HIPAA Gap Analysis Scorecard

A self-assessment scorecard covering the eight administrative safeguard implementation specifications under 45 CFR § 164.308, plus physical and technical safeguards categories. Each section has 3–5 yes/no questions with weighted scoring. Output is a numeric score, color-coded risk level, and prioritized remediation order.

Short answer

A self-assessment scorecard covering all HIPAA Security Rule safeguards: eight administrative implementation specifications, physical safeguards, and technical safeguards. Yes/no questions with weighted scoring produce a numeric gap score, color-coded risk level, and a prioritized remediation order.

What is inside

Full coverage of 45 CFR § 164.308: all eight administrative safeguard implementation specifications including security management, assigned responsibility, workforce security, information access management, security awareness training, incident procedures, contingency plan, and evaluation
Physical and technical safeguards coverage: facility access controls, workstation use and security, device and media controls, access control, audit controls, integrity controls, authentication, and transmission security
Weighted yes/no questions that distinguish between required implementation specifications (higher weight) and addressable ones (contextual weight based on size and risk environment)
Numeric score output with color-coded risk level: green (adequate program), yellow (gaps requiring attention), red (critical gaps requiring immediate remediation) — with specific score thresholds for each level
Prioritized remediation order: gaps are ranked by a combination of risk weight and estimated remediation effort, so you know which to address first rather than which is easiest

We publish the same practical templates and decision tools that clinics use to structure recurring HIPAA work. No enterprise gate. No resource-library gimmicks. Just practical material delivered quickly.

Editorial details

Written by: Angel Campa

Reviewed by: PHIGuard Compliance Research

Updated: April 28, 2026

Best next step: Open the matching product path

Sources

45 CFR § 164.308 — Administrative Safeguards | eCFR
NIST SP 800-66 Rev. 2 | NIST
Guidance on Risk Analysis | HHS

Download the PDF

Find your compliance gaps before OCR does

Enter your email and we will send the PDF.

Questions

How do I use the scorecard results?

The scorecard output has three parts: a numeric score that benchmarks your overall program, a color-coded risk level for each safeguard category, and a prioritized remediation list. Start with any item rated red — these are critical gaps. Work through yellow items in the priority order the scorecard generates. Green items should be reviewed annually to confirm they remain current.

We scored low. How often should we retest?

If your initial score is in the red zone, retest after completing the highest-priority remediation items — typically in 60 to 90 days. The goal is to demonstrate a measurable improvement trajectory, not to reach a perfect score immediately. A documented improvement trajectory is evidence of an active compliance program, which is what OCR looks for. Annual retesting is appropriate once your program reaches the green zone.

What should we prioritize first if we are just starting out?

The scorecard will generate a priority list specific to your answers. But as a general principle: if you have not completed a risk analysis (45 CFR § 164.308(a)(1)(ii)(A)), that is always first — everything else in the Security Rule is supposed to be calibrated to the risks the analysis surfaces. Second priority is assigned security responsibility (§ 164.308(a)(2)): someone must own the program. Third is workforce training (§ 164.308(a)(5)). These three items are the most commonly cited findings in OCR investigations.

Is this free?

Yes. Enter your email and we will send the full resource to your inbox.

Why do you need my email?

We send the resource directly to your inbox. We will not add you to a marketing list without your consent.