Compliance overview
Last updated: June 10, 2026 · 2025/2026 HIPAA Security Rule · 45 CFR §164.306
2025 Rule active
Overall score: 67% (34 of 51 controls)
Critical gaps: 5 (immediate action)
BAs verified: 11/18 (annual verification required)
Staff trained: 78% (§164.308(a)(5))
Dashboard panels: Compliance by category · Critical gaps (action required) · Upcoming deadlines · Recent incidents · Training snapshot
Controls tracker
51 controls mapped to 45 CFR §164.308 · §164.310 · §164.312 · §164.314 · §164.316; each control carries a review, a test, and uploaded evidence
| Control | CFR Citation | Category | Type | Frequency | Owner | Status |
|---|---|---|---|---|---|---|
Security Risk Assessment wizard
Annual requirement per §164.308(a)(1)(ii)(A)
Risk register + heat map
§164.308(a)(1) · Likelihood and impact scoring · NIST SP 800-30 methodology
Risk heat map (likelihood axis: Rare · Unlikely · Possible · Likely · Certain)
Risk summary: High/Critical 8 · Medium 9 · Low 5 (22 risks)
| Risk / vulnerability | CFR ref | Likelihood | Impact | Score | Accountability | Due date | Status |
|---|---|---|---|---|---|---|---|
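The register above scores each risk on a five-step likelihood scale against an impact scale, in the style of NIST SP 800-30, and rolls the scores up into the heat map and the three summary bands. The following is an added example, not code from the page or from the product it describes: a small scorer that computes likelihood × impact (1 to 25), bands the result, counts risks per heat-map cell, and produces the High/Critical, Medium, Low summary. The impact labels, the band cut-offs, and the sample register are assumptions for illustration; the risk names and citations in the sample are constructed and are not the page's data.

```python
"""Added example, not from the page: a 5x5 likelihood x impact risk scorer in the
style of NIST SP 800-30, producing the heat-map counts and the three summary bands
shown on the risk register. The impact labels, band cut-offs and the sample
register below are assumptions for illustration."""
from collections import Counter
from dataclasses import dataclass

LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Certain"]  # x axis, ranks 1-5 (page's labels)
IMPACT = ["Negligible", "Minor", "Moderate", "Major", "Severe"]    # y axis, ranks 1-5 (assumed labels)


@dataclass(frozen=True)
class Risk:
    name: str
    cfr_ref: str
    likelihood: str
    impact: str


def score(likelihood: str, impact: str) -> int:
    """Score = likelihood rank x impact rank, range 1..25. Raises ValueError on an unknown label."""
    return (LIKELIHOOD.index(likelihood) + 1) * (IMPACT.index(impact) + 1)


def band(s: int) -> str:
    """Map a score to a band. Cut-offs are assumed; set them from your own risk appetite."""
    if s >= 15:
        return "Critical"
    if s >= 10:
        return "High"
    if s >= 5:
        return "Medium"
    return "Low"


def heat_map(risks):
    """Return grid[impact_rank-1][likelihood_rank-1] = number of risks in that cell."""
    grid = [[0] * len(LIKELIHOOD) for _ in IMPACT]
    for r in risks:
        grid[IMPACT.index(r.impact)][LIKELIHOOD.index(r.likelihood)] += 1
    return grid


def summary(risks) -> dict:
    """Counts per dashboard bucket: High/Critical, Medium, Low."""
    counts = Counter(band(score(r.likelihood, r.impact)) for r in risks)
    return {
        "High/Critical": counts["High"] + counts["Critical"],
        "Medium": counts["Medium"],
        "Low": counts["Low"],
    }


def render(grid) -> str:
    """ASCII heat map with Severe at the top and Rare at the left."""
    lines = []
    for i in range(len(IMPACT) - 1, -1, -1):
        lines.append(f"{IMPACT[i]:>10} | " + "  ".join(f"{n:2d}" for n in grid[i]))
    lines.append(" " * 10 + " + " + "  ".join("--" for _ in LIKELIHOOD))
    lines.append(" " * 10 + "   " + "  ".join(lab[:2] for lab in LIKELIHOOD))
    return "\n".join(lines)


# Constructed sample register (illustrative names and citations, not the page's data).
REGISTER = [
    Risk("Unencrypted laptops holding ePHI", "§164.312(a)(2)(iv)", "Likely", "Major"),
    Risk("Remote access without MFA", "§164.312(d)", "Possible", "Major"),
    Risk("Terminated users still provisioned", "§164.308(a)(3)(ii)(C)", "Possible", "Moderate"),
    Risk("Audit logs collected but never reviewed", "§164.308(a)(1)(ii)(D)", "Likely", "Minor"),
    Risk("Backup media stored in locked safe on site", "§164.310(d)(2)(iv)", "Rare", "Minor"),
    Risk("Business associate not yet verified", "§164.308(b)", "Unlikely", "Severe"),
]

if __name__ == "__main__":
    for r in REGISTER:
        s = score(r.likelihood, r.impact)
        print(f"{s:2d} {band(s):8} {r.cfr_ref:22} {r.name}")
    print(render(heat_map(REGISTER)))
    print(summary(REGISTER))
```

The multiplicative score is what a 5×5 matrix implies; if the program records likelihood and impact on different scales, normalise both to 1 to 5 before scoring, and keep the band cut-offs in the risk management policy (§164.308(a)(1)(ii)(B)) so the register and the policy cannot drift apart.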
Policies & procedures
§164.316(a) — Adopt reasonable and appropriate policies and procedures to comply with the Security Rule
Views: Templates library · Active policies · Due for review
Auto-generated SRA report
Annual HIPAA Security Risk Assessment · §164.308(a)(1)(ii) · Ready for sign-off and export
Sign-off & attestation
By signing below, the authorized official attests that this Security Risk Assessment was conducted in accordance with 45 CFR §164.308(a)(1)(ii)(A) and represents an accurate assessment of risks to ePHI as of the date signed.
Signature block: Security officer / authorized signatory · Title / role · Date of attestation · Next review date
Business associate registry
§164.308(b) · Annual verification required · BAA must be executed before any ePHI access · BA must notify the covered entity within 24 hours of activating its contingency plan
Total BAs: 18 · Verified: 11 · Verification due: 7
| Business associate | Type | ePHI access | Risk level | BAA status | Last verified | Next due |
|---|---|---|---|---|---|---|
Incident tracker
§164.308(a)(6) · 72-hr response required · §164.400–414 Breach Notification Rule · 60-day HHS reporting for breaches ≥500 individuals
Open: 2 · Avg response: 14h (72-hr limit) · Resolved YTD: 39
| ID | Incident | Discovered | Severity | Breach determination | HHS notification | Response time | Status |
|---|---|---|---|---|---|---|---|
Staff training tracker
§164.308(a)(5) HIPAA workforce training safeguards — all workforce members with ePHI access must complete annual training
Overall completion: 78% · Overdue: 8 · Courses active: 6 · Phishing tests: 3
Users & roles
Manage access levels — Admin · Editor · Viewer · Assign controls and accountability
Role definitions
Admin: Full access. Manages users, signs off the SRA, edits all controls, views billing. Reserved for the Security Officer or Compliance Lead.
Editor: Updates control status, uploads evidence, logs incidents, manages BAs and training. Cannot manage users or sign the SRA.
Viewer: Read-only access to all compliance data. Suitable for auditors, executives, or outside counsel reviewing the program.
| User | Role | Assigned controls | Last active | MFA |
|---|---|---|---|---|