Does your organization enforce need to know access across all platforms and data storage?
Does your organization have a data protection policy in place?
Does your organization have and enforce a data retention policy that includes access logs, update logs, etc?
Does your organization provide cyber security training to employees on an annual basis?
Does your organization have a named HIPAA Compliance officer?
Does your organization enforce data encryption on all end points and data storage locations?
Does your organization enforce logging standards and retention?