HIPAA Self-Assessment — BITS Business IT Solutions

Category 1

Administrative safeguards

Policies, procedures, and workforce practices that govern how the practice handles PHI.

A formal HIPAA Security Risk Analysis was completed in the last 12 months — with written findings.
A written risk management plan tracks remediation of identified vulnerabilities.
All workforce members complete HIPAA & phishing-aware security training annually, with records kept.
A written sanction policy exists for staff who violate HIPAA, and it has been communicated.
A formal process governs how access to PHI is granted, reviewed, and revoked — onboarding, role change, termination.
A current, signed BAA is on file with every vendor that touches PHI (IT, EHR, cloud, billing, shredding).

Category 2

The technology controls protecting electronic PHI. Several of these are now mandatory under the 2026 rule.

MFA is enforced on every system that accesses, stores, or transmits PHI — EHR, email, remote access, admin portals.
PHI is encrypted at rest on workstations, servers, and mobile devices.
PHI is encrypted in transit — secure email, TLS-protected portals, encrypted file sharing.
Audit logs record who accessed PHI and when, and the logs are reviewed on a defined cadence.
The network is segmented so PHI systems are isolated from general staff/guest traffic (2026 mandatory).
Monitoring tools are deployed to detect unauthorized access or data exfiltration.
Workstations have endpoint protection and a documented patch cadence.

Category 3

How the physical environment and the hardware itself protect PHI.

A written workstation use policy defines where and how PHI can be accessed.
A documented disposal process securely wipes or destroys devices that contained PHI.
Mobile devices used for practice work are enrolled in MDM with remote-wipe capability.
Physical access to servers, networking gear, and PHI storage is restricted & logged.

Category 4

What happens when something goes wrong — before, during, and after an incident.

PHI is backed up on a defined schedule, off-site/cloud, and backups have been tested for restorability in the last 12 months.
A written incident response plan exists, covers detection through post-incident review, and has been tested in the last 12 months.
A written breach notification policy meets the HIPAA Breach Notification Rule requirements.
The practice carries cyber liability insurance that explicitly covers HIPAA breaches.
Periodic technical testing (vulnerability scanning, penetration test, or equivalent) is documented — required by the 2026 rule.
An asset inventory lists every system containing PHI — EHR, email, remote access, cloud, imaging.
The 2026 Security Rule changes have been reviewed against the practice's current controls.