HIPAA Security Rule Safeguards

HIPAA Security Rule Safeguards Assessment Matrix for Audit-Ready ePHI Protection

Use this working matrix to review administrative, physical, technical, organizational, and documentation safeguards, identify HIPAA Security Rule gaps, capture evidence, and prioritize remediation.

46Matrix rows preserved for safeguard review
19Audit planning and evidence columns
3Administrative, physical, and technical safeguard areas
ePHIFocused on protected health information risk
Why this matters

HIPAA compliance needs evidence, ownership, and repeatable security review.

HIPAA compliance is not just a policy binder. It is a repeatable security program that proves your organization protects electronic protected health information, understands where risks exist, and documents what was reviewed, who reviewed it, when it was reviewed, and what will be fixed next.

Executive Risk Clarity

See risk clearly. Know whether access, encryption, logging, vendor oversight, contingency planning, and incident response are working across your organization.

  • Leadership oversight
  • Budget planning
  • Audit readiness

Defensible Control Ownership

Document defensible controls. Track required and addressable implementation specifications, evidence, responsible owners, audit dates, findings, and remediation status.

  • Risk analysis
  • Evidence tracking
  • Control ownership

Technical Safeguard Execution

Translate HIPAA into daily technical work across identity, access, logging, endpoint, network, backup, facility, vendor, and incident response safeguards.

  • MFA and access reviews
  • Audit logs
  • Backups and encryption
Practical note: "Addressable" does not mean optional. It means the organization must assess whether the implementation specification is reasonable and appropriate, then implement it, implement an equivalent alternative, or document why it is not reasonable and appropriate.
HIPAA security readiness

Connect safeguards to real healthcare systems, users, and evidence.

Covered entities and business associates need more than a checklist. The matrix helps map HIPAA safeguard expectations to EHR systems, billing platforms, Microsoft 365, cloud storage, endpoints, servers, network devices, backups, vendors, remote access, and the people responsible for protecting ePHI.

Use it during internal audits, risk assessments, executive reporting, vendor reviews, remediation planning, and technical control reviews.

HIPAA security readiness assessment for healthcare compliance and ePHI safeguards
How to use the matrix

Turn HIPAA safeguard review into assigned, trackable remediation.

1

Identify ePHI systems

List EHR, billing, email, cloud storage, endpoints, servers, network devices, backups, vendors, and remote access systems.

2

Document safeguard status

Record whether each safeguard is implemented, in progress, not started, needs review, or has a gap.

3

Capture audit evidence

Add the reviewer, last audit date, evidence location, findings, risk rating, and next review date.

4

Assign remediation

Prioritize gaps by business risk and assign corrective action owners, target dates, and executive notes.

Working assessment matrix

HIPAA Security Rule Safeguards Assessment Matrix

Use this spreadsheet-style working document to update status, risk rating, asset scope, audit owner, last audit date, evidence, findings, remediation plan, and next review date before copying the results into your internal risk register or audit workbook.

