We offer HIPAA compliance software consisting of templates, checklists, procedures, policies and guides that will help your entity become HIPAA compliant and get its HIPAA compliance projects under way. The tools listed below address HIPAA compliance needs comprehensively and can save your organization a considerable amount of money.

  1. HIPAA Contingency Plan Template Suite ($1200)
  2. HIPAA Security Policies Template Suite ($495)
  3. HIPAA Privacy Policies & Procedures Template Suite ($300)
  4. HIPAA Risk Analysis Template Suite ($495)
  5. HIPAA Audit Templates Suite ($300)

Total cost: $2500 (Value $2790)


This suite is recommended for entities that need to address the HIPAA contingency plan requirements through Disaster Recovery Planning (DRP) and Business Continuity Planning (BCP) while also remaining compliant with Sarbanes-Oxley (SOX), ISO 27002, JCAHO and FISMA requirements. It can be used by any organization regardless of size and customized to fit its own environment.

  • Business Impact Analysis (BIA)
  • Risk Assessment
  • Selecting and Implementing Recovery Strategies
  • Contingency Program Policy & Standards
  • Data Backup and Storage Plan
  • Disaster Recovery Plan (DRP)
  • Business Continuity Plan (BCP)
  • Emergency Mode Operation Plan (EMOP)
  • DRP & BCP Testing and Revision Plan
  • Business Resumption Plan examples for departments such as Accounting and Human Resources
  • Policies and procedures
  • Department Disaster Recovery Activation
  • Recovery Strategies
  • Training of the Disaster Recovery Team
  • Testing of the Disaster Recovery Plan
  • Evaluation of the Disaster Recovery Plan Tests
  • Maintenance of the Disaster Recovery Plan

Documents in HIPAA Contingency Plan Template Suite:

Conducting a Business Impact Analysis (BIA)

  • Conducting a Business Impact Analysis (Guide) (23 pages)
  • Long Version Business Impact Analysis Template (21 pages)
  • Short Version Business Impact Analysis Template (6 pages)
  • Applications and Data Criticality Analysis Template (24 pages)
  • Final Business Unit Report Template, including the following sub-documents (8 pages)
    • Department Financial Impact Chart Template (1 page)
    • Department Operational Impact Chart Template (1 page)
    • Department Legal/Regulatory Chart Template (1 page)
  • Final Executive Management Report Template, including the following sub-documents (23 pages)
    • Combined Financial Impact Chart Template (2 pages)
    • Combined Operational Impact Chart Template (3 pages)
    • Combined Legal/Regulatory Chart Template (1 page)
    • Combined People Over Time Chart Template (3 pages)

Conducting a HIPAA Risk Assessment

  • Conducting a Risk Assessment (Guide) (15 pages)
  • Risk Assessment Template (17 pages)
  • Risk Assessment Worksheet (14 pages)
  • Executive Risk Assessment Findings Report (15 pages)
  • Preventative Measures Examples (6 pages)
  • Final Facility Risk Assessment Report (10 pages)
  • Executive Report Charts Template (5 Charts) (5 pages)

Selecting And Implementing Recovery Strategies

  • Implementing Recovery Strategies, including the following sub-document (15 pages)
    • Contingency Planning Process (8 pages)

Sample Documents

  • Example of Completed Long Version BIA (24 pages)
  • Example of Completed Short Version BIA (4 pages)
  • Example of Completed App & Data Criticality Analysis (39 pages)
  • Example of Completed Business Unit Final Report (8 pages)
  • Example of Charts to support Business Unit Final Report (3 Charts) (3 pages)
  • Example of Completed Executive Management Report (40 pages)
  • Example of Completed Risk Assessment (17 pages)
  • Example of Completed Final Risk Assessment Report (16 pages)
  • Example of Completed Risk Assessment Worksheet (14 pages)

Contingency Program Policy & Standards

  • Business Impact Analysis Policy, including the following sub-document (12 pages)
    • Business Impact Analysis Standard (14 pages)
  • Risk Assessment Policy, including the following sub-document (11 pages)
    • Risk Assessment Standard (11 pages)
  • Contingency Planning Policy, including the following sub-documents (10 pages)
    • Disaster Recovery Planning Standard (69 pages)
    • Emergency Mode Operation Plan Standards (14 pages)
    • Business Resumption Planning Standards (20 pages)
  • Testing and Revision Policy, including the following sub-document (17 pages)
    • Testing & Revision Standards (14 pages)
  • Data Backup Plan Policy Template, including the following sub-document (15 pages)
    • Data Backup Standard (8 pages)
  • Training & Awareness Standard (7 pages)
  • Instructions on how to update all standards (3 pages)

