HIPAA · 15 RECURRING ACTIVITIES

HIPAA Compliance Calendar — recurring §164 obligations, scheduled

OCR investigations almost always start the same way: 'show us your most recent risk analysis.' The Security Rule sets no fixed interval, but if yours is more than 12 months old, or predates the systems and vendors you run today, you will struggle to show it is still accurate and thorough. This calendar maps every recurring HIPAA Security + Privacy Rule activity to a specific §164 reference.

Cadence mix: 1× Weekly · 2× Monthly · 2× Quarterly · 1× Every 6 months · 7× Annually · 2× Event-triggered
Who this is for
  • Covered entities (providers, plans, clearinghouses) and Business Associates
  • Security Officers / Privacy Officers running active HIPAA programs
  • Healthcare SaaS vendors operating under signed BAAs
Typical effort
Plan for a designated Security Officer + Privacy Officer (often combined). Major effort: annual risk analysis (40+ hrs).

The calendar

Weekly (1)

Audit log review — failed access + impermissible disclosure flags
Audit Controls
Review a sample of EHR, database and S3 access logs for failed-login bursts, bulk record views or exports, and PHI access outside a user's role, department or working hours. Investigate and document each anomaly, including the ones that turn out benign.
Reference
§164.312(b)
Owner
Security officer
Effort
1–2 hrs
Evidence
Log review record
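The review above is only as good as the triage rules behind it. The script below is an added example, not code from the calendar page: it parses a constructed, simplified EHR access log (one JSON object per line) and flags the three things the weekly check is looking for, failed-access bursts, bulk chart access, and after-hours PHI access by non-clinical departments, then emits a review record suitable as the evidence item. The field names (ts, user, dept, action, patient_id, result), the thresholds, the after-hours window and the sample events are all assumptions to adapt to what your EHR, database or S3 logs actually emit.

```python
"""Weekly ePHI audit-log triage for the §164.312(b) review.

Added example; not code from the calendar page. The log format is a
constructed, simplified EHR access log (one JSON object per line). Field
names, thresholds and the after-hours window are assumptions.
"""
from __future__ import annotations

import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                    # this many failed logins ...
FAIL_WINDOW = timedelta(minutes=10)   # ... inside this window = burst
BULK_THRESHOLD = 20                   # this many distinct charts ...
BULK_WINDOW = timedelta(hours=1)      # ... inside this window = possible bulk pull
NON_CLINICAL_DEPTS = {"billing", "hr", "it"}   # no after-hours chart access expected


def _ev(ts, user, dept, action, pid, result="ok"):
    return json.dumps({"ts": ts, "user": user, "dept": dept, "action": action,
                       "patient_id": pid, "result": result})

# Constructed sample week, trimmed to the events that matter.
SAMPLE_LOG = "\n".join([
    _ev("2024-03-04T09:02:11Z", "jsmith", "cardiology", "view", "P1001"),   # normal
    _ev("2024-03-04T09:05:40Z", "jsmith", "cardiology", "view", "P1002"),   # normal
    # six failed logins on one account in five minutes
    *[_ev(f"2024-03-04T22:1{i}:02Z", "mlee", "billing", "login", None, "fail") for i in range(6)],
    # a billing user opening 25 distinct charts in 25 minutes
    *[_ev(f"2024-03-05T13:{i:02d}:00Z", "rkhan", "billing", "view", f"P2{i:03d}") for i in range(25)],
    # an HR user viewing a chart at 03:12
    _ev("2024-03-06T03:12:45Z", "tng", "hr", "view", "P1007"),
])


def parse_log(text: str) -> list[dict]:
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    events.sort(key=lambda ev: ev["ts"])
    return events


def is_after_hours(ts: datetime) -> bool:
    return ts.hour >= 22 or ts.hour < 6     # assumed clinic quiet hours


def has_burst(times: list[datetime], window: timedelta, threshold: int) -> bool:
    """True if at least `threshold` timestamps fall inside one sliding window."""
    times, lo = sorted(times), 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False


def max_distinct_in_window(accesses: list[tuple[datetime, str]], window: timedelta) -> int:
    """Most distinct patient_ids one user touched inside any `window` (input sorted by time)."""
    counts, best, lo = Counter(), 0, 0
    for t, pid in accesses:
        counts[pid] += 1
        while t - accesses[lo][0] > window:
            old = accesses[lo][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        best = max(best, len(counts))
    return best


def review(events: list[dict]) -> list[dict]:
    """One finding per (rule, user) that needs an analyst's eyes."""
    failures, phi_access, findings = defaultdict(list), defaultdict(list), []
    for ev in events:
        if ev["result"] == "fail":
            failures[ev["user"]].append(ev["ts"])
        elif ev["action"] in ("view", "export") and ev["patient_id"]:
            phi_access[ev["user"]].append((ev["ts"], ev["patient_id"]))
            if ev["dept"] in NON_CLINICAL_DEPTS and is_after_hours(ev["ts"]):
                findings.append({"kind": "after_hours_access", "user": ev["user"], "count": 1,
                                 "detail": f"{ev['dept']} user viewed {ev['patient_id']} at {ev['ts']:%H:%M}Z"})
    for user, times in failures.items():
        if has_burst(times, FAIL_WINDOW, FAIL_THRESHOLD):
            findings.append({"kind": "failed_access_burst", "user": user, "count": len(times),
                             "detail": f">= {FAIL_THRESHOLD} failures within {FAIL_WINDOW}"})
    for user, accesses in phi_access.items():
        n = max_distinct_in_window(accesses, BULK_WINDOW)
        if n >= BULK_THRESHOLD:
            findings.append({"kind": "bulk_access", "user": user, "count": n,
                             "detail": f"{n} distinct patient records within {BULK_WINDOW}"})
    return sorted(findings, key=lambda f: (f["kind"], f["user"]))


def review_record(findings: list[dict], reviewer: str, period: str) -> dict:
    """The evidence artifact: who reviewed which period, and what came out."""
    return {"period": period, "reviewer": reviewer, "events_flagged": len(findings),
            "findings": findings, "disposition": "investigate" if findings else "no anomalies"}


if __name__ == "__main__":
    rec = review_record(review(parse_log(SAMPLE_LOG)), "security.officer", "2024-W10")
    print(json.dumps(rec, indent=2, default=str))
```

Keep the emitted record (and the investigation notes for each finding) with the week's evidence; an empty findings list is still a record that the review happened, which is what OCR asks to see.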

Monthly (2)

Termination access removal verification
Workforce
Cross-check the HR off-boarding list against account disablement records in every system holding ePHI (EHR, directory, VPN, SaaS). Flag any account disabled after the target SLA (typ. 24 hrs from termination), still enabled, or with no disablement record at all.
Reference
§164.308(a)(3)(ii)(C)
Owner
HR + IT
Effort
1 hr
Evidence
Termination access log
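The cross-check is a join between two extracts with a time comparison, and the failures worth catching are the edge cases: a leaver disabled in one system but not another, an account with no disablement record anywhere, and a disablement that exists but landed days late. The script below is an added example, not code from the page: it reconciles a constructed HR off-boarding CSV against a constructed account-disablement CSV and returns one finding per (leaver, system) that missed the SLA. The CSV layouts, the required-system list and the 24-hour SLA are assumptions; feed it your HRIS export and your IdP/EHR disablement reports.

```python
"""Monthly termination-access reconciliation for §164.308(a)(3)(ii)(C).

Added example, not code from the calendar page. CSV layouts, the list of
systems every leaver must be disabled in, and the 24-hour SLA are assumptions.
"""
from __future__ import annotations

import csv
import io
from datetime import datetime, timedelta

SLA = timedelta(hours=24)
REQUIRED_SYSTEMS = ("AD", "EHR")   # every leaver must show a disablement in each

# Constructed HR off-boarding extract for the month under review.
HR_OFFBOARDING = """\
employee_id,name,termination_time
E100,Alice Example,2024-02-02T17:00:00Z
E101,Bob Example,2024-02-09T12:00:00Z
E102,Carol Example,2024-02-16T09:00:00Z
E103,Dan Example,2024-02-23T17:00:00Z
"""

# Constructed account-disablement extract: one row per account; a blank
# disabled_time means the account is still enabled.
ACCOUNT_DISABLEMENTS = """\
employee_id,system,username,disabled_time
E100,AD,aexample,2024-02-02T17:30:00Z
E100,EHR,aexample,2024-02-05T10:00:00Z
E101,AD,bexample,2024-02-09T12:10:00Z
E101,EHR,bexample,2024-02-09T12:15:00Z
E102,AD,cexample,2024-02-15T18:00:00Z
E103,AD,dexample,
"""


def _ts(value: str) -> datetime | None:
    """Parse an ISO-8601 UTC timestamp; empty string means 'never happened'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ") if value else None


def load_csv(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(hr_csv: str, accounts_csv: str, sla: timedelta = SLA) -> list[dict]:
    """Return one finding per (leaver, required system) that missed the SLA.

    Statuses: 'late' (disabled more than `sla` after termination),
    'not_disabled' (record exists, account still enabled),
    'no_record' (system never reported a disablement for this person).
    Accounts disabled before the termination time (pre-scheduled) are fine.
    """
    by_emp: dict[str, dict[str, datetime | None]] = {}
    for row in load_csv(accounts_csv):
        by_emp.setdefault(row["employee_id"], {})[row["system"]] = _ts(row["disabled_time"])

    findings = []
    for leaver in load_csv(hr_csv):
        emp, term = leaver["employee_id"], _ts(leaver["termination_time"])
        accounts = by_emp.get(emp, {})
        for system in REQUIRED_SYSTEMS:
            hours = None
            if system not in accounts:
                status = "no_record"
            elif accounts[system] is None:
                status = "not_disabled"
            else:
                delay = accounts[system] - term          # negative = disabled ahead of time
                hours = round(delay.total_seconds() / 3600, 1)
                if delay <= sla:
                    continue                             # within SLA, nothing to report
                status = "late"
            findings.append({"employee_id": emp, "name": leaver["name"], "system": system,
                             "status": status, "hours_after_termination": hours})
    return findings


def summarize(findings: list[dict]) -> dict:
    """Counts per status, for the monthly evidence record."""
    counts = {"late": 0, "not_disabled": 0, "no_record": 0}
    for f in findings:
        counts[f["status"]] += 1
    return counts


if __name__ == "__main__":
    result = reconcile(HR_OFFBOARDING, ACCOUNT_DISABLEMENTS)
    for f in result:
        print(f)
    print(summarize(result))
```

A 'no_record' result usually means the system was not in the off-boarding runbook at all, which is the finding that matters most; 'late' results should be compared with the SLA you actually wrote into your termination procedure, not just the 24-hour default used here.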
Patch + vulnerability scan
Vulnerability
OS / DB / app patching. Document any deferred patches with risk acceptance.
Reference
§164.308(a)(1)(ii)(B)
Owner
IT
Effort
4 hrs
Evidence
Patch + scan reports

Quarterly (2)

Workforce access review (role-based)
Workforce Access
Manager certifies users still need their level of PHI access. Remove or downgrade as needed.
Reference
§164.308(a)(4)
Owner
Manager + IT
Effort
3–4 hrs
Evidence
Signed access review
Sanctions log review
Sanctions
Review any workforce HIPAA violations + sanctions applied. Required documentation.
Reference
§164.308(a)(1)(ii)(C)
Owner
Privacy officer + HR
Effort
1–2 hrs
Evidence
Sanctions log

Every 6 months (1)

Contingency plan test (data backup / disaster recovery / emergency mode)
Contingency
Restore a sample backup; failover one critical service; document.
Reference
§164.308(a)(7)(ii)(D)
Owner
IT + Security
Effort
8–16 hrs
Evidence
Contingency test report

Annually (7)

HIPAA Security Rule risk analysis
Risk
Required, accurate, thorough — covers all ePHI flows (Cloud + on-prem + endpoint + BAAs). Output: documented risks + likelihood + impact.
Reference
§164.308(a)(1)(ii)(A)
Owner
Security officer
Effort
40–80 hrs
Evidence
Risk analysis report
Risk management plan update
Risk
Address risks identified — implement, mitigate, accept; track residual risk.
Reference
§164.308(a)(1)(ii)(B)
Owner
Security officer
Effort
16 hrs
Evidence
Risk management plan
Workforce HIPAA training
Workforce
Required for every workforce member — Privacy + Security awareness; new hires within reasonable time; updated when material change.
Reference
§164.530(b), §164.308(a)(5)
Owner
Privacy officer + HR
Effort
4 hrs admin
Evidence
Training completion records
Policies + procedures review
Policies
Every Security + Privacy Rule policy reviewed and updated as needed. Retain each version for 6 years from its creation or from the date it was last in effect, whichever is later.
Reference
§164.316(b)
Owner
Privacy + Security officers
Effort
8–16 hrs
Evidence
Updated policy library
BAA inventory + renewal review
BAA
Every Business Associate has a current, valid BAA covering PHI use + breach notification. Refresh expiring agreements.
Reference
§164.308(b), §164.502(e)
Owner
Privacy officer + Legal
Effort
8–12 hrs
Evidence
BAA register + renewals
Notice of Privacy Practices review
Privacy
NPP must be current; redistribute on material change; available on website + at point of care.
Reference
§164.520
Owner
Privacy officer
Effort
4 hrs
Evidence
NPP version + posting evidence
Periodic technical + nontechnical evaluation
Evaluation
Required by §164.308(a)(8): confirm policies + procedures still meet the Security Rule, including after environmental or operational changes (new systems, cloud migrations, reorganisations). Often combined with the annual risk analysis, but it is a separate obligation and should produce its own documented findings.
Reference
§164.308(a)(8)
Owner
Security officer
Effort
16 hrs
Evidence
Evaluation report

Event-triggered (2)

Breach risk assessment + notification
Breach
Any impermissible PHI use/disclosure: run the 4-factor risk assessment (nature and extent of the PHI, who received it, whether it was actually acquired or viewed, extent of mitigation). Unless you can document a low probability of compromise, it is a breach: notify affected individuals without unreasonable delay and no later than 60 days after discovery; notify HHS within 60 days if 500+ individuals are affected, otherwise in the annual log due within 60 days of year end; notify prominent media if 500+ residents of a state or jurisdiction are affected. Business Associates notify the covered entity under §164.410.
Reference
§164.402, §164.404, §164.406, §164.408, §164.410
Owner
Privacy officer + Legal
Effort
Variable
Evidence
Breach risk assessment + notice records
New Business Associate onboarding
BAA
Signed BAA before any PHI shared. Vendor security review proportionate to risk.
Reference
§164.308(b), §164.502(e)
Owner
Privacy officer + Procurement
Effort
4–8 hrs
Evidence
Signed BAA + due diligence

What happens when the cadence slips — real HIPAA actions

  • $16M · Anthem Inc. · 2018: OCR settlement after the 2015 breach of roughly 79 million individuals' ePHI; findings included no enterprise-wide risk analysis and insufficient procedures to regularly review information system activity.
  • $6.85M · Premera Blue Cross · 2020: OCR settlement after the 2014 breach affecting 10.4 million individuals; findings included failure to conduct an enterprise-wide risk analysis and to implement risk management and audit controls.

FAQ

Is the annual HIPAA risk analysis a strict regulatory requirement?
The risk analysis itself is required: §164.308(a)(1)(ii)(A) calls for an accurate and thorough assessment of risks to ePHI, and OCR has repeatedly fined entities for lacking a current, enterprise-wide one. The rule does not fix a 12-month interval; HHS guidance treats the analysis as ongoing and expects it to be updated when systems, vendors or operations change. Annual is the prevailing practice and the interval most auditors expect to see.
How often must HIPAA training happen?
On hire (within reasonable time), and any time there's a material change to policies/procedures. Annual training is the prevailing best practice and what auditors look for.
Do Business Associates need to follow this calendar?
Largely. Since the 2013 Omnibus Rule the Security Rule applies directly to BAs, so the risk analysis, risk management, workforce training, audit-log review and contingency plan items apply to them in full. The Privacy Rule items differ: a BA has no Notice of Privacy Practices, its permitted PHI uses are set by the BAA, and on a breach it notifies the covered entity under §164.410 rather than individuals, HHS or media.
Does this calendar cover the new HIPAA Security Rule update (2024–2025 NPRM)?
Items here follow the current Security Rule. The NPRM published in January 2025 would make most implementation specifications mandatory (dropping the 'addressable' category) and add explicit technical requirements: MFA, encryption of ePHI at rest and in transit, vulnerability scanning at least every six months, annual penetration testing, network segmentation, a written asset inventory and network map, and written contingency procedures with a 72-hour restoration target. Everything already in this calendar points in that direction; if the rule is finalized, tighten the scan cadence and add penetration testing as its own annual item.