# Safeguard Category HIPAA Reference Standard / Implementation Specification Required / Addressable Plain-English Control Objective Technical Terms to Validate Systems / Assets in Scope Current Status Risk Rating Evidence / Artifact Needed Control Owner Auditor / Reviewer Last Audit Date Findings / Gap Notes Remediation Plan Target Date Next Review Date Executive Notes
1Administrative45 CFR §164.308(a)(1)(ii)(A)Risk AnalysisRequiredIdentify potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.ePHI inventory, threat modeling, vulnerability assessment, likelihood, impact, residual risk, risk registerEHR, billing, cloud storage, email, endpoints, network, backupsNeeds ReviewHighRisk assessment report, asset inventory, vulnerability scan, data flow diagramSecurity Officer / IT ManagerUpdate risk analysis and document risk decisions.Board or ownership should review major ePHI risks.
2Administrative45 CFR §164.308(a)(1)(ii)(B)Risk ManagementRequiredImplement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.risk treatment plan, compensating controls, mitigation, acceptance, transfer, avoidanceAll systems handling ePHIIn ProgressHighRemediation tracker, risk treatment approvals, project ticketsIT ManagerPrioritize high-risk safeguards first.Leadership should approve risk exceptions.
3Administrative45 CFR §164.308(a)(1)(ii)(C)Sanction PolicyRequiredApply appropriate sanctions against workforce members who fail to comply with security policies.disciplinary process, workforce accountability, acceptable use, policy acknowledgmentWorkforce, contractors, privileged usersNeeds ReviewMediumHR policy, signed acknowledgments, incident recordsHR / Compliance OfficerAlign sanctions with HR procedures.
4Administrative45 CFR §164.308(a)(1)(ii)(D)Information System Activity ReviewRequiredRegularly review records of system activity, including audit logs, access reports, and security incident tracking reports.SIEM, audit trail, log retention, anomaly detection, access report, security event, alert triageEHR, Microsoft 365, VPN, firewalls, servers, databasesGap IdentifiedHighLog review records, SIEM reports, access review sign-offsSecurity Analyst / IT ManagerDefine frequency and ownership for log reviews.Create monthly log review workflow.Executives should know whether suspicious activity is reviewed.
5Administrative45 CFR §164.308(a)(2)Assigned Security ResponsibilityStandardDesignate a security official responsible for developing and implementing HIPAA Security Rule policies and procedures.security officer, governance, RACI, accountability, compliance ownershipOrganization-wideNeeds ReviewMediumAppointment memo, job description, governance chartBusiness Owner / Executive SponsorFormally assign security responsibility.A named owner improves audit readiness.
6Administrative45 CFR §164.308(a)(3)(ii)(A)Authorization and/or SupervisionAddressableAuthorize and supervise workforce members who work with ePHI or locations where ePHI may be accessed.least privilege, manager approval, workforce supervision, access request workflowEHR, shared drives, cloud apps, clinics, remote accessIn ProgressMediumAccess request tickets, manager approvals, onboarding checklistDepartment Manager / ITStandardize access approvals.
7Administrative45 CFR §164.308(a)(3)(ii)(B)Workforce Clearance ProcedureAddressableDetermine that workforce access to ePHI is appropriate before granting access.role-based access control, clearance, job function, access provisioningUser accounts and privileged accessNeeds ReviewMediumRole matrix, access approval evidence, background check policy if applicableHR / ITMap roles to minimum necessary access.
8Administrative45 CFR §164.308(a)(3)(ii)(C)Termination ProceduresAddressableTerminate access to ePHI when employment or engagement ends.offboarding, account disablement, token revocation, shared account review, device returnIdentity provider, EHR, email, VPN, mobile devicesNeeds ReviewHighOffboarding checklist, disabled account evidence, device return recordsHR / ITTest recent terminations for timely access removal.Delayed termination creates avoidable breach risk.
9Administrative45 CFR §164.308(a)(4)(ii)(A)Isolating Health Care Clearinghouse FunctionsRequired, if applicableIf a clearinghouse is part of a larger organization, protect ePHI from unauthorized access by the larger organization.network segmentation, logical separation, data segregation, access boundaryClearinghouse systems, shared infrastructureNot ApplicableLowApplicability analysis, network diagram, access control listCompliance Officer / ITDocument applicability.
10Administrative45 CFR §164.308(a)(4)(ii)(B)Access AuthorizationAddressableImplement policies and procedures for granting access to ePHI.RBAC, access authorization, privileged access, approval workflow, minimum necessaryEHR, billing, file shares, databasesIn ProgressHighAccess control policy, role matrix, approval ticketsIT ManagerReview who can approve sensitive access.