Appendix Documents (Help Guides / Templates)

  • Types of Contingency Plans (9 pages)

Data Backup and Storage Plan

  • Data Backup Plan (DBP) Template (18 pages)
  • Data Backup Plan (DBP) development Guide (11 pages)

Disaster Recovery Plan

  • Application Recovery Template (23 pages)
  • Application Recovery Plan Development Guide (18 pages)
  • Network Recovery Template (20 pages)
  • Network Recovery Plan Development Guide (15 pages)
  • Database Recovery Template (19 pages)
  • Database Recovery Plan Development Guide (16 pages)
  • Server Recovery Template (19 pages)
  • Server Recovery Plan Development Guide (15 pages)
  • Telecommunications Recovery Template (19 pages)
  • Telecom Recovery Plan Development Guide (17 pages)
  • Disaster Recovery Plan Overview (38 pages)
  • Disaster Recovery Plan Development Guide (17 pages)

Emergency Mode Operation Plan

  • Dept. Business Resumption Plan Template (16 pages)
  • Emergency Operation Plan (18 pages)
  • Emergency Mode Operation Planning Standards (38 pages)
  • Emergency Mode Operations Plan Development Guide (11 pages)

Testing and Revision Plan

  • Testing and Revision Program, including the following sub-documents (18 pages)
    • Business Unit Test Plan (16 pages)
    • Business Unit Test Plan Development Guide (10 pages)
    • Technology Test Plan (18 pages)
    • Technology Test Plan Development Guide (10 pages)
    • Test Schedule (2 pages)
    • Business Unit Plan Audit Checklist (6 pages)
    • Application Plan Audit Checklist (7 pages)
    • Database Plan Audit Checklist (6 pages)
    • Disaster Recovery Audit Checklist (6 pages)
    • Network Plan Audit Checklist (6 pages)
    • Server Plan Audit Checklist (6 pages)
    • Telecom Plan Audit Checklist (6 pages)
    • Audit Notification Memo (1 page)
    • Plan Audit Final Report Template (1 page)
    • Test Notification Memo (1 page)
    • Type of Tests (1 page)

Sample Documents

  • Example of Completed Data Backup Plan (18 pages)
  • Example of Completed Disaster Recovery Plan (38 pages)
  • Example of Completed Application Recovery Plan (23 pages)
  • Example of Completed Emergency Mode Operation Plan, including the following sub-documents:
    • Accounting EMOP (42 pages)
    • BIOMED EMOP (37 pages)
    • Corporate Communications EMOP (38 pages)
    • Emergency Services EMOP (37 pages)
    • Facilities & Security EMOP (38 pages)
    • Human Resources EMOP (38 pages)
    • Laboratory EMOP (38 pages)
    • Materials Management EMOP (38 pages)
    • Pharmacy EMOP (37 pages)
    • Surgery EMOP (36 pages)
  • Example Business Unit Test Plan (14 pages)
  • Example Technology Unit Test Plan (16 pages)
  • Example Test Schedule (2 pages)
  • Example Audit Notification Memo (1 page)
  • Example Business Plan Audit Checklist (6 pages)
  • Example Final Audit Report (2 pages)
  • Example Audit Follow Up Memo (1 page)
  • Example Test Notification Memo (2 pages)


The HIPAA Security Rule (final rule published 20 February 2003), the HITECH Act enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA), and the 2013 Omnibus Rule require covered entities (and, since the Omnibus Rule, their business associates) to ensure that their policies and procedures conform to the law's requirements and that their workforce is trained to apply them in their daily work.

The HIPAA Security Rule is quite specific about the creation, implementation and revision of policies and procedures. Under the Policies and Procedures standard, a covered entity must implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications and other requirements of the rule with respect to protected health information. These policies and procedures are to be scaled to the size and activities of the covered entity and to how it handles protected health information, so that the entity meets the HIPAA compliance requirements. The standard may never be construed to permit or excuse an action that violates any standard, implementation specification or other requirement of the rule.

We provide 71 HIPAA Security policies: 60 security policies and procedures that map directly to the HIPAA Security Rule, plus 11 supplemental forms, checklists and policies that support the required policies and procedures. The set addresses the security policy challenges most enterprises face as well as every key component of the HIPAA Security Rule, and can be tailored to your organization's HIPAA compliance needs.

