Free Assessment · 5 Minutes

Is your AI system
HIPAA compliant?
Find out in 5 minutes.

12 questions mapped to the HIPAA Security Rule (45 CFR Part 164) and HITECH. Get a free personalized gap report with primary-source HHS citations — no signup required.

45 CFR §164.308–316 covered · AI/ML PHI governance included · PDF gap report emailed instantly
Built for healthcare AI, digital health, and covered entities · HHS OCR primary-source citations in every report

Ready to assess your HIPAA compliance posture?

This assessment covers 12 controls across the HIPAA Security Rule Administrative, Physical, and Technical Safeguards — plus HITECH breach notification and AI/ML governance requirements.

Answer 12 questions about your PHI safeguards
Get HIGH / MED gap severity ratings instantly
Receive a PDF gap report with HHS primary citations
Question 1 of 12 · Administrative Safeguards
📋 45 CFR §164.308(a)(1)

Have you documented all PHI systems and conducted a formal HIPAA risk analysis?

Covers identification of all systems that create, receive, maintain, or transmit ePHI — and a formal risk analysis assessing likelihood and impact of threats to ePHI. Required by HHS OCR as the foundation of all HIPAA compliance programs.

Question 2 of 12 · Business Associate Contracts
📄 45 CFR §164.314(a)(1)

Do you have signed Business Associate Agreements with all vendors that handle PHI?

Every vendor, contractor, or cloud provider that creates, receives, maintains, or transmits PHI on your behalf must execute a BAA. This includes AI/LLM API providers, cloud infrastructure (AWS, GCP, Azure), analytics platforms, and any SaaS tool with PHI access.

Question 3 of 12 · Technical Safeguards
🔐 45 CFR §164.312(a)(2)(iv)

Is all ePHI encrypted at rest using AES-256 or equivalent?

Encryption at rest is an addressable specification: you must implement it where reasonable and appropriate, or document why it is not and put an equivalent alternative measure in place. Critically: ePHI encrypted in line with HHS guidance (NIST-approved algorithms and key management) is not "unsecured PHI", so losing the storage media is not a reportable breach under the HITECH safe harbor. The safe harbor holds only if the decryption key was not compromised along with the data; a database dump taken together with the KMS credentials that unwrap it is still a breach.

Question 4 of 12 · Technical Safeguards
🔐 45 CFR §164.312(e)(2)(ii)

Is ePHI encrypted in transit using TLS 1.2+ on all network paths?

Covers all ePHI transmission: APIs, web applications, internal service-to-service calls, email containing PHI, and AI model API requests. TLS 1.0 and 1.1 are deprecated (RFC 8996) and should be disabled, with TLS 1.2 enforced as the minimum protocol version on every listener. Applies to every network segment carrying ePHI, including between microservices in the same VPC: "it never leaves our network" is not a substitute, because the risk analysis has to account for an attacker who is already inside it.

Question 5 of 12 · Technical Safeguards
🔑 45 CFR §164.312(a)(1) + §164.514(d)

Is role-based access to PHI enforced with the minimum necessary standard applied?

The HIPAA Minimum Necessary standard requires that staff access only the PHI required for their job function. This includes unique user IDs, MFA enforcement, RBAC policies, and quarterly access reviews. For AI systems: models should access only the specific PHI fields required for the clinical task.

Question 6 of 12 · Technical Safeguards
📊 45 CFR §164.312(b)

Do you maintain automated audit logs of all PHI access, modification, and deletion?

Audit Controls (§164.312(b)) is a required specification — no alternative implementation is permitted. Logs must record: who accessed PHI, what action was taken, timestamp, and from which system. Logs must be retained for at least 6 years (§164.316(b)(2)) and reviewed regularly for anomalous activity.
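The rule says what an audit record has to capture and that the records have to be reviewed; it does not say how. The following is an added example, not code from this page or from any product it describes, showing one way to check an audit trail for the four required elements (who, what, when, from where) and run two simple review rules over it: actions outside a role's allowed set, and a user touching an unusual number of distinct patient records in a day. The field names, roles, threshold and log lines are all hypothetical and constructed for this example.

```python
import json
from collections import defaultdict

# Constructed sample audit trail (JSON Lines). Users, roles, patient IDs and
# addresses are fictitious and exist only for this example.
SAMPLE_LOG = """\
{"ts": "2024-05-06T09:12:04Z", "user": "nurse.kim", "role": "nurse", "action": "read", "patient": "P-1001", "system": "ehr-web", "src": "10.20.1.15"}
{"ts": "2024-05-06T09:15:40Z", "user": "nurse.kim", "role": "nurse", "action": "update", "patient": "P-1001", "system": "ehr-web", "src": "10.20.1.15"}
{"ts": "2024-05-06T10:02:11Z", "user": "billing.lee", "role": "billing", "action": "read", "patient": "P-1003", "system": "claims", "src": "10.20.4.8"}
{"ts": "2024-05-06T10:03:27Z", "user": "billing.lee", "role": "billing", "action": "delete", "patient": "P-1003", "system": "claims", "src": "10.20.4.8"}
{"ts": "2024-05-06T11:00:00Z", "user": "svc-etl", "role": "ml-pipeline", "action": "read", "system": "lakehouse", "src": "10.30.0.2"}
{"ts": "2024-05-06T02:10:01Z", "user": "clerk.roy", "role": "billing", "action": "read", "patient": "P-3001", "system": "ehr-web", "src": "10.20.9.77"}
{"ts": "2024-05-06T02:10:39Z", "user": "clerk.roy", "role": "billing", "action": "read", "patient": "P-3002", "system": "ehr-web", "src": "10.20.9.77"}
{"ts": "2024-05-06T02:11:12Z", "user": "clerk.roy", "role": "billing", "action": "read", "patient": "P-3003", "system": "ehr-web", "src": "10.20.9.77"}
{"ts": "2024-05-06T02:11:50Z", "user": "clerk.roy", "role": "billing", "action": "read", "patient": "P-3004", "system": "ehr-web", "src": "10.20.9.77"}
{"ts": "2024-05-06T02:12:31Z", "user": "clerk.roy", "role": "billing", "action": "read", "patient": "P-3005", "system": "ehr-web", "src": "10.20.9.77"}
{"ts": "2024-05-06T02:13:05Z", "user": "clerk.roy", "role": "billing", "action": "read", "patient": "P-3006", "system": "ehr-web", "src": "10.20.9.77"}
"""

# The four elements every record must carry: when, who, what, on which
# record, from which system. A record missing any of them is itself a gap.
REQUIRED_FIELDS = ("ts", "user", "role", "action", "patient", "system")

# Hypothetical least-privilege matrix: actions each role may take on PHI.
ROLE_ACTIONS = {
    "nurse": {"read", "update"},
    "physician": {"read", "update"},
    "billing": {"read"},
    "ml-pipeline": {"read"},
    "him-admin": {"read", "update", "delete"},
}

# Distinct patients one user may touch per UTC day before review is triggered
# (an illustrative value; tune it per role from your own baseline).
BULK_THRESHOLD = 5


def parse_audit_log(text):
    """Parse JSON Lines into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review_audit_log(records, bulk_threshold=BULK_THRESHOLD):
    """Return a list of findings, each {"rule", "line", "user", "detail"}."""
    findings = []
    per_user_day = defaultdict(set)
    for lineno, rec in enumerate(records, 1):
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            findings.append({"rule": "incomplete-record", "line": lineno,
                             "user": rec.get("user"),
                             "detail": "missing " + ",".join(missing)})
            continue  # cannot attribute it to a patient, so skip bulk counting
        if rec["action"] not in ROLE_ACTIONS.get(rec["role"], set()):
            findings.append({"rule": "action-outside-role", "line": lineno,
                             "user": rec["user"],
                             "detail": f"{rec['role']} performed {rec['action']} on {rec['patient']}"})
        per_user_day[(rec["user"], rec["ts"][:10])].add(rec["patient"])
    for (user, day), patients in sorted(per_user_day.items()):
        if len(patients) > bulk_threshold:
            findings.append({"rule": "bulk-access", "line": None, "user": user,
                             "detail": f"{len(patients)} distinct patients on {day}"})
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {"bulk-access": 1, ...}."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = review_audit_log(parse_audit_log(SAMPLE_LOG))
    for f in results:
        print(f)
    print(summarize(results))
```

Run against the sample, the review flags the billing user who deleted a record, the ETL job whose record has no patient identifier (an audit trail that cannot say which record was read is incomplete, whether or not the access was legitimate), and the clerk who read six different charts at two in the morning. The thresholds and role matrix are the part you replace with your own; the required-field check is the part that should not be negotiable.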

Question 7 of 12 · Breach Notification
🚨 HITECH §13402 · 45 CFR §164.402

Do you have documented breach notification procedures with 60-day HHS OCR reporting capability?

HITECH requires notification to affected individuals without unreasonable delay and no later than 60 days after discovering a breach of unsecured PHI. Breaches affecting 500 or more residents of a state or jurisdiction also require media notification and must be reported to HHS within the same 60-day window; smaller breaches are logged and reported to HHS within 60 days of the end of the calendar year in which they were discovered. An impermissible use or disclosure is presumed to be a breach unless a documented 4-factor risk assessment (nature of the PHI, who received it, whether it was actually acquired or viewed, and the extent of mitigation) shows a low probability that the PHI was compromised. Tabletop breach simulation exercises should be conducted annually.

Question 8 of 12 · Administrative Safeguards
🎓 45 CFR §164.308(a)(5)

Do all workforce members with PHI access receive annual HIPAA security awareness training?

Security Awareness and Training (§164.308(a)(5)) is a required standard; its implementation specifications (security reminders, protection from malicious software, log-in monitoring, and password management) are addressable, so each must be implemented or its alternative documented. The rule calls for periodic training; annual training, with refreshers when PHI workflows change, is the common benchmark. Training records must be maintained for 6 years. AI team members with PHI pipeline access require the same training as clinical staff.

Question 9 of 12 · Administrative Safeguards
📈 45 CFR §164.308(a)(1)(ii)(B)

Is your HIPAA risk analysis updated annually and after material changes to your PHI environment?

HIPAA requires an ongoing Risk Management Program — not a one-time assessment. Risk analysis must be updated when: a major system change is made, a new AI model or PHI workflow is introduced, a security incident occurs, or annual review triggers it. HHS OCR cites stale risk analysis in the majority of HIPAA resolution agreements.

Question 10 of 12 · Administrative Safeguards
🛡️ 45 CFR §164.308(a)(6)

Do you have a documented security incident response plan with defined roles and recovery procedures?

Security Incident Procedures (§164.308(a)(6)) is a required standard with a required implementation specification, Response and Reporting: identify and respond to suspected or known security incidents, mitigate their harmful effects to the extent practicable, and document incidents and their outcomes. The rule does not mandate tabletop exercises, but an annual exercise is the standard way to validate that roles, escalation paths, and recovery procedures actually work. Incident documentation must be retained for 6 years.

Question 11 of 12 · Administrative Safeguards
🗃️ 45 CFR §164.316(b)(2)

Do you have documented PHI retention schedules and secure disposal procedures?

HIPAA requires Security Rule policies, procedures, and required records to be retained for 6 years from their creation or last effective date, whichever is later. Medical record retention is set by state law, not HIPAA (often 7–10 years, or longer for minors). Disposal of ePHI on electronic media (§164.310(d)(2)(i)) is a required specification: sanitize the media following NIST SP 800-88, which HHS references, or physically destroy it. AI training data containing PHI, and any copies, caches, or derived datasets of it, are subject to the same retention and disposal rules.

Question 12 of 12 · AI/ML Governance
🤖 §164.308(a)(1) + HHS OCR AI Guidance (2024)

Do your AI/ML systems using PHI have documented governance, de-identification, and BAA coverage for AI vendors?

HHS OCR issued specific AI + HIPAA guidance in December 2024. AI/ML models that ingest PHI require: BAAs with all AI vendors (including LLM API providers), a de-identification assessment per §164.514(b) before using PHI in training (including the no-actual-knowledge determination for Safe Harbor data), technical controls to limit and test for PHI memorization, and PHI processing logs for all AI workloads.

One last step

Where should we send your HIPAA gap report?

Your personalized report — with 45 CFR section-by-section remediation guidance and HHS.gov primary citations — will be emailed within seconds.


Sturna closes HIPAA gaps for healthcare AI teams

PHI risk analysis, BAA coverage, audit controls, AI/ML governance policies — OCR-ready documentation in 30 days.

Start a HIPAA Compliance Pilot →


Frequently Asked Questions

What is a HIPAA Security Rule risk analysis?

A HIPAA Security Rule risk analysis (required under 45 CFR §164.308(a)(1)) is a formal assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI. It's a required administrative safeguard and the foundation of every HIPAA compliance program. HHS OCR cites incomplete or absent risk analysis in the majority of HIPAA resolution agreements.

Do AI and machine learning systems require HIPAA compliance?

Yes. Any AI/ML system that creates, receives, maintains, or transmits PHI on behalf of a covered entity or business associate must comply with the HIPAA Security Rule. LLMs used for clinical documentation, diagnostic support, or patient communication — along with their API providers — require Business Associate Agreements. HHS OCR issued specific AI + HIPAA guidance in December 2024.

What is the HITECH breach notification rule?

HITECH (§13402) requires covered entities to notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach of unsecured PHI, to notify HHS OCR (within the same 60 days for breaches of 500 or more individuals, otherwise in an annual log), and to notify media outlets when 500 or more residents of a state or jurisdiction are affected. PHI encrypted in line with HHS guidance is not "unsecured PHI", so the loss or theft of encrypted storage media is not a reportable breach, provided the decryption key was not compromised along with it.

Do I need a Business Associate Agreement with my AI vendor?

Yes — if your AI vendor receives, processes, or stores PHI on your behalf, a BAA is required under 45 CFR §164.314(a)(1). This includes LLM API providers (OpenAI, Anthropic, Google Gemini), cloud infrastructure (AWS, Azure, GCP), and any analytics or ML platform with PHI access. Operating without a BAA is a HIPAA violation regardless of whether a breach occurs.

How is this HIPAA readiness assessment scored?

This assessment covers 12 controls mapped to the HIPAA Security Rule and HITECH. Each answer is scored: Yes = 1, Partial = 0.5, No or Don't Know = 0. PHI Inventory/Risk Analysis and Business Associate Agreements are weighted 2× because they are prerequisites for all other safeguards. HIPAA-Ready: 85%+. Gaps Identified: 60–84%. Significant Remediation Required: below 60%.

What penalties does HHS OCR impose for HIPAA violations?

Civil monetary penalties are set in statute at $100 to $50,000 per violation with an annual cap per violation category (originally $1.5M); both are adjusted for inflation each year, which is why current caps exceed those baselines (around $1.9M and rising). Notable penalties: Anthem ($16M, 2018, risk analysis failures), UCLA Health ($865,500, 2016), Montefiore Medical Center ($4.75M, 2024). HHS OCR resolved $46M in HIPAA penalties in 2023 alone. Criminal penalties can reach $250,000 and 10 years imprisonment when PHI is obtained or disclosed with intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm.

What PHI de-identification methods does HIPAA allow for AI training?

HIPAA (§164.514(b)) recognizes two methods: (1) Expert Determination, in which a person with appropriate statistical and scientific expertise documents that the risk of re-identification is very small; (2) Safe Harbor, in which 18 categories of identifiers (names, SSNs, all date elements other than year, ages over 89, geographic subdivisions smaller than a state except the first three ZIP digits, and so on) are removed and the covered entity has no actual knowledge that the remaining information could identify an individual. De-identified data falls outside HIPAA's scope, making it potentially suitable for AI model training. However, AI models can memorize training data, and free-text fields routinely carry identifiers that a field-level rule set misses, so a de-identification assessment for training data must account for both risks.
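To make the Safe Harbor rules concrete for the training-data case raised in Question 12 and in this answer, here is an added example (not code from this page or from any product it describes) that applies the date, age and ZIP rules to a patient record and scrubs two identifier patterns from a free-text note. The record field names, the sample records and the reference date are constructed for this example; the restricted three-digit ZIP prefixes are the ones listed in HHS's Safe Harbor guidance from 2000 Census data, and the comment flags that the list must be checked against current guidance. Whether the result is actually de-identified still depends on the no-actual-knowledge determination, which no code can make for you.

```python
import re
from datetime import date

# Three-digit ZIP prefixes whose combined population was 20,000 or fewer in
# the 2000 Census, as listed in HHS's Safe Harbor guidance; Safe Harbor
# requires these to be recorded as "000". Verify this list against current
# HHS guidance before relying on it.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
}

# Hypothetical record field names (this example's own, not any EHR schema)
# mapped onto the Safe Harbor categories that are removed outright: names,
# contact details, SSN, MRN, health plan and account numbers, licence,
# vehicle and device identifiers, URLs, IPs, biometrics, photos, and any
# other unique identifier.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_no", "license_no", "vehicle_id",
    "device_serial", "url", "ip", "biometric", "photo", "other_unique_id",
}

# Minimal free-text scrub for two identifier patterns. Free text is where
# field-level Safe Harbor fails most often; real notes need fuller review.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"\b\d{3}-\d{3}-\d{4}\b")

AS_OF = date(2024, 6, 1)  # reference date for age calculation (constructed)


def zip3(zip_code):
    """Keep the first three ZIP digits unless the prefix is restricted."""
    prefix = zip_code[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_on(dob, as_of):
    """Whole years between dob and as_of."""
    birthday_passed = (as_of.month, as_of.day) >= (dob.month, dob.day)
    return as_of.year - dob.year - (0 if birthday_passed else 1)


def scrub_text(text):
    """Replace SSN-shaped and phone-shaped tokens in free text."""
    return PHONE_RE.sub("[PHONE]", SSN_RE.sub("[SSN]", text))


def safe_harbor(record, as_of=AS_OF):
    """Return a Safe Harbor de-identified copy of `record`."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key == "zip":
            out["zip3"] = zip3(value)
        elif key == "dob":
            age = age_on(value, as_of)
            if age >= 90:
                # Ages over 89 are aggregated to "90+" and the birth year is
                # dropped, because the year alone would reveal the age.
                out["age"] = "90+"
            else:
                out["age"] = age
                out["birth_year"] = value.year
        elif key.endswith("_date") and isinstance(value, date):
            # Admission, discharge, death and similar dates: year only.
            out[key[:-5] + "_year"] = value.year
        elif key in ("note", "notes") and isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


# Constructed sample records; every value is fictitious.
SAMPLE_ELDERLY = {
    "name": "Jane Q. Sample", "ssn": "123-45-6789", "mrn": "MRN-00042",
    "email": "jane@example.com", "dob": date(1931, 3, 14), "zip": "03601",
    "admit_date": date(2024, 2, 29), "diagnosis": "I10",
    "note": "Pt reports phone 555-123-4567; SSN 123-45-6789 on file.",
}
SAMPLE_ADULT = {
    "name": "John Sample", "dob": date(1985, 7, 20), "zip": "94110",
    "discharge_date": date(2024, 3, 2), "diagnosis": "E11.9", "note": "Stable.",
}


def demo():
    """De-identify both samples; used by the stand-alone run below."""
    return [safe_harbor(r) for r in (SAMPLE_ELDERLY, SAMPLE_ADULT)]


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

The two edge cases worth noticing are the 93-year-old, whose birth year must go along with her full date of birth because "born 1931" would itself put her in the over-89 group, and the 036 ZIP prefix, which Safe Harbor collapses to 000 because the area is too sparsely populated for three digits to be safe. Neither is exotic; both are what a naive "drop the obvious columns" script gets wrong.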

What HIPAA audit controls are required for AI systems?

Under 45 CFR §164.312(b), audit controls are a required specification — no alternative is permitted. For AI systems processing ePHI, this means logging: every PHI input to an AI model, model outputs containing PHI, user IDs initiating AI queries, and timestamps. Logs must be retained for 6+ years and reviewed for anomalous access patterns. AI inference logs are subject to the same HIPAA audit requirements as traditional PHI access logs.