Score Your HIPAA Security Rule Safeguards in 5 Minutes

HIPAA Risk Assessment Tool

The HIPAA Security Rule holds every covered entity and business associate responsible for protecting electronic protected health information (ePHI) across Administrative, Physical, and Technical safeguards — and a documented Security Risk Analysis is the foundational, most-cited requirement in OCR enforcement. Most practices assume their EHR vendor has it handled and find out otherwise after a breach. This free interactive tool walks you through 18 safeguard questions, scores your readiness in real time, flags every gap with its §164 citation, and highlights the four high-leverage moves — SRA, MFA, PAM, and encryption at rest — that cut your risk fastest. It is a self-assessment, clearly labeled — not a formal SRA and not legal advice.

SOC 2 Compliant
24/7 Support
30+ Years Experience
HIPAA Security Rule Risk Assessment

HIPAA Risk Assessment

18 questions across the HIPAA Security Rule's Administrative, Physical, and Technical safeguards. Mark each as In Place / Partial / No. Get a live compliance score, per-safeguard breakdown, flagged gaps, and prioritized next steps. 100% browser-only — nothing is sent to LayerLogix.

This is a self-assessment, not a formal Security Risk Analysis (SRA) and not legal advice. The HIPAA Security Rule requires a documented, organization-wide SRA. Use this as a readiness gut-check, then complete a real SRA.

Administrative Safeguards

§164.308(a)(1)(ii)(A) (High-leverage)

Security Risk Analysis (SRA) completed

An accurate, thorough, organization-wide risk analysis of confidentiality, integrity, and availability of ePHI has been conducted and documented within the last 12 months.

§164.308(a)(1)(ii)(B)

Risk management plan in place

Security measures are implemented to reduce risks and vulnerabilities found in the SRA to a reasonable and appropriate level.

§164.308(a)(1)(ii)(C)

Sanction policy for violations

A documented sanction policy applies appropriate penalties against workforce members who fail to comply with security policies and procedures.

§164.308(a)(2)

Security & Privacy Officer assigned

A named Security Official (and Privacy Official) is responsible for developing and implementing required policies and procedures.

§164.308(a)(5)

Security awareness & training program

All workforce members receive recurring security awareness training, including phishing, malware, and password/login monitoring.

§164.308(a)(6)

Incident response & breach procedures

Documented procedures exist to identify, respond to, mitigate, and report suspected or known security incidents and breaches.

§164.308(a)(7)

Contingency plan (backup & DR)

A data backup plan, disaster recovery plan, and emergency-mode operation plan exist and have been tested.

§164.308(b)(1)

Business Associate Agreements (BAAs)

Signed BAAs are in place with every vendor that creates, receives, maintains, or transmits ePHI on your behalf.

Physical Safeguards

§164.310(a)(1)

Facility access controls

Physical access to systems and facilities housing ePHI is limited to authorized personnel (locks, badges, visitor logs).

§164.310(b)-(c)

Workstation use & security

Policies govern proper workstation use and physical safeguards restrict access to workstations that access ePHI.

§164.310(d)(1)

Device & media controls / disposal

Policies govern receipt, removal, reuse, and secure disposal/sanitization of hardware and media containing ePHI.

Technical Safeguards

§164.312(a)(1)

Unique user IDs & access control

Each user has a unique identifier; access to ePHI is restricted to those who need it (least privilege), with emergency access procedures.

§164.312(a)(1) (High-leverage)

Privileged Access Management (PAM)

Privileged accounts are managed, application allowlisting/ringfencing limits what can run, and least-functionality is enforced.

§164.312(d) (High-leverage)

Multi-factor authentication (MFA)

MFA is enforced for remote access, email, EHR, and all privileged accounts that can reach ePHI.

§164.312(b)

Audit controls / logging

Hardware, software, and procedural mechanisms record and examine activity in systems containing ePHI.

§164.312(c)(1)

Integrity controls

Mechanisms protect ePHI from improper alteration or destruction (e.g., checksums, version control, change monitoring).

§164.312(a)(2)(iv) (High-leverage)

Encryption at rest

ePHI on endpoints, servers, databases, and backups is encrypted at rest (a recognized addressable safe harbor).

§164.312(e)(1)

Encryption in transit

ePHI transmitted over networks (email, EHR, portals, file transfer) is encrypted using TLS or equivalent.

Compliance readiness: 0%
High Risk
Core safeguards are missing. Prioritize a Security Risk Analysis and the high-leverage technical controls immediately.

By safeguard
Administrative: 0%
Physical: 0%
Technical: 0%
High-leverage gaps

Close these first — they deliver the most risk reduction per dollar:

  • Security Risk Analysis (SRA) completed
  • Privileged Access Management (PAM)
  • Multi-factor authentication (MFA)
  • Encryption at rest
Get a Real SRA

What We Offer

Comprehensive solutions tailored for Houston-area businesses

18 Safeguard Questions

Covers all three HIPAA Security Rule safeguard categories — Administrative, Physical, and Technical — mapped to their 45 CFR §164 citations so you know exactly which requirement each question answers.

Live Compliance Score

Your overall readiness percentage and per-safeguard breakdown recompute in real time as you answer In Place / Partial / No. See where you stand at a glance.

High-Leverage Items Flagged

The tool highlights the items that deliver the most risk reduction per dollar: a current Security Risk Analysis (SRA), MFA, PAM, and encryption at rest. Fix these first.

Gap List with Citations

Every No or Partial is flagged with its §164 citation and a plain-English recommendation, so your remediation plan writes itself.

Download Your Report

Export a dated text report of your score, per-safeguard breakdown, flagged gaps, and prioritized next steps. Bring it to your compliance officer or your MSP.

100% Browser-Only

Nothing is sent to LayerLogix servers, and nothing is logged or stored. Your answers — and any sense of where your ePHI is exposed — stay on your device.
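The live score, per-safeguard breakdown, high-leverage flags and text-report export described above, as an added JavaScript example. This is not LayerLogix's tool code: the citations and question labels are the ones listed on this page, but the answer weights (Partial counts half), the treatment of unanswered questions as No, and the risk-band thresholds are assumptions made for the example.

```javascript
// Added example, not LayerLogix's code: scorer for the 18 safeguard questions
// listed on this page. Citations and labels come from the page; the weights,
// the unanswered-question rule and the risk bands are assumptions.

const CHECKLIST = {
  Administrative: [
    ["§164.308(a)(1)(ii)(A)", "Security Risk Analysis (SRA) completed", true],
    ["§164.308(a)(1)(ii)(B)", "Risk management plan in place", false],
    ["§164.308(a)(1)(ii)(C)", "Sanction policy for violations", false],
    ["§164.308(a)(2)", "Security & Privacy Officer assigned", false],
    ["§164.308(a)(5)", "Security awareness & training program", false],
    ["§164.308(a)(6)", "Incident response & breach procedures", false],
    ["§164.308(a)(7)", "Contingency plan (backup & DR)", false],
    ["§164.308(b)(1)", "Business Associate Agreements (BAAs)", false],
  ],
  Physical: [
    ["§164.310(a)(1)", "Facility access controls", false],
    ["§164.310(b)-(c)", "Workstation use & security", false],
    ["§164.310(d)(1)", "Device & media controls / disposal", false],
  ],
  Technical: [
    ["§164.312(a)(1)", "Unique user IDs & access control", false],
    ["§164.312(a)(1)", "Privileged Access Management (PAM)", true],
    ["§164.312(d)", "Multi-factor authentication (MFA)", true],
    ["§164.312(b)", "Audit controls / logging", false],
    ["§164.312(c)(1)", "Integrity controls", false],
    ["§164.312(a)(2)(iv)", "Encryption at rest", true],
    ["§164.312(e)(1)", "Encryption in transit", false],
  ],
};

// Assumed weights: In Place = full credit, Partial = half, No = none.
const WEIGHT = { "In Place": 1, "Partial": 0.5, "No": 0 };

// answers: { [questionLabel]: "In Place" | "Partial" | "No" }.
// Unanswered questions are scored as "No" (assumption: fail closed).
function assess(answers) {
  const bySafeguard = {};
  const gaps = [];
  let earned = 0;
  let possible = 0;
  for (const [section, items] of Object.entries(CHECKLIST)) {
    let sectionEarned = 0;
    for (const [cite, label, highLeverage] of items) {
      const answer = answers[label] ?? "No";
      if (!(answer in WEIGHT)) throw new Error(`bad answer for "${label}": ${answer}`);
      sectionEarned += WEIGHT[answer];
      // Every No or Partial becomes a gap carrying its §164 citation.
      if (answer !== "In Place") gaps.push({ section, cite, label, answer, highLeverage });
    }
    bySafeguard[section] = Math.round((100 * sectionEarned) / items.length);
    earned += sectionEarned;
    possible += items.length;
  }
  const overall = Math.round((100 * earned) / possible);
  // Assumed bands; the page only shows the 0% = "High Risk" case.
  const band = overall >= 80 ? "Low Risk" : overall >= 50 ? "Moderate Risk" : "High Risk";
  // High-leverage gaps in checklist order: SRA, PAM, MFA, encryption at rest.
  const highLeverageGaps = gaps.filter((g) => g.highLeverage).map((g) => g.label);
  // Gap list with high-leverage items first (sort is stable, so checklist order is kept).
  gaps.sort((a, b) => Number(b.highLeverage) - Number(a.highLeverage));
  return { overall, band, bySafeguard, gaps, highLeverageGaps };
}

// Dated plain-text report: score, per-safeguard breakdown, gaps with citations.
function reportText(result, date = new Date()) {
  const lines = [
    `HIPAA Security Rule self-assessment (not a formal SRA) - ${date.toISOString().slice(0, 10)}`,
    `Compliance readiness: ${result.overall}% (${result.band})`,
  ];
  for (const [section, pct] of Object.entries(result.bySafeguard)) lines.push(`  ${section}: ${pct}%`);
  lines.push("Gaps (high-leverage first):");
  for (const g of result.gaps) {
    lines.push(`  ${g.highLeverage ? "[!]" : "   "} ${g.cite} ${g.label}: ${g.answer}`);
  }
  return lines.join("\n");
}
```

Calling `assess({})` reproduces the page's empty-form state (0%, High Risk, all four high-leverage items flagged); `reportText(assess(answers))` yields the kind of dated text a practice could hand to its compliance officer. Because everything is a pure function over the in-memory `answers` object, the computation never needs to leave the browser, which is the property the page's browser-only claim depends on.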

Why Choose LayerLogix?

Serving businesses throughout the Greater Houston area including Houston, The Woodlands, Sugar Land, Dallas, Fort Worth, Austin, San Antonio.

Know Where Your ePHI Is Exposed

Most practices assume they are covered by their EHR vendor. The tool walks you through what you are actually responsible for under the Security Rule.

Prioritize the SRA First

A documented Security Risk Analysis is the foundational requirement and the most-cited gap in OCR enforcement. The tool puts it front and center.

See the High-Leverage Technical Wins

MFA, PAM, and encryption at rest close the controls breaches exploit most — and the tool flags exactly which you are missing.

Reduce OCR Enforcement Exposure

A documented self-assessment and remediation plan demonstrate good-faith effort if the Office for Civil Rights ever comes knocking.

Free Forever

No email gate, no signup, no upsell on the tool itself. We earn the conversation by giving you a genuinely useful starting point.

Our Process

1. Open the tool — no signup, no email required, nothing tracked
2. Answer 18 questions across Administrative, Physical, and Technical safeguards as In Place / Partial / No
3. Watch your overall compliance score and per-safeguard breakdown update in real time
4. Review the flagged high-leverage gaps — SRA, MFA, PAM, and encryption at rest come first
5. Read the gap list, each tied to its §164 citation and a recommended next step
6. Export your dated report and bring it to your compliance officer or your MSP
7. When you need a documented Security Risk Analysis and the technical controls deployed, contact LayerLogix

Frequently Asked Questions

Does this satisfy the HIPAA Security Risk Analysis requirement?
No. The HIPAA Security Rule (45 CFR §164.308(a)(1)(ii)(A)) requires an accurate, thorough, documented, organization-wide Security Risk Analysis (SRA). This tool is a readiness self-assessment — a gut-check to find obvious gaps before you invest in a formal SRA. It is not legal advice and not a substitute for the SRA itself. LayerLogix can perform a documented SRA for your practice.
What are the three HIPAA safeguard categories?
The Security Rule organizes its requirements into Administrative safeguards (policies, training, risk management, incident response, BAAs), Physical safeguards (facility access, workstation security, device and media disposal), and Technical safeguards (access control, audit logging, integrity, authentication/MFA, and encryption). This tool scores all three so you see your weakest area.
Why does the tool emphasize SRA, MFA, PAM, and encryption?
These are the highest-leverage controls. A current SRA is the foundational, most-cited requirement in OCR enforcement actions. MFA and PAM close the access and execution paths attackers use most. Encryption at rest is a recognized addressable safe harbor that can take an exposed device off the breach-notification table. Fixing these four moves your risk down faster than anything else.
Is my data sent anywhere?
No. The tool runs entirely in your browser. Nothing is sent to LayerLogix servers, and nothing is logged or stored. The download report is generated client-side and saved directly to your device — important when the answers themselves reveal where your ePHI is exposed.
Who needs to comply with the HIPAA Security Rule?
Covered entities (healthcare providers, health plans, and clearinghouses) and their business associates — any vendor that creates, receives, maintains, or transmits ePHI. If you are a covered entity, you also need signed Business Associate Agreements (BAAs) with every such vendor, which this tool checks.
What do I do after I export my report?
Use the flagged gaps and high-leverage items to build a remediation plan. If your score is low or your SRA is missing, contact LayerLogix — a Texas MSP and ThreatLocker partner serving healthcare practices. We perform documented Security Risk Analyses and deploy MFA, PAM, and encryption so you close gaps and reduce OCR exposure. Call 888-792-8080.
Do you provide the HIPAA Risk Assessment Tool in Houston and nearby areas?
Yes. LayerLogix is based in the Greater Houston area and offers its HIPAA Risk Assessment Tool, along with the documented SRA and remediation services behind it, to businesses across Houston and the surrounding communities, including The Woodlands, Spring, Katy, Sugar Land, Conroe, Cypress, and Pearland. For most Houston-area clients we can be on-site the same day when something needs hands-on attention, and our help desk is available 24/7 the rest of the time. Call 713-571-2390 to check coverage for your specific address.
What does the HIPAA Risk Assessment Tool cost for a Houston business?
Pricing depends on your size and what you need, so we do not publish a one-size-fits-all number — but Houston businesses generally pay a flat, predictable monthly fee rather than surprise hourly bills. We start with a free, no-obligation assessment of your current setup, then give you a clear quote in plain English with no hidden costs. That way you know exactly what you are getting and what it costs before you commit.

Ready to Get Started?

Contact LayerLogix today for a free consultation. We serve businesses throughout Houston, The Woodlands, Sugar Land, and the surrounding Greater Houston area.