I. Policies on the Standards for Administrative Safeguards

  • Breach Notification Policy
  • Security Management Process
  • Risk Analysis
  • Risk Management
  • Sanction Policy
  • Information System Activity Review
  • Assigned Security Responsibility
  • Workforce Security
  • Authorization and/or Supervision
  • Workforce Clearance Procedure
  • Termination Procedures
  • Information Access Management
  • Access Authorization
  • Access Establishment and Modification
  • Security Awareness & Training
  • Security Reminders
  • Protection from Malicious Software
  • Log-in Monitoring
  • Password Management
  • Security Incident Procedures
  • Response and Reporting
  • Contingency Plan
  • Data Backup Plan
  • Disaster Recovery Plan
  • Emergency Mode Operation Plan
  • Testing and Revision Procedure
  • Applications and Data Criticality Analysis
  • Evaluation
  • Business Associate Contracts and Other Arrangements
  • Business Associate Agreement
  • Execution of Business Associate Agreements with Contracts

II. Policies on the Standards for Physical Safeguards

  • Facility Access Controls
  • Contingency Operations
  • Facility Security Plan
  • Access Control and Validation Procedures
  • Maintenance Records
  • Workstation Use
  • Workstation Security
  • Device and Media Controls
  • Disposal
  • Media Re-use
  • Mobile Device Policy
  • Accountability
  • Data Backup and Storage

III. Policies on the Standards for Technical Safeguards

  • Access Control
  • Unique User Identification
  • Emergency Access Procedure
  • Automatic Logoff
  • Encryption and Decryption
  • Audit Controls
  • Integrity
  • Mechanism to Authenticate Electronic Protected Health Information
  • Person or Entity Authentication
  • Transmission Security
  • Integrity Controls
  • Encryption

IV. Organizational Requirements

  • Policies and Procedures
  • Documentation
  • Isolating Healthcare Clearinghouse Function
  • Group Health Plan Requirements

V. Supplemental Policies for Required HIPAA Policies

  • Wireless Security Policy
  • Email Security Policy
  • Analog Line Policy
  • Dial-in Access Policy
  • Automatically Forwarded Email Policy
  • Remote Access Policy
  • Ethics Policy
  • VPN Security Policy
  • Extranet Policy
  • Internet DMZ Equipment Policy
  • Network Security Policy


Every covered entity must develop and implement the policies and procedures its practices and workforce need so that the protected health information it uses, discloses, transmits or stores is kept to the minimum necessary, as required by the HIPAA Privacy Rule (45 CFR Parts 160 and 164). To that end we have developed 57 forms, policies and procedures in our HIPAA Privacy Policies and Procedures template suite, which can be used by any entity. The policies are supplied in MS Word format so they can be edited to match your organization's privacy requirements. Each template follows a standard layout that reflects the critical facets of an organization's functions and provides guidance on being HIPAA compliant.

These HIPAA policies cover all the major areas like:

  1. General policies regarding use and disclosure of PHI
  2. Minimum necessary rule for use and disclosure of PHI
  3. Patient rights regarding their own PHI
  4. Uses and disclosures not requiring patient authorization
  5. Special cases for restriction of uses and disclosures of PHI
  6. Organizational issues and safeguards

The templates suite includes following HIPAA Privacy policies and procedures.

