HIPAA Compliance Self-Assessment for Small Medical Practices
TLDR
98% of practice managers believe their practice is HIPAA-compliant. Only 35% have completed a risk analysis. This 20-question self-assessment measures where you actually stand — not where you think you stand.
Why This Assessment Exists
Survey data from Paubox (2025) found that 98% of practice managers believe their practice is fully HIPAA-compliant. A separate survey from NueMD and Compliancy Group found that only 35% of small practices have completed a Security Rule risk analysis, only 24% have evaluated all their Business Associate Agreements, and only 55% have any written compliance plan at all.
Both cannot be true. The gap between perception and reality is the problem this assessment addresses.
HIPAA compliance is a set of documented controls (written policies, trained staff, technical safeguards, signed agreements, and current risk assessments) that you can produce on demand when OCR asks. A practice that believes it is compliant because its staff is well-intentioned and it uses a reputable EHR is in a different legal position from a practice with written procedures, documented training, and a current risk analysis on file.
The four most commonly penalized compliance gaps in OCR enforcement records:
- No Security Rule risk analysis (cited in 75%+ of 2025 penalties)
- No written workforce training documentation
- Missing or unreviewed Business Associate Agreements
- No documented breach response procedure
This assessment tests all four.
How to Score Yourself
For each question, assign a score of 0, 1, or 2:
- 0 points — Not done or don’t know: no documented policy, procedure, or control exists, or you are unsure whether it does
- 1 point — Partially done: practice exists informally, is partially implemented, or exists but is not current or documented
- 2 points — Fully done: control is documented, current (reviewed within 12 months), and staff are aware of it
Maximum score: 40 points.
Grade scale:
| Score Range | Assessment | What It Means |
|---|---|---|
| 36–40 | Strong foundation | Controls exist and are documented. Focus on maintaining currency. |
| 26–35 | Significant gaps | Documentation gaps create real legal exposure. Priority: document existing practices. |
| 16–25 | High risk | Multiple control failures. You share the profile of practices that received $20,000–$35,000 OCR penalties. |
| Below 16 | Critical exposure | Foundational safeguards are absent. A complaint or incident is likely to produce a significant penalty. |
If you score below 26, you are in the same documented position as practices OCR has penalized in the $20,000–$35,000 range. The gap between “we do this informally” and “we have this documented” is the gap enforcement turns into a penalty.
A scored 20-question assessment covering administrative safeguards, technical safeguards, and vendor/BAA management. Includes a scoring rubric and remediation guide by score range. Takes under 10 minutes.
Q&A
How many questions are in the HIPAA compliance self-assessment?
The self-assessment has 20 questions across three sections: 8 administrative safeguards, 7 technical safeguards, and 5 vendor and BAA management questions. Each question is scored 0 (not done), 1 (partially done), or 2 (fully documented and current), for a maximum score of 40. Scores below 26 indicate significant gaps consistent with practices that have received $20,000–$35,000 OCR penalties.
What does a score below 26 mean on the HIPAA self-assessment?
A score below 26 out of 40 indicates significant compliance gaps. Practices scoring in this range share the same documented vulnerabilities as those that received $20,000–$35,000 OCR penalties. The priority action is completing a formal Security Rule risk analysis, which is cited in over 75% of recent OCR enforcement cases.