HIPAA Compliance Documents
Complete HIPAA documentation for covered entities and business associates. Security Rule policies, Privacy Rule procedures, and breach notification templates.
2025 Update: Our templates reflect the proposed HIPAA Security Rule changes (January 2025), including mandatory encryption and enhanced breach reporting.
Who Needs HIPAA Compliance?
Covered Entities
- Healthcare providers (doctors, hospitals, clinics)
- Health plans (insurers, HMOs)
- Healthcare clearinghouses
Business Associates
- SaaS vendors handling PHI
- IT service providers
- Cloud hosting with PHI
- Billing/claims processors
- EHR/EMR vendors
HIPAA Rules Overview
Privacy Rule (45 CFR 164 Subpart E)
Governs how PHI may be used and disclosed, and establishes patient rights over their health information.
Security Rule (45 CFR 164 Subpart C)
Administrative, physical, and technical safeguards for ePHI.
Breach Notification Rule
Requirements for notifying individuals, HHS, and media of breaches.
2025 Security Rule Updates (Proposed)
Proposed changes (January 2025) including mandatory encryption, enhanced documentation, and stricter timelines.
HIPAA Document Library
Security Rule, Privacy Rule, and operational compliance documents.
Security Rule Documents (Required)
- HIPAA Security Policies (§164.316): Complete security policy suite covering all Security Rule requirements
- Risk Analysis Template (§164.308(a)(1)(ii)(A)): PHI risk assessment methodology and documentation
- Risk Management Plan (§164.308(a)(1)(ii)(B)): Risk mitigation strategies and treatment
- Workforce Security Procedure (§164.308(a)(3)): Hiring, termination, access management
- Information Access Management (§164.308(a)(4)): Access authorization and establishment
- Security Awareness Training (§164.308(a)(5)): Training program and documentation
- Security Incident Procedures (§164.308(a)(6)): Incident identification and response
- Contingency Plan (§164.308(a)(7)): Emergency operations and data backup
- Facility Access Controls (§164.310(a)(1)): Physical access safeguards
- Workstation Security (§164.310(b)-(c)): Workstation use and physical safeguards
- Device/Media Controls (§164.310(d)(1)): Media disposal and re-use
- Access Control (Technical) (§164.312(a)(1)): Unique IDs, emergency access, encryption
- Audit Controls (§164.312(b)): Audit logging and monitoring
- Transmission Security (§164.312(e)(1)): Encryption and integrity controls
Business Associate Documents
- Business Associate Agreement (BAA) (§164.504(e)): Required contract between covered entity and business associate
- Subcontractor BAA (§164.504(e)(2)): For business associates engaging subcontractors with PHI access
- BA Security Attestation (due diligence): Questionnaire for BA compliance verification
Breach Notification & Privacy Documents
- Breach Notification Procedure (§164.400-414): Breach discovery, risk assessment, notification templates
- Notice of Privacy Practices (§164.520): Required patient notice (covered entities)
- Minimum Necessary Policy (§164.502(b)): Limiting PHI use and disclosure
HIPAA Documentation Retention
HIPAA requires documentation to be retained for 6 years from the date of its creation or the date when it was last in effect, whichever is later (45 CFR §164.530(j)).
- Policies and procedures: 6 years from last effective date
- Training records: 6 years from training date
- Risk assessments: 6 years from assessment date
- BAAs: 6 years after relationship ends
HIPAA Document Packages
Business Associate Starter
Essential BA Documents
- BAA Template
- Core Security Policies
- Risk Analysis Template
- Breach Notification Procedure
Full HIPAA Pack
All 18 Documents
- All Security Rule policies
- BAA templates (2)
- Risk analysis suite
- Breach procedures
- Training documentation
Add: Risk Analysis Only
Risk Focus
- Risk Analysis Template
- Risk Management Plan
- PHI Inventory Template
Need HIPAA compliance documentation?
Get compliant with our complete HIPAA document package, updated for 2025.