Free HIPAA compliance plan /
manual builder
Build the HIPAA policies and procedures manual your organization can adopt. Pick the policies you need, from risk analysis to breach notification, and this builder writes the standard language aligned with 45 CFR §164.316 and §164.530. Preview it as you go, then download an editable Word document or PDF. Everything runs in your browser, so no data leaves your device and no sign-up is needed.
Plan details
Organization
Designated officials
Policies to include
Each policy you keep is written into the plan as its own section.
HIPAA COMPLIANCE PLAN
Policies and Procedures Manual
Organization: [Organization Name]
Type: [Organization Type]
Effective date: [Effective Date]
Purpose and Scope
This HIPAA Compliance Plan documents the administrative, physical, and technical safeguards that [the organization] maintains to protect the privacy and security of protected health information (PHI) under the HIPAA Privacy Rule and Security Rule. It applies to all workforce members, contractors, and business associates who create, receive, maintain, or transmit protected health information on behalf of the organization.
These policies and procedures are adopted as of the effective date shown above. They are maintained in written form, made available to the workforce, and reviewed and updated as the organization's operations, technology, and legal obligations change.
Designated Officials
The organization has designated the following individuals to develop and implement its HIPAA policies and procedures:
Privacy Official: [name of Privacy Official]
Security Official: [name of Security Official]
The Privacy Official is responsible for developing and implementing the organization's privacy policies and procedures, and the Security Official is responsible for the security policies and procedures that protect electronic protected health information. Questions, requests, and complaints regarding protected health information may be directed to these officials.
1. Security Management and Risk Analysis
The organization conducts an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information it creates, receives, maintains, or transmits. Risks identified through this analysis are reduced to a reasonable and appropriate level through a documented risk management process, following 45 CFR 164.308(a)(1).
The risk analysis and the resulting safeguards are reviewed and updated on a regular schedule, and whenever a significant change to the organization's operations, systems, or facilities could affect the security of protected health information.
2. Workforce Security and Training
The organization authorizes access to protected health information only for workforce members whose roles require it, and it applies procedures for granting, reviewing, and removing that access as roles change or employment ends, following 45 CFR 164.308(a)(3).
All workforce members receive security awareness and privacy training when they join and periodically after that, following 45 CFR 164.308(a)(5). Training covers safe handling of protected health information, password and device practices, how to recognize and report a suspected incident, and the sanctions for violating these policies.
3. Access Controls and Minimum Necessary
Systems that hold electronic protected health information enforce unique user identification and permit access only to authorized users, following 45 CFR 164.312(a). Access rights follow the minimum necessary standard, so each workforce member can reach only the information needed to perform their specific job.
Uses and disclosures of protected health information, other than for treatment, are limited to the minimum amount reasonably needed to accomplish the intended purpose, following 45 CFR 164.502(b).
4. Audit Controls and Activity Review
Information systems that contain or use electronic protected health information record activity through audit logs, following 45 CFR 164.312(b). The organization regularly reviews records of system activity, such as audit logs, access reports, and security incident tracking reports, to detect inappropriate access and potential security incidents, following 45 CFR 164.308(a)(1)(ii)(D).
Audit records are retained and protected from alteration so they remain available for review and investigation.
5. Transmission and Storage Security
The organization encrypts electronic protected health information at rest and in transit wherever it is reasonable and appropriate to do so, following 45 CFR 164.312(a)(2)(iv) and 164.312(e). Where encryption is not implemented, the organization documents an equivalent alternative measure that provides reasonable protection.
Protected health information transmitted over open networks, including email and web connections, is protected against unauthorized access using encryption and other technical safeguards.
6. Physical Safeguards
The organization limits physical access to facilities, workstations, and devices that hold protected health information to authorized personnel, following 45 CFR 164.310. This includes facility access controls, workstation use and security policies, and procedures for the secure handling, reuse, and disposal of hardware and electronic media.
Media and devices that have stored protected health information are sanitized or destroyed before disposal or reuse so that the information cannot be recovered.