11Administrative45 CFR §164.308(a)(4)(ii)(C)Access Establishment and ModificationAddressableEstablish, document, review, and modify user access rights to ePHI systems.joiner-mover-leaver, access recertification, entitlement review, privilege creepIdentity provider, EHR, cloud applicationsGap IdentifiedHighQuarterly access review, change tickets, entitlement exportIT / System OwnersNo formal access recertification evidence.Implement quarterly access review.Privilege creep is a common audit finding.
12Administrative45 CFR §164.308(a)(5)(ii)(A)Security RemindersAddressableProvide periodic security updates to workforce members.security awareness, phishing alerts, policy reminders, micro-trainingAll workforce usersNeeds ReviewMediumTraining emails, LMS records, security newsletter archiveSecurity OfficerSchedule monthly security reminders.
13Administrative45 CFR §164.308(a)(5)(ii)(B)Protection from Malicious SoftwareAddressableTrain users and implement procedures to guard against malicious software.EDR, anti-malware, phishing, macro control, ransomware, endpoint hardeningEndpoints, servers, email, web filteringIn ProgressHighEDR dashboard, malware alerts, user training recordsIT SecurityConfirm endpoint coverage and alert response.Ransomware protection is a business continuity issue.
14Administrative45 CFR §164.308(a)(5)(ii)(C)Log-in MonitoringAddressableMonitor log-in attempts and report discrepancies.failed login, impossible travel, brute force, conditional access, MFA fatigueIdentity provider, EHR, VPN, cloud appsNeeds ReviewHighLogin reports, alert rules, incident ticketsIT SecurityTune alerts for failed and risky logins.
15Administrative45 CFR §164.308(a)(5)(ii)(D)Password ManagementAddressableCreate and manage procedures for creating, changing, and safeguarding passwords.password policy, MFA, password manager, complexity, lockout, credential reuseIdentity provider, EHR, local admin accountsNeeds ReviewHighPassword policy, MFA enforcement report, privileged account listIT ManagerAlign password and MFA controls with current risk.MFA reduces credential-based compromise risk.
16Administrative45 CFR §164.308(a)(6)(ii)Security Incident Procedures: Response and ReportingRequiredIdentify, respond to, mitigate, and document security incidents.incident response plan, containment, eradication, recovery, lessons learned, breach triageAll ePHI systems and security toolsNeeds ReviewHighIR plan, incident tickets, tabletop exercise recordsSecurity Officer / IT ManagerRun annual tabletop exercise.Executives need decision roles during incidents.
17Administrative45 CFR §164.308(a)(7)(ii)(A)Data Backup PlanRequiredCreate and maintain retrievable exact copies of ePHI.backup, immutable backup, recovery point objective, recovery time objective, restoration testingEHR, databases, file shares, cloud storageIn ProgressHighBackup policy, backup logs, restore test evidenceIT OperationsTest backups, not just backup jobs.Backups support patient care continuity.
18Administrative45 CFR §164.308(a)(7)(ii)(B)Disaster Recovery PlanRequiredRestore any loss of data after an emergency or disaster.DR plan, failover, recovery runbook, alternate site, cloud recoveryCritical ePHI systemsNeeds ReviewHighDR plan, restoration test, recovery runbookIT OperationsValidate recovery sequence and dependencies.
19Administrative45 CFR §164.308(a)(7)(ii)(C)Emergency Mode Operation PlanRequiredEnable continuation of critical business processes for protecting ePHI during emergency operations.business continuity, emergency access, downtime procedures, manual workflowsClinical systems, communications, authentication, networkNeeds ReviewHighEmergency operations plan, downtime procedure, contact listOperations / ITTest downtime process with department leaders.This protects both compliance and patient service.
20Administrative45 CFR §164.308(a)(7)(ii)(D)Testing and Revision ProceduresAddressableTest and revise contingency plans.tabletop exercise, backup restore test, DR test, lessons learned, corrective actionBusiness continuity and DR proceduresGap IdentifiedMediumTest schedule, test results, updated plan versionIT / CompliancePlans exist but testing evidence is incomplete.Schedule annual DR and incident response exercises.
21Administrative45 CFR §164.308(a)(7)(ii)(E)Applications and Data Criticality AnalysisAddressableAssess the relative criticality of specific applications and data in support of contingency planning.BIA, criticality tier, system dependency, RTO, RPO, data classificationEHR, billing, lab systems, imaging, file sharesNeeds ReviewMediumBusiness impact analysis, application inventory, criticality matrixOperations / ITRank systems by patient care and ePHI impact.
22Administrative45 CFR §164.308(a)(8)EvaluationStandardPerform periodic technical and nontechnical evaluations in response to environmental or operational changes.technical audit, nontechnical evaluation, control assessment, policy review, change triggerSecurity program, systems, policies, facilities, vendorsNeeds ReviewHighHIPAA evaluation report, audit checklist, corrective action planCompliance Officer / External AuditorSchedule recurring HIPAA Security Rule evaluation.Useful for owners to confirm program maturity.
