| P-7 | Device and Media Controls — Movement: Are there documented procedures for tracking the movement of hardware and media containing ePHI, including accountability logs for laptops, tablets, and removable storage? (45 CFR §164.310(d)(2)(iii) — Accountability) | Yes (2) / Partial (1) / No (0) / N/A |
| P-8 | Data Backup Before Equipment Movement: Is there a documented process to create retrievable exact copies of ePHI before moving equipment, and are those backups verified? (45 CFR §164.310(d)(2)(iv) — Data backup and storage) | Yes (2) / Partial (1) / No (0) |
| P-9 | Paper PHI Disposal: Is there a documented and enforced policy for the secure disposal of paper PHI (cross-cut shredding or locked shred bins), and are all staff aware of and trained on it? (45 CFR §164.310 — Physical safeguards (applies to paper PHI)) | Yes (2) / Partial (1) / No (0) |
| P-10 | Remote Work / Telehealth Physical Controls: Does the practice have documented policies governing physical security requirements for remote workers accessing ePHI (private workspace, screen privacy, secure device storage)? (45 CFR §164.310 — Extended to remote work environments) | Yes (2) / Partial (1) / No (0) / N/A |
University of Rochester Medical Center (2019): $3,000,000 penalty after an unencrypted flash drive containing PHI for 43 patients was lost — a foundational reminder that physical media controls and encryption are inseparably linked. Loss or theft of an encrypted device is not a reportable breach.
Section 4: Technical Safeguards
| # | Assessment Item | Score Options |
|---|---|---|
| T-1 | Unique User Identification: Does every user accessing ePHI systems have a unique user ID, and is shared or group login prohibited and technically enforced? (45 CFR §164.312(a)(2)(i) — Unique user identification) | Yes (2) / Partial (1) / No (0) |
| T-2 | Emergency Access Procedure: Is there a documented and tested emergency access procedure that allows authorized personnel to access ePHI during system outages or emergencies, without compromising audit trails? (45 CFR §164.312(a)(2)(ii) — Emergency access procedure) | Yes (2) / Partial (1) / No (0) |
| T-3 | Automatic Logoff: Are all systems containing ePHI configured to automatically log off or lock after a defined period of inactivity (15 minutes or less is best practice)? (45 CFR §164.312(a)(2)(iii) — Automatic logoff) | Yes (2) / Partial (1) / No (0) |
| T-4 | Encryption at Rest: Is ePHI encrypted at rest across all applicable systems — including databases, file servers, laptops, mobile devices, backups, and cloud storage — using AES-256 or equivalent standards? (45 CFR §164.312(a)(2)(iv) — Proposed NPRM: Mandatory under final rule) | Yes (2) / Partial (1) / No (0) |
| T-5 | Encryption in Transit: Is all ePHI transmitted over networks encrypted using TLS 1.2 or higher, including email, API connections, telehealth platforms, and patient portal communications? (45 CFR §164.312(e)(2)(ii) — Proposed NPRM: Mandatory under final rule) | Yes (2) / Partial (1) / No (0) |
| T-6 | Multi-Factor Authentication (MFA): Is MFA enforced for all remote access to ePHI systems, privileged accounts, and EHR/practice management system logins? Is "vendor doesn't support MFA" documented as a gap with a remediation timeline? (45 CFR §164.312 — Proposed NPRM: MFA mandatory under final rule) | Yes (2) / Partial (1) / No (0) |
| T-7 | Audit Controls — Logging: Are audit logs enabled and retained for all systems that contain or access ePHI, capturing user access, login/logout events, queries, and modifications? (45 CFR §164.312(b) — Audit controls (required specification)) | Yes (2) / Partial (1) / No (0) |
| T-8 | Integrity Controls: Are there technical controls in place to ensure ePHI has not been altered or destroyed in an unauthorized manner (hash verification, checksums, digital signatures, access control lists)? (45 CFR §164.312(c)(1) — Integrity controls) | Yes (2) / Partial (1) / No (0) |
| T-9 | Malware Protection / Endpoint Security: Is anti-malware software deployed, updated, and monitored on all workstations and servers that access ePHI, including endpoint detection and response (EDR)? (45 CFR §164.312 — Proposed NPRM: Anti-malware mandatory under final rule) | Yes (2) / Partial (1) / No (0) |
| T-10 | Network Segmentation: Are ePHI systems isolated on a segregated network segment, preventing lateral movement between clinical systems and guest/administrative networks? (45 CFR §164.312 — Proposed NPRM: Network segmentation mandatory under final rule) | Yes (2) / Partial (1) / No (0) / N/A |
| T-11 | Vulnerability Scanning: Is vulnerability scanning performed on ePHI systems at least twice per year by a qualified internal or external party, with results documented and remediation tracked? (45 CFR §164.308 / Proposed NPRM: Biannual scans mandatory under final rule) | Yes (2) / Partial (1) / No (0) |
| T-12 | Penetration Testing: Has a formal penetration test (human-led, not just automated scanning) been conducted on ePHI-connected systems within the past 12 months, with findings documented and remediated? (45 CFR §164.308 / Proposed NPRM: Annual pen testing mandatory under final rule) | Yes (2) / Partial (1) / No (0) |
| T-13 | Patch Management: Is there a documented patch management program that applies security patches to all ePHI-related systems within a defined timeframe (e.g., critical patches within 30 days), with compliance tracked? (45 CFR §164.312 — Proposed NPRM: Configuration management controls required) | Yes (2) / Partial (1) / No (0) |
| T-14 | Backup and Recovery — Technical Controls: Are ePHI backups automated, encrypted, stored off-site or in a separate cloud tenant, tested for restorability at least annually, and can critical systems be restored within 72 hours? (45 CFR §164.308(a)(7) / Proposed NPRM: 72-hour restoration requirement under final rule) | Yes (2) / Partial (1) / No (0) |
| T-15 | Role-Based Access Control (RBAC) / Least Privilege: Is access to ePHI limited to the minimum necessary — enforced through role-based access controls — so users can only access the data required for their job function? (45 CFR §164.312(a)(1) — Access control; §164.514(d) — Minimum necessary standard) | Yes (2) / Partial (1) / No (0) |
Warby Parker, Inc. (2025): $1,500,000 civil monetary penalty for multiple failures including failure to conduct a risk analysis AND failure to monitor activity in information systems containing ePHI. The OCR cited lack of audit log review as a key failure — 198,470 individuals were affected. Audit controls are not optional for any covered entity.
Section 5: Privacy Rule Compliance
| # | Assessment Item | Score Options |
|---|---|---|
| PR-1 | Notice of Privacy Practices (NPP): Does the practice have a current, compliant NPP provided to patients at first service delivery, posted prominently in the facility and on the website, and updated within 60 days of material changes? (45 CFR §164.520 — Notice of privacy practices) | Yes (2) / Partial (1) / No (0) |
| PR-2 | Patient Right of Access — Process and Timeliness: Is there a documented process to fulfill patient requests for copies of their PHI within 30 days (15 days under proposed NPRM), with tracking of all requests and responses? (45 CFR §164.524 — Right of access; 2025 NPRM proposes 15-day deadline) | Yes (2) / Partial (1) / No (0) |
| PR-3 | Minimum Necessary Standard: Are policies and technical controls in place to ensure that PHI uses and disclosures are limited to the minimum information necessary to accomplish the permitted purpose? (45 CFR §164.502(b) — Minimum necessary standard) | Yes (2) / Partial (1) / No (0) |
| PR-4 | Patient Amendment Rights: Is there a documented process for patients to request amendments to their PHI, with procedures for accepting, denying (with written rationale), and appending disagreements? (45 CFR §164.526 — Amendment of protected health information) | Yes (2) / Partial (1) / No (0) |
| PR-5 | Authorization Requirements for Non-TPO Disclosures: Are valid HIPAA authorizations obtained before disclosing PHI for purposes outside of treatment, payment, or healthcare operations (e.g., marketing, research, sale of PHI)? (45 CFR §164.508 — Uses and disclosures for which authorization is required) | Yes (2) / Partial (1) / No (0) |
Oregon Health & Science University (March 2025): $200,000 civil monetary penalty for failure to provide a patient with timely access to medical records. OCR's Right of Access enforcement initiative has resulted in over 50 penalties since 2019, including small practices. Patient access requests must be tracked, and the timelines are non-negotiable.
Section 6: Breach Notification Readiness
| # | Assessment Item | Score Options |
|---|---|---|
| BN-1 | Breach Assessment Procedure (4-Factor Test): Is there a documented procedure for assessing whether a security incident constitutes a reportable breach using the four-factor test (nature/extent of PHI, who accessed it, whether PHI was actually acquired/viewed, mitigation extent)? (45 CFR §164.402 — Breach definition and risk assessment) | Yes (2) / Partial (1) / No (0) |
| BN-2 | Individual Notification Timeline — 60 Days: Is there a documented process to notify affected individuals within 60 days of discovering a breach, including procedures for written notification, substitute notice, and tracking delivery? (45 CFR §164.404 — Notification to individuals; current deadline: 60 calendar days) | Yes (2) / Partial (1) / No (0) |
| BN-3 | HHS / OCR Reporting Process: Is there a documented process to notify HHS of breaches: for breaches affecting 500+ individuals, within 60 days of discovery; for smaller breaches, logged and submitted to the HHS annual breach report portal no later than 60 days after the end of the calendar year? (45 CFR §164.408 — Notification to the Secretary) | Yes (2) / Partial (1) / No (0) |
| BN-4 | Breach Documentation and Record Retention: Does the practice maintain documented records of all breach investigations (including incidents determined to not be reportable breaches), with records retained for at least 6 years? (45 CFR §164.414 — Burden of proof and documentation retention) | Yes (2) / Partial (1) / No (0) |
| BN-5 | Media Notice for Large Breaches: Is there a documented process for providing prominent media notice when a breach affects 500 or more residents of a state or jurisdiction, within the same 60-day window? (45 CFR §164.406 — Notification to the media) | Yes (2) / Partial (1) / No (0) / N/A |
Breach notification failures compound penalties significantly. Cadia Healthcare Facilities (2025): $182,000 settlement for social media disclosure plus Breach Notification Rule failure. USR Holdings (2025): $337,750 penalty where failure to record system activity AND breach notification failure occurred together. Late or absent breach notifications trigger a secondary violation on top of the underlying breach — always document your discovery date.
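The three notification clocks in items BN-2, BN-3 and BN-5 all run from the discovery date, which is why documenting that date matters. The following is an added example, not part of the original assessment, that turns those timelines into a deadline calculator a practice can run during an incident. It assumes the discovery date and per-state head counts are already established, treats 60 days as the outer limit (the rule requires notice without unreasonable delay, so 60 days is a ceiling, not a target), and does not model the law-enforcement delay provision or substitute-notice mechanics; the incident scenarios at the bottom are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Outer time limits cited in Section 6 (45 CFR 164.404, 164.406, 164.408).
INDIVIDUAL_NOTICE_DAYS = 60    # 164.404: individuals, within 60 calendar days of discovery
HHS_IMMEDIATE_THRESHOLD = 500  # 164.408: 500+ individuals -> HHS within the same 60 days
SMALL_BREACH_LOG_DAYS = 60     # 164.408: <500 -> annual log, due 60 days after calendar year end
MEDIA_STATE_THRESHOLD = 500    # 164.406: 500+ residents of one state/jurisdiction -> media notice


@dataclass
class BreachDeadlines:
    discovered: date
    total_affected: int
    individual_notice_by: date
    hhs_notice_by: date
    hhs_reporting_mode: str
    media_notice_states: List[str]
    media_notice_by: Optional[date]

    def to_dict(self) -> Dict[str, Optional[str]]:
        """ISO-formatted view for reports and for checking results."""
        return {
            "discovered": self.discovered.isoformat(),
            "total_affected": str(self.total_affected),
            "individual_notice_by": self.individual_notice_by.isoformat(),
            "hhs_notice_by": self.hhs_notice_by.isoformat(),
            "hhs_reporting_mode": self.hhs_reporting_mode,
            "media_notice_states": ",".join(self.media_notice_states),
            "media_notice_by": self.media_notice_by.isoformat() if self.media_notice_by else None,
        }


def breach_deadlines(discovered_iso: str, affected_by_state: Dict[str, int]) -> BreachDeadlines:
    """Compute notification deadlines from an ISO discovery date and per-state head counts."""
    if any(n < 0 for n in affected_by_state.values()):
        raise ValueError("affected counts cannot be negative")
    discovered = date.fromisoformat(discovered_iso)
    total = sum(affected_by_state.values())
    individual_by = discovered + timedelta(days=INDIVIDUAL_NOTICE_DAYS)

    if total >= HHS_IMMEDIATE_THRESHOLD:
        hhs_by = individual_by
        mode = "notify HHS contemporaneously (500+ individuals)"
    else:
        # Small breaches are logged and submitted after the calendar year of discovery ends.
        year_end = date(discovered.year, 12, 31)
        hhs_by = year_end + timedelta(days=SMALL_BREACH_LOG_DAYS)
        mode = "record in annual breach log (fewer than 500 individuals)"

    # Media notice is triggered per state/jurisdiction, not by the overall total.
    media_states = sorted(s for s, n in affected_by_state.items() if n >= MEDIA_STATE_THRESHOLD)
    media_by = individual_by if media_states else None

    return BreachDeadlines(discovered, total, individual_by, hhs_by, mode, media_states, media_by)


def is_late(deadline_iso: str, completed_iso: Optional[str], as_of_iso: str) -> bool:
    """True if the action was completed after its deadline, or is still open past the deadline."""
    deadline = date.fromisoformat(deadline_iso)
    reference = date.fromisoformat(completed_iso or as_of_iso)
    return reference > deadline


# Constructed scenarios (not real incidents): a device theft discovered 10 March 2026.
SMALL_INCIDENT = breach_deadlines("2026-03-10", {"NY": 300, "NJ": 150})   # 450 total
LARGE_INCIDENT = breach_deadlines("2026-03-10", {"NY": 600, "CT": 50})    # 650 total, NY >= 500

if __name__ == "__main__":
    for label, incident in (("small", SMALL_INCIDENT), ("large", LARGE_INCIDENT)):
        print(label, incident.to_dict())
```

In the small scenario the HHS deadline lands in March of the following year while the individual notices are still due within 60 days of discovery; in the large scenario all three clocks converge on the same date and a media notice is owed in New York but not Connecticut.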
Section 7: Score Interpretation and Action Planning
After completing all 50 items, calculate your total score using the formula in Section 1. Use the interpretation guide below to determine your compliance posture and recommended actions.
| Score Range | Compliance Level | OCR Exposure | Recommended Timeline |
|---|---|---|---|
| 80–100 | Strong Compliance | Low — documented program reduces penalty exposure | Annual review cycle; 2026 NPRM gap analysis |
| 60–79 | Moderate Gaps | Moderate — gaps are exploitable and documentable by OCR | Address high-priority items within 90 days |
| 40–59 | Significant Risk | High — multiple required specifications missing | Engage consultant within 30 days; begin formal risk analysis |
| Below 40 | Critical | Very High — foundational violations present | Engage legal/compliance counsel immediately |
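The scoring formula in Section 1 and the interpretation bands above are easy to get wrong by hand, most often by counting N/A items in the maximum. The following is an added example, not part of the original assessment, implementing the formula (points earned divided by the maximum over applicable items, times 100, rounded to a whole number as in the page's 78/90 example) together with the band lookup and a gap list for the remediation roadmap. The item ids and answers in the sample are constructed and do not represent a real practice.

```python
from typing import Dict, List, Optional, Tuple

# Point values used by the assessment. None represents an N/A answer,
# which is dropped from both the points earned and the maximum.
POINTS = {"Yes": 2, "Partial": 1, "No": 0}
MAX_PER_ITEM = 2

# Interpretation bands from Section 7, checked from the highest floor down.
BANDS = (
    (80, "Strong Compliance"),
    (60, "Moderate Gaps"),
    (40, "Significant Risk"),
    (0, "Critical"),
)


def calculate_score(responses: Dict[str, Optional[str]]) -> Tuple[int, int, int]:
    """Return (points earned, maximum points, score 0-100) for one assessment.

    responses maps an item id (e.g. "A-3") to "Yes", "Partial", "No" or None (N/A).
    """
    applicable = {item: ans for item, ans in responses.items() if ans is not None}
    if not applicable:
        raise ValueError("every item is N/A; nothing to score")
    for item, ans in applicable.items():
        if ans not in POINTS:
            raise ValueError(f"{item}: unrecognised answer {ans!r}")
    points = sum(POINTS[ans] for ans in applicable.values())
    max_points = MAX_PER_ITEM * len(applicable)
    return points, max_points, round(points * 100 / max_points)


def interpret(score: int) -> str:
    """Map a 0-100 score to the assessment's compliance level."""
    for floor, level in BANDS:
        if score >= floor:
            return level
    return "Critical"  # unreachable for scores in 0-100; kept for completeness


def gap_items(responses: Dict[str, Optional[str]]) -> List[str]:
    """Items that did not score full marks, 'No' answers first, for the remediation roadmap."""
    gaps = [item for item, ans in responses.items() if ans in ("No", "Partial")]
    return sorted(gaps, key=lambda item: POINTS[responses[item]])  # stable: keeps item order within a tier


# Constructed sample: a partial assessment, not a real practice's results.
SAMPLE_RESPONSES: Dict[str, Optional[str]] = {
    "A-1": "Yes", "A-3": "Partial", "A-8": "No", "A-15": "Yes",
    "P-2": None,   # N/A: no separate facility to restore from
    "T-4": "Yes", "T-6": "Partial", "T-7": "Yes",
    "BN-5": None,  # N/A: practice has never crossed the 500-resident threshold
}

if __name__ == "__main__":
    earned, maximum, score = calculate_score(SAMPLE_RESPONSES)
    print(f"{earned}/{maximum} points -> score {score}: {interpret(score)}")
    print("Remediate first:", gap_items(SAMPLE_RESPONSES))
```

Tracking the quarterly scores this produces, alongside the gap list, gives the documented improvement trend that Section 1 describes as a mitigating factor.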
Section 8: Remediation Priority Matrix
Not all HIPAA gaps carry the same enforcement risk. This matrix prioritizes remediation actions based on OCR enforcement patterns from 2023–2025, the frequency with which each control type appears in settlement agreements, and the potential financial exposure per violation. Address critical and high-priority items before lower-risk gaps.
| Control Area | Priority | Rationale | Estimated Remediation Effort |
|---|---|---|---|
| Risk Analysis (A-3) | Critical | Most common OCR enforcement basis 2024–2025; required specification with no flexibility. Absent risk analysis = automatic finding in any OCR investigation. | 2–4 weeks with consultant; $3,000–$15,000 |
| Encryption at Rest (T-4) | Critical | Mandatory under proposed NPRM. Unencrypted device loss triggers automatic reportable breach. Directly cited in multiple multi-million-dollar settlements. | 2–6 weeks depending on systems; $5,000–$20,000 |
| MFA Everywhere (T-6) | Critical | Mandatory under proposed NPRM. Credential theft is the #1 cause of healthcare breaches. OCR is increasingly citing MFA absence in enforcement investigations. | 1–3 weeks; $1,000–$8,000 depending on systems |
| BAA Inventory (A-8) | Critical | Missing BAAs appear in a majority of OCR settlements. Any vendor touching PHI without a BAA is a required-specification violation. Easy to remediate, high risk if ignored. | 1–2 weeks; low cost (template BAAs available) |
| Audit Controls / Log Review (T-7, A-13) | High | Audit controls are a required specification. Failure to monitor appears repeatedly in 2024–2025 settlements alongside primary violations, amplifying penalties. | 1–2 weeks configuration; ongoing quarterly reviews |
| Incident Response Plan (A-9) | High | Ransomware incidents without a response plan trigger compounding violations. Proposed NPRM makes documented and tested incident response mandatory. OCR routinely scrutinizes response timeliness. | 2–3 weeks to draft; annual tabletop exercise |
| Penetration Testing (T-12) | High | Mandatory under proposed NPRM final rule. Demonstrates recognized security practices, which OCR considers a mitigating factor in enforcement and can reduce audit duration and penalties. | 1–2 weeks; $5,000–$25,000 annually |
| Encryption in Transit (T-5) | High | Mandatory under proposed NPRM. Unencrypted transmission of PHI is a per-occurrence violation. Common in email, fax-to-email workflows, and legacy EHR integrations. | 1–2 weeks; typically low cost via TLS configuration |
| Workforce Training (A-5) | High | Appears in virtually every settlement as a corrective action plan requirement, even when not the primary violation. Documented training provides meaningful mitigation evidence. | Ongoing; $500–$5,000/year depending on platform |
| Patient Right of Access Process (PR-2) | High | Active OCR enforcement initiative since 2019 with 50+ penalties. Timelines are strict; missed deadlines are clear violations. 2025 NPRM may reduce deadline to 15 days. | 1 week to document process; workflow training |
| Backup / 72-Hour Restoration (T-14) | Medium | 72-hour restoration requirement proposed under NPRM. Current ransomware threat environment makes this operationally critical. Backup failures exposed in multiple enforcement actions. | 2–4 weeks; $2,000–$15,000 depending on infrastructure |
| Network Segmentation (T-10) | Medium | Proposed NPRM mandatory requirement. Prevents lateral movement in ransomware attacks. Particularly important for practices with IoT medical devices or point-of-care systems. | 2–8 weeks; $3,000–$20,000 depending on infrastructure |
| Contingency Plan Testing (A-11) | Medium | Untested plans fail during actual incidents. Annual testing is required under current rules and reinforced under proposed NPRM. Low cost, high value for enforcement mitigation. | Annual half-day tabletop exercise; minimal cost |
| Remote Work Physical Controls (P-10) | Medium | Post-COVID telehealth expansion created significant physical safeguard gaps for home offices. Increasingly relevant as OCR begins scrutinizing remote access incidents. See our guide to HIPAA telehealth compliance for platform-specific requirements. | 1–2 weeks for policy; training required |
| Technology Asset Inventory (A-15) | Medium | Mandatory under proposed NPRM. Without a current inventory, risk analysis cannot be comprehensive. Shadow IT and unmanaged devices are invisible attack surfaces. | 1–3 weeks initial inventory; ongoing maintenance |
| Media Notice for Large Breaches (BN-5) | Low | Only applies to breaches affecting 500+ state residents. Important to have documented, but low probability for most small practices. Include in annual policy review. | Hours to document; low ongoing burden |
| Patient Amendment Rights (PR-4) | Low | Rarely the primary basis for enforcement, but failure appears in broader investigations. Simple to implement as a defined workflow. Include in annual policy review. | Hours to document procedure; minimal training |
📋 Closing Telehealth, Forms, Endpoint & Communication Gaps?
If your remediation roadmap includes replacing non-compliant tools: HIPAA Link consolidates video, messaging, and patient portal; HIPAAtizer handles HIPAA intake/consent forms; Bitdefender GravityZone covers endpoint/EDR; NordVPN Teams for encrypted remote access; and NordPass Business for password/access management. Affiliate partners — commission earned at no cost to you.
Section 9: 2026 HIPAA Security Rule NPRM — What's Changing
On December 27, 2024, OCR issued a Notice of Proposed Rulemaking (NPRM) to significantly overhaul the HIPAA Security Rule. The NPRM was published in the Federal Register on January 6, 2025. The final rule is expected in mid-2026, with a compliance deadline approximately 180–240 days after publication. Begin gap analysis now — the runway is short.
The NPRM had its public comment period in early 2025. The final rule is expected to be published in mid-2026, with an effective date approximately 60 days after Federal Register publication and a compliance deadline of 180 days after the effective date. Small healthcare providers may receive an extended compliance timeline of up to 24 months from the effective date.
The Most Significant Change: End of "Addressable" Safeguards
The single most impactful change in the proposed rule is the elimination of the "addressable" vs. "required" distinction for implementation specifications. Under current rules, covered entities can document why an "addressable" control is not reasonable or appropriate and either implement an equivalent alternative or skip it. Under the proposed rule, all implementation specifications become mandatory — with only limited exceptions. This fundamentally changes the compliance calculus for encryption, MFA, and several other controls that many practices have deferred.
Multi-Factor Authentication
MFA becomes mandatory for all access to ePHI — no more "addressable" opt-out. Must cover remote access, privileged accounts, EHR/practice management systems, cloud platforms, and third-party/vendor access. SMS-based MFA is acceptable but FIDO2/authenticator apps are preferred by NIST.
Encryption at Rest — Mandatory
Encryption at rest for all ePHI is mandatory, closing the addressable loophole. Applies to databases, file servers, laptops, mobile devices, backups, and cloud storage. Recommended standard: AES-256 with proper key management. Encrypted device loss is not a reportable breach.
Annual Penetration Testing
Annual penetration testing by a qualified third party is explicitly required. Biannual vulnerability scanning (automated) is a separate, additional requirement. Results must be documented and remediation tracked. Recognized security practices (NIST CSF, HITRUST) can serve as evidence to reduce enforcement scrutiny.
72-Hour System Restoration
Written procedures must establish the ability to restore critical ePHI systems and data within 72 hours of a disaster or ransomware event. Backup testing and documented RTOs (Recovery Time Objectives) are now effectively required. Current OCR guidance already stresses this, and the NPRM codifies it.
Network Segmentation
Technical network segmentation is required to isolate ePHI systems from general network traffic. This prevents ransomware lateral movement and limits breach scope. Clinical device networks, EHR systems, and billing platforms should operate in segregated VLANs or network zones.
Technology Asset Inventory
A comprehensive, current technology asset inventory and network map must be maintained on an ongoing basis and reviewed at least annually and after any significant change. This is the foundation for a compliant risk analysis under the updated rule — you cannot assess risk to systems you cannot enumerate.
Written Documentation — All Policies
All Security Rule policies, procedures, plans, and analyses must be in writing. Undocumented practices — no matter how well-implemented — do not satisfy the rule. This includes the risk analysis, risk management plan, contingency plan, incident response procedures, and access policies.
Business Associate Verification
Business associates must annually verify technical safeguard compliance through a written analysis by a subject matter expert plus a written certification. Covered entities must obtain and review these certifications. This dramatically increases BAA accountability requirements.
24-Hour Access Revocation Notice
Certain regulated entities must notify relevant parties within 24 hours when a workforce member's access to ePHI or certain systems is changed or terminated. This formalizes and tightens access management timelines significantly.
- Now (Q1–Q2 2026): Complete this self-assessment. Identify gaps in MFA, encryption at rest, penetration testing, and asset inventory.
- Q2–Q3 2026: Engage a HIPAA compliance consultant or IT security firm for formal risk analysis incorporating NPRM requirements. Prioritize MFA deployment, encryption, and network segmentation.
- Q3 2026 (upon final rule publication): Begin formal 180-day compliance countdown. Execute remediation plans with documented milestones.
- Before compliance deadline: Annual penetration test completed, 72-hour recovery procedures tested, BAA verification program in place, all policies updated in writing.
Frequently Asked Questions
How often should a medical practice conduct a HIPAA self-assessment?
OCR requires at least an annual security risk analysis under the current HIPAA Security Rule (45 CFR §164.308(a)(1)). The proposed 2025 NPRM would also require a formal compliance audit at least once every 12 months and effectiveness reviews of security measures annually. For most practices, conducting a structured self-assessment quarterly — with a full formal risk analysis annually — is the appropriate cadence. Any significant change to systems, vendors, or operations should trigger an interim assessment.
What is the minimum passing score on this HIPAA self-assessment?
There is no official "passing" threshold in HIPAA regulations — compliance is a continuous obligation, not a pass/fail test. However, this assessment's 80+ threshold correlates with practices that have documented, functional programs across all required specifications. OCR enforcement patterns show that documented, actively improving compliance programs receive more favorable outcomes than static or absent ones. A practice scoring 60–79 has meaningful but addressable gaps; below 60 indicates exposure that warrants consultant engagement.
What are the biggest HIPAA enforcement targets in 2025–2026?
OCR's primary enforcement initiative since 2024 is HIPAA Security Rule risk analysis compliance. The majority of 2024 and 2025 settlements involved failure to conduct a compliant risk analysis, failure to monitor information system activity, and inadequate access controls. OCR announced 21 settlements in 2025 — the second highest annual total — with the majority tied to Security Rule failures. Practices that cannot produce a current, thorough, documented risk analysis are at the highest enforcement risk regardless of size.
When will the new HIPAA Security Rule NPRM requirements take effect?
The HIPAA Security Rule NPRM was published in the Federal Register on January 6, 2025. The final rule is expected to be published in mid-2026, with an effective date approximately 60 days after Federal Register publication and a compliance deadline of 180 days after the effective date. Small healthcare providers may receive an extended compliance timeline. Begin gap analysis immediately — 180 days is not sufficient time to deploy MFA, implement encryption at rest, contract annual penetration testing, and update all documentation from a standing start.
Does this self-assessment replace a formal HIPAA risk analysis?
No. This self-assessment is a structured gap-analysis tool to help identify priorities and track compliance maturity. A formal HIPAA risk analysis, required under 45 CFR §164.308(a)(1)(ii)(A), must be conducted by someone with the necessary expertise (in-house or an outside firm), document all systems and data flows that create, receive, maintain, or transmit ePHI, assess specific threats and vulnerabilities, assign likelihood and impact to produce risk levels, and feed a written risk management plan under §164.308(a)(1)(ii)(B). Use this guide to prepare for, scope, and validate the formal process. Many practices work with specialized compliance consultants; you can browse HIPAA compliance partners on GetPracticeHelp to find qualified firms.
What should we do if we score below 40 on this assessment?
A score below 40 indicates critical compliance gaps. Immediate priorities: (1) Engage a HIPAA compliance consultant or attorney within 30 days, (2) Conduct a formal risk analysis as required under 45 CFR §164.308(a)(1), (3) Designate or confirm your HIPAA Security Officer in writing, (4) Inventory all systems containing ePHI, (5) Implement basic access controls and audit logging on all ePHI systems, and (6) Execute BAAs with all vendors handling PHI. Document every remediation step — OCR credits documented good-faith improvement efforts during investigations. Consider using our Practice Matching tool to find a HIPAA compliance partner quickly.
Your Assessment Summary
Use this reference card to record your scores by section and calculate your total compliance score.
HIPAA Self-Assessment Score Summary Card
Next Steps: Document your score, date, and assessors. Create a remediation log for all items scored 0 or 1. Assign owners, deadlines, and budget. Re-assess quarterly to track improvement. Keep this assessment and all remediation records for at least 6 years from the date of creation or the date the document was last in effect, whichever is later (45 CFR §164.316(b)(2)(i) for Security Rule documentation; §164.530(j) for Privacy Rule documentation).
Related Resources
- HIPAA Compliance Checklist for Medical Practices [2026] — Foundational overview of all HIPAA obligations by category
- Practice Startup Checklist — Compliance requirements for new practices including initial HIPAA setup
- Payer Contract Negotiation Guide — BAA requirements and data security terms in payer agreements
- Browse Compliance & Regulatory Partners — Verified HIPAA compliance consultants, IT security firms, and legal partners
- Get Matched with a Compliance Partner — Free matching service for finding the right compliance support for your practice
Source references: This guide incorporates requirements from 45 CFR Parts 160 and 164 (HIPAA Rules), the HHS HIPAA Security Rule NPRM Fact Sheet (December 2024), Federal Register NPRM (January 6, 2025), OCR Enforcement Highlights (HHS.gov), and HIPAA Journal 2025–2026 Enforcement Data. This guide does not constitute legal advice. Consult qualified HIPAA counsel for your specific compliance program.