The Halfway Point Nobody Schedules
Most healthcare practices treat HIPAA compliance as an annual event. The risk analysis gets dusted off when the auditor asks, the training gets assigned in Q1, and the binder sits untouched until something forces it open. The problem with an annual cadence is that twelve months is a long time for a program to drift — new vendors get onboarded without a BAA, an employee leaves without having their access revoked, a server falls behind on patches, and none of it surfaces until the year-end scramble or, worse, an incident.
June is the natural correction point. Half the year is behind you, half is ahead, and the gaps that have accumulated since January are still small enough to close without drama. This is not a full audit — it is a structured 30-minute review designed to find the handful of things that have quietly slipped. Run it this week.
1. Is Your Risk Analysis Still Accurate?
The single most-cited deficiency in OCR enforcement actions is the absence of a current, comprehensive risk analysis. But "current" does not mean "exists" — it means it reflects your organization as it is today. Pull up your most recent risk analysis and ask three questions:
- Have you added systems or vendors since it was written? A new EHR module, a new telehealth platform, a new billing service — each one expands your attack surface and belongs in the analysis.
- Have any of the risks you documented actually been remediated? An analysis that lists the same "high" risks year after year with no movement is evidence that the program is not operating.
- Does it predate your current vendor list? If you cannot map every business associate to a line in your risk analysis, the analysis is stale.
If you have never completed a formal risk analysis, that is the first thing to fix, and you can start this week rather than waiting for a consultant's calendar to open.
2. Did Everyone Actually Complete Training?
Assigning training and completing training are different events. Pull the completion report and look for the workforce members who started in the first half of the year and never finished their onboarding module, the long-tenured staff whose annual renewal lapsed, and the contractors who were never assigned anything. Annual training is the floor, not the program — but the floor has to actually be in place. If your phishing simulation results are trending the wrong way, that is a sign the annual module needs reinforcement, not just re-assignment.
3. Is Every Vendor Covered by a Current BAA?
Every entity that creates, receives, maintains, or transmits PHI on your behalf needs a Business Associate Agreement. The mid-year check is the moment to reconcile two lists: the vendors you are actually paying, and the BAAs you have on file. The gaps are almost always the same — a new SaaS tool a department adopted without telling compliance, a vendor that was acquired and now operates under a different entity, or a "temporary" service that became permanent. A signed BAA is the legal floor; it does not verify the vendor's security, but its absence is an automatic finding.
4. Has Anyone Left Without Losing Access?
Terminated employees and contractors whose credentials still work are one of the cheapest and most preventable breach vectors in healthcare. Compare your HR departures since January against your access revocation records. For each person who left, confirm that EHR access, email, VPN, building access, and any cloud application logins were disabled on or before their last day. If you find even one account that should have been closed and was not, that is exactly the gap attackers look for — and it is the moment to formalize your offboarding access-revocation process so it does not depend on memory.
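One way to make this reconciliation mechanical rather than memory-dependent is to join the HR departures report against each system's account-status export and flag every account that was still enabled on, or disabled after, the person's last day. The script below is an added example, not code from the article; the record shapes, the review date and every person, system and date in it are constructed, and a real run would replace the two lists with exports from HR and from each of the EHR, email, VPN, badge and cloud-app systems.

```python
"""Offboarding reconciliation: flag accounts that stayed enabled past a departed
person's last day. Added example, not code from the original article; the record
shapes and every person, system and date below are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Departure:
    """One row from the HR departures report."""
    person: str
    last_day: date


@dataclass(frozen=True)
class Account:
    """One row from a system's account-status export."""
    person: str
    system: str                   # "ehr", "email", "vpn", "badge", "cloud-app", ...
    disabled_on: Optional[date]   # None means the account is still enabled


# Constructed sample data for the review (not real people or systems).
AS_OF = date(2026, 6, 15)

DEPARTURES = [
    Departure("a.example", date(2026, 2, 13)),
    Departure("b.example", date(2026, 3, 31)),
    Departure("c.example", date(2026, 5, 8)),
    Departure("e.example", date(2026, 4, 2)),   # no account records at all
]

ACCOUNTS = [
    Account("a.example", "ehr", date(2026, 2, 13)),
    Account("a.example", "email", date(2026, 2, 13)),
    Account("a.example", "vpn", None),                # never disabled
    Account("b.example", "ehr", date(2026, 4, 14)),   # disabled two weeks late
    Account("b.example", "email", date(2026, 3, 31)),
    Account("c.example", "ehr", date(2026, 5, 8)),    # clean offboarding
    Account("c.example", "email", date(2026, 5, 8)),
    Account("c.example", "badge", date(2026, 5, 8)),
    Account("d.example", "ehr", None),                # current staff, not a departure
]


def find_revocation_gaps(departures: List[Departure], accounts: List[Account],
                         as_of: date) -> List[dict]:
    """Return one finding per departed person/system whose access outlived the last day.

    kinds: still_enabled (account never disabled), disabled_late (disabled after
    last_day), no_revocation_record (nothing on file to confirm the revocation).
    """
    by_person: Dict[str, List[Account]] = {}
    for acct in accounts:
        by_person.setdefault(acct.person, []).append(acct)

    findings = []
    for dep in departures:
        accts = by_person.get(dep.person, [])
        if not accts:
            findings.append({"person": dep.person, "system": None,
                             "kind": "no_revocation_record", "days_late": None})
            continue
        for acct in accts:
            if acct.disabled_on is None:
                findings.append({"person": dep.person, "system": acct.system,
                                 "kind": "still_enabled",
                                 "days_late": (as_of - dep.last_day).days})
            elif acct.disabled_on > dep.last_day:
                findings.append({"person": dep.person, "system": acct.system,
                                 "kind": "disabled_late",
                                 "days_late": (acct.disabled_on - dep.last_day).days})
    return sorted(findings, key=lambda f: (f["person"], f["system"] or ""))


def run_review() -> List[dict]:
    """Run the reconciliation over the constructed data as of the review date."""
    return find_revocation_gaps(DEPARTURES, ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for f in run_review():
        print(f"{f['kind']:22} {f['person']:12} {f['system'] or '-':8} "
              f"days_late={f['days_late']}")
```

On the constructed data this reports three gaps: a VPN account that was never disabled, an EHR account disabled fourteen days late, and one departure with no account records at all. The third kind matters as much as the first two: an absence of evidence is also a finding when an auditor asks how you know access was revoked.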
5. Are You Patching the Vulnerabilities That Are Actually Being Exploited?
Not all vulnerabilities are equal. CISA's Known Exploited Vulnerabilities (KEV) catalog is the subset of flaws that CISA has confirmed attackers are actively exploiting in the wild. The mid-year check should confirm that anything on the KEV list affecting your environment has been patched. Several 2025–2026 healthcare breaches involved vulnerabilities that had sat on the KEV catalog for more than ninety days at the time of the incident — which means the organization had ample warning and did not act. If you do not have continuous network monitoring that surfaces these for you, June is the time to put it in place.
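The KEV check can be scripted against the JSON feed CISA publishes (at the time of writing, https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json): index the catalog by vendor and product, join it to your asset inventory, drop the entries your patch records show as applied, and flag what remains by how long it has sat on the catalog and whether CISA's own due date has passed. The script below is an added example, not the article's or CISA's code; the catalog excerpt keeps the real feed's field names (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) but its CVE ids, vendors, products and hosts are constructed placeholders, and the inventory format is an assumption.

```python
"""KEV exposure check: match an asset inventory against CISA's Known Exploited
Vulnerabilities feed and flag entries that are unpatched, past CISA's due date, or
older than ninety days on the catalog. Added example, not from the original article;
the catalog excerpt, CVE ids, products and hosts below are constructed placeholders."""
import json
from datetime import date
from typing import List


# Constructed excerpt in the shape of CISA's KEV JSON feed. The field names match the
# published feed; the CVE ids (CVE-0000-*) and vendor/product names are placeholders.
KEV_JSON = """
{
  "title": "constructed KEV excerpt",
  "vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVPN", "product": "Gateway",
     "dateAdded": "2026-01-20", "dueDate": "2026-02-10", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleEHR", "product": "Portal",
     "dateAdded": "2026-05-28", "dueDate": "2026-06-18", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleFax", "product": "Server",
     "dateAdded": "2025-11-03", "dueDate": "2025-11-24", "knownRansomwareCampaignUse": "Known"}
  ]
}
"""

# Constructed inventory (assumed format): host, vendor, product, and the CVE ids your
# patch records show as applied to that host.
ASSETS = [
    {"host": "vpn-gw-01", "vendor": "ExampleVPN", "product": "Gateway", "patched": set()},
    {"host": "ehr-web-01", "vendor": "ExampleEHR", "product": "Portal", "patched": set()},
    {"host": "fax-01", "vendor": "ExampleFax", "product": "Server", "patched": {"CVE-0000-0003"}},
    {"host": "ws-17", "vendor": "ExampleOffice", "product": "Suite", "patched": set()},
]

AS_OF = date(2026, 6, 15)   # constructed review date
STALE_DAYS = 90             # the "more than ninety days on KEV" threshold from the text


def kev_exposure(kev_json: str, assets: List[dict], as_of: date) -> List[dict]:
    """Return unpatched KEV entries that apply to the inventory, longest exposure first."""
    catalog = json.loads(kev_json)["vulnerabilities"]
    # Index KEV entries by normalized (vendor, product). Real inventories need more
    # normalization than lowercasing: the feed's names are free text, not CPE strings.
    by_product = {}
    for entry in catalog:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        by_product.setdefault(key, []).append(entry)

    findings = []
    for asset in assets:
        key = (asset["vendor"].lower(), asset["product"].lower())
        for entry in by_product.get(key, []):
            if entry["cveID"] in asset["patched"]:
                continue   # patch record on file; nothing to flag
            days_on_kev = (as_of - date.fromisoformat(entry["dateAdded"])).days
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "days_on_kev": days_on_kev,
                "over_90_days": days_on_kev > STALE_DAYS,
                "past_due": as_of > date.fromisoformat(entry["dueDate"]),
                "ransomware_use": entry.get("knownRansomwareCampaignUse") == "Known",
            })
    return sorted(findings, key=lambda f: f["days_on_kev"], reverse=True)


def run_review() -> List[dict]:
    """Run the KEV cross-check over the constructed catalog and inventory."""
    return kev_exposure(KEV_JSON, ASSETS, AS_OF)


if __name__ == "__main__":
    for f in run_review():
        status = "OVERDUE" if f["past_due"] else "open"
        print(f"{f['host']:12} {f['cve']:14} {f['days_on_kev']:4}d on KEV  {status}"
              + ("  ransomware" if f["ransomware_use"] else ""))
```

On the constructed data the VPN gateway surfaces first: 146 days on the catalog, past CISA's due date, with known ransomware use, which is exactly the profile the breaches above describe. The EHR portal entry is eighteen days old and not yet due, so it is open but not stale. Matching on vendor and product names is the weak point of any KEV check; treat an empty result with suspicion until you have confirmed your inventory's names line up with the feed's.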
6. Has Your Incident Response Plan Ever Been Tested?
A response plan that has never been exercised is a document, not a plan. The 60-day breach notification clock starts at discovery, and the first 48 hours of an incident are not the time to discover that nobody knows who calls the cyber-insurance carrier or where the offline backups live. A 30-minute tabletop exercise — walk through a ransomware scenario and a stolen-laptop scenario out loud with the people who would actually respond — will reveal more gaps than any document review.
Turning the Check Into a Habit
The mid-year review works because it is short, structured, and scheduled. The practices that stay out of the breach portal are not running heroic annual audits — they are running small, consistent checks that catch drift early. If a 30-minute June review feels useful, formalize it as a recurring rhythm with the quarterly HIPAA mini-audit, which expands this checklist into a repeatable 90-minute session four times a year.
Each of the six items above maps to a question an auditor or a cyber-insurer will eventually ask. Answering them in June, on your own schedule, is dramatically easier than answering them in December under deadline — or after an incident, under investigation.
Call to Action
Want to know exactly where your program stands at the halfway mark? Take our 3-minute readiness quiz to surface your highest-priority gaps, or schedule a walkthrough to see how HIPAA Security Suite keeps risk analysis, training, vendors, and monitoring current in one workspace — so the mid-year check takes minutes, not weeks.