23Physical45 CFR §164.310(a)(2)(i)Facility Access Controls: Contingency OperationsAddressableEstablish procedures that allow facility access during disaster recovery and emergency mode operations.emergency access, facility continuity, badge access, physical key controlOffices, server rooms, network closetsNeeds ReviewMediumEmergency access procedure, keyholder list, access logsFacilities / ITConfirm emergency access is controlled and logged.
24Physical45 CFR §164.310(a)(2)(ii)Facility Security PlanAddressableSafeguard facilities and equipment from unauthorized physical access, tampering, and theft.physical security, badge access, cameras, visitor controls, server room locksOffice, clinic, server room, reception, records areaNeeds ReviewMediumFacility security plan, access logs, visitor log, camera policyFacilities ManagerDocument physical security zones.
25Physical45 CFR §164.310(a)(2)(iii)Access Control and Validation ProceduresAddressableControl and validate a person’s access to facilities based on role or function.badge validation, visitor escort, access revocation, key inventoryRestricted areas, network closets, records roomsIn ProgressMediumAccess list, badge review, visitor sign-in recordsFacilities / HRReview facility access quarterly.
26Physical45 CFR §164.310(a)(2)(iv)Maintenance RecordsAddressableDocument repairs and modifications to physical security components.maintenance log, access hardware, lock changes, camera maintenanceDoors, locks, cameras, alarm systems, server roomsNeeds ReviewLowMaintenance records, vendor work orders, change approvalsFacilitiesCentralize facility security maintenance records.
27Physical45 CFR §164.310(b)Workstation UseStandardSpecify proper functions to be performed, how those functions are performed, and physical attributes of workstations accessing ePHI.workstation policy, screen positioning, clean desk, approved use, remote workDesktops, laptops, shared workstations, remote devicesNeeds ReviewMediumWorkstation use policy, training record, device inventoryIT / ComplianceUpdate workstation policy for hybrid work.
28Physical45 CFR §164.310(c)Workstation SecurityStandardImplement physical safeguards for workstations that access ePHI.cable locks, privacy screens, auto-lock, restricted workstation placementWorkstations in clinical and administrative areasNeeds ReviewMediumWalkthrough checklist, auto-lock policy, workstation inventoryIT / FacilitiesPerform workstation security walkthrough.
29Physical45 CFR §164.310(d)(2)(i)Device and Media Controls: DisposalRequiredImplement procedures for final disposition of ePHI and hardware or media containing ePHI.secure disposal, shredding, degaussing, cryptographic erase, certificate of destructionHard drives, laptops, mobile devices, backup mediaNeeds ReviewHighDisposal policy, destruction certificates, asset disposal logIT Asset ManagerRequire documented destruction for all retired media.Uncontrolled disposal can trigger breach exposure.
30Physical45 CFR §164.310(d)(2)(ii)Media Re-useRequiredRemove ePHI from electronic media before reuse.secure wipe, media sanitization, NIST-style purge/clear/destroy, device reassignmentLaptops, USB drives, removable media, serversNeeds ReviewHighSanitization records, imaging logs, device reassignment checklistIT OperationsDocument media sanitization before redeployment.
31Physical45 CFR §164.310(d)(2)(iii)AccountabilityAddressableMaintain a record of hardware and electronic media movement and responsible persons.asset tracking, chain of custody, device assignment, inventory reconciliationLaptops, tablets, mobile devices, backup drivesIn ProgressMediumAsset inventory, custody log, mobile device management exportIT Asset ManagerReconcile device inventory to user list.
32Physical45 CFR §164.310(d)(2)(iv)Data Backup and StorageAddressableCreate a retrievable exact copy of ePHI before movement of equipment.pre-move backup, migration backup, data validation, storage encryptionServers, databases, storage arrays, laptopsNeeds ReviewMediumBackup record, migration plan, checksum/validation evidenceIT OperationsAdd backup verification to hardware move checklist.
33Technical45 CFR §164.312(a)(2)(i)Access Control: Unique User IdentificationRequiredAssign a unique name or number for identifying and tracking user identity.unique ID, identity management, named accounts, shared account eliminationEHR, email, cloud systems, admin toolsGap IdentifiedHighUser account export, shared account review, identity policyIT ManagerShared accounts still exist.Replace shared accounts with named accounts.Named accountability is essential for audit trails.
34Technical45 CFR §164.312(a)(2)(ii)Access Control: Emergency Access ProcedureRequiredEstablish procedures for obtaining necessary ePHI during an emergency.break-glass account, emergency access, privileged access monitoring, audit reviewEHR, identity provider, critical systemsNeeds ReviewHighEmergency access procedure, break-glass logs, approval recordsIT / Clinical OperationsDefine break-glass access and review after use.
35Technical45 CFR §164.312(a)(2)(iii)Access Control: Automatic LogoffAddressableTerminate an electronic session after a predetermined time of inactivity.session timeout, idle lock, screen lock, inactivity thresholdEHR, workstations, cloud apps, VPNIn ProgressMediumConfiguration screenshots, group policy, application timeout settingsIT OperationsValidate timeout settings by system type.
