1. 1. Has your practice completed a documented HIPAA Security Risk Analysis (SRA) in the last 12 months?Maps to 45 CFR 164.308(a)(1)(ii)(A)
  2. 2. Is ePHI encrypted at rest on every system that stores it (EHR, laptops, backups, file shares)?Maps to 45 CFR 164.312(a)(2)(iv)
  3. 3. Is multi-factor authentication (MFA) enforced on every admin / privileged account that can access ePHI?Maps to 45 CFR 164.312(d)
  4. 4. Do you have a signed Business Associate Agreement (BAA) on file for every vendor that touches ePHI?Maps to 45 CFR 164.308(b)(1)
  5. 5. Has every workforce member completed documented HIPAA security awareness training in the last 12 months?Maps to 45 CFR 164.308(a)(5)(i)

This is a quick directional read. The complete answer — all 68 Security Rule controls, mapped and cited — comes from the full 25-question assessment, free with an account once you see your score.

Administrative documentation aid. Not legal advice and not a certification. This is a quick directional check; the full 25-question assessment and binder are free while we're in beta.