Mindcore Technologies

First Name(Required)

Last Name(Required)

Email(Required)

Phone(Required)

Job Title(Required)

Company(Required)

This quickly identifies gaps in your compliance, data security, and audit readiness — aligned with HIPAA, PHI, and NIST/CIS standards.

Select “No” if unsure — these answers determine your risk level.

✅ Select “No” if unsure — these answers determine your risk level.”

1. Administrative Safeguards

These are the safeguards OCR auditors ask for first — and most companies fail right here.

HIPAA Risk Assessment – Have you documented a full assessment in the last 12 months (OCR-required)?(Required)

Yes

No

Risk Management Plan – Do you have an active mitigation plan in writing?(Required)

Yes

No

Security Awareness Training – Are employees trained & re-certified at least annually?(Required)

Yes

No

Policies & Procedures – Are HIPAA-compliant policies up – to – date, documented, and distributed to relevant staff?(Required)

Yes

No

Business Associate Agreements (BAAs) – Do you have signed BAAs on file for every vendor that touches PHI?(Required)

Yes

No

Incident Response Plan – If there’s a breach, do you have a response protocol with timelines and assigned roles?(Required)

Yes

No

HIPAA Risk Assessment A risk assessment is the foundation of HIPAA compliance. It helps organizations identify, evaluate, and prioritize potential threats to patient data and operational systems. Without conducting a thorough risk assessment, your organization may unknowingly leave vulnerabilities unaddressed, which can lead to serious security incidents, regulatory penalties, and loss of trust from patients and partners.

Risk Management Plan A risk management plan outlines how identified risks will be addressed and mitigated over time. Without a defined plan in place, your organization may fail to act on known threats, allowing them to persist and potentially escalate. This exposes your systems and sensitive health information to unnecessary risk, undermining both your operational integrity and regulatory compliance.

Security Awareness Training Employees are the first line of defense against cyber threats. Security awareness training ensures that staff can recognize phishing attempts, handle data securely, and respond appropriately to suspicious activity. Without regular training, human error becomes a significant vulnerability, increasing the likelihood of data breaches and HIPAA violations.

Policies & Procedures Clear, up-to-date policies and procedures provide a framework for consistent operations and responses to incidents. When these are missing or outdated, staff may act inconsistently or inappropriately during critical situations, exposing your organization to legal risks, operational disruptions, and compliance failures.

Business Associate Agreements (BAAs) BAAs are legally required contracts with third-party vendors who access protected health information (PHI). These agreements ensure that business associates also comply with HIPAA regulations. Without BAAs, your organization assumes full liability for any breaches or mishandling of data by external vendors, significantly increasing compliance and security risks.

Incident Response Plan An Incident Response Plan (IRP) provides a structured approach for detecting, responding to, and recovering from security incidents. Without an IRP, your team may lack clarity and coordination during a breach, leading to delayed response times, greater data loss, higher fines, and reputational damage that could have been mitigated with proper planning.

This quickly identifies gaps in your compliance, data security, and audit readiness — aligned with HIPAA, PHI, and NIST/CIS standards.

Select “No” if unsure — these answers determine your risk level.

✅ Select “No” if unsure — these answers determine your risk level.”

3. Physical Safeguards

These controls prevent physical theft and insider breaches — often overlooked but legally required.

Facility Access Controls – Is every entry to PHI-secured areas logged and monitored?(Required)

Yes

No

Device Disposal – Is there a formal policy for destroying/recycling PHI-containing hardware?(Required)

Yes

No

Workstation Security – Are PHI workstations locked down and isolated from public/staff areas?(Required)

Yes

No

Facility Access Controls Facility access controls are designed to prevent unauthorized individuals from physically entering areas where sensitive systems or protected health information (PHI) are stored. Physical breaches — such as someone walking into a server room or accessing paper records — can be just as harmful as cyberattacks. Without adequate measures like locks, access badges, surveillance cameras, and visitor logs, your organization is at increased risk of data theft, tampering, or loss due to physical intrusion.

Device Disposal Device and media controls govern the handling, transfer, disposal, and reuse of devices and media that store PHI, such as USB drives, hard disks, and backup tapes. If these items are not properly sanitized or securely destroyed, sensitive information can be unintentionally exposed or fall into the wrong hands. Implementing strict controls ensures that PHI is protected throughout the entire lifecycle of any storage device or physical medium.

Workstation Security Workstation security involves physical and digital safeguards to prevent unauthorized use of computers and terminals that access PHI. Without proper security protocols — such as screen privacy filters, password protection, secure placement, and user session controls — workstations become easy targets for internal misuse or external threats. Ensuring secure access to workstations is critical for maintaining the confidentiality and integrity of sensitive health data.

This quickly identifies gaps in your compliance, data security, and audit readiness — aligned with HIPAA, PHI, and NIST/CIS standards.

Select “No” if unsure — these answers determine your risk level.

✅ Select “No” if unsure — these answers determine your risk level.”

