Free tool · No signup

HIPAA + 42 CFR Part 2 compliance self-audit.

Twenty-five yes-or-no questions across the HIPAA Privacy Rule, HIPAA Security Rule, and 42 CFR Part 2. You get a live score, a ranked gap list, and the recommended action for every gap. Designed by a behavioral-health operator for behavioral-health operators.

25 questions · 5 categories · ~5 minutes
Heads up

This is operator-grade self-assessment, not legal advice. The audit reflects common best practices for HIPAA and 42 CFR Part 2. Consult qualified behavioral-health compliance counsel before relying on the output for any binding decision. Your answers stay in your browser unless you click one of the contact buttons.

The audit

Twenty-five questions. One honest score.

Answer yes or no for each control. The live score updates as you go. Skip nothing; gaps are ranked by severity once you finish.

01 · Privacy Rule (5 questions)

Patient-facing controls: NPP, authorizations, BAAs, and access rights.

  1. Q1 (High): Do you have a designated Privacy Officer responsible for HIPAA compliance?
  2. Q2 (High): Do you have a current Notice of Privacy Practices and provide it to every patient at first encounter?
  3. Q3 (High): Do you obtain written authorization before disclosing PHI for purposes beyond treatment, payment, or healthcare operations (TPO)?
  4. Q4 (High): Do you have a signed Business Associate Agreement (BAA) with every vendor that touches PHI?
  5. Q5: Do you provide patients with access to their medical records within 30 days of their request?

02 · Security Rule (7 questions)

Technical safeguards: risk analysis, encryption, identity, and audit logs.

  1. Q6 (High): Have you conducted a formal HIPAA Security Risk Assessment in the last 12 months?
  2. Q7 (High): Is all electronic PHI encrypted at rest (database, file storage, backups, mobile devices)?
  3. Q8 (High): Is all PHI encrypted in transit (TLS 1.2+ for web, encrypted email/SFTP for file transfer)?
  4. Q9 (High): Does every staff member with PHI access have a unique user account (no shared logins)?
  5. Q10: Are PHI access permissions limited by role to the minimum necessary for each staff member's job?
  6. Q11 (High): Does your EMR capture audit logs for every PHI access, modification, and deletion?
  7. Q12 (High): Do you have a documented incident response and breach notification plan?
03 · Administrative Safeguards (4 questions)

Policies, training, sanctions, and routine activity-log review.

  1. Q13: Do all employees with PHI access complete annual HIPAA training, with documentation?
  2. Q14: Do you have written policies and procedures covering each Privacy and Security Rule requirement?
  3. Q15: Do you have a documented sanctions policy for staff who violate HIPAA, and apply it consistently?
  4. Q16: Do you review system activity logs for inappropriate access at least quarterly?

04 · 42 CFR Part 2 (6 questions)

SUD-specific consent, redisclosure, segmentation, and court orders.

  1. Q17 (High): Do you obtain Part 2-compliant written consent before disclosing SUD treatment records (with specific recipient, purpose, expiration)?
  2. Q18 (High): Do all redisclosures of Part 2 records carry the federal notice prohibiting further redisclosure?
  3. Q19 (High): Do you maintain Part 2 records separately or with technical controls preventing commingling with non-Part 2 records?
  4. Q20: Do you have a documented process for revoking Part 2 consent, and honor revocations promptly?
  5. Q21: Do staff who handle SUD records receive training on 42 CFR Part 2 specifically (not just HIPAA)?
  6. Q22 (High): Do you have a documented process for handling subpoenas and court orders for Part 2 records that complies with 42 CFR Part 2?
05 · Operational (3 questions)

Internal audits, complaint handling, and six-year documentation retention.

  1. Q23: Do you conduct internal compliance audits at least annually?
  2. Q24: Do you have a designated point of contact for patient privacy complaints, and document every complaint?
  3. Q25 (High): Do you retain compliance documentation (policies, training records, audits, BAAs) for at least six years?
Answer all 25 questions to reveal your score.

Compliance is the foundation, not the checklist.

HIPAA and 42 CFR Part 2 compliance is the foundation of every Navix deployment. Audit logs on every PHI access. Encryption at rest and in transit. BAAs signed with every paid customer. The Compliance Agent watches your chart in real time and exports payer-ready packets on demand.

  • Encryption: AES-256 at rest · TLS 1.2+ in transit
  • Audit logs: every PHI access, modification, deletion
  • Compliance: HIPAA · 42 CFR Part 2 · SOC 2 · Drummond ONC