📋 HIPAA Document Templates
The following templates provide the structural framework for essential HIPAA compliance documents. Each template outlines the required sections and key content areas. These should be customized to the specific organization, reviewed by legal counsel, and approved by the Privacy Officer or Compliance Committee before use.
Business Associate Agreement (BAA) Template
1. Definitions — Define key terms: Business Associate, Covered Entity, PHI, ePHI, Required by Law, Secretary, Security Incident, Breach, Unsecured PHI, Subcontractor
2. Obligations of Business Associate — Specify: not to use or disclose PHI other than as permitted; implement appropriate safeguards; report any security incidents or breaches; ensure subcontractors agree to the same restrictions; make PHI available to individuals exercising their rights; make internal practices available to HHS for compliance audits; return or destroy all PHI at termination
3. Permitted Uses and Disclosures — Define the specific purposes for which the BA is authorized to use and disclose PHI; reference the underlying service agreement; permit uses for proper management and administration of BA; permit disclosures required by law
4. Obligations of Covered Entity — Covered Entity shall: provide notice of any limitations in its NPP that affect BA's use of PHI; notify BA of any restrictions agreed to with individuals; notify BA of any revocations of authorization
5. Term and Termination — Define the agreement term; specify termination provisions for material breach; define obligations upon termination (return or destruction of PHI); specify survival clauses for obligations that continue after termination
6. Breach Notification Requirements — BA shall report breaches to CE without unreasonable delay (maximum 60 days); specify content of breach notification; define cooperation requirements for breach investigation
7. Miscellaneous — Amendment provisions (must amend to comply with regulatory changes); survival clause; interpretation (must be consistent with HIPAA); governing law; entire agreement; counterparts; signatures and dates
Notice of Privacy Practices (NPP) Template
1. Header — THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY. (This exact header language is required by HIPAA.)
2. Our Duties — Describe the organization's legal duties: maintain the privacy of PHI; provide notice of privacy practices; follow the terms of the current notice; notify affected individuals in the event of a breach of unsecured PHI
3. How We May Use and Disclose Your PHI — Treatment (sharing with other providers for your care); Payment (billing your insurance); Healthcare Operations (quality improvement, training, compliance); As Required by Law; Public Health Activities; Abuse or Neglect Reporting; Health Oversight Activities; Judicial Proceedings; Law Enforcement; Decedents; Organ Donation; Research; Serious Threats; Workers' Compensation; Specialized Government Functions; Correctional Institutions
4. Uses Requiring Your Authorization — Psychotherapy notes; Marketing; Sale of PHI; Other uses not described in this notice
5. Your Rights — Access your medical records; Request amendments; Accounting of disclosures; Request restrictions; Request confidential communications; Right to a paper copy of this notice; Right to choose someone to act for you; Right to file a complaint
6. How to Exercise Your Rights — Contact information for the Privacy Officer; Address and phone number; How to file a complaint with HHS OCR
7. Changes to This Notice — Reserve the right to change this notice; New provisions apply to all PHI maintained; Distribution of revised notice
8. Effective Date and Contact Information — Effective date of current notice; Privacy Officer name, address, phone, email
Risk Assessment Report Template
1. Executive Summary — Purpose and scope of the assessment; Methodology used; Key findings summary; Overall risk posture; Top 5 critical recommendations
2. Assessment Methodology — Risk assessment framework used (NIST SP 800-30, HHS SRA Tool, etc.); Scope definition; Data collection methods; Risk calculation methodology; Risk acceptance criteria; Participants and their roles
3. ePHI Asset Inventory — Complete list of systems, applications, databases, and media containing ePHI; Classification by type, criticality, and data volume; Data flow diagrams showing how ePHI moves between systems
4. Threat Analysis — Identified threat sources (natural, human, environmental); Threat events and scenarios; Threat likelihood ratings with justification
5. Vulnerability Analysis — Identified vulnerabilities organized by asset and safeguard category; Vulnerability severity ratings; Evidence (scan results, interview findings, observation notes)
6. Current Controls Assessment — Existing safeguards mapped to HIPAA requirements; Effectiveness ratings for each control; Gap identification for missing or inadequate controls
7. Risk Determination — Risk register with all identified risks; Likelihood and impact ratings for each risk; Overall risk level calculations; Risk prioritization matrix
8. Risk Management Recommendations — Recommended controls and actions for each identified risk; Priority ranking (Critical, High, Medium, Low); Estimated implementation timelines and costs; Responsible parties
9. Appendices — Detailed vulnerability scan results; Interview notes; Policy review findings; Supporting documentation and evidence
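Sections 7 and 8 of the Risk Assessment Report Template call for a risk register with likelihood and impact ratings, an overall risk level calculation, a prioritization matrix, and a Critical/High/Medium/Low ranking. The following is an added example, not part of the template page, showing one way to compute those artifacts from a register. The 1-5 ordinal scales, the score bands that define each level, the rule that only Low risks are acceptable without treatment, and the sample register entries are all assumptions constructed for this example; an organization's own methodology section (template section 2) would define the real scales and acceptance criteria.

```python
"""Risk register scoring: likelihood x impact, level banding, prioritization matrix.
Added example; scales, thresholds and sample data are assumptions, not HIPAA requirements."""
from dataclasses import dataclass, asdict

# Assumed 1-5 ordinal rating scales for threat likelihood and impact.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Score bands (score = likelihood * impact, range 1-25) mapped to the template's
# Critical/High/Medium/Low ranking. Threshold values are an assumption for this example.
LEVEL_BANDS = [(20, "Critical"), (12, "High"), (6, "Medium"), (1, "Low")]

# Assumed risk acceptance criterion: only Low risks may be accepted without treatment.
ACCEPTABLE_LEVELS = {"Low"}


@dataclass(frozen=True)
class Risk:
    """One row of the risk register (asset, threat and vulnerability from sections 3-5)."""
    risk_id: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: str  # a key of LIKELIHOOD
    impact: str      # a key of IMPACT


def risk_score(likelihood: str, impact: str) -> int:
    """Overall risk score; raises KeyError if a rating is not on the defined scale."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_level(score: int) -> str:
    """Map a 1-25 score onto the Critical/High/Medium/Low bands."""
    for threshold, level in LEVEL_BANDS:
        if score >= threshold:
            return level
    raise ValueError(f"score out of range: {score}")


def score_register(risks):
    """Return register rows sorted highest risk first, with score, level and treatment flag."""
    rows = []
    for r in risks:
        score = risk_score(r.likelihood, r.impact)
        level = risk_level(score)
        rows.append({**asdict(r), "score": score, "level": level,
                     "requires_treatment": level not in ACCEPTABLE_LEVELS})
    # Ties on score are broken by likelihood so the more probable risk is listed first.
    rows.sort(key=lambda row: (row["score"], LIKELIHOOD[row["likelihood"]]), reverse=True)
    return rows


def prioritization_matrix(risks):
    """5x5 grid: matrix[likelihood_rating][impact_rating] -> list of risk IDs in that cell."""
    grid = {lk: {im: [] for im in range(1, 6)} for lk in range(1, 6)}
    for r in risks:
        grid[LIKELIHOOD[r.likelihood]][IMPACT[r.impact]].append(r.risk_id)
    return grid


def render_matrix(grid) -> str:
    """Plain-text heat map: highest likelihood on the top row, impact rising left to right."""
    lines = ["L\\I " + " ".join(f"{im:>12}" for im in range(1, 6))]
    for lk in range(5, 0, -1):
        cells = [",".join(grid[lk][im]) or "-" for im in range(1, 6)]
        lines.append(f"{lk:>3} " + " ".join(f"{c:>12}" for c in cells))
    return "\n".join(lines)


# Constructed sample register for illustration only; not findings from any real assessment.
SAMPLE_REGISTER = [
    Risk("R-01", "EHR database server", "Ransomware delivered by phishing",
         "No attachment filtering; workforce phishing training overdue", "likely", "severe"),
    Risk("R-02", "Clinician laptops", "Device theft or loss",
         "Full-disk encryption not enforced", "possible", "major"),
    Risk("R-03", "Billing file share", "Unauthorized insider access",
         "Share permissions granted to an over-broad group", "possible", "moderate"),
    Risk("R-04", "Backup tapes", "Water damage (flood)",
         "Tapes stored in basement without environmental monitoring", "unlikely", "minor"),
]

if __name__ == "__main__":
    for row in score_register(SAMPLE_REGISTER):
        print(f"{row['risk_id']}  {row['level']:<8} score={row['score']:>2}  "
              f"treat={row['requires_treatment']}  {row['asset']}: {row['threat']}")
    print()
    print(render_matrix(prioritization_matrix(SAMPLE_REGISTER)))
```

Running the block lists the register highest risk first (the phishing-to-ransomware entry lands at 20, Critical; the flooded tapes at 4, Low and acceptable) and prints the 5x5 matrix with each risk ID in its likelihood/impact cell, which is the prioritization view section 7 asks for. Keeping the scales and thresholds as named constants makes the risk calculation methodology auditable: a reviewer can check them against section 2 of the report without reading the rest of the code.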
Incident Response Plan Template
1. Purpose and Scope — Define the purpose of the plan; Scope of incidents covered; Relationship to breach notification procedures; Authority and approval
2. Incident Response Team — Team members and roles (Incident Commander, Security Analyst, Legal Counsel, Communications Lead, Privacy Officer); Contact information and escalation procedures; External resources (forensics firm, outside counsel, PR firm); Activation criteria and procedures
3. Incident Classification — Definition of security incident; Severity levels (Critical, High, Medium, Low); Classification criteria and examples; Escalation matrix based on severity
4. Detection and Analysis — Incident detection sources (SIEM alerts, help desk reports, user reports, vendor notifications); Initial analysis procedures; Evidence preservation requirements; Initial containment decision criteria
5. Containment, Eradication, and Recovery — Short-term containment procedures; Evidence collection and preservation; Eradication of threat; System recovery and validation; Return to normal operations
6. Breach Determination — 4-factor risk assessment methodology; Breach vs. non-breach determination criteria; Documentation requirements; Decision authority
7. Notification Procedures — Individual notification procedures and templates; HHS notification procedures (portal submission); Media notification procedures and criteria (500+ affected individuals); State notification requirements (if applicable); Business Associate notification requirements
8. Post-Incident Activities — Lessons learned review; Root cause analysis; Plan and procedure updates; Training updates; Regulatory reporting completion; Documentation and file closure
Workforce Training Program Template
1. Program Overview — Purpose and regulatory basis (45 CFR 164.530(b) and 164.308(a)(5)); Scope (all workforce members); Training philosophy and approach; Program governance and responsibility
2. Training Requirements — New hire training requirements (timing, content, assessment); Annual refresher training requirements; Role-specific training requirements (clinical, IT, billing, management); Remedial training triggers and procedures; Ad hoc training for policy changes or incidents
3. Training Content Outline — Module 1: HIPAA Overview and Organizational Obligations; Module 2: What is PHI and How to Identify It; Module 3: Permitted Uses and Disclosures; Module 4: Patient Rights; Module 5: Security Awareness (passwords, phishing, physical security); Module 6: Organizational Policies and Procedures; Module 7: Incident Reporting; Module 8: Role-Specific Content
4. Delivery Methods — In-person classroom sessions; Online learning modules (LMS); Video-based training; Quick-reference cards and job aids; Phishing simulations; Security awareness posters and communications
5. Assessment and Documentation — Knowledge assessment requirements (passing score, retake policy); Training completion tracking; Documentation retention (6 years minimum); Reporting and metrics; Non-compliance escalation procedures
6. Program Evaluation — Annual program review and update procedures; Training effectiveness metrics; Feedback collection and incorporation; Content currency review
Sanction Policy Template
1. Purpose — Define the purpose: to establish clear, consistent consequences for HIPAA policy violations as required by 45 CFR 164.308(a)(1)(ii)(C) and 164.530(e)
2. Scope — Applies to all workforce members including employees, volunteers, trainees, contractors, and any person under the organization's direct control
3. Violation Categories — Category 1: Unintentional violations (accidental disclosure, failure to follow procedure due to lack of awareness); Category 2: Negligent violations (failure to follow known procedures, failure to complete required training); Category 3: Intentional violations (unauthorized access to records, sharing PHI without authorization); Category 4: Malicious violations (accessing records for personal gain, selling PHI, identity theft)
4. Sanctions by Category — Category 1: Verbal counseling, additional training, documented warning; Category 2: Written warning, mandatory remedial training, performance review impact; Category 3: Suspension, termination, reporting to professional licensing boards; Category 4: Immediate termination, reporting to law enforcement, reporting to OCR
5. Investigation Procedures — Who investigates; Investigation steps; Documentation requirements; Employee rights during investigation; Timeline expectations
6. Appeals Process — How to appeal a sanction; Who reviews appeals; Timeline for appeal decisions; Documentation of appeals
7. Documentation and Reporting — Sanction documentation requirements; Retention requirements (6 years); Reporting to Privacy Officer and Security Officer; Trend analysis for identifying systemic issues
Access Authorization Form Template
1. Requestor Information — Employee name, ID, department, job title, supervisor name, hire/transfer date
2. Access Requested — System(s) to be accessed; Access level (read-only, read-write, admin); Specific modules or data categories; Business justification for access; Duration (permanent, temporary with end date)
3. Approvals — Supervisor approval (signature, date); Information/System Owner approval (signature, date); Security Officer approval (signature, date); Privacy Officer approval (if access involves sensitive PHI categories)
4. IT Provisioning — Date access provisioned; Provisioned by (IT staff name); Access verification (tested and confirmed); Account details (username, not password)
5. Acknowledgment — Employee acknowledgment of: acceptable use policy, minimum necessary standard, audit monitoring, sanctions for misuse; Employee signature and date
6. Termination/Modification — Termination date (if applicable); Reason for modification; Date access revoked/modified; Revoked/modified by; Verification of revocation
Breach Notification Letter Template
1. Date and Addressee — Date of letter; Patient name and mailing address
2. Notification of Breach — Clear statement that a breach of unsecured PHI has occurred; Date of the breach; Date the breach was discovered
3. Description of Breach — Brief description of what happened; How the breach occurred; What information was involved (types of PHI, not actual data)
4. Types of Information Involved — Specific types of PHI that were or may have been compromised (names, SSNs, diagnoses, etc.)
5. Steps Taken — What the organization has done to investigate the breach; What the organization has done to mitigate harm; What the organization is doing to prevent future breaches
6. Steps Individuals Can Take — Recommended actions: monitor credit reports, place fraud alerts, review Explanation of Benefits statements; Information about identity theft protection services being offered (if applicable); How to report suspected identity theft
7. Contact Information — Toll-free number for questions; Mailing address; Email address; Hours of availability; Reference to HHS website for more information about HIPAA rights
8. Closing — Apology and commitment to privacy; Signature of Privacy Officer or senior executive