Lead magnet · No email required

5-Minute HIPAA Risk Self-Check

Ten yes/no questions. In five minutes they tell you whether your small practice would survive an OCR information request, or whether you have a documentation hole worth closing this quarter. An honest "no" on any item is the finding; the evidence behind each "yes" is what OCR actually asks for.

  1. An annual Security Risk Analysis has been completed and is filed.
    Required every performance year for MIPS Promoting Interoperability, and the Security Rule (45 CFR 164.308(a)(1)(ii)(A)) requires one that is kept current as systems change. A missing or inadequate risk analysis is the finding OCR cites most often against small practices. "Filed" means the analysis itself and its remediation plan, not just the vendor's invoice for it.
  2. Every vendor that creates, receives, maintains, or transmits PHI on our behalf has a signed, current Business Associate Agreement.
    Including the EHR, clearinghouse, billing service, MSP, backup provider, answering service, and transcription. Signed by both parties, and the executed copy is on file with you, not only with the vendor.
  3. Every laptop, tablet, and phone that stores PHI is encrypted, and we can prove it.
    BitLocker / FileVault / MDM encryption profile, with management-console evidence (or, with no MDM, a dated per-device status export). Proof matters: under HHS guidance, PHI encrypted to NIST standards is "secured," so a lost encrypted device is not a reportable breach. A lost device you cannot prove was encrypted is.
  4. MFA is enforced on the EHR, email, and remote-access tools.
    App-based or hardware key. SMS is acceptable as a last resort, not the default. "Enforced" means the tenant or application policy requires it for every account, including administrators and any shared front-desk logins, not that it is merely available to users who opt in.
  5. An incident-response contact and process are identified, and the staff knows who to call.
    Front-desk-readable. Posted somewhere visible. Tested at least once a year.
  6. Cyber insurance is current and the renewal questionnaire was answered accurately.
    Misrepresentation on the application, typically about MFA, backups, or endpoint protection, is a common reason claims are denied; carriers verify the answers after a loss, not before.
  7. Breach-notification letter templates are pre-staged for patients, HHS OCR, the media (where required), and the state attorney general.
    Individuals must be notified without unreasonable delay and no later than 60 calendar days after discovery. Breaches affecting 500 or more people also require notice to OCR on the same clock, and to the media when more than 500 residents of one state are affected; smaller breaches go to OCR within 60 days after the end of the calendar year. State AG deadlines vary by state. Drafting under deadline is how clocks get missed. Pre-stage now.
  8. All workforce members completed HIPAA training this year and attestations are on file.
    Required at hire and whenever policies or procedures change; an annual refresher is the accepted way to show ongoing security-awareness training. Sanction policy referenced in the training.
  9. A written Sanction Policy exists and has been applied at least once in the last 24 months.
    OCR looks for evidence that the policy is real, not just on paper. If no violation has warranted a sanction, document the reviews that reached that conclusion; silence reads as a policy nobody uses.
  10. The OCR breach-reporting process has been walked through in advance, and any credentials or contact details it requires are stored where the privacy officer can find them.
    Working out the submission process for the first time during an active incident is a delay you don't have.
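For item 3, the strongest evidence is the MDM or Intune console export, but a practice without an MDM still needs something dated and reviewable. The script below is an added example, not part of this checklist, and not a vendor's or HHS's tool: it collects per-volume BitLocker status on one Windows device into a timestamped CSV and flags anything an OCR reviewer would. It uses only the standard BitLocker PowerShell module (`Get-BitLockerVolume`); the evidence folder path is an assumption. The macOS equivalent of the status query is `fdesetup status`.

```powershell
# Added example: per-device BitLocker evidence export for checklist item 3.
# Run in an elevated PowerShell session on each Windows device. Requires the
# BitLocker module that ships with Windows 10/11 Pro, Enterprise, and Education.

$evidenceDir = 'C:\HIPAA-Evidence'    # assumed location; point it at a share the privacy officer controls
New-Item -ItemType Directory -Path $evidenceDir -Force | Out-Null

$stamp   = Get-Date -Format 'yyyy-MM-dd'
$outFile = Join-Path $evidenceDir "bitlocker-$($env:COMPUTERNAME)-$stamp.csv"

# One row per volume. KeyProtectors shows whether a recovery key exists at all
# (RecoveryPassword) and whether protection is TPM-bound, which is what a reviewer
# reads to judge whether the encryption is actually enforced on this device.
$rows = Get-BitLockerVolume | ForEach-Object {
    [pscustomobject]@{
        Collected        = (Get-Date).ToString('s')
        Computer         = $env:COMPUTERNAME
        Volume           = $_.MountPoint
        VolumeType       = $_.VolumeType            # OperatingSystem or Data
        ProtectionStatus = $_.ProtectionStatus      # On means protectors are active
        VolumeStatus     = $_.VolumeStatus          # FullyEncrypted is the target state
        EncryptionPct    = $_.EncryptionPercentage
        EncryptionMethod = $_.EncryptionMethod      # e.g. XtsAes128 / XtsAes256
        KeyProtectors    = ($_.KeyProtector.KeyProtectorType -join ';')
    }
}

$rows | Export-Csv -Path $outFile -NoTypeInformation

# A volume that is encrypted but has protection suspended (ProtectionStatus Off)
# is the common trap: the console says "encrypted", the disk reads in the clear.
$gaps = $rows | Where-Object {
    $_.ProtectionStatus -ne 'On' -or $_.VolumeStatus -ne 'FullyEncrypted'
}

if ($gaps) {
    Write-Warning "Volumes on $($env:COMPUTERNAME) that would not pass review:"
    $gaps | Format-Table Volume, VolumeType, ProtectionStatus, VolumeStatus, EncryptionPct -AutoSize
} else {
    Write-Host "All volumes fully encrypted with protection on. Evidence written to $outFile"
}
```

Keep the CSVs alongside the risk analysis; a folder of dated exports per device, refreshed each quarter, is the kind of artifact that answers "prove it" when the laptop is already gone. Store the BitLocker recovery keys somewhere other than the device itself (Entra ID, Active Directory, or the MDM), because a recovery key that only lived on the lost laptop is not a recovery key.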