Do you have a designated Privacy Officer responsible for HIPAA compliance?

HIPAA's Privacy Rule (45 CFR 164.530) requires every covered entity to designate a Privacy Officer responsible for the organization's privacy policies and procedures. Without one, accountability for compliance is distributed and audit findings carry no clear owner. Recommended action: Designate a Privacy Officer in writing, document their responsibilities, and publish their contact information internally. Most facilities pair this with a Security Officer (which may be the same person in smaller programs).

Do you have a current Notice of Privacy Practices and provide it to every patient at first encounter?

The Notice of Privacy Practices (NPP) is required by 45 CFR 164.520. Patients must receive it at their first encounter, sign acknowledgment, and have access to it on request. Outdated or missing NPPs are one of the most common HIPAA audit findings. Recommended action: Update the NPP annually and any time policies change. Distribute at first encounter and post conspicuously at every facility. Track signed acknowledgments per patient.

Do you obtain written authorization before disclosing PHI for purposes beyond treatment, payment, or healthcare operations (TPO)?

HIPAA permits PHI disclosure for TPO without authorization but requires written authorization for nearly all other uses (marketing, research, fundraising, court orders not covered by exceptions). Disclosing without authorization is one of the most common breach categories. Recommended action: Build a HIPAA-compliant authorization form and a workflow that gates non-TPO disclosures behind it. Include all required elements: purpose, recipient, expiration, right to revoke.

Do you have a signed Business Associate Agreement (BAA) with every vendor that touches PHI?

If a vendor creates, receives, maintains, or transmits PHI on your behalf, they are a Business Associate and must sign a BAA per 45 CFR 164.502(e). EMRs, billing services, cloud storage, and even some marketing tools fall under this rule. Missing BAAs are the single largest source of HHS fines. Recommended action: Inventory every vendor that handles PHI and confirm a current BAA on file for each. Refuse to send PHI to any vendor without one. Navix Health signs BAAs with every paid customer.

Do you provide patients with access to their medical records within 30 days of their request?

45 CFR 164.524 gives patients the right to access their records. Failure to deliver within 30 days (with one 30-day extension permitted) is a common enforcement target. HHS has fined multiple providers for this exact failure. Recommended action: Document a written process for record-access requests. Track every request with a timestamp. Train front-desk and medical-records staff on the timeline.

Have you conducted a formal HIPAA Security Risk Assessment in the last 12 months?

45 CFR 164.308(a)(1) requires an accurate and thorough risk assessment of potential vulnerabilities to ePHI. Most HHS settlements involve organizations that either skipped this step or last did one years ago. Recommended action: Conduct a written risk assessment annually using the HHS Security Risk Assessment Tool or an equivalent framework. Document findings, planned remediations, and target dates.

Is all electronic PHI encrypted at rest (database, file storage, backups, mobile devices)?

Encryption at rest is an addressable specification under 45 CFR 164.312(a)(2)(iv) but is treated as table stakes in any audit. Unencrypted laptops and unencrypted backup drives are the most common cause of seven-figure HHS settlements. Recommended action: Confirm every system holding PHI uses AES-256 (or equivalent) encryption at rest. Audit endpoints, backups, and any cloud storage. Encrypt mobile devices via MDM.

Is all PHI encrypted in transit (TLS 1.2+ for web, encrypted email/SFTP for file transfer)?

45 CFR 164.312(e) requires technical safeguards to guard against unauthorized access to PHI transmitted over a network. Plaintext fax, unencrypted email, and outdated TLS versions are the recurring failure points. Recommended action: Require TLS 1.2+ everywhere. Use encrypted email (S/MIME, secure portals, or encrypted attachments) for any external PHI. Replace plain-fax with secure-fax or eFax.

Does every staff member with PHI access have a unique user account (no shared logins)?

45 CFR 164.312(a)(2)(i) requires unique user identification. Shared credentials make it impossible to attribute access in audit logs, which is itself a Security Rule violation. Shared logins are also a recurring breach vector. Recommended action: Provision a unique account for every clinician, biller, and admin. Disable any shared accounts in the EMR. Pair with multi-factor authentication for any account with PHI access.

Are PHI access permissions limited by role to the minimum necessary for each staff member's job?

45 CFR 164.502(b) requires reasonable efforts to limit PHI to the minimum necessary. Open-default access (every staff member can see every chart) is one of the most common gap findings in addiction-treatment audits, especially given Part 2's stricter standards. Recommended action: Define roles and what PHI each role needs. Configure your EMR's access controls to enforce these. Document the role definitions and review them annually.

Does your EMR capture audit logs for every PHI access, modification, and deletion?