36Technical45 CFR §164.312(a)(2)(iv)Access Control: Encryption and DecryptionAddressableImplement a mechanism to encrypt and decrypt ePHI when appropriate.encryption at rest, key management, full-disk encryption, database encryption, KMSLaptops, servers, databases, backups, cloud storageNeeds ReviewHighEncryption reports, key management policy, device compliance exportIT SecurityDocument where encryption is used or justify alternative controls.Encryption decisions should be documented, not assumed.
37Technical45 CFR §164.312(b)Audit ControlsStandardImplement hardware, software, or procedural mechanisms that record and examine activity in systems containing or using ePHI.audit log, SIEM, log retention, user activity, admin activity, database audit, alertingEHR, databases, servers, firewalls, identity provider, emailGap IdentifiedHighLogging configuration, SIEM dashboards, retention settings, log review evidenceIT SecurityLogging is enabled but review evidence is inconsistent.Define log sources, retention, alerting, and review cadence.Audit logs are a core evidence source after a suspected incident.
38Technical45 CFR §164.312(c)(2)Integrity: Mechanism to Authenticate ePHIAddressableCorroborate that ePHI has not been altered or destroyed in an unauthorized manner.hashing, checksum, digital signature, database integrity, file integrity monitoringDatabases, file storage, backups, interfacesNeeds ReviewMediumIntegrity control design, backup validation, database controlsApplication Owner / ITIdentify where integrity validation is required.
39Technical45 CFR §164.312(d)Person or Entity AuthenticationStandardVerify that a person or entity seeking access to ePHI is the one claimed.MFA, SSO, identity proofing, service account, certificate authentication, API authenticationIdentity provider, EHR, VPN, APIs, third-party portalsIn ProgressHighMFA policy, authentication logs, SSO configuration, service account reviewIT SecurityExpand MFA to all remote and privileged access.Authentication failures often become breach root causes.
40Technical45 CFR §164.312(e)(2)(i)Transmission Security: Integrity ControlsAddressableEnsure electronically transmitted ePHI is not improperly modified without detection.TLS, secure API, message integrity, certificate validation, secure file transferEmail, APIs, EDI, SFTP, portals, interfacesNeeds ReviewHighTLS configuration, API security design, SFTP setup, interface inventoryNetwork / Application OwnerMap ePHI transmissions and validate secure protocols.
41Technical45 CFR §164.312(e)(2)(ii)Transmission Security: EncryptionAddressableEncrypt ePHI whenever deemed appropriate during electronic transmission.TLS 1.2+, encrypted email, VPN, secure messaging, certificate lifecycle, HSTSEmail, remote access, APIs, web portals, file transfersNeeds ReviewHighTLS scan, email encryption policy, VPN configuration, certificate inventoryNetwork SecurityConfirm no ePHI is transmitted over insecure channels.Transmission encryption is highly visible during vendor and client reviews.
42Organizational45 CFR §164.314(a)Business Associate Contracts or Other ArrangementsStandardObtain satisfactory assurances that business associates will appropriately safeguard ePHI.BAA, vendor risk management, subcontractor, security questionnaire, due diligenceCloud providers, billing vendors, MSPs, SaaS, consultantsNeeds ReviewHighExecuted BAAs, vendor inventory, security review recordsCompliance / ProcurementCreate vendor inventory and BAA status tracker.Vendor gaps can become business risk quickly.
43Organizational45 CFR §164.314(b)Requirements for Group Health PlansStandard, if applicableEnsure plan documents provide safeguards for ePHI when group health plan requirements apply.plan sponsor, plan documents, firewall between employer and plan, access limitsGroup health plan administrationNot ApplicableLowApplicability analysis, plan document reviewHR / LegalDocument applicability with counsel or benefits administrator.
44Documentation45 CFR §164.316(a)Policies and ProceduresStandardImplement reasonable and appropriate policies and procedures to comply with the Security Rule.policy lifecycle, procedure, standard, exception, version control, approval workflowSecurity program documentationNeeds ReviewMediumPolicy set, approval records, version history, exception registerCompliance OfficerUpdate policy set to match actual controls.Policies should reflect how the business actually operates.
45Documentation45 CFR §164.316(b)DocumentationStandardMaintain required Security Rule documentation, retain it, make it available to responsible persons, and update it as needed.retention, evidence repository, audit trail, document control, review cadenceAudit evidence, policies, procedures, risk records, vendor recordsNeeds ReviewMediumEvidence repository, retention schedule, review logsCompliance Officer / IT ManagerCreate a central HIPAA evidence folder by safeguard.Good evidence reduces audit stress and improves decision-making.
Technical terms

