HIPAA · 40-STEP CHECKLIST

HIPAA Compliance Checklist — 40 Steps (Covered Entity + Business Associate)

HIPAA OCR enforcement hit Anthem with a $16M fine and Premera $6.85M — almost always for the same root causes: no enterprise-wide risk analysis, missing BAAs, or insufficient access controls. This checklist walks the Privacy Rule, Security Rule (administrative, physical, technical), and Breach Notification in the order an OCR auditor will ask for them.

Who this is for
  • Healthcare providers, plans, and clearinghouses (Covered Entities)
  • SaaS, billing, analytics, IT, MSP vendors handling PHI (Business Associates)
  • Downstream subcontractors handling PHI (also Business Associates under HITECH)
  • Telehealth, digital health, and HealthTech startups
Typical timeline
First-time HIPAA program: 90–180 days. Annual risk analysis + workforce training are ongoing.
Severity legend: critical · high · medium

The checklist

Foundations

1. Determine if you're a Covered Entity, Business Associate, or hybrid [critical]
   Different obligations apply; document the determination. (§160.103)
2. Identify all PHI flows in & out of your systems (data map) [critical]
   Sources, transit, storage, deletion — needed for the risk analysis. (§164.308(a)(1))
3. Appoint a Privacy Officer and a Security Officer (can be the same person) [critical]
   Required for all Covered Entities; document the role. (§164.530(a), §164.308(a)(2))

Privacy Rule

4. Publish a Notice of Privacy Practices (NPP) [critical]
   Posted publicly, given to patients on first visit, and acknowledged in writing. (§164.520)
5. Limit PHI use & disclosure to the minimum necessary [critical]
   Role-based access; no blanket access to the entire patient population. (§164.502(b), §164.514(d))
6. Patient rights workflow: access, amend, accounting, restriction, confidential comms [critical]
   30-day SLA for access requests (extendable once to 60); document each request. (§164.524–.528)
7. Authorization required for non-TPO uses (marketing, research, sale) [high]
   Specific written authorization with revocation language. (§164.508)

BAA

8. Execute a Business Associate Agreement BEFORE sharing PHI with any vendor [critical]
   Required terms in §164.504(e) — safeguards, breach notification, subcontractor flow-down. (§164.504(e))
9. Maintain an inventory of all BAs and their BAAs (with subcontractor BAAs as evidence) [high]
   The auditor will sample BAs and request the agreement plus the downstream chain. (§164.504(e))

Risk Analysis

10. Conduct an enterprise-wide risk analysis annually [critical]
    Identify threats, vulnerabilities, likelihood, and impact to ePHI confidentiality, integrity, and availability. (§164.308(a)(1)(ii)(A))
11. Document a risk management plan with remediation timelines [critical]
    Highest single OCR finding category — you must show you addressed identified risks. (§164.308(a)(1)(ii)(B))

Administrative Safeguards

12. Workforce security policies (authorization, supervision, clearance) [high]
    Documented; covers hire, role change, and termination. (§164.308(a)(3))
13. Information access management (need-to-know basis) [critical]
    Documented authorization for each role; reviewed periodically. (§164.308(a)(4))
14. Security awareness training for all workforce members [critical]
    Annual minimum, plus new-hire onboarding and role-specific training. (§164.308(a)(5))
15. Security incident procedures with documented response [critical]
    Identify, respond, mitigate, document; integrate with breach notification. (§164.308(a)(6))
16. Contingency plan: backup, disaster recovery, emergency-mode operation [critical]
    Documented, tested annually, restoration verified. (§164.308(a)(7))
17. Periodic technical and non-technical evaluation [high]
    Often combined with the annual risk analysis; documented. (§164.308(a)(8))

Physical Safeguards

18. Facility access controls (locks, badges, visitor log) [high]
    Document who has physical access to systems holding ePHI. (§164.310(a))
19. Workstation use & security policies [high]
    Screen lock, no PHI on personal devices, MDM for mobile. (§164.310(b–c))
20. Device & media controls (disposal, reuse, accountability, backup) [high]
    Certificate of destruction for retired media; encryption requirement before reuse. (§164.310(d))

Technical Safeguards

21. Unique user identification for all workforce members [critical]
    No shared accounts; SSO + IdP integration. (§164.312(a)(2)(i))
22. Emergency access procedure [high]
    Documented break-glass procedure with an audit trail. (§164.312(a)(2)(ii))
23. Automatic logoff after inactivity [high]
    Workstation and application level (15-minute standard). (§164.312(a)(2)(iii))
24. Encryption of ePHI at rest and in transit (addressable, but expected) [critical]
    AES-256 at rest, TLS 1.2+ in transit; document the alternative measure if you choose one. (§164.312(a)(2)(iv), (e)(2)(ii))
25. Audit controls — log all PHI access & modification [critical]
    Centralised, tamper-resistant, retained 6 years minimum. (§164.312(b))
26. Integrity controls (prevent unauthorized alteration of ePHI) [high]
    Hashing, digital signatures, version control on records. (§164.312(c))
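An added illustration for items 25 and 26 (not ComplianceIQ's code or an OCR requirement): a hash-chained PHI access log in Python, where each entry commits to the previous entry's digest so that an edited, deleted or reordered entry fails verification. Field names and the sample events are constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value used by the first entry


def _digest(entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equal entries hash equally
    body = {k: v for k, v in entry.items() if k != "hash"}
    raw = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def append_event(log: list, event: dict) -> dict:
    """Append one PHI access event, chained to the previous entry's hash."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log), "prev": prev, **event}
    entry["hash"] = _digest(entry)
    log.append(entry)
    return entry


def verify_chain(log: list):
    """Return (True, None) if every entry is intact and in order,
    otherwise (False, index) for the first entry that fails."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry.get("seq") != i or entry.get("prev") != prev:
            return False, i  # gap, reorder or deletion breaks the chain
        if _digest(entry) != entry.get("hash"):
            return False, i  # a field was changed after it was written
        prev = entry["hash"]
    return True, None


def build_sample_log() -> list:
    """Constructed sample events (hypothetical users and patient ids)."""
    log = []
    for ev in [
        {"ts": "2024-03-01T09:12:00Z", "user": "nurse.a", "patient": "P-1001", "action": "view"},
        {"ts": "2024-03-01T09:15:30Z", "user": "dr.b", "patient": "P-1001", "action": "update"},
        {"ts": "2024-03-01T10:02:11Z", "user": "billing.c", "patient": "P-2002", "action": "view"},
    ]:
        append_event(log, ev)
    return log
```

In practice the chain head (or a periodic signature over it) is shipped to a separate write-once store, since a log that only checks itself can be rewritten wholesale by whoever controls the host.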
27. Person/entity authentication (MFA strongly expected) [critical]
    MFA on every system touching PHI; document the MFA enrolment rate. (§164.312(d))
28. Transmission security — encrypt PHI sent over networks [critical]
    TLS for email, secure file transfer for bulk data, HTTPS for portals. (§164.312(e))

Breach

29. Risk assessment for any unauthorized PHI use/disclosure [critical]
    4-factor test: nature of the PHI, who received it, whether it was actually viewed, and mitigation. (§164.402)
30. Notify affected individuals within 60 days of breach discovery [critical]
    First-class mail or email (if the patient agreed); substitute notice for large breaches. (§164.404)
31. Notify HHS within 60 days (≥500 affected) or annually (<500) [critical]
    Submit via the OCR breach reporting portal. (§164.408)
32. Notify prominent media for breaches affecting 500+ in a state/region [high]
    Press release sent to major media outlets in the affected state. (§164.406)
33. Maintain a breach log even for sub-500 breaches [high]
    Annual aggregate report to HHS for <500 breaches. (§164.408(c))

Documentation

34. Maintain HIPAA policies & procedures for 6 years [critical]
    Includes superseded versions; centralised policy library. (§164.530(j))
35. Sanctions policy for workforce violations [high]
    Documented and applied consistently — the auditor will check the enforcement record. (§164.530(e))
36. Mitigation procedures for known harmful effects [high]
    Document what you do to mitigate harm when violations occur. (§164.530(f))
37. Refrain from intimidating or retaliatory acts [high]
    Whistleblower-style protections; documented in policy. (§164.530(g))

Governance

38. Document policies & procedures and update them when laws/regulations change [high]
    HITECH, Omnibus, state law updates — review annually. (§164.530(i))

BA-Specific

39. If you're a BA: comply directly with the Security Rule + breach notification [critical]
    HITECH made BAs directly liable — the same administrative, physical, and technical safeguards apply. (§164.314, §164.410)

Continuous

40. Track OCR enforcement actions & resolution agreements [high]
    Reading the latest cases keeps you ahead of common findings. (OCR Resolution Agreements)


Real enforcement actions for HIPAA

  • Anthem Inc. · 2018 · $16M
  • Premera Blue Cross · 2020 · $6.85M

FAQ

Are BAAs required with every vendor?
Required with anyone creating/receiving/maintaining/transmitting PHI on your behalf. Not required for 'conduit' services (e.g., USPS, basic ISP without access).
What counts as a breach?
Any unauthorized acquisition, access, use, or disclosure of unsecured (unencrypted) PHI. Encrypted PHI is generally exempt if encryption meets HHS guidance.
How long must I retain HIPAA documentation?
Six years from creation OR last effective date, whichever is later (§164.530(j)).
Is HIPAA training required annually?
Required 'periodically' (§164.308(a)(5)). Annual is industry standard and what OCR expects.