45 CFR 164.312(b) requires hardware, software, and procedural mechanisms that record activity in systems containing ePHI. Without comprehensive audit logs, breach investigation is impossible and HHS can assume the worst. Recommended action: Confirm your EMR logs read, write, update, delete, and export of every PHI record with timestamp and user identity. Retain logs for at least 6 years per 45 CFR 164.316(b)(2).

Do you have a documented incident response and breach notification plan?

45 CFR 164.408 requires breach notification to affected individuals, HHS, and (for breaches of 500+) the media within 60 days. Without a written plan, organizations fumble the timeline and face additional penalties. Recommended action: Document the response workflow: detection, containment, investigation, notification timeline, and post-incident review. Tabletop the plan annually.

Do all employees with PHI access complete annual HIPAA training, with documentation?

45 CFR 164.530(b)(1) requires training on policies and procedures. HHS expects annual refreshers, documented per employee with date and content covered. Lack of training records is a recurring audit finding. Recommended action: Run annual HIPAA training, log completion per employee, and store records for 6 years. Include role-specific modules where roles touch different PHI categories.

Do you have written policies and procedures covering each Privacy and Security Rule requirement?

45 CFR 164.316 requires written policies. Verbal policies do not satisfy the rule. Auditors ask to see the document, dated and signed, with revision history. Recommended action: Maintain a policy binder (paper or electronic) with each required policy, last review date, and approving signature. Update on regulation changes or organizational changes.

Do you have a documented sanctions policy for staff who violate HIPAA, and apply it consistently?

45 CFR 164.530(e)(1) requires a sanctions policy. Inconsistent or undocumented enforcement of HIPAA violations has been the basis of multiple settlements. Recommended action: Document the sanctions framework (verbal warning, written warning, termination). Track every HIPAA-related disciplinary action. Apply consistently across roles.

Do you review system activity logs for inappropriate access at least quarterly?

45 CFR 164.308(a)(1)(ii)(D) requires regular review of records of information system activity. Snooping incidents (staff viewing the chart of a friend, family member, or celebrity) are most commonly caught during these reviews. Recommended action: Schedule quarterly reviews of audit logs by the Privacy Officer or designee. Document findings. Investigate any suspicious access.

Do you obtain Part 2-compliant written consent before disclosing SUD treatment records (with specific recipient, purpose, expiration)?

42 CFR Part 2 is stricter than HIPAA. SUD treatment records can only be disclosed with written consent that names the specific recipient, the specific purpose, an expiration date, and the right to revoke. HIPAA's TPO disclosure rules do NOT apply to Part 2 records. Recommended action: Use a Part 2-specific consent form (separate from HIPAA authorization). Train staff that Part 2 consent is needed even for routine disclosures that HIPAA would allow.

Do all redisclosures of Part 2 records carry the federal notice prohibiting further redisclosure?

42 CFR 2.32 requires a specific notice to accompany any disclosure: that the information is protected by federal law and may not be redisclosed without the patient's written consent. Missing this notice is a frequent audit finding. Recommended action: Embed the redisclosure prohibition notice into every chart export, every faxed record, and every email referencing SUD treatment. Many EMRs (including Navix) inject this automatically.

Do you maintain Part 2 records separately or with technical controls preventing commingling with non-Part 2 records?

Part 2 records require separate handling because their disclosure rules are stricter. Storing Part 2 records in a system that releases records under HIPAA TPO logic (without Part 2 consent) is a violation. Recommended action: Use an EMR that flags Part 2 records and enforces stricter disclosure rules at the record level. Confirm release-of-information workflows distinguish Part 2 from non-Part 2 disclosures.

Do you have a documented process for revoking Part 2 consent, and honor revocations promptly?

42 CFR 2.31(a)(8) requires that Part 2 consents be revocable. If a patient revokes consent, you must stop further disclosure to that recipient (with limited exceptions for actions already taken in reliance on the consent). Recommended action: Document the revocation workflow. Train front-desk and medical-records staff. Confirm your EMR can immediately update the consent record and prevent further disclosures.

Do staff who handle SUD records receive training on 42 CFR Part 2 specifically (not just HIPAA)?

Part 2 has different rules than HIPAA. Staff trained only on HIPAA will incorrectly apply TPO disclosure logic to Part 2 records. Specific Part 2 training is required for any program subject to it. Recommended action: Add Part 2-specific training to your annual training program for any role that handles SUD records. Document completion separately from HIPAA training.

Do you have a documented process for handling subpoenas and court orders for Part 2 records that complies with 42 CFR Part 2?

Part 2 records require a court order (not just a subpoena) for most disclosures, and the order must comply with 42 CFR 2.61–2.67. Releasing records under a regular subpoena is a violation. Recommended action: Train medical records staff to escalate any subpoena or court order for Part 2 records to the Privacy Officer or counsel. Document the review and response process.

