HIPAA Security Rule Readiness Self-Assessment
FREE DOWNLOAD
15-page PDF · No email required · Direct download
NO EMAIL GATE
We don't gate this resource. Click the button below and the assessment downloads to your device immediately. If you'd like to discuss your results later, our team is available for a no-cost review.
15 pages · 12 questions · Mapped to 45 CFR 164.308 and 164.312
Updated for the proposed 2026 amendments
Want a 30-minute review with our team when you're done?
For Independent Practices · Mapped to 45 CFR 164
The HIPAA Security Rule update is coming.
A free 12-question self-assessment mapped directly to 45 CFR 164.308 and 164.312, with explicit notes on the proposed 2026 amendments. Built for practice administrators, compliance officers, and physician-owners.
Mapped to 45 CFR 164.308 and 164.312 with regulatory citations
Updated for the proposed 2026 Security Rule amendments
Includes the new AI tool risk assessment question
Scoring guide with specific remediation priorities
Where does your practice stand?
240 Days
COMPLIANCE WINDOW
From publication of the final HIPAA Security Rule amendments (expected May 2026) to required compliance
55%
PENALTIES HIT SMALL PRACTICES
Of OCR HIPAA financial penalties in 2022 targeted small medical and dental practices — not large hospitals
14 Yrs
HEALTHCARE #1
Healthcare has held the top spot in average breach cost across all industries for fourteen consecutive years
WHAT’S INSIDE
Twelve Questions. Regulatory Citations. Specific Remediation.
Each question references the specific regulatory citation (45 CFR 164.308 or 164.312), notes the proposed 2026 amendment changes where applicable, and includes a "what 'yes' looks like" example with common gaps observed in independent practices.
QUESTION 01 · 45 CFR 164.308(a)(1)(ii)(A)
Security Risk Analysis (SRA)
Has your practice completed a documented SRA within the last 12 months covering all ePHI systems — EHR, billing, email, backups, cloud?
QUESTION 02 · 45 CFR 164.308(b)(1)
Business Associate Agreement Matrix
Do you maintain a current inventory of all Business Associates with executed BAAs on file — not just the EHR vendor?
QUESTION 03 · 45 CFR 164.312(a)(2)(iv)
Encryption of ePHI at Rest
Is ePHI encrypted across all storage — workstations, servers, backups, mobile devices? Proposed 2026 rule eliminates the "addressable" flexibility.
QUESTION 04 · 45 CFR 164.312(d)
Multi-Factor Authentication
Is MFA enforced across all ePHI systems — email, EHR, billing, remote access? Proposed 2026 rule makes this mandatory.
QUESTION 05 · 45 CFR 164.312(b)
Audit Logging and Review
Are audit logs enabled across all ePHI systems, retained for 6 years, and reviewed regularly for unusual access patterns?
NEW FOR 2026
AI Tool Risk Assessment
Built In Durant. For Texoma.
Why we built this
Button 108 is a Durant-based managed IT and cybersecurity company serving dealerships, healthcare practices, construction firms, and small businesses across Texoma. HIPAA documentation and security are core service offerings — not adjacent capabilities. We sign a comprehensive Business Associate Agreement and produce documentation in the format your auditor or OCR investigator expects.
We built this assessment because most practice administrators we talked to had heard about the proposed 2026 amendments but had no way to know where their practice actually stood against the new requirements. The assessment is what we wish HHS had published when they proposed the rule.
No sales pitch in the document — just the actual assessment
Mapped to 45 CFR 164.308 and 164.312 with explicit citations on every question
Includes scoring guide so you know how serious your gaps are
Optional follow-up: a no-cost 30-minute review with our team
Have your assessment results already?
If you completed the assessment and want an external review of your results, we offer a no-cost 30-minute review with our team. We come prepared with the regulatory references — bring your most pressing questions. No commitment, no proposal pressure.