The HIPAA Documents Every Practice Needs (2026 Checklist)
By ComplyCreate Editorial Team · Published Apr 24, 2026 · Last reviewed Apr 24, 2026
Many organizations underestimate HIPAA's documentation requirements. The regulations don't just require you to behave a certain way — they require you to document that you have implemented required policies, conducted required assessments, trained your workforce, and entered into required agreements. This documentation is what OCR reviews during investigations and audits.
The 12 Required HIPAA Documents
1. Business Associate Agreements (BAAs)
Who needs it: All covered entities and business associates.
What it is: A signed contract with every vendor or contractor who creates, receives, maintains, or transmits PHI on your behalf. Required by 45 CFR § 164.504(e).
Where to get it: Generate one at BAAGenerator.com for $49. You need a separate BAA for each vendor relationship.
Retention: 6 years from the date of creation or the date the agreement was last in effect, whichever is later (45 CFR § 164.530(j)). Keep superseded versions, not just the current signed copy.
2. Notice of Privacy Practices (NPP)
Who needs it: Covered entities with a direct relationship to individuals (providers with a direct treatment relationship, and health plans for their enrollees). Business associates do not issue an NPP.
What it is: A patient-facing document explaining how you use and disclose PHI, the individual's rights, and how to file complaints. Required by 45 CFR § 164.520. Confirm your NPP reflects the HHS notice changes with a February 2026 compliance date, including the reproductive health privacy provisions, and check HHS's current guidance on the status of those provisions before relying on them.
Where to get it: Generate one at NPPGenerator.com for $49.
Distribution: No later than the first service delivery (with a good-faith effort to obtain written acknowledgment of receipt, which you must retain); posted prominently at physical service locations and on your website if you have one. Health plans distribute at enrollment and send a reminder at least every three years.
3. HIPAA Privacy Policies and Procedures Manual
Who needs it: All covered entities and business associates.
What it is: A written manual documenting your policies for using and disclosing PHI, implementing individuals' rights, and complying with the Privacy Rule. Required by 45 CFR § 164.530(i); § 164.530(j) requires that the policies be maintained in written (including electronic) form and that each change be documented.
Where to get it: Developed internally or with a HIPAA consultant. The HIPAA Compliance Starter Kit includes a policy framework to start from.
4. Security Risk Analysis
Who needs it: All covered entities and business associates that maintain ePHI.
What it is: A documented, organization-wide assessment identifying threats and vulnerabilities to all ePHI you create, receive, maintain, or transmit, the likelihood of occurrence, and the potential impact. Required by 45 CFR § 164.308(a)(1)(ii)(A). A missing or incomplete risk analysis is the failure OCR cites most often in enforcement actions; it must be repeated when systems or operations change, not filed once.
Where to get it: HHS provides a free Security Risk Assessment (SRA) Tool. See our risk assessment guide for step-by-step instructions.
5. Security Risk Management Plan
Who needs it: All covered entities and BAs with ePHI.
What it is: A written plan documenting the security measures implemented to reduce risks identified in the risk analysis to a reasonable and appropriate level. Required by 45 CFR § 164.308(a)(1)(ii)(B).
6. Workforce Training Records
Who needs it: All covered entities and BAs.
What it is: Documentation that all workforce members have received HIPAA Privacy and Security Rule training appropriate to their functions, including new hires and periodic security reminders. Required by 45 CFR §§ 164.530(b) and 164.308(a)(5). The rules require you to document that training occurred; record the dates, topics covered, and who attended so the record can actually be verified.
7. Workforce Access Controls Documentation
Who needs it: All covered entities and BAs with ePHI.
What it is: Documentation of who has access to ePHI systems, what level of access they have, and the authorization and review process. Required under 45 CFR § 164.312(a)(1) (technical access controls) and § 164.308(a)(4) (information access management).
8. Breach Log
Who needs it: All covered entities and BAs.
