Free HIPAA attestation form
& audit log generator

Document your HIPAA program in minutes. Generate a training attestation form or an access audit log with language aligned with HIPAA's training and audit-control requirements (45 CFR §164.530(b) and §164.312(b)). Fill in a short form, preview it as you type, then download it as an editable Word document or PDF. Everything runs locally in your browser, so no data leaves your device and no sign-up is needed.

Document details

Employee

Training

Attestation statements

Signature

Preview

HIPAA TRAINING ATTESTATION

This form documents that the individual named below has completed the required HIPAA training and acknowledges [Organization Name]'s privacy and security policies.

Employee

Name: [Employee Name]

Title: [Title]

Organization: [Organization Name]

Training

Training completed: Annual HIPAA Privacy & Security Training

Date completed: [Date]

Attestation

(a) I have completed the HIPAA privacy and security training identified above.

(b) I have read and understand [Organization Name]'s HIPAA privacy and security policies and procedures.

(c) I understand that I may access, use, or disclose protected health information only as permitted by my role and the minimum necessary standard.

(d) I will report any suspected privacy or security incident, unauthorized access, or breach to the appropriate person without delay.

(e) I understand that failure to comply with HIPAA and these policies may result in disciplinary action, up to and including termination, and may carry civil or criminal penalties.

Signature

By signing below, I confirm that the statements above are true.

Employee: [Employee Name] Title: [Title]

Signature: _______________________ Date: [Date]

Generated by BlockSurvey

How the attestation & audit log generator works

1

Choose and fill in

Pick a training attestation form or an access audit log, then fill in the details in a short guided form.

2

Review the live preview

Watch the document assemble in real time as you type, including audit-log rows you add.

3

Download and file

Export a PDF or an editable Word file for your records. Nothing you enter ever leaves your device.

Free, secure, and HIPAA-standard by default

Most compliance-document tools send your details to their servers or lock the real download behind a paywall. This one is different, and both documents reflect HIPAA's audit-control requirement at 45 CFR §164.312(b):

01

100% in-browser

The document is built on your device; nothing is uploaded.

02

No account required

No sign-up, no email wall, no tracking.

03

Free, real download

The complete document as Word or PDF at no cost, not a watermarked sample.

What an access audit log entry should capture

  1. The date and time of access.
  2. Who accessed the record, including the user and their role.
  3. Which record or patient was accessed.
  4. The action taken: view, edit, print, export, or disclose.
  5. The purpose or reason for the access.

Built For Every Healthcare Organization

Good documentation is what lets you show a policy was followed. This tool produces clean attestation and audit records quickly, and it works with HIPAA-compliant survey software when you collect health data through forms.

Compliance & privacy officers

Assemble the documentation your program needs, fast.

Practice managers

Handle everyday HIPAA paperwork without the legal bill.

Solo practitioners

Stay compliant even without a compliance department.

Healthcare IT & security teams

Back your safeguards with the right records.

HR & operations

Onboard staff with the HIPAA documents you must keep on file.

Legal & risk teams

Start from a solid template and tailor it to your situation.

Collecting PHI through forms or surveys?

HIPAA-compliant survey software from BlockSurvey signs a BAA with you, so the tool you use to gather health data is covered too.

More free HIPAA tools

Explore more

Frequently asked questions

Does HIPAA require training attestation forms?

HIPAA requires you to train all workforce members on your privacy and security policies (45 CFR 164.530(b) and 164.308(a)(5)) and to document that the training happened. A signed attestation form is the common way to create that documentation: it records who was trained, on what, and when, and captures the employee's acknowledgment of your policies. Keep completed attestations for at least six years, the HIPAA record-retention period.

Does HIPAA require audit logs?

Yes. The Security Rule requires audit controls that record and examine activity in systems containing electronic PHI (45 CFR 164.312(b)), and a regular review of information system activity (45 CFR 164.308(a)(1)(ii)(D)). Most electronic health record systems generate access logs automatically. This tool helps you produce a clean, human-readable access log for reviews, investigations, or documentation when you need to record entries manually.

What should an access audit log capture?

At a minimum, each entry should show the date and time of access, who accessed the record (user and role), which record or patient was accessed, what action was taken (view, edit, print, export, or disclose), and the purpose or reason. A consistent log makes it far easier to spot inappropriate access and to respond to a patient's request for an accounting of disclosures.

How long should we keep these records?

HIPAA requires covered entities to retain required documentation for six years from the date it was created or last in effect, whichever is later (45 CFR 164.316(b)(2)). That covers training attestations and the policies and logs that support your security program. Some states set longer retention periods, so check your state rules as well.

Do you store the information I enter?

No. Both documents are assembled locally in your browser. Employee names, log entries, and everything else you type are never sent to or stored on any server, which is why no sign-up is required.

Is this a substitute for legal advice?

No. This tool generates starting-point documents aligned with HIPAA's training and audit-control requirements, but it is not legal advice and is not guaranteed to be complete or suitable for your specific situation. Your policies, systems, and state law may add requirements. Have your compliance or legal team review these documents before you rely on them.
Scripts are blocked. This site won’t work properly. If you’re using Brave, click the Shields icon and turn off Block scripts. Otherwise disable your ad blocker for this site.