Business leaders should ask about these HIPAA security terms.

ePHI

Electronic protected health information created, received, maintained, or transmitted by covered entities or business associates.

Risk Analysis

A documented process that identifies threats, vulnerabilities, likelihood, impact, and current safeguards affecting ePHI.

Audit Controls

Hardware, software, or procedures used to record and examine activity in systems that contain or use ePHI.

Access Control

Technical controls that limit who can access ePHI and what they can do, including unique user IDs, emergency access, session timeout, and encryption decisions.

Transmission Security

Controls that protect ePHI when it moves across networks, such as TLS, secure portals, VPNs, encrypted email, and secure file transfer.

Integrity Controls

Safeguards that help confirm ePHI has not been altered or destroyed in an unauthorized manner.

Required vs. Addressable

Required specifications must be implemented. Addressable specifications require documented analysis, implementation, equivalent alternative, or documented justification.

Business Associate Agreement

A contract or arrangement that requires a vendor or partner handling ePHI to appropriately safeguard that information.

HIPAA compliance support for healthcare and dental organizations protecting PHI
After the assessment

From HIPAA findings to practical security improvements.

OC Security Audit helps healthcare and dental organizations assess HIPAA Security Rule safeguards, document risk, validate evidence, and prioritize remediation. When findings require implementation, ongoing support, backups, endpoint management, Microsoft 365 hardening, or help desk operations, related IT work can be supported through IT Perfection.

Ali Hassani CISO and cybersecurity consultant for HIPAA security readiness
Experienced HIPAA security guidance

HIPAA safeguard reviews led with real IT, security, and compliance experience.

Ali Hassani is a CISO and cybersecurity consultant with 25+ years of experience across IT operations, cybersecurity, compliance auditing, Microsoft infrastructure, network security, cloud security, and infrastructure leadership. For HIPAA-focused organizations, that background helps connect executive risk, technical safeguards, evidence, remediation priorities, and audit readiness.

CISSPCCISOCCNPCCNAMCSEMCSA SecurityMCITP
HIPAA safeguards FAQ

Common questions about using the HIPAA safeguards matrix.

Does this matrix replace a professional HIPAA risk assessment?

No. The matrix is an organized working document for initial review, internal planning, evidence collection, and remediation tracking. It does not replace a professional cybersecurity audit, HIPAA compliance assessment, penetration test, or legal/compliance review.

Who should complete the matrix?

Most organizations should involve IT leadership, security, compliance, operations, HR, vendor management, and executive ownership. HIPAA safeguards often touch people, process, facilities, technology, and third-party service providers.

How often should HIPAA safeguards be reviewed?

Safeguards should be reviewed on a recurring schedule and after meaningful changes such as EHR migrations, Microsoft 365 changes, new vendors, incidents, staffing changes, facility changes, or major technology projects.

What should executives pay attention to?

Executives should focus on high-risk gaps, unclear control ownership, missing evidence, unresolved remediation, vendor exposure, contingency planning, and whether security review results are being translated into funded action.

HIPAA readiness support

Need help turning this matrix into an audit-ready HIPAA security program?

OC Security Audit helps organizations assess HIPAA Security Rule safeguards, document risk, review technical controls, validate evidence, and prioritize remediation for ePHI protection in Irvine, Orange County, Los Angeles County, and Southern California.

Continue the HIPAA Readiness Review

This page is part of a larger HIPAA readiness path for healthcare practices, dental offices, business associates, and vendors that handle PHI.

Clarify HIPAA scope first

If the team is still defining responsibility, review What Is HIPAA? and Who Must Comply With HIPAA?. These guides explain PHI, ePHI, covered entities, business associates, and why small practices still need a documented security program.

HIPAA Security Rule safeguards assessment matrix for audit ready ePHI protection
Use this pathway to move from HIPAA understanding into evidence, risk decisions, and practical remediation planning.