Free HIPAA compliance plan /
manual builder

Build the HIPAA policies and procedures manual your organization can adopt. Pick the policies you need, from risk analysis to breach notification, and this builder writes the standard language aligned with 45 CFR §164.316 and §164.530. Preview it as you go, then download an editable Word document or PDF. Everything runs in your browser, so no data leaves your device and no sign-up is needed.

Plan details

Organization

Designated officials

Policies to include

Each policy you keep is written into the plan as its own section.

Preview

HIPAA COMPLIANCE PLAN

Policies and Procedures Manual

Organization: [Organization Name]

Type: [Organization Type]

Effective date: [Effective Date]

Purpose and Scope

This HIPAA Compliance Plan documents the administrative, physical, and technical safeguards that [the organization] maintains to protect the privacy and security of protected health information (PHI) under the HIPAA Privacy Rule and Security Rule. It applies to all workforce members, contractors, and business associates who create, receive, maintain, or transmit protected health information on behalf of the organization.

These policies and procedures are adopted as of the effective date shown above. They are maintained in written form, made available to the workforce, and reviewed and updated as the organization's operations, technology, and legal obligations change.

Designated Officials

The organization has designated the following individuals to develop and implement its HIPAA policies and procedures:

Privacy Official: [name of Privacy Official]

Security Official: [name of Security Official]

The Privacy Official is responsible for developing and implementing the organization's privacy policies and procedures, and the Security Official is responsible for the security policies and procedures that protect electronic protected health information. Questions, requests, and complaints regarding protected health information may be directed to these officials.

1. Security Management and Risk Analysis

The organization conducts an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information it creates, receives, maintains, or transmits. Risks identified through this analysis are reduced to a reasonable and appropriate level through a documented risk management process, following 45 CFR 164.308(a)(1).

The risk analysis and the resulting safeguards are reviewed and updated on a regular schedule, and whenever a significant change to the organization's operations, systems, or facilities could affect the security of protected health information.

2. Workforce Security and Training

The organization authorizes access to protected health information only for workforce members whose roles require it, and it applies procedures for granting, reviewing, and removing that access as roles change or employment ends, following 45 CFR 164.308(a)(3).

All workforce members receive security awareness and privacy training when they join and periodically after that, following 45 CFR 164.308(a)(5). Training covers safe handling of protected health information, password and device practices, how to recognize and report a suspected incident, and the sanctions for violating these policies.

3. Access Controls and Minimum Necessary

Systems that hold electronic protected health information enforce unique user identification and permit access only to authorized users, following 45 CFR 164.312(a). Access rights follow the minimum necessary standard, so each workforce member can reach only the information needed to perform their specific job.

Uses and disclosures of protected health information, other than for treatment, are limited to the minimum amount reasonably needed to accomplish the intended purpose, following 45 CFR 164.502(b).

4. Audit Controls and Activity Review

Information systems that contain or use electronic protected health information record activity through audit logs, following 45 CFR 164.312(b). The organization regularly reviews records of system activity, such as audit logs, access reports, and security incident tracking reports, to detect inappropriate access and potential security incidents, following 45 CFR 164.308(a)(1)(ii)(D).

Audit records are retained and protected from alteration so they remain available for review and investigation.

5. Transmission and Storage Security

The organization encrypts electronic protected health information at rest and in transit wherever it is reasonable and appropriate to do so, following 45 CFR 164.312(a)(2)(iv) and 164.312(e). Where encryption is not implemented, the organization documents an equivalent alternative measure that provides reasonable protection.

Protected health information transmitted over open networks, including email and web connections, is protected against unauthorized access using encryption and other technical safeguards.

6. Physical Safeguards

The organization limits physical access to facilities, workstations, and devices that hold protected health information to authorized personnel, following 45 CFR 164.310. This includes facility access controls, workstation use and security policies, and procedures for the secure handling, reuse, and disposal of hardware and electronic media.

Media and devices that have stored protected health information are sanitized or destroyed before disposal or reuse so that the information cannot be recovered.

7. Breach Notification

The organization investigates every suspected or known breach of unsecured protected health information and, when a breach is confirmed, notifies the affected individuals, the Secretary of Health and Human Services, and, where required, the media, within the timeframes set by the HIPAA Breach Notification Rule at 45 CFR 164.400 through 164.414.

The organization keeps a record of breaches and of the risk assessments used to decide whether an impermissible use or disclosure is a reportable breach.

8. Business Associate Agreements

Before sharing protected health information with a vendor or contractor that performs services on the organization's behalf, the organization obtains satisfactory written assurances, in the form of a business associate agreement, that the business associate will appropriately safeguard the information, following 45 CFR 164.308(b) and 164.504(e).

The organization maintains an inventory of its business associates and their agreements, and it reviews those agreements periodically and whenever the services change.

9. Patient Rights: Access, Amendment, and Accounting

The organization honors individuals' rights over their own protected health information, including the right to inspect and obtain a copy of their records under 45 CFR 164.524, the right to request an amendment of inaccurate or incomplete records under 45 CFR 164.526, and the right to receive an accounting of certain disclosures under 45 CFR 164.528.

Requests to exercise these rights are handled through a documented process and within the timeframes required by the HIPAA Privacy Rule.

10. Sanctions and Complaints

The organization applies appropriate sanctions against workforce members who fail to comply with its privacy and security policies and procedures, following 45 CFR 164.530(e). Sanctions are applied consistently and are documented.

