Compliancy Group created a HIPAA quiz, available for free, for covered entities (CEs) and business associates (BAs) to assess their HIPAA compliance. We have analyzed the results from 352 respondents to determine trends in HIPAA compliance. The findings from the HIPAA quiz are discussed below. 

Take our HIPAA quiz to see where your organization stands! 

HIPAA Quiz ScoresHIPAA Quiz: Scores

The HIPAA quiz scores organization’s overall HIPAA compliance. We found that the average quiz score is 57. The vast majority of respondents failed the quiz. Of the 352 respondents, only 119 scored above a 70, while 119 respondents scored less than 50. 

How Many Audits Completed

HIPAA Quiz: Self-audits

To be HIPAA compliant, organizations must complete self-audits to assess their business practices against HIPAA standards. Of the quiz respondents, only 24% completed all six required audits, while 46% completed just one audit. 

Completed Audits

Of the completed self-audits 24% of respondents completed a security risk assessment (SRA), while only 10% completed a HITECH Subtitle D Audit. A security risk assessment assesses an organization’s security practices, while the HITECH audit assesses an organization’s handling of electronic protected health information (ePHI).

HIPAA Quiz: Gap Identification

Completing self-audits enables organizations to identify gaps in their safeguards surrounding protected health information (PHI). Although 75% of respondents replied that they had identified their gaps, that is unlikely to be accurate. To have truly identified their gaps, respondents would have had to have completed all of their self-audits; since only 24% completed all of the required self-audits, it is likely that most organizations did not adequately identify their gaps.

HIPAA Quiz: Remediation Plans

Remediation plans address the gaps identified by self-audits. Creating remediation plans, and implementing these plans, allows organizations to address vulnerabilities in their current business practices. 83% of respondents claim to have created remediation plans, however, as stated previously, since the majority of respondents did not complete all of their self-audits, whatever remediation plans were created are likely insufficient to address all gaps.

HIPAA Quiz: Policies and Procedures

Policies and procedures dictate the proper uses and disclosures of PHI. It is required for policies and procedures to be customized to apply to the specific business; 91% of respondents replied that they had policies and procedures in line with HIPAA standards.

HIPAA Quiz: Employee Training

Employee training must be completed annually; employees must trained on HIPAA standards as well as organizational policies and procedures. 87% of respondents replied that they had completed their employee training

HIPAA Quiz: Business Associate Management

Part of HIPAA compliance is vetting vendors and having signed business associate agreements (BAAs) with all vendors. Respondents were asked whether or not they had identified their vendors, 90% responded that they had. 

HIPAA Quiz: Incident Management

Organizations that experience a breach are required to report it. Respondents were asked whether or not they had a defined process for reporting and responding to breaches, 87% replied that they do.