HIPAA Documentation Checklist for Small Practices
A practical list of every HIPAA artifact a small medical, dental, or behavioral health practice should have on file — what it is, why it matters, and what "good" looks like.

Administrative documentation

| Artifact | What "good" looks like |
|---|---|
| Current Security Risk Analysis | Scoped, dated within the last 12 months, with findings and risk rankings. |
| Risk Management / Remediation Plan | Each finding has an owner, target date, and evidence of completion or progress. |
| HIPAA Privacy & Security Policies | Customized to the practice, versioned, signed off, reviewed annually. |
| Notice of Privacy Practices | Current, posted in the office, given to patients, and on the website if applicable. |
| Workforce Sanctions Policy | Documented consequences for HIPAA violations, applied consistently. |
| Designated Privacy & Security Officials | Named individuals with documented responsibilities. |

Workforce documentation

| Artifact | What "good" looks like |
|---|---|
| HIPAA training records | Per-user completion with date and certificate, refreshed annually. |
| Policy attestations | Signed acknowledgement that each workforce member received and read the policies. |
| Access provisioning records | Who has access to which systems, granted when, by whom. |
| Termination / access removal records | Documented timely revocation of access when someone leaves. |

Vendor & technical documentation

| Artifact | What "good" looks like |
|---|---|
| Business Associate Agreements | Signed BAA for every vendor that touches PHI, current and findable. |
| Vendor risk reviews | Documented review of significant vendors' security posture. |
| Endpoint inventory & encryption status | List of devices that handle PHI with encryption verified. |
| Vulnerability / patch evidence | Scan results, patch status, and remediation of known-exploited CVEs. |
| Backup & disaster recovery records | Documented backups, test results, and recovery procedures. |
| Audit log review records | Evidence that key system audit logs are reviewed regularly. |

Incident & breach documentation

| Artifact | What "good" looks like |
|---|---|
| Incident Response Plan | Written plan, with roles and contact information, tested at least annually. |
| Incident log | Every reported incident with classification, response actions, and outcome. |
| Breach risk assessments | Documented evaluation for each incident that may have involved PHI. |
| Breach notifications (if applicable) | Records of notifications sent to individuals, HHS, and media as required. |

Frequently asked questions

How long must HIPAA documentation be retained?

The HIPAA Security Rule requires that policies, procedures, and related documentation be retained for at least six years from the date of creation or the date last in effect, whichever is later.

Can HIPAA documentation be electronic?

Yes. HIPAA requires that documentation be maintained in written form, and electronic records satisfy that requirement. The key requirement is that it is accurate, current, available to those who need it, and can be produced on request.

What is the difference between policies and procedures?

Policies state what the organization does and why; procedures describe how the work is actually performed. Auditors expect both, customized to the organization.

What is the most-missed HIPAA documentation in small practices?

Risk management / remediation plans tied to the Security Risk Analysis, evidence of policy adoption, and training records with per-user proof of completion are the most commonly missing items.

Centralize your HIPAA documentation

HIPAA Security Suite puts every artifact on this checklist in one workspace, so producing your audit response package is a download, not a hunt.