What it is: A log of all breaches of unsecured PHI, including small breaches (fewer than 500 individuals). Breaches affecting fewer than 500 individuals are reported to HHS from this log within 60 days after the end of the calendar year in which they were discovered; breaches affecting 500 or more are reported within 60 days of discovery. Also keep the four-factor risk assessment for incidents you concluded were not reportable breaches, because 45 CFR § 164.414(b) puts the burden of proof on you. See 45 CFR §§ 164.402, 164.408, and 164.414.
9. Sanctions Policy
Who needs it: All covered entities and BAs.
What it is: A written policy specifying sanctions for workforce members who violate HIPAA policies or the Privacy and Security Rules. Required by 45 CFR §§ 164.530(e) and 164.308(a)(1)(ii)(C). Sanctions must be applied consistently and documented.
10. Data Use Agreements (DUAs)
Who needs it: Covered entities who share PHI as a limited data set for research or public health purposes.
What it is: A contract governing the use of a "limited data set" (PHI with most direct identifiers removed but not fully de-identified). Required under 45 CFR § 164.514(e). Not needed by all covered entities — only those who share limited data sets.
11. Patient Authorization Forms
Who needs it: Covered entities who use or disclose PHI for purposes beyond treatment, payment, and health care operations or another permitted purpose (e.g., marketing, research without an IRB or privacy board waiver, sale of PHI, most uses of psychotherapy notes).
What it is: A patient-signed document authorizing specific uses or disclosures of their PHI. Must contain required elements under 45 CFR § 164.508 including description of PHI, purpose, expiration, and right to revoke.
12. Business Continuity and Contingency Plan
Who needs it: All covered entities and BAs with ePHI.
What it is: A documented plan for maintaining access to ePHI during emergencies (power outages, natural disasters, ransomware). Must include a data backup plan, disaster recovery plan, and emergency mode operation plan; testing and revision procedures and an applications and data criticality analysis are addressable specifications you must implement or document why not. Required by 45 CFR § 164.308(a)(7). For the ransomware case, the plan is only as good as backups an attacker on your network cannot encrypt or delete, so document where they live and how restoration was last tested.
Frequently Asked Questions
What HIPAA documents are required?
The core required HIPAA documents include: Business Associate Agreements (45 CFR § 164.504(e)), Notice of Privacy Practices (§ 164.520), Privacy Policies and Procedures manual (§ 164.530(i)), Security Risk Analysis (§ 164.308(a)(1)), Security Risk Management Plan, workforce training records, breach log, sanctions policy, access controls documentation, and a contingency plan. Authorization forms and data use agreements are required only in specific circumstances.
How long do you keep HIPAA documents?
45 CFR § 164.530(j) requires retention for 6 years from the date of creation or the date it was last in effect — whichever is later. This applies to policies, BAAs, NPPs and acknowledgments, training records, breach logs, risk analyses, and other compliance documentation. Note that this is the retention period for compliance documentation, not for medical records themselves, whose retention is set by state law and other programs, some of which impose longer periods.
Are HIPAA policies required in writing?
Yes. 45 CFR § 164.530(i) requires covered entities to implement Privacy Rule policies and procedures, and § 164.530(j) requires that they be maintained in written or electronic form. The Security Rule (§ 164.316) similarly requires written security policies and procedures and documentation of the actions, activities, and assessments the rule calls for. Oral policies do not satisfy HIPAA's documentation requirements.
Do solo practitioners need HIPAA documentation?
Yes. Solo practitioners who are covered entities must implement all required HIPAA documentation — including BAAs, NPP, policies, risk assessment, and training records. There is no small-practice exemption. OCR has imposed penalties on solo practitioners for documentation failures including missing BAAs and failure to conduct risk assessments.
What is a HIPAA authorization form?
A HIPAA authorization form is a patient-signed document authorizing a specific use or disclosure of their PHI beyond what the Privacy Rule normally permits. Required elements under 45 CFR § 164.508 include: a specific description of the PHI to be used or disclosed, who is authorized to make the disclosure, who may receive it, the purpose, an expiration date or event, the individual's signature and date, and required statements covering the right to revoke, whether treatment or payment is conditioned on signing, and the possibility of redisclosure by the recipient. Authorizations are required for marketing uses, sale of PHI, most research, most uses of psychotherapy notes, and certain other non-standard disclosures.