  • Accept Access Request
  • Accounting for Disclosures
  • Acknowledgement of Receipt
  • Amendment to Record Form
  • Authorization for Release of Protected Health Information
  • Authorization To Use Disclose Protected Health Information
  • Business Associate Agreement
  • Business Associate Contracts and Other Arrangements
  • Complaint Process
  • Data Use Agreement Template
  • De-identified Information and Limited Data Sets
  • Denial Access Request
  • Denial Request to Amend Form
  • Disclosure Accounting Log for Medical Information
  • Disclosure of PHI with and without authorization Template
  • Disclosures Record Form
  • Document Retention Requirements
  • EHR accounting of disclosures
  • Employee Confidentiality Agreement
  • Execution of Business Associate Agreements with Contracts
  • Health Plan Notice of Privacy Practices
  • HIPAA Accept Amend Request Form
  • Identifying PHI and Designated Record Sets
  • Minimum Necessary
  • Multi-Organization Arrangements
  • Notice of Privacy Practices
  • Patient Right to Access PHI
  • PHI Release by Whistleblowers
  • Privacy Officer
  • Receipt of Payment when Disclosing PHI
  • Release for Abuse Neglect or Domestic Violence
  • Release for Confidential Communications
  • Release for Fundraising Purposes
  • Release for Health Oversight
  • Release for Judicial or Administrative Proceedings
  • Release for Law Enforcement
  • Release for Marketing Purposes
  • Release for Public Health
  • Release for Research Purposes
  • Release for Specific Government Functions
  • Release for Workers Compensation
  • Release of Information for Deceased Patients or Plan Members
  • Release of Information for Legal Representatives
  • Release of Information to a Minor
  • Release of Information to a Minor's Parents
  • Release of Information to Friends and Family Members
  • Release of Psychotherapy Notes
  • Release to Avert Serious Threat to Safety
  • Request Confidential Communications Template
  • Request Restriction
  • Request to Amend Patient or Plan Member Record
  • Requests for Restriction policy
  • Required PHI Disclosures
  • Right to Object to Release for Certain Purposes
  • Safeguarding PHI
  • Training Requirements
  • Workforce Sanctions


The first step toward HIPAA compliance is conducting a risk analysis. It is a required implementation specification of the Security Management Process standard in the Administrative Safeguards of the HIPAA Security Rule (45 CFR 164.308(a)(1)). A covered entity benefits from the exercise itself, not only from the compliance it demonstrates; in any case, adherence to the HIPAA requirements is not optional, and failure to comply exposes the entity to fines and penalties.

Objective of HIPAA Security Risk Analysis/Assessment:

The core objective of a risk analysis is to document the potential threats and vulnerabilities affecting the confidentiality, integrity and availability of electronic protected health information (ePHI) and to ensure that the resulting risks are reduced to a reasonable and appropriate level through suitable safeguards. A further goal is to ensure that spending on controls is commensurate with the risk to which the organization is actually exposed.

List of documents in HIPAA Security Risk Analysis Template revised for HITECH Omnibus Rule

  • Asset Inventory Worksheet
  • Detailed HIPAA Security Risk Analysis Executive Report
  • Risk Analysis Checklist
  • Risk Analysis Template
  • Risk Assessment Executive Presentation
  • HIPAA Security Risk Assessment Scorecard 
    • Overview spreadsheet
    • Administrative safeguard spreadsheet
    • Technical safeguard spreadsheet
    • Physical safeguard spreadsheet
    • Organizational safeguard spreadsheet
  • Sample Privacy & Security Risk Analysis Executive Report 2013-Short Version
  • Threat Matrix Worksheet


The HIPAA Security Rule requires organizations to perform periodic technical and non-technical evaluations of the processes and procedures that protect the confidentiality of protected health information (PHI) (45 CFR 164.308(a)(8)). An external review of these evaluations is not mandatory but is normally advisable; whether one is warranted usually depends on the size and type of the business and on contractual requirements (e.g., Medicare, Medicaid). The main purpose of an audit is to assess whether the organization has properly documented its administrative, physical and technical policies, procedures and practices against the rule's requirements.

Objective of HIPAA Audit and Evaluation for Compliance

The objectives of a HIPAA audit include the following:

  • Assess whether all identified vulnerabilities have been addressed.
  • Verify that all compliance requirements have been met.
  • Verify that the Audit Controls standard (45 CFR 164.312(b)) is satisfied: hardware, software, and/or procedural mechanisms are in place to record and examine activity in information systems that contain or use electronic protected health information.

List of documents for HIPAA Audit Template:

  • HIPAA Comprehensive Audit Checklist
  • HIPAA Privacy & Security Audit Report - Sample
  • HIPAA Security Abbreviated Audit Checklist final
  • HIPAA Security Audit Executive Presentation
  • Information Security Audit Template


All templates are provided as Microsoft Word and Excel files, so you can add, change and delete content as required to complete your policies. If you have any questions, or would like to see additional samples, please contact us at bob@hipaacompliancesoftware.net or call (515) 865-4591. Individual HIPAA template suites can also be purchased separately in our online HIPAA store.


Supremus Group LLC
855 SE Bell Ct, Suite 300
Waukee, IA 50263
Tel : (515) 865-4591 | Fax: (515) 221-2363
Email: bob@hipaacompliancesoftware.net
Copyright 2009-2014 hipaacompliancesoftware.net. All rights reserved.