Do you conduct internal compliance audits at least annually?

Annual self-audits surface gaps before HHS does. Programs that wait for an external audit consistently find more findings, larger fines, and longer corrective action plans. Recommended action: Schedule an annual compliance self-audit (this audit is a starting point but is not a substitute). Document findings, owners, and remediation deadlines.

Do you have a designated point of contact for patient privacy complaints, and document every complaint?

45 CFR 164.530(d) requires a process for receiving complaints. Patients must know how to complain. Undocumented complaint handling is a frequent audit finding. Recommended action: Publish a privacy-complaint contact in the Notice of Privacy Practices and on your website. Log every complaint with date, summary, and resolution. Retain logs for 6 years.

Do you retain compliance documentation (policies, training records, audits, BAAs) for at least six years?

45 CFR 164.316(b)(2) requires retention of policies, procedures, and other documentation for six years from the date of creation or last effective date. Discarding old policies is a recurring finding. Recommended action: Set up retention storage (paper or electronic) that holds compliance documentation for at least 6 years. Audit the retention store annually.

Free tool · No signup

HIPAA + 42 CFR Part 2 Compliance Self-Audit.

Twenty-five yes-or-no questions across the HIPAA Privacy Rule, HIPAA Security Rule, and 42 CFR Part 2. You get a live score, a ranked gap list, and the recommended action for every gap. Designed by a behavioral-health operator for behavioral-health operators. Takes about 5 minutes.

Privacy RuleSecurity RuleAdministrative Safeguards42 CFR Part 2Operational

Heads up: this is operator-grade self-assessment, not legal advice. The audit reflects common best practices for HIPAA and 42 CFR Part 2. Consult qualified behavioral-health compliance counsel before relying on the output for any binding decision. Your answers stay in your browser unless you click one of the contact buttons.

Progress

0 / 25

Live score

Privacy Rule

Q1
Do you have a designated Privacy Officer responsible for HIPAA compliance?
Q2
Do you have a current Notice of Privacy Practices and provide it to every patient at first encounter?
Q3
Do you obtain written authorization before disclosing PHI for purposes beyond treatment, payment, or healthcare operations (TPO)?
Q4
Do you have a signed Business Associate Agreement (BAA) with every vendor that touches PHI?
Q5
Do you provide patients with access to their medical records within 30 days of their request?

Security Rule

Q6
Have you conducted a formal HIPAA Security Risk Assessment in the last 12 months?
Q7
Is all electronic PHI encrypted at rest (database, file storage, backups, mobile devices)?
Q8
Is all PHI encrypted in transit (TLS 1.2+ for web, encrypted email/SFTP for file transfer)?
Q9
Does every staff member with PHI access have a unique user account (no shared logins)?
Q10
Are PHI access permissions limited by role to the minimum necessary for each staff member's job?
Q11
Does your EMR capture audit logs for every PHI access, modification, and deletion?
Q12
Do you have a documented incident response and breach notification plan?

Administrative Safeguards

Q13
Do all employees with PHI access complete annual HIPAA training, with documentation?
Q14
Do you have written policies and procedures covering each Privacy and Security Rule requirement?
Q15
Do you have a documented sanctions policy for staff who violate HIPAA, and apply it consistently?
Q16
Do you review system activity logs for inappropriate access at least quarterly?

42 CFR Part 2

Q17
Do you obtain Part 2-compliant written consent before disclosing SUD treatment records (with specific recipient, purpose, expiration)?
Q18
Do all redisclosures of Part 2 records carry the federal notice prohibiting further redisclosure?
Q19
Do you maintain Part 2 records separately or with technical controls preventing commingling with non-Part 2 records?
Q20
Do you have a documented process for revoking Part 2 consent, and honor revocations promptly?
Q21
Do staff who handle SUD records receive training on 42 CFR Part 2 specifically (not just HIPAA)?
Q22
Do you have a documented process for handling subpoenas and court orders for Part 2 records that complies with 42 CFR Part 2?

Operational

Q23
Do you conduct internal compliance audits at least annually?
Q24
Do you have a designated point of contact for patient privacy complaints, and document every complaint?
Q25
Do you retain compliance documentation (policies, training records, audits, BAAs) for at least six years?

See Navix on your facility's data.

HIPAA and 42 CFR Part 2 compliance is the foundation of every Navix deployment. Audit logs on every PHI access. Encryption at rest and in transit. BAAs signed with every paid customer. The Compliance Agent watches your chart in real time and exports payer-ready packets on demand.

Schedule a demo Read security & compliance

Loading…

See Navix on your facility's data.