What Is a HIPAA Health Check — And Does Your Business Need One?
If you work in healthcare — or if your software touches patient data in any way — you've probably heard that you need to be "HIPAA compliant." Most businesses in this space have done the minimum: they've signed a Business Associate Agreement (BAA) with their cloud provider, maybe added an SSL certificate to their website, and called it done.
They're not compliant. Not even close.
A HIPAA Health Check is a structured review of your entire environment — technical, administrative, and physical — against the actual requirements of the HIPAA Security Rule. What we find, consistently, is that the gaps aren't in the obvious places. They're in the policies nobody wrote, the vendor agreements nobody reviewed, and the access controls nobody audited.
Who Actually Needs to Be HIPAA Compliant?
HIPAA applies to two categories of organizations:
- Covered Entities — healthcare providers (hospitals, clinics, therapists, telehealth platforms), health plans, and healthcare clearinghouses that create, receive, or transmit Protected Health Information (PHI)
- Business Associates — any vendor or contractor that handles PHI on behalf of a covered entity. This includes billing software companies, EMR platforms, health app developers, cloud storage providers, and IT firms like us
Quick test: If your platform stores, transmits, or processes any information that could identify a patient — name, DOB, diagnosis, insurance ID, even an appointment date linked to a name — you are handling PHI and HIPAA applies to you.
What Does a HIPAA Health Check Actually Review?
A proper HIPAA Health Check is not a checkbox exercise. It's a structured assessment across three domains defined by the HIPAA Security Rule:
1. Technical Safeguards
- Encryption of PHI at rest and in transit
- Access controls — who can see what, and is that access logged?
- Automatic session timeouts on systems that access PHI
- Audit logs — are you recording who accessed patient data and when?
- Secure API design — is PHI exposed in URLs, logs, or error messages?
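One way to turn the last check above (PHI in URLs, logs, or error messages) into something you can actually run is shown here as an added example; it is not part of the GITS assessment and not the page's own code. It scans constructed sample log lines for query-string keys that carry PHI and for PHI-shaped values, and masks them the way a logging layer should; the key list and the regular expressions are assumptions for the example, not a complete definition of PHI.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query-string keys that put PHI into a URL, hence into proxy logs, browser
# history and Referer headers. Assumed list for this example, not a full PHI definition.
PHI_QUERY_KEYS = {"patient_name", "name", "dob", "ssn", "diagnosis", "insurance_id", "mrn"}

# PHI-shaped values that must not appear verbatim in logs or error messages (assumed).
PHI_VALUE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])\b"),
}

def phi_in_url(url):
    """Return the query-string keys in this URL that carry PHI, sorted."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(k for k in query if k.lower() in PHI_QUERY_KEYS)

def scan_log_line(line):
    """Return (finding_kind, detail) pairs for one access- or application-log line."""
    findings = []
    for token in line.split():  # URL-looking tokens: a path or an absolute URL
        if token.startswith(("/", "http://", "https://")):
            findings += [("phi_in_url", key) for key in phi_in_url(token)]
    for kind, pattern in PHI_VALUE_PATTERNS.items():
        if pattern.search(line):
            findings.append(("phi_value_in_log", kind))
    return findings

def redact(line):
    """Mask PHI-shaped values so the line can be retained in an audit log."""
    for kind, pattern in PHI_VALUE_PATTERNS.items():
        line = pattern.sub(f"[REDACTED-{kind.upper()}]", line)
    return line

def audit(lines):
    """Map line index -> findings for every line that leaks PHI."""
    scanned = ((i, scan_log_line(line)) for i, line in enumerate(lines))
    return {i: findings for i, findings in scanned if findings}

# Constructed sample log lines; the identifiers are invented, not real PHI.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /api/patients?dob=1987-04-12&name=Jane+Doe HTTP/1.1" 200',
    '10.0.0.5 - - "GET /api/patients/8f3a2c?fields=visits HTTP/1.1" 200',
    "ERROR lookup failed for ssn=123-45-6789: record not found",
]
if __name__ == "__main__":
    for index, findings in audit(SAMPLE_LOG).items():
        print(index, findings, "->", redact(SAMPLE_LOG[index]))
```

The second sample line passes because it addresses the record by an opaque identifier in the path rather than by name or date of birth in the query string, which is the pattern the "secure API design" check is looking for.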
2. Administrative Safeguards
- Written HIPAA policies and procedures — do they exist and are they current?
- Workforce training records — can you prove your team was trained?
- Risk analysis — have you formally assessed and documented your risks?
- Incident response plan — what happens if there's a breach?
- BAA inventory — do you have signed BAAs with every vendor who touches PHI?
3. Physical Safeguards
- Workstation controls — are laptops encrypted and screen-locked?
- Device disposal policy — how are old hard drives and phones wiped?
- Facility access controls for any physical location where PHI is accessed
The 5 Gaps We Find in Almost Every Assessment
Across the dozens of healthcare tech companies and medical practices we have reviewed, these are the issues that show up over and over:
- No formal risk analysis. HIPAA requires a documented, organization-wide risk assessment. Most businesses have never done one.
- Missing or outdated BAAs. Companies add new vendors constantly — Slack, Zoom, analytics tools — without checking if a BAA is required or requesting one.
- PHI in email. Staff routinely email patient names, appointment details, or test results through standard Gmail or Outlook without encryption.
- Overprivileged access. Developers and admin staff have access to production PHI they don't need; least privilege is not enforced.
- No workforce training records. Training may have happened informally, but there's no documentation proving it — which is what auditors actually need.
What HIPAA Violations Actually Cost
These are not hypothetical risks. The HHS Office for Civil Rights (OCR) actively investigates and levies significant fines:
The page cites three figures here (the dollar amounts are not reproduced in this text):
- the average penalty per HIPAA breach case, from HHS OCR data
- the penalty per violation, per day, which depends on knowledge and intent
- the amount paid by a single dental practice for failing to have a proper risk analysis
Beyond fines, a HIPAA breach triggers mandatory breach notification to affected patients, potential state attorney general investigations, and — for most healthcare companies — the permanent loss of patient trust.
What Happens After a Health Check?
At GITS, our HIPAA Health Check delivers a written gap report within 5 business days. The report includes:
- Every gap found, ranked by severity (critical, high, medium, low)
- Plain-English explanation of what each gap means and why it matters
- Specific remediation steps for each item — not vague recommendations
- A prioritized 30/60/90-day roadmap so you know where to start
We also offer remediation services — meaning we don't just hand you a list and walk away. If you want us to fix the technical gaps, write the missing policies, or set up proper access controls, we do that too.
Starting at $1,500. A HIPAA Health Check from GITS covers your full technical, administrative, and vendor landscape. Most assessments are completed in 2–3 weeks. Book a free consultation →
How to Know If You're Ready
If you can't answer "yes" to all of these, you need a health check:
- Do you have a signed BAA with every vendor who processes PHI?
- Have you completed and documented a formal HIPAA risk analysis in the last 12 months?
- Can you produce training records proving your workforce received HIPAA training?
- Is all PHI encrypted at rest and in transit — including in backups?
- Do you have a written incident response plan for a potential breach?
Most businesses we talk to can't answer yes to even three of those. The good news is that gaps are fixable — and a structured health check tells you exactly what to do in what order.
Get a Free 20-Minute HIPAA Consultation
Tell us about your platform and we'll let you know — honestly — whether a full health check makes sense for your situation. No pressure, no pitch.