
HIPAA Readiness · Self-Assessment

A two-minute check on where your practice is actually exposed.

Twelve questions, six domains. You'll see which HIPAA controls your practice has in place, which ones are thin, and which ones are the next thing to fix — before a care coordinator downloads a free AI tool and it turns into a real conversation.

About 2 minutes · 12 questions · 6 domains · Nothing saved to your browser history
This is a self-assessment, not a HIPAA audit. It's meant to help you spot the gaps that a formal risk analysis would flag — it doesn't replace one, and nothing here is legal advice. If you're actively worried about a situation, talk to a qualified compliance professional.

What we'll walk through

Each question maps to one of the six domains HIPAA expects a small practice to have under control. Answer honestly — there's no one grading this, and the answer "I don't know" counts as a gap.

  • Administrative safeguards
  • Physical safeguards
  • Technical safeguards
  • Privacy practices
  • Breach notification readiness
  • Business Associate Agreements

Your answers stay in your browser. We only capture an email if you ask for the remediation checklist at the end.


Three HIPAA misreadings worth correcting before you talk to a consultant

These come up in almost every small-practice engagement. They're not score-driven — they're common misreadings of what the rule actually requires.

Want help closing these?

We'll match you with vetted HIPAA compliance consultants who work with small practices — not enterprise-scale firms that'll quote you like you're a hospital system.

Get the HIPAA readiness remediation checklist (PDF)

A working checklist of every gap flagged above, in priority order, with what to ask a consultant if you bring one in. Delivered as a PDF.

Reminder: This result is a self-assessment of HIPAA readiness, not legal advice and not a formal risk analysis. A qualified compliance professional should perform the documented risk analysis HIPAA requires. Treat this as a triage tool — it tells you where to look first, not whether you're officially compliant.

Questions practice owners ask about this

Is this a HIPAA audit?

No. This is a self-assessment — you walk through the six HIPAA domains and answer yes/no on the controls a small practice is expected to have. The result gives you a readiness score and a prioritized list of gaps, not a pass/fail certification. A formal HIPAA risk analysis has to be performed by a qualified compliance professional.

Do I need HIPAA compliance if I'm not billing insurance?

Usually yes. HIPAA applies if you're a Covered Entity — which most clinical practices are, cash-pay or not. The narrow cases where HIPAA doesn't apply are things like pure life-coaching with no clinical framing, or certain concierge arrangements structured around membership rather than care. If you're unsure, treat the answer as "probably yes" until a compliance pro confirms otherwise.

What happens if I had a minor HIPAA slip?

A near-miss isn't the same as a reportable breach, but the self-assessment covers both: whether you'd know how to tell the difference, whether you document near-misses, and whether you have the breach-notification process ready if it ever does cross the line. The triage here is "what do I do next," not "am I in trouble."

How do I make Copilot or ChatGPT HIPAA-compliant?

The short version: you need a Business Associate Agreement (BAA) with the AI vendor, and the enterprise tier (not the free tier) is usually the one that offers a BAA. Copilot for Microsoft 365 and ChatGPT Enterprise both have BAA paths; free ChatGPT and consumer Copilot do not. The assessment flags whether you have BAAs across every vendor that touches patient data, which is where most small practices are quietly exposed.

Does my practice need a HIPAA audit?

HIPAA requires a written risk analysis (sometimes called a risk assessment), and it's supposed to be reviewed and updated periodically — not a one-time thing. Most small practices haven't done one, or did one years ago and never touched it again. If the tool flags this gap, it's the single highest-leverage item to address first.

Is this tool a substitute for a compliance consultant?

No. This tool surfaces where you're likely exposed and gives you a punch list to work through. A qualified compliance consultant does the formal risk analysis, drafts the policies, reviews your BAAs, and signs off on your documentation. Think of this as triage — the consultant is treatment.