Since 2003, the HHS Office for Civil Rights has collected over $150 million in HIPAA penalties, and that number keeps climbing. In 2023 alone, a single healthcare network paid $4.75 million to settle one investigation.
The uncomfortable truth is that most of those fines did not happen because an organisation was careless about patient care. They happened because no one had developed a proper HIPAA compliance plan.
A HIPAA compliance plan is a documented framework that outlines exactly how protected health information (PHI) must be handled, who is responsible for what, what happens when something goes wrong, and how the organisation stays audit-ready year-round.
It is not a single policy document. It is not a checkbox exercise. It is the operational backbone of how a healthcare organisation or any business that touches PHI stays on the right side of federal law.
Every covered entity and business associate is legally required to have one. That includes hospitals, physician practices, dental offices, health insurers, billing companies, software vendors handling ePHI, and anyone else who creates, receives, maintains, or transmits protected health information.
This guide covers everything you need to build yours from scratch:
- What a HIPAA compliance plan is (and what it is not).
- Why you need one: the financial and legal stakes.
- The HIPAA Security Rule explained.
- The 7 essential components of an effective plan.
- A practical template framework.
- Real-world examples by organisation size.
- Common mistakes that lead to costly violations.
- An FAQ section targeting the questions compliance officers ask most often.
What is a HIPAA Compliance Plan?

A HIPAA compliance plan is a formal, written document or set of documents that describes how an organisation will meet its obligations under the Health Insurance Portability and Accountability Act. It covers the policies, procedures, roles, training requirements, risk management processes, and incident response procedures that keep PHI protected and the organisation legally compliant.
The regulatory basis is §164.530 of the HIPAA Administrative Requirements, which mandates that covered entities designate a Privacy Official, implement written policies and procedures, train the workforce, and establish a process for addressing violations. The HIPAA Security Rule (45 CFR Part 164, Subparts A and C) extends these obligations specifically to electronic protected health information (ePHI).
Three terms often get confused when it comes to compliance. Let’s clarify them:
Compliance plan: The specific, written document outlining how your organization will comply with HIPAA. This is the roadmap.
Compliance program: The broader ongoing effort: the staff, tools, processes, and culture that execute the plan. The plan is the document; the program is the operation.
Compliance policy: An individual rule or procedure within the plan (e.g., your password policy, your breach notification policy). Policies are components of a plan, not the plan itself.
The person responsible for creating and maintaining the plan is the designated Privacy Official or Compliance Officer, a role required under §164.530(a). In a solo physician practice, that might be the physician or practice manager wearing multiple hats. In a large health system, it is a dedicated executive with a team.
One thing every organization needs to understand from the start: a HIPAA compliance plan is a living document. Creating it once and filing it away is not compliance. It must be reviewed, tested, and updated regularly and specifically after any incident, regulatory change, or significant change to your operations.
Important: A HIPAA compliance plan is mandatory for covered entities and business associates. It is a legal requirement under HIPAA’s Administrative Requirements. Absence of a plan is itself a finding during an OCR audit.
Why You Need to Develop a HIPAA Compliance Plan
Some organizations treat HIPAA compliance as a box to check. Those who have been through an OCR investigation never make that mistake twice. Here is what is actually at stake.
The Financial Penalties Are Tiered and Serious
HIPAA civil monetary penalties are structured across four tiers based on culpability:
These figures reflect HHS 2023 inflation adjustments. The cap applies per violation category per year, meaning multiple violation categories in one investigation can stack. The $4.75 million settlement mentioned in the introduction involved multiple categories of violations occurring simultaneously.
Beyond Fines: Breach Notification Costs and Reputational Damage

The HHS OCR breach portal lists every incident affecting 500 or more individuals. These are public records. When a covered entity or business associate appears on that list, patients, partners, payers, and the press all see it. For healthcare providers competing for patients and for software vendors selling into health systems, a public breach record is a material commercial problem, not just a compliance issue.
The average cost of a healthcare data breach in the US was $10.93 million in 2023, according to IBM’s Cost of a Data Breach Report. That includes investigation costs, notification costs, credit monitoring for affected patients, legal fees, and remediation, none of which HIPAA fines cover separately.
OCR Audits and Investigations
The OCR conducts both reactive investigations (triggered by complaints and reported breaches) and proactive audits. During an audit, the first thing they ask for is your compliance documentation. If you cannot produce a current, implemented compliance plan, written policies, training records, and a risk assessment, the investigation goes deeper and faster.
A well-maintained compliance plan is your first line of defence in any regulatory interaction. It demonstrates that you took your obligations seriously, that you have processes in place, and that any HIPAA violation was an exception, not a symptom of systemic neglect.
Building Patient Trust
Patients are increasingly aware of how their health data is handled. Organizations that can demonstrate a genuine, documented commitment to data protection, not just a legal minimum, build stronger patient relationships and face less friction in data-sharing partnerships with other providers, payers, and technology vendors.
Pro Tip: If your organization has not had a formal HIPAA risk assessment in the past 12 months, that alone is a Tier 3 or Tier 4 violation risk. The Security Rule requires annual risk analysis under §164.308(a)(1). Do not wait for an OCR complaint to discover this gap.
Understanding the HIPAA Security Rule

Before building your compliance plan, you need a clear picture of what the HIPAA Security Rule requires because the plan must address all of it.
The HIPAA Security Rule was enacted in 2003 and became effective for most covered entities in April 2005. It establishes national standards for protecting electronic protected health information (ePHI): any PHI that is created, received, maintained, or transmitted in electronic form.
The Security Rule applies to covered entities and their business associates. If you handle ePHI in any capacity, the Security Rule applies to you.
The Three Categories of Safeguards
The Security Rule organizes its requirements into three categories:
Administrative Safeguards: These are the policies, procedures, and management processes that govern the handling of ePHI. They include the mandatory annual risk analysis, workforce training requirements, access management policies, and incident response procedures. Administrative safeguards make up the largest portion of the Security Rule requirements.
Physical Safeguards: These govern physical access to systems and facilities that contain ePHI. They include facility access controls, workstation use policies, device and media controls, and procedures for equipment disposal.
Technical Safeguards: These are the technology-based controls that protect ePHI in transit and at rest. They include encryption, access controls (unique user IDs, automatic log-off), audit controls (logs of who accessed what data and when), and integrity controls to ensure ePHI has not been improperly altered.
What Are the Two Key Components of HIPAA?

HIPAA’s two primary rules that every compliance plan must address are:
The Privacy Rule governs the use and disclosure of PHI in all forms (oral, written, electronic). It establishes patients’ rights over their health information and limits how covered entities can use it without patient authorization.
The Security Rule specifically governs ePHI and requires the administrative, physical, and technical safeguards described above.
A compliance plan that only addresses one of these two rules is incomplete. Both must be covered, and both have distinct requirements.
HIPAA Network Requirements

For organizations handling ePHI over networks, the Security Rule requires:
- Encryption of ePHI in transit (email, file transfers, web portals)
- Encryption of ePHI at rest on servers, devices, and portable media
- Access controls with unique user authentication
- Audit logs recording system access and activity
- Automatic log-off for workstations that access ePHI
These are not optional technical enhancements. They are required by the Security Rule’s technical safeguard provisions.
Pro Tip: “Addressable” does not mean optional under the HIPAA Security Rule. When a safeguard is listed as “addressable,” it means you must either implement it or document a written justification for why an equivalent alternative is in place. Many organizations mistakenly treat addressable requirements as voluntary, which creates audit vulnerabilities.
Building your HIPAA compliance program and not sure where to start? ComplyJet helps healthcare organizations and business associates build HIPAA-ready compliance programs with expert support and audit-ready documentation. Book a free consultation.
The 7 Essential Components of a HIPAA Compliance Plan

These seven components align with the HHS OIG General Compliance Program Guidance and constitute the minimum structure for any effective HIPAA compliance plan. Each one is a required element, not a recommendation.
1. Written Policies and Procedures
Written policies are the foundation on which everything else is built. Without them, there is no consistent standard to train staff on, enforce against, or audit compliance with. Your policies need to exist, be up to date, and be accessible to the people responsible for following them.
At a minimum, your written documentation should include:
- A code of conduct establishing the organization’s commitment to HIPAA compliance.
- A Privacy Rule policy covering permitted uses and disclosures of PHI.
- A Security Rule policy covering administrative, physical, and technical safeguards.
- A Breach Notification policy outlining the steps required when a breach is suspected or confirmed.
- Policies for workforce access to PHI and ePHI (role-based access, minimum necessary standard).
- A Business Associate policy covering how BAAs are executed and monitored.
Policies must be reviewed and updated at least annually, and whenever there is a material change in operations, systems, or regulatory requirements. A policy written in 2019 and never touched since is a liability, not a protection.
2. Compliance Leadership and Oversight
HIPAA requires every covered entity to designate a Privacy Official under §164.530(a). The Security Rule requires a Security Officer under §164.308(a)(2). In practice, many organizations combine these into a single Compliance Officer role, provided that the person has the authority, resources, and time to fulfil both functions.
The Compliance Officer’s job is not just to create policies. They are responsible for running the compliance program day-to-day: conducting or overseeing risk assessments, managing training, investigating potential violations, maintaining documentation, and staying current on regulatory changes.
For larger organizations, a Compliance Committee including representatives from legal, IT, clinical operations, and HR provides oversight and distributes responsibility across the business. Board-level oversight is also expected under HHS OIG guidance: the board should receive regular compliance reports and ensure the Compliance Officer has the independence and budget to do the job properly.
3. HIPAA Training and Education
Every member of your workforce who has access to PHI or ePHI must receive HIPAA training. That is not a best practice; it is a legal requirement under §164.530(b) of the Privacy Rule and §164.308(a)(5) of the Security Rule.
The minimum standard is annual training for all members of the workforce. But annual training alone is not sufficient for many roles. Your training program should also include:
- Role-specific training: Clinical staff need to understand patient rights and minimum necessary disclosures. IT staff need to understand technical safeguard requirements. Front desk staff need to understand verification procedures and the risks of incidental disclosure. One generic training module for everyone does not meet this requirement.
- New hire training: All new employees should complete HIPAA training before or immediately upon gaining access to PHI.
- Documented completion: Training records must be maintained. If you cannot prove an employee received training, it effectively did not happen for compliance purposes.
- Condition of employment: Per HHS OIG guidance, HIPAA training completion should be a mandatory condition of employment or continued engagement.
4. Open Communication and Reporting Channels
Staff who witness or suspect a HIPAA violation need a clear, safe way to report it. If the only option is telling their direct supervisor, who may be involved in the issue, most violations go unreported until they become breaches. Your compliance plan must establish:
- An anonymous reporting mechanism (a hotline, a secure online form, or a dedicated email address) where staff can report concerns without fear of identification.
- A written non-retaliation policy protecting anyone who raises a compliance concern in good faith.
- A disclosure log maintained by the Compliance Officer to track all reported concerns, investigations, and outcomes.
- Regular communication from leadership, reinforcing that compliance questions and concerns are welcome.
This is the feedback loop that keeps small problems from becoming large violations.
5. Enforcement: Consequences and Incentives
A compliance policy with no enforcement mechanism is just a suggestion. Your plan must include a clear disciplinary process for HIPAA violations, and it must be applied consistently at every level of the organization, from the front desk to the C-suite.
The disciplinary framework should:
- Define categories of violations and the corresponding disciplinary actions (verbal warning, written warning, suspension, termination).
- Be documented in writing and communicated to all workforce members.
- Apply equally regardless of seniority; inconsistent enforcement is itself a compliance risk.
- Include a process for determining whether a violation was accidental, the result of inadequate training, or the result of willful conduct, because the response should differ.
On the positive side, consider incentives for strong compliance performance, recognising staff who report concerns, complete training early, or demonstrate good data handling practices. Culture is built through both consequences and recognition.
6. Risk Assessment, Auditing, and Monitoring
The annual risk analysis is one of the most-cited missing elements in OCR investigations. It is required under §164.308(a)(1) of the Security Rule, and its absence is treated as a Tier 3 or Tier 4 violation.
A proper risk analysis involves:
- Identifying all systems, devices, and locations where ePHI is created, received, maintained, or transmitted.
- Identifying the threats and vulnerabilities that could affect ePHI confidentiality, integrity, or availability.
- Assessing the likelihood and impact of each threat/vulnerability combination.
- Documenting current controls and their effectiveness.
- Prioritising risks and developing a risk management plan.
Risk analysis and risk management are separate obligations. The analysis identifies the risks. The risk management plan documents what you are going to do about them — and the timeline.
Between annual assessments, ongoing monitoring is required. This includes reviewing audit logs, monitoring access patterns for anomalies, conducting spot-check audits of policy compliance, and scanning for new vulnerabilities as your technology environment changes.
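The ongoing monitoring step described above, as an added example that is not from the original page: a Python spot-check over constructed EHR audit records that flags access outside a role's permitted record types (minimum necessary), after-hours access by roles that only work daytime, and bulk access to many patients' records in a short window. The role matrix, business hours and thresholds are assumptions chosen for the example; the Security Rule requires audit controls and review, not these specific values.

```python
"""Audit-log spot check for ePHI access (added example, not from the original page).

Parses constructed EHR audit records and flags the patterns an ongoing monitoring
review is meant to surface: access outside the role's permitted record types,
after-hours access by daytime-only roles, and bulk record access. The role
matrix, hours and thresholds below are assumptions, not HIPAA-prescribed values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed role-based access matrix: which record types each role may open.
ROLE_PERMITTED = {
    "physician": {"clinical_note", "lab_result", "medication", "demographics"},
    "nurse": {"clinical_note", "lab_result", "medication", "demographics"},
    "billing": {"demographics", "claim"},
    "front_desk": {"demographics", "appointment"},
}
# Assumed: roles expected to touch ePHI only during business hours.
DAYTIME_ONLY_ROLES = {"billing", "front_desk"}
BUSINESS_HOURS = (7, 19)          # 07:00 to 19:00 local time (assumption)
BULK_THRESHOLD = 5                # distinct patients per window (assumption)
BULK_WINDOW = timedelta(hours=1)

# Constructed audit records: "timestamp|user|role|patient_id|record_type|action"
SAMPLE_LOG = """\
2024-03-04T09:12:10|dr.patel|physician|P1001|clinical_note|read
2024-03-04T09:15:42|dr.patel|physician|P1001|lab_result|read
2024-03-04T10:02:05|j.moore|billing|P1002|claim|read
2024-03-04T10:03:17|j.moore|billing|P1002|clinical_note|read
2024-03-04T23:41:00|a.lee|front_desk|P1003|demographics|read
2024-03-04T14:00:01|t.nguyen|nurse|P2001|clinical_note|read
2024-03-04T14:01:30|t.nguyen|nurse|P2002|clinical_note|read
2024-03-04T14:02:45|t.nguyen|nurse|P2003|clinical_note|read
2024-03-04T14:04:10|t.nguyen|nurse|P2004|clinical_note|read
2024-03-04T14:05:55|t.nguyen|nurse|P2005|clinical_note|read
2024-03-04T14:07:20|t.nguyen|nurse|P2006|clinical_note|read
"""


def parse_log(text):
    """Turn pipe-delimited audit lines into event dicts with parsed timestamps."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, rtype, action = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                       "patient": patient, "record_type": rtype, "action": action})
    return events


def review_access(events):
    """Return a list of findings; each is a dict with 'check', 'user' and 'detail'."""
    findings = []
    # Check 1: minimum-necessary / role-based access.
    # Check 2: after-hours access by roles that should not be working nights.
    for e in events:
        if e["record_type"] not in ROLE_PERMITTED.get(e["role"], set()):
            findings.append({"check": "role_violation", "user": e["user"],
                             "detail": f"{e['role']} opened {e['record_type']} for {e['patient']}"})
        in_hours = BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]
        if e["role"] in DAYTIME_ONLY_ROLES and not in_hours:
            findings.append({"check": "after_hours", "user": e["user"],
                             "detail": f"access at {e['ts'].isoformat()}"})
    # Check 3: bulk access, i.e. many distinct patients per user inside a sliding window.
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        window = []
        for e in evs:
            window.append(e)
            while e["ts"] - window[0]["ts"] > BULK_WINDOW:
                window.pop(0)
            distinct = {w["patient"] for w in window}
            if len(distinct) > BULK_THRESHOLD:
                findings.append({"check": "bulk_access", "user": user,
                                 "detail": f"{len(distinct)} patients within {BULK_WINDOW}"})
                break  # one finding per user is enough to queue a reviewer follow-up
    return findings


if __name__ == "__main__":
    for f in review_access(parse_log(SAMPLE_LOG)):
        print(f"[{f['check']}] {f['user']}: {f['detail']}")
```

Each finding is a lead for the Compliance Officer to investigate and log, not a determination that a violation occurred.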
7. Corrective Action and Incident Response
When something goes wrong (a potential breach is reported, a policy violation is discovered, an unauthorised access event is detected), your plan must describe exactly what happens next. Improvising the response to a HIPAA incident in real time is how small problems become large fines.
Your corrective action and incident response framework should include:
- A defined process for investigating reported violations or suspected breaches
- Clear decision criteria for determining whether an incident meets the HIPAA definition of a breach
- Breach notification procedures: notifying affected individuals within 60 days of discovery, notifying HHS, and (for breaches affecting 500+ individuals in a state) notifying prominent media outlets in that state
- Root cause analysis to determine what failed and why
- Remediation steps to prevent recurrence
- Documentation of the full investigation and outcome
Every incident, including those that are investigated and determined not to be a breach, must be documented. That documentation demonstrates due diligence should the same incident type resurface in a broader investigation.
Pro Tip: The 60-day breach notification deadline runs from the date of discovery, not the date the breach occurred. Organizations that sit on a potential breach while waiting for investigation results often find themselves in violation of the Breach Notification Rule before the investigation concludes. Start the notification process early, and update as facts become clear.
HIPAA Compliance Plan Template: Key Elements to Include

No two organizations have identical compliance plans, and they should not. A solo physician practice and a regional health system both need a plan, but the complexity, staffing, and technology controls differ significantly. What every plan needs is the same core structure.
Here is a template framework you can adapt to your organization:
Section 1: Organizational Information and Scope - Organization name, type (covered entity or business associate), locations, the types of PHI/ePHI handled, and the systems and technologies used.
Section 2: Compliance Officer and Committee - Name and contact details of the designated Privacy Official and Security Officer. If there is a Compliance Committee, list its members and their roles. Include escalation paths for compliance questions and incidents.
Section 3: PHI Inventory and Data Flow Map - A current inventory of where PHI and ePHI exist in the organization: systems, databases, devices, paper files, and third-party processors. Include how PHI moves: who sends what to whom, in what format, under what authority.
Section 4: Risk Assessment Summary - Date of last risk analysis, key risks identified, risk ratings, and status of risk management actions. This should be updated annually and after significant changes.
Section 5: Written Policies Index - A list of all active policies with their effective dates and scheduled review dates. Include links or file paths to the policy documents themselves.
Section 6: Training Schedule and Log - A schedule of required training (initial, annual, role-specific), a log of completed training by employee, with dates and confirmation of completion.
Section 7: Business Associate Agreement Tracker - A list of all active Business Associate Agreements: vendor name, effective date, renewal date, scope of PHI access, and location of the signed BAA document.
Section 8: Incident Log and Response Procedure - A running log of all reported compliance concerns and incidents. For each: date reported, nature of the concern, investigation steps taken, determination (breach/not a breach), and resolution.
Section 9: Annual Review Checklist - A checklist confirming that all plan elements have been reviewed, tested, and updated within the past 12 months. Sign-off from the Compliance Officer and relevant leadership.
Templates must be customized to reflect your organization’s actual size, systems, and processing activities. A template that does not match your real operations is not a compliance plan; it is a document that will create problems during an audit.
Pro Tip: Store your compliance plan and all associated documentation in a centralized, access-controlled location, not in an individual’s personal drive. During an OCR audit or investigation, you need to produce documents quickly and completely. If the only copy of your risk assessment lives in a departed employee’s email folder, that is a problem you do not want to discover under pressure.
HIPAA Compliance Plan Example: Small Practice vs. Large Health System
The structure of a HIPAA compliance plan is the same regardless of organization size. What changes is the complexity, staffing, and technology.
Small Practice Example: Solo Physician Office

A solo family medicine practice with five staff members handles PHI daily through an EHR, a billing system, and phone communications with patients.
- Compliance Officer: The practice manager serves as the Privacy Official and Security Officer; there is no dedicated compliance department.
- Policies: A focused set of policies covering patient record access, front desk verification, EHR access controls, and breach response. Less than 20 pages total.
- Training: Annual online HIPAA training for all five staff, with completion certificates saved in a shared folder. New hires complete training before accessing the EHR.
- Risk Assessment: Annual review conducted by the practice manager using an HHS-provided risk assessment tool, documented in a spreadsheet.
- BAAs: Active BAAs in place with the EHR vendor, the billing company, and the answering service.
- Technology: EHR with role-based access controls and automatic log-off. Encrypted email for patient communications. No personally owned devices are used for patient data.
Large Health System Example: Regional Medical Center

A regional health system with 3,000 employees, multiple facilities, and hundreds of vendor relationships operates in an entirely different environment.
- Compliance Officer: A dedicated VP of Compliance supported by a Compliance Committee including the CISO, General Counsel, CMO, and HR Director. Compliance analysts handle day-to-day monitoring.
- Policies: A comprehensive policy library of 80+ documents, version-controlled and published on the intranet. Policy review assignments are distributed across departments.
- Training: Annual system-wide HIPAA training via a learning management system (LMS) with automated reminders and completion tracking. Separate role-based modules for clinical staff, IT security teams, and administrative staff. Training tied to performance reviews.
- Risk Assessment: Annual enterprise risk analysis conducted by a third-party assessor, supplemented by quarterly internal monitoring reviews and continuous SIEM-based log monitoring.
- BAAs: A dedicated BAA management system tracking hundreds of active vendor agreements, with automated renewal alerts.
- Technology: Enterprise EHR with comprehensive audit logging, SIEM integration, data loss prevention (DLP) tools, encrypted email, mobile device management (MDM) for BYOD devices, and automated access reviews.
Key takeaway: The same seven components apply to both. The solo practice’s plan can be documented in a binder. The health system’s plan spans multiple systems and dozens of people. The obligation is the same; only the implementation scales.
Looking for a compliance platform that scales with your organization? ComplyJet supports healthcare organizations and business associates with HIPAA compliance management, automated risk assessments, and audit-ready documentation.
Start your free trial!
What is the Key to Success for HIPAA Compliance?

The organizations that avoid OCR trouble are not necessarily the ones with the largest compliance budgets. They are the ones that treat compliance as an ongoing operational discipline, not an annual paperwork exercise.
Here is what genuinely separates effective HIPAA compliance from performative compliance:
Leadership sets the tone: When executives and clinical leaders take HIPAA seriously, referring to compliance policies in decision-making, supporting the Compliance Officer’s recommendations, and holding themselves accountable to the same standards as everyone else, the rest of the organization follows. When leadership treats compliance as the compliance team’s problem, violations accumulate.
Continuous monitoring, not annual snapshots: A risk assessment that happens once a year and then sits on a shelf is not risk management. Effective compliance programs monitor continuously: reviewing access logs, tracking training completion, auditing policy adherence, and scanning for new vulnerabilities as technology and business operations evolve.
Training that sticks: Annual online training is the legal minimum, not the compliance ideal. The best programs supplement annual training with regular communications, real-world scenario discussions, and role-specific refreshers. Employees who understand why HIPAA matters, not just what the rules say, make better decisions in ambiguous situations.
Technology that supports compliance: Manual processes break under pressure. HIPAA Compliance management software, automated training platforms, secure EHR systems, encrypted communications, and automated BAA tracking reduce both the burden and the error rate. The time savings in an audit or investigation alone justify the investment.
Staying current on regulatory changes: HHS OCR updates enforcement priorities, issues new guidance, and adjusts civil monetary penalty amounts over time. Organizations that do not actively monitor these changes find their compliance programs drifting out of alignment with current expectations. Assign someone the responsibility of tracking and communicating regulatory updates.
Pro Tip: After any HIPAA incident, even one that is investigated and found not to be a reportable breach, review your compliance plan for the gap that allowed it to occur. The best compliance programs treat near-misses as free lessons. Organizations that ignore near-misses tend to escalate to actual breaches.
8 Common HIPAA Compliance Mistakes to Avoid

These are the errors that recur in OCR investigations and enforcement actions. Most are avoidable with proper planning.
1. Treating compliance as a one-time event: Creating a compliance plan in year one and never revisiting it is one of the most common and most dangerous mistakes. HIPAA compliance is an ongoing program, not a project with an end date.
2. No formal, documented risk assessment: The Security Rule requires an annual risk analysis. Organizations that skip it, or conduct an informal assessment without documentation, have created a direct path to Tier 3 or Tier 4 penalties.
3. Missing Business Associate Agreements: Every vendor, contractor, or third party that creates, receives, maintains, or transmits PHI on your behalf needs a signed BAA before they access any PHI. Missing BAAs are cited in a significant proportion of OCR enforcement actions. Audit your vendor list and close the gaps.
4. Generic training that does not address roles: One size does not fit all in HIPAA training. A clinical staff member handling patient records faces different risks than an IT administrator managing server access. Role-based training is not optional; it is a requirement.
5. Ignoring BYOD (Bring Your Own Device) risks: Personal smartphones and laptops used for work, without formal policies and technical controls, are among the most common sources of PHI exposure. If your workforce uses personal devices for any work-related communications or access, you need a documented BYOD policy and appropriate technical controls.
6. Not updating policies after a breach or near-miss: A breach is painful enough. Experiencing the same type of breach twice because the root cause was never addressed is both avoidable and difficult to explain to OCR. Every incident should trigger a review of policies and procedures.
7. Failing to document investigations and outcomes: Even when an investigation concludes that no reportable breach occurred, the investigation itself must be documented. OCR expects to see that you investigated properly, made a defensible determination, and recorded the outcome.
8. Underestimating business associate risk: Your compliance obligations do not end at your organization’s perimeter. If a business associate suffers a breach involving your patients’ PHI, you may face regulatory scrutiny too, particularly if your BAA was absent or inadequate, or if you failed to exercise appropriate oversight of the BA’s compliance posture.
Frequently Asked Questions
What is a HIPAA compliance plan?
A HIPAA compliance plan is a documented framework that outlines how an organization will meet its legal obligations under HIPAA. It covers written policies, designated compliance leadership, workforce training, risk assessment, incident response, and corrective action procedures, and must be maintained as a living document, not created once and filed away.
How many components are in an effective HIPAA compliance plan?
Seven: written policies and procedures, compliance leadership and oversight, HIPAA training and education, open communication and reporting channels, enforcement through consequences and incentives, risk assessment and monitoring, and corrective action and incident response.
What are the two key components of HIPAA?
The HIPAA Privacy Rule, which governs how PHI can be used and disclosed and establishes patient rights, and the Security Rule, which sets administrative, physical, and technical safeguard requirements for electronic protected health information (ePHI).
Who needs a HIPAA compliance plan?
All covered entities (health plans, healthcare providers, and healthcare clearinghouses) and all business associates that create, receive, maintain, or transmit PHI on behalf of a covered entity. This includes software vendors, billing companies, IT service providers, and any other third party with access to PHI.
What does the HIPAA Security Rule cover?
The HIPAA Security Rule protects electronic protected health information (ePHI) through three categories of safeguards: administrative safeguards (policies, training, risk management), physical safeguards (facility and device controls), and technical safeguards (encryption, access controls, audit logs).
How often should a HIPAA compliance plan be updated?
At a minimum, annually. Additionally, after any significant incident, data breach, change in operations or technology, or relevant update to HHS guidance or OCR enforcement priorities. A plan that has not been reviewed in over a year is not a current compliance plan.
Do small medical practices need a HIPAA compliance plan?
Yes. HIPAA applies to all covered entities regardless of size. A solo physician practice has the same legal obligations as a hospital system; the implementation complexity differs, but the obligation does not. Smaller practices are frequently targeted in OCR investigations triggered by patient complaints.
Conclusion
A HIPAA compliance plan is not a bureaucratic burden. It is the structure that protects your patients, your staff, and your organization when something goes wrong, and something always eventually does.
The seven components work together: policies set the standards to follow, leadership ensures they are followed, training ensures staff understand why, communication channels surface problems early, enforcement makes the standards real, risk assessment identifies gaps before they become breaches, and corrective action closes them when they appear.
Build the plan before you need it. Review it at least annually. Test it with real scenarios. Update it after every incident. And make sure every person in your organization knows that protecting patient information is not someone else’s job; it is everyone’s.
Ready to build a HIPAA compliance program that holds up under audit?
ComplyJet helps healthcare organizations and business associates build complete, audit-ready compliance programs from risk assessments and policy libraries to training tracking and BAA management. Book a free demo