Individuals may file a complaint about the organization's privacy practices or its handling of their information. The organization documents complaints and their resolution, and it does not retaliate against anyone for filing a complaint or for exercising their rights.

Documentation and Review

The organization maintains these policies and procedures in written form and retains this documentation, together with records of any required actions, activities, or assessments, for six years from the date it was created or the date it was last in effect, whichever is later, following 45 CFR 164.316(b)(2).

The plan is reviewed periodically and updated as needed to reflect changes in the organization's operations, technology, and legal obligations, following 45 CFR 164.316(b)(2)(iii) and 164.530(i).

Generated by BlockSurvey

How the compliance plan builder works

1

Enter your organization

Add your organization name, type, effective date, and the Privacy and Security Officials in a short guided form.

2

Pick the policies you need

Turn each policy on or off. The plan assembles in real time, with standard HIPAA policy language for every section you keep.

3

Download and adopt

Export a ready-to-adopt PDF or an editable Word file. Nothing you enter ever leaves your device.

Free, secure, and HIPAA-standard by default

Standing up a compliance program should not start with a paywall or a form that ships your details to someone else's server. Every plan this builder produces is written around the documentation requirements of 45 CFR §164.316:

01

100% in-browser

The plan is built on your device; nothing is uploaded.

02

No account required

No sign-up, no email wall, no tracking.

03

Free, real download

The full manual as Word or PDF at no cost, not a watermarked sample.

What a HIPAA policies-and-procedures manual should cover

A solid manual documents the safeguards HIPAA expects and names the people who own them:

  1. Administrative safeguards, including a security risk analysis and risk management process.
  2. Physical safeguards for facilities, workstations, devices, and media disposal.
  3. Technical safeguards such as access controls, audit controls, and encryption.
  4. Breach notification procedures for individuals, HHS, and, where required, the media.
  5. Workforce training and security awareness for everyone who handles health information.
  6. Business associate agreements with every vendor that touches your PHI.
  7. Patient rights to access, amend, and get an accounting of disclosures.
  8. Sanctions for violations and a process for handling complaints.
  9. Documentation kept in writing and retained for six years.

Built For Every Healthcare Organization

Whether you are writing your first policies or standardizing across sites, this builder gives you a solid starting manual. It works alongside HIPAA-compliant survey software when you collect health data through forms.

New practices

Stand up your compliance program from a clean, complete manual.

Business associates

Draft your own policies for the PHI you handle for clients.

Practices prepping for an audit

Have written policies ready for an audit or attestation.

Multi-site groups

Standardize one policy set across every location.

Behavioral health providers

Cover the extra sensitivity of the records you keep.

IT teams & MSPs

Give the clinics you serve a policy set that matches their systems.

Collecting PHI through forms or surveys?

HIPAA-compliant survey software from BlockSurvey signs a BAA with you, so the tool you use to gather health data is covered by your plan too.

More free HIPAA tools

Explore more

Frequently asked questions

What is a HIPAA compliance plan?

A HIPAA compliance plan is the written set of policies and procedures an organization adopts to protect health information under the HIPAA Privacy and Security Rules. It records the administrative, physical, and technical safeguards you have in place, names the people responsible for them, and shows how you handle things like workforce training, access controls, breach notification, and patient rights. HIPAA requires covered entities and business associates to maintain these policies in writing and keep them up to date under 45 CFR 164.316 and 164.530. This builder assembles that document for you from standard policy language.

What should a HIPAA policies and procedures manual include?

At a minimum it should cover your administrative, physical, and technical safeguards; a security risk analysis and risk management process; workforce security and training; access controls and the minimum necessary standard; audit controls and activity review; breach notification; business associate agreements; patient rights to access, amend, and get an accounting of disclosures; sanctions for violations and how complaints are handled; and a contingency plan for backups and disaster recovery. It should also name a Privacy Official and a Security Official. This builder lets you turn each of those policies on or off and writes the standard language for the ones you keep.

How often should we update our HIPAA policies?

Review them at least once a year, and again whenever something material changes, such as new software that touches health data, a move to a new facility, a change in the services you offer, a merger, or a new legal requirement. HIPAA does not set a fixed interval, but it does expect your policies to reflect how you actually operate, and it requires you to keep the documentation for six years from the date it was created or last in effect. Set a recurring review date, record who reviewed the plan and when, and keep the older versions.

Does adopting this plan make us HIPAA compliant?

Writing the policies is a necessary step, but compliance is what you do, not just what you document. You still have to complete a real risk analysis, put the safeguards into practice, train your workforce, sign business associate agreements, and keep records that show you follow the plan. Think of the document this builder produces as the backbone you adopt and then operationalize, not a certificate. Regulators look at whether your practices match your written policies.

Do you store the information I enter?

No. The entire plan is assembled locally in your browser. The organization name, official names, and policy selections you enter are never sent to or stored on any server, which is why no sign-up is required.

Is this a substitute for legal advice?

No. This tool builds a starting-point HIPAA policies and procedures manual aligned with 45 CFR 164.316 and 164.530, but it is not legal advice and is not guaranteed to be complete or suitable for your organization. Your specific services, state law, and the results of your own risk analysis can add requirements. Have the plan reviewed by qualified counsel or a compliance professional and tailored to how your organization actually operates before you adopt it.
Scripts are blocked. This site won’t work properly. If you’re using Brave, click the Shields icon and turn off Block scripts. Otherwise disable your ad blocker for this site.