7. Breach Notification
The organization investigates every suspected or known breach of unsecured protected health information and, when a breach is confirmed, notifies the affected individuals, the Secretary of Health and Human Services, and, where required, the media, within the timeframes set by the HIPAA Breach Notification Rule at 45 CFR 164.400 through 164.414.
The organization keeps a record of breaches and of the risk assessments used to decide whether an impermissible use or disclosure is a reportable breach.
8. Business Associate Agreements
Before sharing protected health information with a vendor or contractor that performs services on the organization's behalf, the organization obtains satisfactory written assurances, in the form of a business associate agreement, that the business associate will appropriately safeguard the information, following 45 CFR 164.308(b) and 164.504(e).
The organization maintains an inventory of its business associates and their agreements, and it reviews those agreements periodically and whenever the services change.
9. Patient Rights: Access, Amendment, and Accounting
The organization honors individuals' rights over their own protected health information, including the right to inspect and obtain a copy of their records under 45 CFR 164.524, the right to request an amendment of inaccurate or incomplete records under 45 CFR 164.526, and the right to receive an accounting of certain disclosures under 45 CFR 164.528.
Requests to exercise these rights are handled through a documented process and within the timeframes required by the HIPAA Privacy Rule.
10. Sanctions and Complaints
The organization applies appropriate sanctions against workforce members who fail to comply with its privacy and security policies and procedures, following 45 CFR 164.530(e). Sanctions are applied consistently and are documented.
Individuals may file a complaint about the organization's privacy practices or its handling of their information. The organization documents complaints and their resolution, and it does not retaliate against anyone for filing a complaint or for exercising their rights.
Documentation and Review
The organization maintains these policies and procedures in written form and retains this documentation, together with records of any required actions, activities, or assessments, for six years from the date it was created or the date it was last in effect, whichever is later, following 45 CFR 164.316(b)(2).
The plan is reviewed periodically and updated as needed to reflect changes in the organization's operations, technology, and legal obligations, following 45 CFR 164.316(b)(2)(iii) and 164.530(i).
Generated by BlockSurvey
How the compliance plan builder works
Enter your organization
Add your organization name, type, effective date, and the Privacy and Security Officials in a short guided form.
Pick the policies you need
Turn each policy on or off. The plan assembles in real time, with standard HIPAA policy language for every section you keep.
Download and adopt
Export a ready-to-adopt PDF or an editable Word file. Nothing you enter ever leaves your device.
Free, secure, and HIPAA-standard by default
Standing up a compliance program should not start with a paywall or a form that ships your details to someone else's server. Every plan this builder produces is written around the documentation requirements of 45 CFR §164.316:
100% in-browser
The plan is built on your device; nothing is uploaded.
No account required
No sign-up, no email wall, no tracking.
Free, real download
The full manual as Word or PDF at no cost, not a watermarked sample.
What a HIPAA policies-and-procedures manual should cover
A solid manual documents the safeguards HIPAA expects and names the people who own them:
- Administrative safeguards, including a security risk analysis and risk management process.
- Physical safeguards for facilities, workstations, devices, and media disposal.
- Technical safeguards such as access controls, audit controls, and encryption.
- Breach notification procedures for individuals, HHS, and, where required, the media.
- Workforce training and security awareness for everyone who handles health information.
- Business associate agreements with every vendor that touches your PHI.
- Patient rights to access, amend, and get an accounting of disclosures.
- Sanctions for violations and a process for handling complaints.
- Documentation kept in writing and retained for six years.
Built For Every Healthcare Organization
Whether you are writing your first policies or standardizing across sites, this builder gives you a solid starting manual. It works alongside HIPAA-compliant survey software when you collect health data through forms.
New practices
Stand up your compliance program from a clean, complete manual.
Business associates
Draft your own policies for the PHI you handle for clients.
Practices prepping for an audit
Have written policies ready for an audit or attestation.
Multi-site groups
Standardize one policy set across every location.
Behavioral health providers
Cover the extra sensitivity of the records you keep.
IT teams & MSPs
Give the clinics you serve a policy set that matches their systems.
Collecting PHI through forms or surveys?
HIPAA-compliant survey software from BlockSurvey signs a BAA with you, so the tool you use to gather health data is covered by your plan too.