4. Organizational Controls

No HIPAA enforcement officer? No formal vendor assessments? This is where lawsuits begin.

Appointed Security Officer – Have you designated a HIPAA Privacy & Security Officer with defined responsibilities?(Required)

Yes

No

Vendor Management – Are vendors assessed annually for HIPAA compliance and security posture?(Required)

Yes

No

Docs Readiness – Can you produce your logs, BAAs, and policies within 48 hours of an audit request?(Required)

Yes

No

Appointed Security Officer Assigning a dedicated Security Officer is essential for maintaining accountability and overseeing HIPAA compliance efforts. This individual is responsible for implementing and managing security policies, conducting regular risk assessments, and ensuring that staff are trained and aware of their responsibilities. Without a designated officer, compliance efforts often become fragmented or overlooked, increasing the risk of violations and security gaps.

Vendor Management Any vendor or third-party service provider with access to your systems or PHI introduces potential risk. A strong vendor risk management program includes due diligence, signed Business Associate Agreements (BAAs), and annual security reviews to ensure ongoing compliance. Without these safeguards, your organization is vulnerable to data breaches, operational disruptions, and liability stemming from vendor misconduct or negligence.

Docs Readiness Proper documentation is critical when demonstrating HIPAA compliance during audits, investigations, or incidents. This includes policies, procedures, risk assessments, training logs, and breach response records. If these documents are missing, outdated, or disorganized, your organization could face penalties, fail audits, or be unable to prove compliance when it matters most. Maintaining up-to-date, accessible documentation ensures you’re always prepared.

This quickly identifies gaps in your compliance, data security, and audit readiness — aligned with HIPAA, PHI, and NIST/CIS standards.

Select “No” if unsure — these answers determine your risk level.

✅ Select “No” if unsure — these answers determine your risk level.”

5. Breach & Threat Detection

This is your last line of defense. Failing here means attacks go undetected — and unrecoverable.

Breach Notification Process – Is your breach notification process compliant with HIPAA timelines (≤60 days)?(Required)

Yes

No

Ransomware Preparedness – Do you have ransomware-specific containment & recovery tools in place?(Required)

Yes

No

Security Intelligence – Are you using any SIEM or threat feed to detect and stop anomalies in real time?(Required)

Yes

No

Pen Testing – Has an external pen test been done in the last 12 months to prove resilience?(Required)

Yes

No

Breach Notification Process A well-defined breach notification process is critical for HIPAA compliance and for maintaining patient trust. When a data breach occurs, organizations are legally required to notify affected individuals, the Department of Health and Human Services (HHS), and sometimes the media, depending on the breach size. Delays, incomplete reports, or failure to notify can lead to significant financial penalties and damage to your organization’s reputation. Having a clear, practiced process in place ensures timely, accurate, and compliant breach reporting.

Ransomware Preparedness Ransomware attacks have become increasingly sophisticated and frequent, targeting healthcare organizations due to the high value of protected health information (PHI). Ransomware preparedness involves preventive measures such as backups, incident response planning, and staff training to minimize the impact of an attack. Without these safeguards, recovery becomes more difficult and expensive, and sensitive data may be lost or held hostage, placing both compliance and patient safety at risk.

Security Intelligence Security intelligence refers to the continuous collection, analysis, and monitoring of data related to potential threats and vulnerabilities. This proactive approach allows organizations to detect and respond to threats before they become full-scale breaches. Without security intelligence tools and practices, organizations are left with significant blind spots, increasing their exposure to undetected threats, prolonged system compromises, and delayed incident response.

Pen Testing Third-party penetration testing provides an objective assessment of your organization’s security defenses by simulating real-world attacks. These tests identify vulnerabilities that internal teams may overlook and help validate the effectiveness of existing controls. Without regular external testing, hidden flaws in systems, applications, or configurations may remain exploitable by attackers, putting your data and compliance posture at risk.

HIPAA & Cyber Risk Exposure Report

Uncover Hidden Gaps Before Regulators or Hackers Do.

This quickly identifies gaps in your compliance, data security, and audit readiness — aligned with HIPAA, PHI, and NIST/CIS standards.

Select “No” if unsure — these answers determine your risk level.

This quickly identifies gaps in your compliance, data security, and audit readiness — aligned with HIPAA, PHI, and NIST/CIS standards.

Select “No” if unsure — these answers determine your risk level.

This quickly identifies gaps in your compliance, data security, and audit readiness — aligned with HIPAA, PHI, and NIST/CIS standards.

Select “No” if unsure — these answers determine your risk level.

This quickly identifies gaps in your compliance, data security, and audit readiness — aligned with HIPAA, PHI, and NIST/CIS standards.

Select “No” if unsure — these answers determine your risk level.

This quickly identifies gaps in your compliance, data security, and audit readiness — aligned with HIPAA, PHI, and NIST/CIS standards.

Select “No” if unsure — these answers determine your risk level.