What We Ask During a Compliance Assessment
Walking into a compliance assessment can feel intimidating if you do not know what to expect. At Black Lab Solutions, we believe transparency builds trust. This page walks you through the categories of questions we cover during our assessment sessions so you can prepare your team and gather relevant documentation ahead of time.
Our assessment is conversational, not adversarial. We are not auditors looking to penalize you. We are your partners, working to understand where you stand today and what needs to happen to get you where you need to be.
Governance and Policy
Strong compliance starts with governance. We need to understand who is responsible for security in your organization, what policies exist, and how they are maintained. Without clear ownership and documented policies, even the best technical controls can fall short during a regulatory review.
- Do you have a documented information security policy? We want to see if there is a written policy that defines your organization's approach to protecting sensitive data, and whether staff know where to find it.
- Who is your designated Security Officer and Privacy Officer? HIPAA requires named individuals in these roles. We need to confirm they are assigned and understand their responsibilities.
- How often do you review and update your security policies? Policies that have not been reviewed in years do not reflect your current environment and will not hold up under scrutiny.
- Do you have a documented change management process? Changes to systems, software, and configurations should follow a structured process to avoid introducing vulnerabilities.
Access Controls
Controlling who can access sensitive data and systems is fundamental to every compliance framework. This section examines both your technical controls and your administrative processes around access management.
- How do you provision and deprovision user accounts? We look at whether there is a formal process for granting access when someone joins and revoking it immediately when they leave.
- Is Multi-Factor Authentication enabled on all critical systems? MFA is one of the most effective controls against unauthorized access and is increasingly expected by regulators and cyber insurance providers.
- Do you follow the principle of least privilege? Users should only have access to the data and systems they need to perform their job functions, nothing more.
- When was the last time you conducted an access review? Permissions accumulate over time. Regular reviews catch users who have more access than they should.
Data Protection
Protecting ePHI and other sensitive data requires controls at every stage: when data is stored, when it is transmitted, and when it is no longer needed. We assess whether appropriate safeguards are in place throughout the data lifecycle.
- Is ePHI encrypted at rest and in transit? We check for full-disk encryption on endpoints, database encryption on servers, and TLS/VPN usage for data in motion.
- What is your data backup strategy and how often do you test restores? Backups that have never been tested are not reliable backups. We want to know the frequency, retention period, and last successful test.
- Do you have a data classification policy? Not all data is equally sensitive. Classification helps ensure the right level of protection is applied to the right data.
- How do you handle data disposal? Hard drives, paper records, and cloud storage all require documented destruction procedures when data is no longer needed.
Network Security
Your network is the highway that connects all your systems and data. We need to understand its architecture and the controls protecting it from external and internal threats.
- Do you have a current network diagram? An up-to-date diagram shows us where ePHI flows and helps identify potential exposure points.
- Is your network segmented to isolate sensitive systems? Flat networks allow an attacker who compromises one device to reach everything. Segmentation limits the blast radius.
- What firewall and intrusion detection systems are in place? We evaluate whether perimeter and internal defenses are configured, monitored, and regularly updated.
- How do remote workers connect to your network? With remote and hybrid work common in healthcare, secure remote access is a critical control.
Incident Response
Every organization will face a security incident eventually. What matters is how quickly you detect it, how effectively you respond, and whether you can meet regulatory notification requirements.
- Do you have a written Incident Response Plan? We look for a documented plan that defines roles, communication channels, containment steps, and recovery procedures.
- Have you tested your Incident Response Plan in the past year? A plan that has never been tested is a plan that will fail when you need it. Tabletop exercises count.
- Do you know whom to contact in the event of a breach? This includes legal counsel, your cyber insurance carrier, HHS (for HIPAA breaches), and affected individuals.
Vendor Management
Your compliance posture is only as strong as your weakest vendor. If a business associate mishandles your patients' data, your organization shares the liability. We assess how you evaluate and manage third-party risk.
- Do you maintain an inventory of all vendors who access or handle ePHI? Many organizations underestimate how many vendors touch their data, from EHR providers to shredding companies.
- Are signed Business Associate Agreements in place with every applicable vendor? BAAs are a legal requirement under HIPAA, not just a best practice.
- Do you evaluate vendor security practices before engaging them? We look for a vendor risk assessment process, even a simple questionnaire.
- How do you monitor vendor compliance on an ongoing basis? A BAA signed three years ago does not guarantee the vendor is still meeting its obligations today.
This is not an exhaustive list. Depending on your organization's size, specialty, and regulatory requirements, we may go deeper in certain areas. The goal is always the same: give you a clear, prioritized picture of where you stand and what to do next.
