← Back to Dashboard
HIPAA READINESS

HIPAA is two rule sets, not a checkbox — and the documentation is what gets asked for. This is that documentation, complete, in one kit.

If your organization handles protected health information — as a provider, or as a business associate to one — HIPAA expects a documented program: a risk analysis scoped to ePHI, a policy set covering the administrative, physical, and technical safeguards, business-associate agreements you can actually account for, and evidence that your workforce was trained. Most small and mid-size organizations have some of it, in pieces, written years ago by someone who has since left.

This is one comprehensive kit, not an add-on maze. It covers the Security Rule and the Privacy Rule together, because HIPAA does. And it is honest about the line between a governance document you adopt and a legal instrument you cannot: your BAA and your patient authorization forms come from your counsel — what this kit gives you there is the sample so you understand what they cover, and the register so you can prove you are tracking them.

YOU CAN DO THIS TODAY
1

Count your business associates.

Write down every vendor that creates, receives, maintains, or transmits PHI on your behalf — your EHR, billing service, IT provider, shredding company, cloud backup, answering service. Then check how many have a signed BAA you can actually put your hands on. The gap between those two numbers is the finding auditors write up most often.

2

Find the date on your last risk analysis.

The Security Rule expects a risk analysis that is current, scoped to ePHI, and documented. If yours is from 2019, exists only as a vendor’s sales report, or does not exist at all, that is the first thing OCR asks for in an investigation — and the most common source of enforcement findings.

3

Name your Security and Privacy Officials.

HIPAA requires both roles to be designated. They can be the same person in a small organization, but it has to be written down. If you cannot point to the document naming them, that is a five-minute fix you can start today.

THE HIPAA READINESS KIT

One kit covering the Security Rule, the Privacy Rule, business-associate tracking, and training records — the documentation foundation, built by a CISSP who has sat through the audits.

WHAT'S INCLUDED
01

Start Here — Quick Start Guide

The front door. What to do, in what order, who needs to be in the room, what to expect, and what "done" does and does not mean. Twenty-plus documents is a lot to face cold; this is the map.

02

Documentation Mapping Matrix

Every Security Rule and Privacy Rule standard, and what this kit provides for it — stated honestly in three states: provides documentation, partially addresses, or not addressed because it is operational and yours to do. It is an orientation tool, not a certification or a compliance determination.

03

HIPAA Security Risk Analysis

The cornerstone document — identify where ePHI lives, the risks to it, and your decisions. This is the first thing requested in an audit and the most common enforcement finding when it is missing or stale.

04

Security & Privacy Official Designation

The written designation HIPAA requires for both roles. Small organizations can name one person for both — but it has to be documented.

05

HIPAA Information Security Policy

The governing policy, scoped explicitly to ePHI, with HIPAA’s six-year documentation retention rule built in.

06

ePHI Systems Inventory & Data-Flow Map

Every system, application, device, and vendor that touches ePHI, and how it moves. This defines the scope every other safeguard applies to.

07

Workforce Security & Access Management

Authorization and supervision, workforce clearance, and termination procedures — with the access-removal records that prove they were followed.

08

Access Control Policy

The four technical specifications HIPAA names by name: unique user identification, emergency access, automatic logoff, and encryption/decryption — including how to document an addressable specification you implement differently.

09

Sanctions Policy

What happens when a workforce member violates your policies. Required by the Security Rule, and only meaningful if applied consistently.

10

Security Incident Procedures

Identify, respond, mitigate — and document. The documentation of each incident and its outcome is the part auditors ask to see.

11

Breach Notification Procedure

The four-factor risk assessment and HITECH’s hard deadlines: individual notice without unreasonable delay and no later than 60 days, HHS notification, and media notice at 500 or more individuals. It organizes the decision for you and your counsel — it does not make it.

12

Contingency Plan Pack

All five components HIPAA names: data backup plan, disaster recovery plan, emergency-mode operation plan, testing and revision procedures, and applications-and-data criticality analysis.

13

Audit Controls & Log Review Policy

What activity gets recorded in systems holding ePHI, how those logs are protected, and a review cadence that is documented rather than merely intended.

14

Transmission & Network Security Standard

Integrity controls and encryption for ePHI in transit — plus how to document the decision anywhere you implement an addressable specification differently.

15

Physical & Workstation Safeguards

Facility access controls, workstation use, and workstation security, with the facility security plan and maintenance records the Rule expects.

16

Device & Media Controls

Disposal, media re-use, and the movement-and-accountability record for hardware and media holding ePHI — the log most organizations skip.

17

BAA Tracking Register

The core deliverable. Every business associate inventoried, whether a current signed agreement exists, effective and expiration dates tracked, and any BA touching PHI without a current agreement flagged. This is where healthcare organizations actually fail an audit — not the contract, the tracking.

18

BAA Reference Sample (reference only)

A sample so you can see what a Business Associate Agreement covers and why each BA needs one. Clearly marked as a sample — it is not a template to adopt or sign. Your actual agreement comes from your counsel, and we point you to HHS’s published sample provisions.

19

Notice of Privacy Practices

Your NPP describing how you use and disclose PHI and what rights individuals have — a template to adapt, with counsel review before you publish it.

20

Minimum Necessary Policy

Limit uses, disclosures, and requests to the minimum necessary, with role-based access defined to match.

21

Uses & Disclosures Policy + Authorization Sample

When PHI may be used or disclosed with and without authorization. Includes an authorization SAMPLE for understanding only — an authorization is a legal instrument, so your actual form comes from counsel.

22

Patient Rights Procedures

Access, amendment, and accounting of disclosures — who handles each request, the deadlines each carries, and the request log.

23

Training Log & Attestation

HIPAA requires workforce training and requires you be able to show it happened. This is that evidence. (Free guidance on running effective ongoing training lives in our resource library — the how-to is not paywalled.)

24

Review & Testing Cadence

When you next review policies, test the contingency plan, re-run the risk analysis, and re-verify BAAs — with documented results.

25

Sample Compliance Calendar

A cadence to adapt, not a schedule to obey — recurring reviews you set, kept deliberately separate from the deadlines regulation fixes (like the 60-day breach window), which are flagged to verify with counsel rather than taken from a template.

26

Policy Register & Change Log

Not housekeeping — a compliance artifact. A record showing your policies were reviewed and maintained over time is evidence of ongoing governance. Documents all created on the same day and never touched again tell an auditor a very different story.

NEED MORE THAN A KIT?

Some organizations need the program operated, not just documented.

A kit gives you the documentation foundation the Rules expect. If you are facing an active OCR inquiry, carry PHI at scale, or need someone accountable for running the program month to month, that is an engagement rather than a kit. Whitestance’s fractional CISO engagements build and operate the program across your environment and produce the evidence your board, auditors, and carriers can see. Engagements start at $40,000 for smaller organizations and scale from there.

Talk to us about a full engagement →