One Guy Consulting
HIPAA Compliance Made Simple

HIPAA Self-Assessment

10 questions. 5 minutes. Find out where you stand.

The questions below cover the areas OCR weights more heavily than other possible violations when deciding whether to open an investigation. Your only job here is to answer each one as honestly as you can. Every 'No' becomes a 'Yes' as we work through our process together.

1
Have you completed a Security Risk Assessment in the past 12 months?
This is the first thing OCR asks for, and the failure it cites most often when organizations end up with a settlement or fine.
Yes
No
2
Do you have written HIPAA policies that your staff can actually access?
Not a binder on a shelf — documented, current policies your team knows exist.
Yes
No
3
Has every employee completed HIPAA training this year — with documentation to prove it?
OCR doesn't take your word for it. They want sign-off records and completion dates.
Yes
No
4
Do you have signed Business Associate Agreements with every vendor that handles PHI?
Your EHR, billing company, cloud storage, IT provider, shredding service: any vendor that creates, receives, maintains or transmits PHI on your behalf needs a BAA.
Yes
No
5
Do you have a documented Incident Response Plan that your team knows how to follow?
When a breach of unsecured PHI is discovered, you must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery (breaches affecting 500 or more people must also be reported to HHS within that same window). If you're working out your plan after the fact, you're already behind.
Yes
No
6
Is access to patient information restricted based on job role?
The front desk shouldn't see the same records as a clinician. Minimum necessary access is a core HIPAA requirement.
Yes
No
7
Are all devices that store or access PHI encrypted?
Laptops, phones, USB drives, tablets. If a lost or stolen device is encrypted in line with HHS guidance (and the key wasn't lost with it), the PHI on it isn't "unsecured" and the loss isn't a reportable breach. If it isn't encrypted, the loss is presumed to be a breach unless your risk assessment shows a low probability that the PHI was compromised.
Yes
No
8
Do you have a designated Privacy Officer and Security Officer?
HIPAA requires it. In small practices, one person can fill both roles — but someone has to be named and documented.
Yes
No
9
Do you have audit controls that track who accessed what patient information and when?
Most EHRs have this built in, but you need to actually review the logs on a regular schedule and keep a record of each review, not just have them.
Yes
No
10
If OCR knocked on your door tomorrow, could you hand them documentation for all of the above?
Compliance isn't just doing the right things — it's being able to prove you did them.
Yes
No
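Questions 6 and 9 above are about the same thing: a role-based access policy and the audit log that shows whether people are staying inside it. The script below is an added example (it is not One Guy Consulting's tooling and not any EHR's export format) of what a scheduled log review can look like. It reads a small constructed CSV audit export, checks each access against an assumed role policy, flags after-hours access and users who open an unusual number of charts in one day, and returns a summary a reviewer can file as evidence that the review happened. The column names, role policy, clinic hours and threshold are all assumptions for illustration.

```python
"""Review a constructed EHR audit export for minimum-necessary violations.

Added example; not One Guy Consulting's code and not a real EHR's log format.
ROLE_POLICY, CLINIC_HOURS and SNOOPING_THRESHOLD are illustrative assumptions.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Assumed policy: which record sections each job role may touch.
ROLE_POLICY = {
    "front_desk": {"demographics", "scheduling"},
    "billing": {"demographics", "billing"},
    "clinician": {"demographics", "scheduling", "clinical_notes", "medications"},
}
CLINIC_HOURS = (7, 19)   # assumed: access outside 07:00-19:00 gets a second look
SNOOPING_THRESHOLD = 3   # assumed: distinct patients per user per day before asking why

# Constructed sample audit export (not a real EHR format).
SAMPLE_AUDIT_LOG = """\
timestamp,user,role,patient_id,section,action
2024-03-04T08:02:11,jdoe,front_desk,P1001,demographics,view
2024-03-04T08:05:40,jdoe,front_desk,P1001,scheduling,view
2024-03-04T08:07:02,jdoe,front_desk,P1002,clinical_notes,view
2024-03-04T09:15:23,msmith,clinician,P1001,clinical_notes,view
2024-03-04T09:16:01,msmith,clinician,P1001,medications,edit
2024-03-04T12:30:45,rlee,billing,P1003,billing,view
2024-03-04T12:31:10,rlee,billing,P1003,clinical_notes,export
2024-03-04T23:41:09,msmith,clinician,P1004,clinical_notes,view
2024-03-04T23:42:30,msmith,clinician,P1005,clinical_notes,view
2024-03-04T23:43:12,msmith,clinician,P1006,clinical_notes,view
"""


def parse_audit_log(text):
    """Parse the CSV export into dicts, converting the timestamp column."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def review_audit_log(text):
    """Return (rule, user, detail) findings a reviewer should explain or escalate."""
    findings = []
    patients_seen = defaultdict(set)  # (user, date) -> set of patient ids

    for row in parse_audit_log(text):
        # Rule 1: the section touched must be permitted for the user's role.
        allowed = ROLE_POLICY.get(row["role"], set())
        if row["section"] not in allowed:
            findings.append(("role_violation", row["user"],
                             f'{row["role"]} {row["action"]} {row["section"]} of {row["patient_id"]}'))
        # Rule 2: access outside clinic hours is not forbidden, but it needs a reason.
        hour = row["timestamp"].hour
        if not CLINIC_HOURS[0] <= hour < CLINIC_HOURS[1]:
            findings.append(("after_hours", row["user"],
                             f'{row["timestamp"].isoformat()} {row["section"]} of {row["patient_id"]}'))
        patients_seen[(row["user"], row["timestamp"].date())].add(row["patient_id"])

    # Rule 3: one user opening many distinct charts in a day is the classic snooping signal.
    for (user, day), patients in patients_seen.items():
        if len(patients) > SNOOPING_THRESHOLD:
            findings.append(("many_patients", user, f"{len(patients)} distinct patients on {day}"))
    return findings


def review_summary(text):
    """Count findings by rule; keep this with the date of review as your evidence."""
    counts = defaultdict(int)
    for rule, _, _ in review_audit_log(text):
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for rule, user, detail in review_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{rule:15} {user:8} {detail}")
    print(review_summary(SAMPLE_AUDIT_LOG))
```

Run against the constructed log, the review flags the front-desk user opening clinical notes, the billing user exporting clinical notes, three late-night chart views by the clinician, and that clinician's four distinct patients in one day. Each flag is a question to ask, not a verdict; the point of the exercise is that the questions get asked, answered and written down on a schedule.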

Count Your "No" Answers

0–1
Strong
You're in good shape. Keep maintaining what you have.
2–4
Gaps Exist
You have exposure. These are the areas OCR targets first.
5+
At Risk
A complaint or breach could trigger an investigation you're not ready for.
No judgment here. Most organizations we work with land in "Gaps Exist" or "At Risk" the first time through. That is exactly why we exist: to close these gaps quickly, affordably, and without disrupting your day-to-day operations.

Want to close the gaps? Let's talk about what it takes to get audit-ready.

One Guy Consulting | oneguyconsulting.com | hello@oneguyconsulting.com