HIPAA Compliance Checker
The Health Insurance Portability and Accountability Act (HIPAA) establishes national standards to protect sensitive patient health information. This tool evaluates your compliance across data encryption, access controls, audit logging, PHI handling, business associate agreements, breach notification, physical safeguards, and employee training.
Data Encryption
Assessment of encryption practices for Protected Health Information at rest and in transit.
Q1. Is all Protected Health Information (PHI) encrypted at rest using AES-256 or equivalent in your databases and file storage?
Q2. Is all PHI encrypted in transit using TLS 1.2 or higher for every API endpoint, internal service call, and client connection?
Q3. Do you have a documented encryption key rotation policy that is executed at least annually?
© 2026 VertiComply. All rights reserved.
About the HIPAA Compliance Checker
The HIPAA Compliance Checker scores your organization against the technical and administrative safeguards in 45 CFR Parts 160, 162, and 164 — the Privacy Rule, Security Rule, and Breach Notification Rule that the HHS Office for Civil Rights (OCR) enforces. The 25 questions are weighted by what an OCR investigator actually looks at first during a breach response or compliance audit. Encryption, access controls, and audit logging carry the heaviest weights because they account for the majority of the dollar value in recent OCR settlements. Lower-weight questions still matter — they're the items that show up in corrective action plans even when the headline finding was something else. The score is a posture indicator, not a certification: HHS does not certify software or organizations as HIPAA-compliant, and any vendor that claims otherwise is misrepresenting the rule.
What this HIPAA assessment covers
The 25-question assessment scores 100 points across 8 weighted categories. Each category reflects a distinct HIPAA control domain.
Data Encryption · 15 pts · 3 questions
Assessment of encryption practices for Protected Health Information at rest and in transit.
Access Controls & Authentication · 16 pts · 4 questions
Evaluation of access control mechanisms and authentication practices for PHI systems.
Audit Logging & Monitoring · 14 pts · 3 questions
Assessment of audit logging completeness, tamper-proofing, and monitoring capabilities.
PHI Handling & Data Classification · 12 pts · 3 questions
Evaluation of data inventory, classification, and de-identification practices.
Business Associate Agreements · 10 pts · 2 questions
Assessment of BAA coverage and vendor compliance management.
Breach Notification · 10 pts · 2 questions
Evaluation of breach detection, response, and notification procedures.
Physical & Administrative Safeguards · 12 pts · 3 questions
Assessment of physical security, workstation policies, and disaster recovery.
Employee Training · 11 pts · 5 questions
Evaluation of workforce HIPAA training, awareness, and compliance enforcement.
Common HIPAA compliance gaps
The patterns we see most frequently in HIPAA self-assessments and remediation work. Each is the kind of finding an auditor flags first.
Encryption is documented but not enforced everywhere. Most teams have AES-256 on the production database but miss backups, log files, S3 buckets used for exports, and dev/staging environments that contain real PHI for testing. § 164.312(a)(2)(iv) is addressable, not required, but the OCR position since 2024 is that any PHI in storage without encryption is a presumed breach if accessed.
MFA is enabled for users but not for administrators, service accounts, or break-glass roles. The 2024 Change Healthcare incident — the largest healthcare breach in US history — traced back to a single Citrix account without MFA. Privileged access is exactly where MFA gaps cost the most.
Audit logs exist but are mutable. Logs in the same database as the data they log, or logs that admins can edit, fail the tamper-resistance expectation in § 164.312(b). Tamper-evident log storage (append-only, off-system, with hash chains or WORM storage) is the standard auditors now expect.
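The hash-chained, append-only log storage described above, as an added example that is not part of the original page: each entry commits to the hash of the one before it, so editing, deleting or reordering an entry is caught by the verifier. The event fields, actor names and the SHA-256-over-canonical-JSON construction are assumptions made for this demo.

```python
"""Added example (not from the original page): a hash-chained, append-only
audit log and a verifier that detects edited or deleted entries. Field names
and the sample events below are constructed for the demo."""
import hashlib
import json
from typing import Any, Dict, List

GENESIS = "0" * 64  # anchor for the first entry's prev_hash


def _digest(prev_hash: str, event: Dict[str, Any]) -> str:
    # Canonical JSON so the same event always hashes identically.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append_event(chain: List[Dict[str, Any]], event: Dict[str, Any]) -> Dict[str, Any]:
    """Append an event, linking it to the hash of the previous entry."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {"prev_hash": prev_hash, "event": event, "hash": _digest(prev_hash, event)}
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict[str, Any]]) -> int:
    """Return the index of the first bad entry, or -1 if the chain is intact.
    Editing an event changes its hash; deleting or reordering an entry breaks
    the prev_hash link of the entry after it. Only the head hash, copied
    off-system (WORM store, separate account), protects the final entry from
    an admin who rewrites it together with its hash."""
    expected_prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != expected_prev:
            return i
        if _digest(entry["prev_hash"], entry["event"]) != entry["hash"]:
            return i
        expected_prev = entry["hash"]
    return -1


# Constructed sample PHI-access events (not real data).
SAMPLE_EVENTS = [
    {"ts": "2025-01-10T09:00:00Z", "actor": "dr.smith", "action": "read", "record": "pt-1001"},
    {"ts": "2025-01-10T09:05:00Z", "actor": "admin01", "action": "export", "record": "pt-1001"},
    {"ts": "2025-01-10T09:07:00Z", "actor": "admin01", "action": "delete", "record": "pt-1002"},
]


def build_sample_chain() -> List[Dict[str, Any]]:
    chain: List[Dict[str, Any]] = []
    for ev in SAMPLE_EVENTS:
        append_event(chain, ev)
    return chain
```

Running `verify_chain(build_sample_chain())` returns -1; rewriting the second event's action in place makes it return 1, as does deleting that entry outright.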
BAAs are signed but not tracked. Teams sign BAAs at vendor onboarding and forget about them. When a sub-processor changes (your email provider switches to a new infrastructure vendor, your AI vendor adds a new sub-processor for inference), the BAA chain breaks silently. Quarterly BAA inventory review catches this.
Workforce training is annual and generic. Generic HIPAA training drives policy fatigue. OCR has been clear in recent enforcement actions that role-specific training (developers get encryption and access control content, support staff get social engineering and minimum-necessary content) is the expectation.
Incident response is documented but never tested. Most organizations have an incident response plan they wrote once and never exercised. The first time someone runs the plan should not be during a real breach. Annual tabletop exercises with the engineering team are the lowest-effort high-value control here.
Risk analysis is a checkbox, not a process. § 164.308(a)(1)(ii)(A) requires an accurate and thorough risk analysis of confidentiality, integrity, and availability of all ePHI. A one-time analysis from three years ago does not satisfy the rule. Risk analysis is meant to be ongoing, with documented updates as systems and threats change.
What to do with your HIPAA results
Your score is a starting point — these are the steps that convert the assessment into actionable remediation.
Address every Critical-risk gap first. Critical-flagged items in your report are the controls that map directly to the most-cited deficiencies in OCR settlements. Fixing these reduces both audit exposure and breach-cost exposure most efficiently.
Generate or refresh your written risk analysis. Use the gap report as input. The risk analysis is the document OCR asks for first in every investigation — having a current, comprehensive one is the single highest-leverage compliance artifact you can hold.
Inventory every system, service, and vendor that touches PHI. Map data flows end-to-end. Most gaps surface when you draw the actual flow rather than working from memory. Include AI vendors, email, analytics, observability tools, and any third-party integrations.
Confirm BAAs are signed and current for every business associate. Re-check that the BAA terms still match your actual data sharing relationship — many BAAs signed during early scale predate features your platform now offers.
Schedule a tabletop incident response exercise within 90 days. Run a realistic scenario (ransomware on a server containing PHI; a developer accidentally pushing a database backup to a public bucket; a phishing-driven account takeover). Document what the team got right and what processes failed.
HIPAA compliance FAQ
Does a high HIPAA Compliance Checker score mean we are HIPAA certified?
No. HHS does not issue HIPAA certifications, and no third party can certify you as HIPAA-compliant in a legally meaningful sense. A high score on this checker indicates your technical and administrative controls align with the safeguards OCR expects, which materially reduces audit and breach risk — but compliance is an ongoing posture, not a credential.
How often should we run a HIPAA self-assessment?
At minimum annually, and any time a significant change occurs to your systems, vendors, workforce, or data flows. Many regulated organizations run lightweight quarterly check-ins on the highest-risk controls (encryption, access, audit logging) and a full annual assessment for the broader scope.
We use a HIPAA-compliant vendor — does that cover us?
No. HIPAA-compliant infrastructure is necessary but not sufficient. You are still responsible for how your application, your workforce, and your processes handle PHI on top of that infrastructure. A vendor BAA covers the vendor's portion of the shared responsibility; the operational layer remains yours.
Does HIPAA apply if we don't bill insurance or treat patients?
Possibly. If you handle PHI on behalf of a covered entity — a clinic, hospital, health plan, or another business associate that does — you are a business associate and HIPAA applies fully. Many SaaS companies discover they're business associates after their first healthcare customer asks them to sign a BAA.
What is the difference between addressable and required HIPAA controls?
Required controls must be implemented as written. Addressable controls must be implemented if reasonable and appropriate; if not, the rationale and an equivalent alternative must be documented. Encryption is the most well-known addressable specification — you must either implement it or document a defensible reason you did not and what compensating controls you use instead.
How long should HIPAA audit logs be retained?
Six years from the date of creation or the date when last in effect, whichever is later, per § 164.316(b)(2)(i). Some states impose longer retention for specific record types. Six years is the floor — many organizations retain audit logs for seven years to match standard tax and IRS retention.
Build it instead of buying it
Generate a HIPAA-compliant healthcare app with the controls built in
VertiComply generates production-ready healthcare applications with HIPAA controls scaffolded from the first commit — no add-on tier, no platform lock-in, code exported to your GitHub.