Higglo/Free tools/HIPAA compliance checklist

Free tool · for ABA & behavioral health

Score your HIPAA posture in under ten minutes.

Name: Higglo
Price range: $$$

A 25-item self-audit across the six domains the OCR actually reviews — data storage, BAAs, staff training, incident response, devices, and patient rights. You get a score, a per-domain gap list, and a printable action plan.

What auditors actually look at

Four patterns we see almost every time.

R.01

BAAs are the fastest way to fail an audit.

Every vendor that touches PHI — EHR, billing, scheduling, even your email host — needs a signed BAA on file. Most practices are missing two or three.

R.02

Training without documentation doesn't count.

If you can't produce a signed acknowledgment from each staff member, the OCR will treat training as not done. Use a checklist tracker, not memory.

R.03

Personal cloud storage is the silent breach.

Personal Google Drive, Dropbox, or iCloud holding any PHI — even one document — is a violation. Audit shared drives twice a year.

R.04

The 60-day rule is non-negotiable.

Notification windows for breaches are calendar days, not business days. A documented response procedure removes the panic and the missed deadline.

Benchmarks · ABA category

Where most practices actually sit.

Audit risk

Practices with active BAAs

62%

Across the practices we've audited, fewer than two-thirds had BAAs with every active vendor. The most-missed: email and scheduling.

Source · Higglo HIPAA reviews, n=14

Training

Documented annual refresh

48%

Less than half of ABA practices document annual HIPAA refresh training in a way that would survive an OCR spot-check.

Source · 2025 cohort review

Patient rights

30-day record access

91%

Strong area — practices respond to record requests on time, but few practices document the response itself, which is the actual requirement.

Source · Higglo client cohort

Pressure-test the score

Bring your gap report to a 20-minute call.

The checklist tells you where the gaps are. We'll tell you which gap to close first based on actual OCR enforcement priorities — and which ones can wait without raising your audit risk.

Book a 20-min call →See services

Higglo/Free tools/HIPAA compliance checklist

Free tool · for ABA & behavioral health

Score your HIPAA posture in under ten minutes.

What auditors actually look at

Four patterns we see almost every time.

R.01

BAAs are the fastest way to fail an audit.

Every vendor that touches PHI — EHR, billing, scheduling, even your email host — needs a signed BAA on file. Most practices are missing two or three.

R.02

Training without documentation doesn't count.

If you can't produce a signed acknowledgment from each staff member, the OCR will treat training as not done. Use a checklist tracker, not memory.

R.03

Personal cloud storage is the silent breach.

Personal Google Drive, Dropbox, or iCloud holding any PHI — even one document — is a violation. Audit shared drives twice a year.

R.04

The 60-day rule is non-negotiable.

Notification windows for breaches are calendar days, not business days. A documented response procedure removes the panic and the missed deadline.

Benchmarks · ABA category

Where most practices actually sit.

Audit risk

Practices with active BAAs

62%

Across the practices we've audited, fewer than two-thirds had BAAs with every active vendor. The most-missed: email and scheduling.

Source · Higglo HIPAA reviews, n=14

Training

Documented annual refresh

48%

Less than half of ABA practices document annual HIPAA refresh training in a way that would survive an OCR spot-check.

Source · 2025 cohort review

Patient rights

30-day record access

91%

Strong area — practices respond to record requests on time, but few practices document the response itself, which is the actual requirement.

Source · Higglo client cohort

Pressure-test the score

Bring your gap report to a 20-minute call.

The checklist tells you where the gaps are. We'll tell you which gap to close first based on actual OCR enforcement priorities — and which ones can wait without raising your audit risk.

Book a 20-min call →See services

Score your HIPAA posture in under ten minutes.

Six domains. Twenty-five honest questions.

Data storage & access

Business Associate Agreements

Staff training

Incident response

Device & network security

Patient rights

Four patterns we see almost every time.

BAAs are the fastest way to fail an audit.

Training without documentation doesn't count.

Personal cloud storage is the silent breach.

The 60-day rule is non-negotiable.

Where most practices actually sit.

Practices with active BAAs

Documented annual refresh

30-day record access

Bring your gap report to a 20-minute call.

Score your HIPAA posture in under ten minutes.

Six domains. Twenty-five honest questions.

Data storage & access

Business Associate Agreements

Staff training

Incident response

Device & network security

Patient rights

Four patterns we see almost every time.

BAAs are the fastest way to fail an audit.

Training without documentation doesn't count.

Personal cloud storage is the silent breach.

The 60-day rule is non-negotiable.

Where most practices actually sit.

Practices with active BAAs

Documented annual refresh

30-day record access

Bring your gap report to a 20-minute call.