HIPAA Security Rule compliance reviews are slow by nature. A compliance officer has to read through every security policy, BAA, training record, and procedure document — cross-referencing each one against the 18 addressable and required implementation specifications across Administrative, Physical, and Technical Safeguards. Finding gaps, assessing severity, building a remediation roadmap. For a single policy document that’s 2-3 hours. For a full audit across an organization’s document library it’s days.
Built a workflow that runs a structured HIPAA gap analysis on any compliance document the moment it lands in Drive — two parallel passes, full remediation roadmap in Slack within 20 seconds.
What it does
Compliance document dropped in Drive → two parallel passes (structured extraction + gap analysis against HIPAA Security Rule) → merges results → calculates risk level and compliance score → logs to compliance tracker → posts full assessment to Slack
About 15-20 seconds per document.
Document types it handles
- Security policies
- Business Associate Agreements (BAAs)
- Training records
- Incident logs
- Risk assessments
- Procedures
Two parallel passes
Pass 1 — Structured extraction:
- Document type, organization, date, version
- Last review date and next review date
- Covered entity / business associate identification
- Administrative safeguards — each with implemented status and details
- Physical safeguards — each with implemented status
- Technical safeguards — each with implemented status
- Encryption policy
- Access control policy
- Audit controls
- Breach notification procedure
- Training requirements
- Sanctions policy
- Contingency plan
- Certifications and attestations
Pass 2 — Gap analysis against HIPAA Security Rule:
Evaluates every requirement under:
§164.308 Administrative Safeguards:
Security management process, assigned security responsibility, workforce security, information access management, security awareness training, security incident procedures, contingency plan, evaluation, business associate contracts
§164.310 Physical Safeguards:
Facility access controls, workstation use and security, device and media controls
§164.312 Technical Safeguards:
Access control (unique IDs, emergency access, auto-logoff, encryption), audit controls, integrity controls, person authentication, transmission security
For each requirement: status (Compliant / Gap Identified / Not Addressed / Partial), evidence found, gap description, severity (Critical / High / Medium / Low), and remediation recommendation. Ends with overall compliance score (0-100) and prioritized remediation roadmap.
What lands in Slack
🏥 HIPAA Risk Assessment Complete
Document: Security Policy
Organization: Riverside Medical Group
Version: 3.2
📅 Review Status:
• Document Date: January 15, 2025
• Last Review: January 15, 2025
• Next Review: January 15, 2026
⚠️ Risk Assessment:
• Risk Level: HIGH
• Critical Issues: 1
• High Issues: 4
• Compliance Score: 62%
🛡️ Safeguards:
• Administrative: 8 | Physical: 4 | Technical: 6
• Implemented: 11 / 18
📝 Gap Analysis:
Compliance Score: 62/100
CRITICAL — Transmission Security (§164.312(e)):
No encryption policy for PHI in transit. Policy states
data is transmitted via email without TLS/SSL requirement.
Remediation: Implement end-to-end encryption requirement
for all PHI transmissions immediately.
HIGH — Audit Controls (§164.312(b)):
No logging or monitoring system described for access
to PHI systems. Remediation: Implement audit log
system with 90-day retention and quarterly review.
HIGH — Risk Analysis (§164.308(a)(1)):
Last formal risk analysis not documented. Annual
risk analysis is required. Remediation: Schedule
risk analysis within 30 days.
[continues...]
Remediation Priority:
1. Transmission encryption — IMMEDIATE
2. Audit logging — 30 days
3. Risk analysis documentation — 30 days
4. Workforce termination procedures — 60 days
What lands in Google Sheets
Each row: Document Type, Organization, Document Date, Risk Level, Critical Issues, High Issues, Safeguards Found, Implemented, Compliance Score, Next Review, Processed Date
Filter by Risk Level = Critical or High to see your priority remediation queue. Sort by Compliance Score to track improvement over time across document revisions.
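The merge step between the two passes and the Sheets row is not shown in the post. The following is an added example (not the workflow's own code) of an n8n Code-node-style merge: it counts safeguards from the Pass 1 extraction, tallies finding severities from Pass 2, derives the Risk Level and emits the row in the column order of the tracker. The field names, the risk-level rule and the sample values are assumptions, chosen so the result matches the Slack post above.

```javascript
// Added example (not the workflow's code); field names, the risk rule and the
// sample values are assumptions chosen to reproduce the Slack post above.
const extraction = {            // constructed Pass 1 output
  document_type: "Security Policy", organization: "Riverside Medical Group",
  document_date: "2025-01-15", next_review: "2026-01-15",
  safeguards: {                 // one flag per safeguard, grouped by category
    administrative: [1, 1, 1, 0, 1, 1, 0, 1],
    physical: [1, 0, 0, 1], technical: [1, 0, 0, 1, 0, 1],
  },
};
const gapAnalysis = {           // constructed Pass 2 output
  compliance_score: 62,
  findings: [
    { requirement: "Transmission Security (§164.312(e))", severity: "Critical" },
    { requirement: "Audit Controls (§164.312(b))", severity: "High" },
    { requirement: "Risk Analysis (§164.308(a)(1))", severity: "High" },
    { requirement: "Workforce termination procedures", severity: "High" },
    { requirement: "Information access management", severity: "High" },
  ],
};
// Totals the Security Rule safeguards found and how many are implemented.
function countSafeguards(safeguards) {
  const all = Object.values(safeguards).flat();
  return { found: all.length, implemented: all.filter(Boolean).length };
}
// Tallies findings per severity; unknown severities are ignored.
function countBySeverity(findings) {
  const counts = { Critical: 0, High: 0, Medium: 0, Low: 0 };
  for (const f of findings) if (f.severity in counts) counts[f.severity] += 1;
  return counts;
}
// Assumed rule (the post gives none): one Critical or three High findings is HIGH.
function riskLevel(score, counts) {
  if (counts.Critical >= 2 || score < 50) return "CRITICAL";
  if (counts.Critical >= 1 || counts.High >= 3 || score < 70) return "HIGH";
  if (counts.High >= 1 || score < 85) return "MEDIUM";
  return "LOW";
}
// Builds the tracker row using the Sheet headers from Step 2 as keys.
function buildTrackerRow(ex, gaps, processedDate) {
  const sg = countSafeguards(ex.safeguards), sev = countBySeverity(gaps.findings);
  return {
    "Document Type": ex.document_type, "Organization": ex.organization,
    "Document Date": ex.document_date, "Risk Level": riskLevel(gaps.compliance_score, sev),
    "Critical Issues": sev.Critical, "High Issues": sev.High, "Safeguards Found": sg.found,
    "Implemented": sg.implemented, "Compliance Score": gaps.compliance_score,
    "Next Review": ex.next_review, "Processed Date": processedDate,
  };
}
const row = buildTrackerRow(extraction, gapAnalysis, "2025-01-16"); // n8n: return [{ json: row }];
```

Inside a real Code node the two inputs would come from the parallel PDF Vector branches rather than the constructed objects, and the merged object is what the Google Sheets node appends.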
Setup
You’ll need:
- Google Drive (folder for compliance documents)
- Google Sheets (free)
- n8n instance (self-hosted — compliance docs contain PHI and sensitive organizational data)
- PDF Vector account (~6-8 credits per document for two passes)
- Slack (for compliance team alerts)
About 15 minutes to configure.
Download
Workflow JSON:
Full workflow collection:
Setup Guide
Step 1: Get your PDF Vector API key
Sign up at pdfvector.com — free plan for testing.
Step 2: Create Drive folder and Sheet
Folder: “HIPAA Compliance Docs” — copy folder ID.
Sheet headers:
Document Type | Organization | Document Date | Risk Level | Critical Issues | High Issues | Safeguards Found | Implemented | Compliance Score | Next Review | Processed Date
Step 3: Import and configure
Download JSON → n8n → Import from File.
New Compliance Doc (Drive Trigger):
- Connect Google Drive (OAuth2), paste folder ID
Extract Compliance Data + Gap Analysis:
- Both run in parallel from Download Document
- Add PDF Vector credential to both nodes
Log to Sheets:
- Connect Google Sheets, paste Sheet ID
Send to Slack:
- Connect Slack, select your compliance channel
Accuracy
Tested on hospital security policies, clinic BAAs, and healthcare IT procedure documents.
- Document type, organization, dates: ~97%
- Safeguard identification (present vs absent): ~91%
- Implemented vs not implemented classification: ~87%
- Gap identification for explicit requirements: ~89%
- Gap identification for implied or missing requirements: ~78% — requires the document to be specific enough for absence to be detectable
- Remediation recommendations: practical and aligned with HHS guidance in most cases
This workflow identifies structural gaps in compliance documents. It cannot assess whether documented policies are actually being followed in practice — that requires operational audit work beyond document review.
Cost
~6-8 credits per document. Free tier covers ~12-15 compliance documents per month.
Customizing it
Review date alerts:
Add a scheduled workflow that reads your Sheets tracker weekly and flags any document whose Next Review date is within 30 days.
Track remediation progress:
Add columns for Remediation Status and Remediation Date. Build a companion workflow that re-scans updated policy versions and compares the new compliance score against the previous one.
Multi-document audit:
For a full organizational HIPAA audit, run all policy documents through the folder at once. The Sheets tracker gives you a compliance score per document — average them for an organizational score.
Important note
This workflow performs document-level compliance screening against HIPAA Security Rule requirements. It is not a substitute for a formal HIPAA risk analysis conducted by a qualified compliance professional. Organizations must work with certified HIPAA consultants for official compliance assessments. All compliance documents must be processed on secured, self-hosted n8n infrastructure.
Questions? Drop a comment.
