Free interactive tool
Answer 12 questions about your healthcare application's security posture. Get a HIPAA Security Rule readiness checklist mapping your answers to specific safeguard requirements. Identifies gaps + tells you how to close them in code. Download as markdown.
5 minutes. No signup. Runs entirely in your browser — your answers never leave the page.
Have you identified all locations where Protected Health Information (PHI) is stored, processed, or transmitted in your system?
HIPAA requires a Security Risk Analysis covering every PHI flow. PHI is any individually identifiable health information: name, DOB, address, diagnoses, treatment details, billing records, and anything else that ties a person to their care or to payment for it. Inventory the obvious stores (database, backups) and the ones teams forget: application logs, error trackers, caches, search indexes, analytics events, support tickets, and email. This is step 1; you cannot protect what you have not mapped.
Have you completed a formal Security Risk Analysis (SRA) documenting threats, vulnerabilities, and likelihood × impact for PHI?
45 CFR §164.308(a)(1)(ii)(A) — the risk analysis is a required implementation specification and the most commonly cited deficiency in OCR audits and enforcement actions. It must be written down, not just discussed, and repeated when the system or its threat picture changes materially. HHS provides a free SRA tool at healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool.
Is all PHI encrypted at rest using AES-128 or stronger (NIST-approved algorithm)?
45 CFR §164.312(a)(2)(iv) — encryption at rest is 'addressable': implement it, or document why an equivalent alternative is reasonable and appropriate. Any modern cloud database with encryption at rest enabled satisfies the baseline, but be clear about what it protects against: lost disks and snapshots, not an attacker holding valid database credentials. Check backups, object storage, and log archives as well; they are the usual gaps. The practical stake is breach notification: PHI encrypted per HHS guidance (NIST SP 800-111 for data at rest) is not 'unsecured PHI', so its exposure is not a reportable breach as long as the key was not also compromised. Plaintext PHI in a breached database always is.
Is all PHI encrypted in transit using TLS 1.2 or higher with no fallback to weaker protocols?
45 CFR §164.312(e)(2)(ii) — transmission security; encryption in transit is likewise addressable. Same baseline as PCI DSS: disable TLS 1.0/1.1 and legacy cipher suites, enforce HTTPS everywhere including service-to-service calls, webhooks, and outbound connections to business associates, and set HSTS so browsers cannot be downgraded. PHI sent over plaintext HTTP is unsecured PHI, so any interception is a reportable breach.
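One way to make the "no fallback" requirement checkable in code, as an added example that is not part of the original checklist: build the TLS context your service uses (listener or outbound call to a business associate) so it cannot negotiate TLS 1.0/1.1 or non-AEAD ciphers, and run a policy check over any context the application creates. Standard library only; the cipher string, the finding codes, and the deliberately weak "before" context are this example's own choices.

```python
"""Added example, not code from the original checklist: a TLS context that
cannot negotiate TLS 1.0/1.1 or legacy ciphers, plus a policy check a CI job
can run against any context the app creates. Standard library only."""
from __future__ import annotations
import ssl

MIN_VERSION = ssl.TLSVersion.TLSv1_2
# TLS 1.2 suites: forward secrecy + AEAD only. TLS 1.3 suites are managed
# separately by OpenSSL and are all AEAD. (Cipher string chosen for this example.)
TLS12_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def hardened_context(server_side: bool) -> ssl.SSLContext:
    """Context for a PHI-bearing listener (server_side=True) or for an
    outbound call to a business associate (server_side=False)."""
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = MIN_VERSION        # refuses SSLv3 / TLS 1.0 / TLS 1.1
    ctx.options |= ssl.OP_NO_COMPRESSION     # CRIME-class attacks
    ctx.set_ciphers(TLS12_CIPHERS)
    return ctx


def tls_policy_findings(ctx: ssl.SSLContext) -> list[str]:
    """Return policy violations as short codes; an empty list means compliant."""
    findings: list[str] = []
    if ctx.minimum_version < MIN_VERSION:
        findings.append(f"min_version:{ctx.minimum_version.name}")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("compression_enabled")
    weak = sorted(c["name"] for c in ctx.get_ciphers() if not c["aead"])
    if weak:
        findings.append("non_aead_ciphers:" + ",".join(weak))
    # A client that skips certificate verification is as exposed as plaintext.
    if ctx.protocol == ssl.PROTOCOL_TLS_CLIENT and (
        ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname
    ):
        findings.append("client_no_cert_verification")
    return findings


def weak_client_context() -> ssl.SSLContext:
    """Constructed 'before' example: passes a smoke test, fails an audit."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # whatever OpenSSL still has
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


if __name__ == "__main__":
    for label, ctx in (("hardened server", hardened_context(True)),
                       ("hardened client", hardened_context(False)),
                       ("weak client", weak_client_context())):
        print(f"{label}: {tls_policy_findings(ctx) or 'OK'}")
```

Run tls_policy_findings in a unit test against the contexts your HTTP server and HTTP client libraries are actually configured with, not against a fresh one, or the check proves nothing about production.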
Is access to PHI restricted by role — only users who need PHI for their job function can view it?
45 CFR §164.312(a)(1) — access control, applied together with the minimum-necessary standard: users see only the PHI their job function needs. In a SaaS context: a patient sees their own records, a clinician sees the patients on their panel, a billing admin sees invoices but not clinical notes. Enforce this on the server for every request, never only in the UI, and make the default deny: a role that is not explicitly granted a record or a field gets neither.
Do you log all access to PHI — who read/created/modified/deleted each record, with timestamps?
45 CFR §164.312(b) — audit controls. Log every PHI access event with user identity, action (read/create/update/delete/export), timestamp, and the record identifier, and also log denied attempts and bulk queries, which are what an investigator needs most. The six-year retention comes from the documentation retention requirement in §164.316(b)(2). The log must not contain the PHI it describes, and it must be append-only and tamper-evident, because it is the evidence you will rely on in breach response and in an OCR audit.
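An added example of such a log, not code from the original page: each entry records who, what, when, and which record (never the PHI itself) and is chained to its predecessor with an HMAC, so an edited or deleted entry breaks verification. The chain key, the action vocabulary, and the sample events are assumptions for illustration.

```python
"""Added example (not the page's own code): an append-only, tamper-evident
PHI access log. Entries carry identifiers, never PHI, and each entry's HMAC
covers the previous entry's HMAC so deletions and edits are detectable."""
from __future__ import annotations
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Action vocabulary chosen for this example; "denied" records authorization failures.
ACTIONS = {"read", "create", "update", "delete", "export", "denied"}


class PhiAuditLog:
    def __init__(self, chain_key: bytes, clock=None):
        # Assumption: the key lives with the log service, not with the app that
        # writes entries, so an attacker who owns the app cannot forge the chain.
        self._key = chain_key
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self.entries: list[dict] = []

    def record(self, actor: str, action: str, record_type: str,
               record_id: str, purpose: str, source_ip: str) -> dict:
        """Append one access event. Only identifiers go in; no names, no diagnoses."""
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        entry = {
            "seq": len(self.entries),
            "ts": self._clock().isoformat(timespec="milliseconds"),
            "actor": actor,
            "action": action,
            "record_type": record_type,
            "record_id": record_id,
            "purpose": purpose,
            "source_ip": source_ip,
            "prev": self.entries[-1]["mac"] if self.entries else "",
        }
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        return entry

    def _mac(self, entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "mac"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()

    def verify(self) -> int | None:
        """Return the seq of the first bad entry, or None if the chain is intact."""
        prev = ""
        for i, e in enumerate(self.entries):
            if (e["seq"] != i or e["prev"] != prev
                    or not hmac.compare_digest(e["mac"], self._mac(e))):
                return i
            prev = e["mac"]
        return None

    def accesses_to(self, record_id: str) -> list[tuple[str, str, str]]:
        """Breach-response query: who touched this record, when, and how."""
        return [(e["ts"], e["actor"], e["action"])
                for e in self.entries if e["record_id"] == record_id]

    def export_jsonl(self) -> str:
        """Ship to append-only storage (WORM bucket, SIEM) in this form."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


if __name__ == "__main__":
    log = PhiAuditLog(b"example-chain-key")          # constructed key
    log.record("dr.smith", "read", "patient", "p-1001", "treatment", "10.0.0.5")
    log.record("billing.bot", "denied", "patient", "p-1001", "billing", "10.0.0.9")
    print("intact:", log.verify() is None)
    log.entries[0]["actor"] = "someone.else"        # simulated tampering
    print("first bad entry:", log.verify())
```

The chain only proves integrity relative to the key holder; ship entries to storage the application cannot rewrite, and keep the key out of the application's reach.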
Is multi-factor authentication (MFA) enforced for all workforce members who access PHI?
45 CFR §164.312(d) — person or entity authentication. The rule requires verifying that whoever requests PHI is who they claim to be; it does not name a mechanism, and MFA is the single most effective control against credential-based PHI breaches. Treat MFA as mandatory for every workforce account that can reach PHI, above all admin and clinician accounts, and prefer phishing-resistant factors (FIDO2/WebAuthn, passkeys) over SMS codes. Patient-facing MFA is strongly recommended.
Have you signed Business Associate Agreements (BAAs) with every vendor who processes PHI on your behalf (cloud hosting, analytics, logging, email)?
45 CFR §164.308(b)(1) — business associate contracts are mandatory. AWS, GCP, and Azure sign BAAs, and so do many SaaS vendors such as Twilio, SendGrid, and Datadog, but usually only for specific products or plan tiers and only when the service is used in the configuration the BAA covers. Any vendor touching PHI without a signed BAA is a violation. Check your vendor list carefully: error trackers, log aggregators, email and SMS providers, support desks, and analytics all count if PHI can reach them.
Do you have a documented Breach Notification Plan covering the 60-day notification requirement to HHS and affected individuals?
45 CFR §164.400–414 — Breach Notification Rule. Affected individuals must be notified without unreasonable delay and no later than 60 days after discovery (§164.404). HHS must be notified within the same 60 days for a breach affecting 500 or more individuals; smaller breaches are logged and submitted to HHS within 60 days after the end of the calendar year in which they were discovered (§164.408). A breach affecting more than 500 residents of a state or jurisdiction also requires notice to prominent media (§164.406), and a business associate must notify the covered entity within 60 days of discovery (§164.410). The plan must specify who is notified, in what order, and within what timeframe, and must define how you decide an incident is a breach (the four-factor risk assessment in the §164.402 definition).
Have all workforce members who access PHI completed HIPAA Security Rule training in the last 12 months?
45 CFR §164.308(a)(5) — security awareness and training. The rule requires training for all workforce members with periodic updates; annual refreshers, plus training before a new hire gets PHI access, is the accepted baseline. Topics: phishing, physical security, password and MFA hygiene, PHI handling, and how to report a suspected incident. Completion must be documented per person.
Do you have controls preventing PHI from being stored on unencrypted personal devices (laptops, phones, USB drives)?
45 CFR §164.310 — physical safeguards, in particular §164.310(d)(1) device and media controls. Workforce laptops must use full-disk encryption (FileVault, BitLocker) that you can verify centrally, not merely ask for. PHI must not reach personal devices unless a Mobile Device Management (MDM) policy enforces encryption, screen lock, and remote wipe. Cover media disposal as well: wipe or destroy drives, USB media, and backup volumes before reuse or return.
Does your application implement the 'Minimum Necessary' standard — APIs only return the PHI fields actually needed for each request?
45 CFR §164.502(b) — minimum necessary. Your API should not return a patient's full record when only their appointment time is needed. Enforce field-level allow-lists on API responses server-side, per role and per purpose, and apply them to list endpoints, search results, and exports, not just single-record reads. This limits the blast radius of a compromised account, an over-privileged integration, or a response captured in logs.
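An added example covering both the role-based access item and the minimum-necessary item above; it is not code from the original page. Authorization is decided in two layers: a row-level rule (may this subject see this patient at all) and a field-level allow-list per response view, so an appointment endpoint never carries diagnoses even for a clinician. The roles, views, field names, and the sample records are assumptions for illustration.

```python
"""Added example (not the page's own code): role-scoped patient access plus
field-level minimum-necessary filtering for an API. Roles, views, fields and
the sample records are illustrative assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field

# Response views: each endpoint asks for the smallest view that serves its purpose.
VIEWS = {
    "appointment": {"patient_id", "name", "next_appointment"},
    "clinical":    {"patient_id", "name", "dob", "diagnoses", "medications", "next_appointment"},
    "billing":     {"patient_id", "name", "address", "insurance_id", "balance_due"},
}

# Views each role may ever request (minimum necessary per job function).
ROLE_VIEWS = {
    "patient":   {"appointment", "clinical", "billing"},
    "clinician": {"appointment", "clinical"},
    "billing":   {"appointment", "billing"},
}

# Constructed sample store; two patients, deliberately full records.
PATIENTS = {
    "p-1001": {"patient_id": "p-1001", "name": "Ada Example", "dob": "1980-01-01",
               "address": "1 Main St", "diagnoses": ["E11.9"], "medications": ["metformin"],
               "insurance_id": "INS-42", "balance_due": 120.0,
               "next_appointment": "2025-03-04T09:30"},
    "p-1002": {"patient_id": "p-1002", "name": "Bob Example", "dob": "1975-06-30",
               "address": "2 Main St", "diagnoses": ["I10"], "medications": ["lisinopril"],
               "insurance_id": "INS-77", "balance_due": 0.0,
               "next_appointment": "2025-03-05T14:00"},
}


@dataclass
class Subject:
    user_id: str
    role: str
    patient_id: str | None = None                 # set for patient users
    panel: set[str] = field(default_factory=set)  # patients a clinician treats


def in_scope(subject: Subject, patient_id: str) -> bool:
    """Row-level rule: may this subject see this patient at all? Default deny."""
    if subject.role == "patient":
        return subject.patient_id == patient_id
    if subject.role == "clinician":
        return patient_id in subject.panel
    if subject.role == "billing":
        return True
    return False


def read_patient(subject: Subject, patient_id: str, view: str,
                 store: dict[str, dict] = PATIENTS) -> dict:
    """Return only the fields the view allows, and only if the subject is in scope."""
    if view not in VIEWS:
        raise ValueError(f"unknown view {view!r}")
    if view not in ROLE_VIEWS.get(subject.role, set()):
        raise PermissionError(f"role {subject.role!r} may not request view {view!r}")
    # Scope is checked before existence so an unauthorized caller cannot
    # use 403-vs-404 differences to enumerate patient ids.
    if not in_scope(subject, patient_id):
        raise PermissionError(f"{subject.user_id} not authorized for {patient_id}")
    record = store[patient_id]
    # Allow-list, not block-list: a field added to the record later stays hidden.
    return {k: v for k, v in record.items() if k in VIEWS[view]}


def try_read(subject: Subject, patient_id: str, view: str) -> dict | None:
    """Convenience wrapper: None on denial, the filtered record otherwise."""
    try:
        return read_patient(subject, patient_id, view)
    except PermissionError:
        return None


if __name__ == "__main__":
    doc = Subject("u-doc", "clinician", panel={"p-1001"})
    print(read_patient(doc, "p-1001", "appointment"))   # no dob, no diagnoses
    print(try_read(doc, "p-1002", "clinical"))           # None: not on panel
```

Every PermissionError here is also an event for the audit log (action "denied"), and the same view filter must wrap list and export endpoints, since a search that returns full rows undoes the single-record filter.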