HIPAA Documentation Templates: What You Actually Need to Keep on File
TL;DR
- 45 CFR § 164.316 requires every covered entity and business associate to maintain written policies, procedures, and records of any action, activity, or assessment required by the Security Rule — retained for six years from creation or last effective date, whichever is later.
- The same six-year retention rule applies to Privacy Rule documentation under 45 CFR § 164.530(j).
- A Business Associate Agreement (BAA) is required before any vendor creates, receives, maintains, or transmits PHI on your behalf. The contract must include ten specific provisions enumerated in 45 CFR § 164.504(e).
- A Notice of Privacy Practices must contain mandatory header text and list individual rights as specified in 45 CFR § 164.520; health plans must resend it every three years.
- The HHS-proposed Security Rule update (NPRM published December 2024) would move encryption, MFA, and network segmentation from addressable to required specifications, creating new documentation obligations if finalized.
Who This Is For
This guide is for compliance officers, privacy officers, IT security leads, and operations managers at covered entities and business associates. It covers what the regulations actually require you to document, what each template must include, and where to get free starting points from HHS and NIST. If you are deciding whether to build your documentation program in-house or buy a GRC platform, this is the checklist that defines the minimum scope.
What HIPAA Requires You to Document

Two separate rules drive documentation requirements, and they are not identical.
The Security Rule — 45 CFR § 164.316
Under § 164.316(b), every covered entity and business associate must maintain in written (including electronic) form:
- The policies and procedures implemented to comply with the Security Rule standards.
- Written records of every action, activity, and assessment the Security Rule requires.
Those records must be retained for six years from the date of creation or the date they last were in effect, whichever is later. They must also remain available to the personnel responsible for implementing the procedures, and they must be reviewed and updated in response to changes in your environment or operations.
The Privacy Rule — 45 CFR § 164.530(j)
The Privacy Rule imposes a parallel obligation. Under § 164.530(j), covered entities must maintain policies and procedures in written or electronic form, keep written communications required by the Privacy Rule, and document any action, activity, or designation the rule requires. The same six-year window applies.
What this means in practice. A verbal decision does not count. If you decided not to encrypt a specific backup because it is stored in a locked physical facility, that risk acceptance decision must appear in writing, signed by an authorized owner, with a date. If it is not written down, OCR treats it as if it had never been evaluated.
The 13 Required Security Rule Documentation Areas
The Security Rule's administrative safeguards under 45 CFR § 164.308 name the following areas where documentation is required or where a written implementation decision is expected. Items marked Required are non-negotiable; items marked Addressable must either be implemented or have a written risk-based justification for not implementing them.
| # | Documentation Area | Required or Addressable |
|---|---|---|
| 1 | Security Risk Analysis | Required |
| 2 | Risk Management Plan | Required |
| 3 | Sanction Policy | Required |
| 4 | Information System Activity Review | Required |
| 5 | Assigned Security Responsibility (named official) | Required |
| 6 | Workforce Authorization and Supervision Procedures | Addressable |
| 7 | Workforce Clearance Procedures | Addressable |
| 8 | Termination Procedures | Addressable |
| 9 | Security Incident Response Procedures | Required |
| 10 | Data Backup Plan | Required |
| 11 | Disaster Recovery Plan | Required |
| 12 | Emergency Mode Operation Plan | Required |
| 13 | Business Associate Contracts | Required |
Physical and technical safeguards — device and media controls, workstation use policies, audit controls, encryption, and transmission security — impose additional required documentation under 45 CFR §§ 164.310 and 164.312.
The December 2024 HHS proposed Security Rule update would, if finalized, promote encryption, MFA, and network segmentation from addressable to required. That means organizations currently holding a written "we chose not to implement full-disk encryption" justification would need to eliminate the gap, not just document it.
The Security Risk Analysis: Your Most-Scrutinized Document
OCR cites a missing or inadequate risk analysis in the majority of its enforcement settlements. The risk analysis is required under 45 CFR § 164.308(a)(1), and it must be accurate and thorough in assessing the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
A defensible risk analysis template covers:
- A full inventory of every system, device, application, and workflow that creates, receives, maintains, or transmits ePHI.
- A threat and vulnerability catalog mapped to each asset, specific to your infrastructure — not a generic list.
- A likelihood and impact rating for each risk, using a consistent scoring method.
- The selected control or a written acceptance decision for residual risk.
- A named owner and target remediation date for open items.
- A version history showing the document has been reviewed after significant environmental changes and at least annually.
HHS and ONC jointly publish the Security Risk Assessment Tool, a free downloadable application designed for small and mid-sized organizations. It structures the analysis, prompts for required fields, and produces a report you can attach to your compliance file. It is not a substitute for populating it with your actual systems and vendors.
NIST SP 800-66 Revision 2, the HIPAA Security Rule implementation guide, contains appendices that map Security Rule standards to specific control and documentation requirements. Its tables are a useful cross-check once your risk analysis draft is complete.
The 10 Core Policy Documents Every Entity Needs

Beyond the risk analysis, your documentation program needs the following written policies and procedures. This is the minimum set that covers both the Security Rule and Privacy Rule obligations.
1. Information Security Policy
Covers purpose, scope, roles (Privacy Officer, Security Officer, workforce members), and the governing principles for how PHI is handled. Every other policy references this one. Keep it under 10 pages; workforce members do not read longer versions.
2. Access Control and User Management Policy
Documents role-based access groups and what PHI each role may access, the new-user provisioning workflow, quarterly access review with named sign-off, immediate revocation procedures for separations, unique user ID requirements, and password standards. Under the proposed 2024 Security Rule NPRM, multi-factor authentication procedures would also be required here.
3. Security Incident Response Policy
Defines event vs. incident vs. breach, specifies detection and escalation paths, covers containment, eradication, recovery, and evidence preservation. 45 CFR § 164.308(a)(6) requires you to identify and respond to suspected or known security incidents, mitigate harmful effects, and document incidents and their outcomes.
4. Breach Notification Procedure
Layers the HIPAA-specific timelines onto your incident response policy. Individual notification is required within 60 days of discovery. HHS notification for breaches affecting 500 or more individuals is required without unreasonable delay and in any case no later than 60 days. Media notification applies to breaches affecting 500 or more individuals in a state or jurisdiction. Business associates must notify the covered entity without unreasonable delay and within 60 days. All of this is in 45 CFR §§ 164.400-414.
5. Workforce Training Policy and Log
Training is required for every workforce member, at hire and after material policy or system changes (45 CFR § 164.308(a)(5)). Your log must record employee name and role, training topic and content version, date completed, acknowledgment or score, and manager verification. The log is one of the first things OCR requests in an investigation.
6. Sanction Policy
45 CFR § 164.308(a)(1) requires a written sanction policy covering the consequences of workforce violations. Include progressive discipline steps, immediately terminable offenses, and the documentation trail required when sanctions are applied. Keep this document consistent with your HR policies.
7. Device and Media Controls Policy
Covers full-disk encryption requirements for laptops and mobile devices, secure disposal procedures with certificates of destruction, media tracking for removable storage, offboarding checklists, and BYOD remote-wipe capability. Required under 45 CFR § 164.310(d).
8. Audit Log Review Policy
45 CFR § 164.312(b) requires hardware, software, and procedural mechanisms to record and examine activity in systems containing ePHI. Your policy must identify which systems are in scope, which events are logged, the review frequency, the reviewer role, and what triggers escalation. A monthly checklist with an actual signature is more defensible than a system-generated report no one reviewed.
9. Contingency Plan
Required under 45 CFR § 164.308(a)(7), the contingency plan must include a data backup plan, disaster recovery plan, and emergency mode operation plan as required specifications. Testing and revision procedures and a criticality analysis are addressable. At minimum, document backup frequency, storage location and encryption, recovery time and recovery point objectives, emergency access procedures, and annual test results.
10. Business Associate Management Policy
Documents how you identify, contract with, and monitor business associates. Links to your BAA template and specifies the review cycle for existing agreements. See the BAA section below.
Business Associate Agreement Essentials
A BAA is required whenever a vendor will create, receive, maintain, or transmit PHI on your behalf. 45 CFR § 164.504(e) specifies ten obligations the BAA must impose on the business associate. Any BAA that omits these provisions is non-compliant, regardless of how thorough it otherwise appears:
- Permitted uses only. The business associate may not use or disclose PHI outside what the contract permits or what law requires.
- Appropriate safeguards. The business associate must implement safeguards for electronic PHI under the Security Rule.
- Breach reporting. The business associate must report any unauthorized use, disclosure, or breach of unsecured PHI.
- Subcontractor flow-down. Subcontractors that handle PHI must sign equivalent agreements with the business associate.
- Individual access support. The business associate must make PHI available for patient access requests.
- Amendment support. The business associate must accommodate authorized amendment requests.
- Disclosure accounting. The business associate must provide information enabling the covered entity to produce disclosure accountings.
- Compliance support. When performing covered entity obligations, the business associate must comply with applicable HIPAA requirements.
- Audit access. Internal practices and records must be available for HHS compliance reviews.
- Return or destruction at termination. The business associate must return or destroy all PHI on termination, or if return is infeasible, limit further use and protect what remains.
The contract must also authorize the covered entity to terminate if the business associate materially violates contract terms.
HHS publishes sample BAA provisions you can adapt. Most organizations need legal review before executing BAAs because indemnification and limitation of liability clauses carry commercial risk that varies by deal size. Have counsel review at least your standard BAA template before deploying it.
One gap that appears frequently in audits: the subcontractor flow-down clause exists in the BAA but the covered entity has no process for verifying that the business associate actually executed agreements with its subcontractors. Your business associate management policy should require attestation or a contract summary from each BA confirming downstream agreements are in place.
Notice of Privacy Practices
Only covered entities with direct patient relationships are required to issue a Notice of Privacy Practices (NPP). Business associates are not. Under 45 CFR § 164.520, the NPP must include:
Mandatory header, displayed prominently:
"THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."
Uses and disclosures. Describe treatment, payment, and healthcare operations uses with at least one example of each. Note any uses requiring written authorization, and any that are prohibited under § 164.502(a)(5)(iii).
Individual rights. The NPP must explain how patients can exercise the right to: request use/disclosure restrictions; receive confidential communications; inspect and copy PHI; request amendments; obtain a disclosure accounting; and get a paper copy of the notice.
Covered entity duties. State that the entity is legally required to maintain PHI privacy, provide notice and breach notifications, and is bound by the current notice terms. Note that practices may be revised with advance notice.
Contact information. Name and phone number for the Privacy Officer or designated contact.
Effective date.
Distribution rules. Healthcare providers with direct patient relationships must provide the NPP at or before first service delivery, make good-faith efforts to obtain written acknowledgment, and post it conspicuously at service delivery sites. Health plans must provide the NPP to enrollees at enrollment and notify all enrollees every three years that the notice is available. Any material revision requires updated posting on the website and inclusion in the next annual mailing to enrollees (or within 60 days if the entity has no website).
The NPP must be written in plain language. Keep a copy of every revision and all signed acknowledgments in your compliance file — both fall under the six-year retention rule.
Retention: Six Years Is the Floor, Not the Ceiling

Both 45 CFR § 164.316(b)(2) and 45 CFR § 164.530(j) set the same minimum: retain documentation for six years from the date of creation or the date it last was in effect, whichever is later.
"Last was in effect" is the part organizations miss. If you updated your access control policy in 2024, the 2019 version it replaced is not released from retention until 2030 (six years from 2024, when the 2019 version last applied). Your version archive needs to be structured to preserve prior versions with their effective date ranges, not just the current version.
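The 2019/2024/2030 scenario above, carried into a small version archive as an added example (not the page's own code and not from HHS or any GRC product): each version of a document records its effective date range, the superseded date is derived from the successor's effective date, and the release date is six years from the later of the creation date and the last-in-effect date, while a version still in effect has no release date at all. The class name, field names, and sample versions are constructed assumptions for this illustration.

```python
"""Retention release dates for a HIPAA policy version archive (added example).

Rule applied (45 CFR 164.316(b)(2) / 164.530(j)): retain each document
version for six years from the later of its creation date and the date it
last was in effect. A version that is still in effect has no release date.
Class, field names and sample values are constructed for this example.
"""
from dataclasses import dataclass, replace
from datetime import date
from typing import List, Optional

RETENTION_YEARS = 6


@dataclass(frozen=True)
class PolicyVersion:
    doc_id: str
    version: str
    created: date                         # date the version was authored/approved
    effective_from: date                  # date it took effect
    effective_to: Optional[date] = None   # superseded on this date; None = current


def add_years(d: date, years: int) -> date:
    """Advance a date by whole years; Feb 29 falls back to Feb 28 in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def link_versions(versions: List[PolicyVersion]) -> List[PolicyVersion]:
    """Order the versions of one document and derive each version's effective_to
    from its successor's effective_from, so the archive keeps date ranges
    rather than a lone current copy."""
    ordered = sorted(versions, key=lambda v: v.effective_from)
    linked = []
    for i, v in enumerate(ordered):
        end = ordered[i + 1].effective_from if i + 1 < len(ordered) else None
        linked.append(replace(v, effective_to=end))
    return linked


def retention_release_date(v: PolicyVersion) -> Optional[date]:
    """Earliest date the version may leave retention, or None if still in effect.
    'Whichever is later' of creation and last-in-effect is taken literally via max()."""
    if v.effective_to is None:
        return None
    return add_years(max(v.created, v.effective_to), RETENTION_YEARS)


def purgeable(v: PolicyVersion, today: date) -> bool:
    """True once the release date has been reached (assumption: the release day itself counts)."""
    release = retention_release_date(v)
    return release is not None and today >= release


# Constructed sample: the scenario from the text, a 2019 access control policy
# replaced in 2024. The replaced version stays in retention until 2030.
SAMPLE_VERSIONS = [
    PolicyVersion("POL-AC", "2.0", date(2024, 5, 20), date(2024, 6, 15)),
    PolicyVersion("POL-AC", "1.0", date(2019, 3, 1), date(2019, 3, 1)),
]


def retention_schedule(versions: List[PolicyVersion]) -> List[tuple]:
    """Rows of (version, effective_from, effective_to, release_date) for the compliance file."""
    return [
        (v.version, v.effective_from, v.effective_to, retention_release_date(v))
        for v in link_versions(versions)
    ]


if __name__ == "__main__":
    for row in retention_schedule(SAMPLE_VERSIONS):
        print(row)   # ('1.0', 2019-03-01, 2024-06-15, 2030-06-15) then ('2.0', 2024-06-15, None, None)
```

The point of deriving effective_to from the successor rather than storing it by hand is that the archive cannot end up with a superseded version whose end date was never filled in; the release date for every prior version follows from the dates you already record when you publish the next one.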
State laws may extend this period. California's CMIA and several state breach notification statutes impose retention periods for medical records and breach-related documentation that can exceed six years. Check state requirements for the jurisdictions where you operate.
Cyber insurance carriers increasingly audit documentation retention as part of renewal. Carriers that write healthcare-sector policies commonly request evidence that policies were last reviewed within 12 months and that training logs cover the current year.
Free Sources Worth Using
Rather than listing turnaround hours (which vary too widely by organization size and systems complexity to be useful), here is what each free source actually gives you:
HHS Security Risk Assessment Tool — A structured desktop application co-developed with ONC. Walks through required risk analysis fields and generates a report. Best for organizations with fewer systems and no existing GRC platform.
NIST SP 800-66 Revision 2 — The HIPAA Security Rule implementation guide. Its appendices map each Security Rule standard to control requirements, making it a reliable cross-check for policy coverage.
HHS Sample BAA Provisions — HHS-published starting language for the ten required BAA provisions. Requires legal review before use.
45 CFR Parts 160 and 164 (via Cornell Legal Information Institute) — The actual regulatory text. When there is a conflict between a template and the regulation, the regulation controls.
State AG breach notification guides — California, New York, and Texas publish jurisdiction-specific guidance on notification obligations that layer on top of HIPAA's federal floor.
Skip "free HIPAA toolkit" downloads from vendor lead magnets unless you intend to use that vendor's platform. These templates are typically structured around the vendor's product workflow and may reflect outdated regulatory text.
How to Customize a Template
The difference between a template and a policy is specificity. A policy describes what your organization actually does. Generic templates leave every meaningful field blank. Here is the minimum customization sequence:
- Replace all placeholders (organization name, Privacy Officer name, Security Officer name) with your actual values.
- Strike any sections that genuinely do not apply to your environment and add a brief written explanation of why in the document header. Do not delete them silently.
- Cross-reference the document against your actual systems. If the template says "EHR system," name yours.
- Assign a named document owner and a review frequency — at minimum annually, or after any system change, vendor change, workforce restructuring, incident, or regulatory update.
- Have one person who was not the author read the document and flag anything they find unclear.
- Save with a version number, effective date, and approving officer signature or electronic acknowledgment.
Any of these steps left out leaves you with a form, not a policy.
Documentation Failures That Appear Repeatedly in Audits
OCR resolution agreements are public record and describe the violations cited. Across those agreements, certain failures appear consistently:
No version history. Without a change log, you cannot demonstrate that the document was reviewed after a triggering event. OCR treats an undated, unsigned policy as if it had never been evaluated.
Policies that do not describe actual operations. A policy that says "PHI is encrypted at rest" when the actual backup system stores unencrypted files is worse than no policy — it creates a direct contradiction that OCR can cite as evidence of negligence.
BAAs without subcontractor flow-down enforcement. The clause exists in the BAA but there is no process to verify the business associate actually executed downstream agreements. Your BA management policy must close this gap.
Risk analyses that omit SaaS tools and mobile devices. If a system holds PHI and is not in the ePHI inventory, it is not in the risk analysis. Cloud tools added between annual reviews are the most commonly missed systems.
Training logs stored informally. If you cannot produce a signed training log within minutes, you effectively cannot produce one under time pressure. Centralize these records in your compliance file, not in an HR folder that changes hands with staff turnover.
Sanctions policy inconsistent with HR policy. OCR checks whether the sanctions your HIPAA policy describes match what HR actually does. Contradictions create a compliance gap even if neither document is wrong on its own.
Mini-FAQ
Are templates legally sufficient on their own?
No. A template is a structure, not compliance. To be defensible, a template must be customized to your specific systems, workforce, vendors, and workflows, approved by an authorized officer, and maintained through periodic review. OCR evaluates whether the documentation reflects reality.
How often should documentation be reviewed?
At minimum annually, as required under 45 CFR § 164.316(b)(2)(iii). In practice, trigger a review any time you add a system handling PHI, change vendors, restructure your workforce, experience a security incident, or see a relevant regulatory change. Document the date and reviewer for each review.
Do business associates need the same documentation as covered entities?
Business associates are required to comply with the HIPAA Security Rule in full and significant portions of the Breach Notification Rule. That means risk analysis, written policies, training logs, incident response procedures, and BAAs with subcontractors are all required. The Notice of Privacy Practices is the primary documentation obligation that applies to covered entities but not to business associates.
What is the difference between a HIPAA policy and a HIPAA procedure?
A policy states the rule: "All PHI must be encrypted at rest." A procedure describes how the rule is carried out: "The IT team enables full-disk encryption on all laptops during provisioning, verifies encryption status during quarterly device audits, and logs any exceptions in the remediation tracker." Auditors expect both, and enforcement cases frequently turn on missing procedures, not missing policies.
Can I use a free template without legal review?
For most policies, yes, provided you customize them to your organization. For BAAs and sanctions policies, legal review is strongly recommended. BAAs contain indemnification and limitation of liability terms that carry commercial and legal risk beyond regulatory compliance. Sanctions policies touch employment law obligations that vary by jurisdiction.
What does the December 2024 proposed Security Rule update change about documentation?
The NPRM (Docket No. HHS-OCR-0945-AA22) proposes moving several addressable specifications to required, including encryption of ePHI at rest and in transit, multi-factor authentication, and network segmentation controls. If finalized, organizations holding written risk-based justifications for not implementing these controls would need to eliminate the gaps rather than document them. The NPRM also proposes new requirements for technology asset inventories and network maps, which would require new documented procedures for keeping those inventories current. Final rulemaking has not been completed as of this writing.
Sources used
- 45 CFR § 164.316 — accessed 2026-05-12
- 45 CFR § 164.530(j) — accessed 2026-05-12
- Business Associate Agreement (BAA) — accessed 2026-05-12
- 45 CFR § 164.520 — accessed 2026-05-12
- 45 CFR § 164.308 — accessed 2026-05-12
- 45 CFR §§ 164.310 and 164.312 — accessed 2026-05-12
- Security Risk Assessment Tool — accessed 2026-05-12
- NIST SP 800-66 Revision 2 — accessed 2026-05-12
- 45 CFR §§ 164.400-414 — accessed 2026-05-12
- HHS sample BAA provisions — accessed 2026-05-12
- 45 CFR Parts 160 and 164 — accessed 2026-05-12
Last reviewed: 2026-05-12. This article was prepared by the Security Compliance Guide Editorial Team. We use AI to draft initial summaries of publicly available cybersecurity compliance documentation, then verify every claim against primary sources before publication. We are not licensed auditors, attorneys, or compliance consultants. For binding decisions, consult a qualified professional. See our editorial standards for full sourcing rules.
