A pediatric clinic in Idaho had a binder on the shelf labeled "HIPAA Compliance Plan." It was printed in 2017, never updated, and nobody on staff had read it. When OCR came knocking after a breach involving unencrypted ePHI on a stolen laptop, that binder did exactly nothing to help them. The investigation revealed no risk analysis, no workforce training documentation, and no breach notification procedures. What they had wasn't a plan — it was a prop.

I've seen this pattern play out dozens of times. Organizations treat HIPAA compliance plans like insurance policies they hope they'll never need. But OCR doesn't care what's on your shelf. They care what's in your operations. If you're reading this, you probably already sense that your plan needs work — or you need to build one from scratch. Either way, here's exactly how to create a HIPAA compliance plan that holds up under real scrutiny.

What Is a HIPAA Compliance Plan, Really?

A HIPAA compliance plan is a documented, living framework that describes how your organization protects PHI across every department, device, and workflow. It covers administrative, physical, and technical safeguards. It names responsible people. And it gets updated — not once, but continuously.

Think of it as the operating manual for how your covered entity handles protected health information from the moment it's created to the moment it's destroyed. It's not a single document. It's an ecosystem of policies, procedures, training records, risk assessments, and incident response protocols that work together.

The $4.3 Million Mistake: What Happens Without a Real Plan

In 2019, the University of Texas MD Anderson Cancer Center lost its appeal of a $4.3 million penalty imposed by HHS after three separate breach incidents involving unencrypted devices. The organization argued it had policies in place, but OCR found that those policies weren't consistently implemented or enforced. The distinction matters: having a policy written down is not the same as having a compliance plan that works.

You can review OCR's enforcement actions and resolution agreements on the HHS Resolution Agreements page. The pattern is unmistakable. Nearly every major penalty involves gaps between what an organization says it does and what it actually does.

The Gap OCR Always Finds

In my experience, the gap usually lives in three places: outdated risk assessments, missing training documentation, and nonexistent breach notification procedures. Your HIPAA compliance plan has to close all three of those gaps — or it's just decoration.

The Seven Components Every HIPAA Compliance Plan Needs

I've helped organizations of every size build plans that survive audits. Here are the seven non-negotiable components.

1. A Current, Thorough Risk Analysis

The HIPAA Security Rule requires it at 45 CFR § 164.308(a)(1). You need to identify every place ePHI lives — servers, laptops, cloud platforms, mobile devices, paper charts, even voicemail systems. Then you assess threats and vulnerabilities for each one. This isn't a one-time exercise. Do it annually at minimum, and after any significant change to your infrastructure.

2. Written Policies and Procedures

Your policies must cover access controls, data encryption, workstation security, device management, and disposal of PHI. They also need to address the Privacy Rule: minimum necessary standards, patient rights to access records, and authorization requirements. Generic templates won't cut it. Your policies need to reflect your actual workflows.

3. A Designated Privacy and Security Officer

Every covered entity must designate someone responsible for HIPAA compliance. In smaller practices, this might be the office manager. In larger organizations, it could be a dedicated compliance team. The key: this person must have authority to enforce policies and access to leadership.

4. Workforce Training — Documented and Recurring

OCR doesn't accept "we told them during orientation" as evidence of training. You need documented, role-specific training for every workforce member, with completion records you can produce on demand. New hires need training before they touch PHI. Everyone else needs annual refreshers.

If your team includes remote workers — and in 2026, most healthcare organizations have at least some — your training program must address the unique risks of home offices, public Wi-Fi, and personal devices. Our HIPAA training course for remote healthcare workers was built specifically for this scenario.

5. Business Associate Agreements

Every vendor, contractor, or partner who handles PHI on your behalf must sign a Business Associate Agreement. Your compliance plan should include a process for tracking these agreements, reviewing them regularly, and ensuring BAAs are in place before any PHI changes hands.

6. Breach Notification Procedures

When — not if — a breach occurs, your plan must spell out exactly who does what, within what timeframe. The Breach Notification Rule requires you to notify affected individuals within 60 days and report to HHS. Breaches affecting 500 or more individuals also require media notification. Your plan should include templates, contact lists, and a clear chain of command.

7. An Audit and Monitoring Program

Your HIPAA compliance plan should include regular internal audits. Review access logs. Check that terminated employees lose access immediately. Test your incident response procedures. Document everything. The organizations that avoid penalties aren't the ones that never have incidents — they're the ones that can prove they were actively managing risk.

How Often Should You Update Your HIPAA Compliance Plan?

At minimum, review and update your HIPAA compliance plan annually. But certain events should trigger an immediate review:

  • A security incident or breach
  • A major technology change (new EHR system, cloud migration, telehealth expansion)
  • Organizational changes like mergers, acquisitions, or leadership transitions
  • New regulatory guidance from HHS or OCR
  • Changes to state privacy laws that affect your operations

Document every review — even if nothing changes. OCR wants to see that you looked, assessed, and made a deliberate decision.

Small Practices Are Not Exempt

I hear this constantly: "We're too small for OCR to care about." That's false. In 2018, OCR fined Filefax, Inc. — a company with a handful of employees — $100,000 for improper disposal of PHI. Small practices face the same rules as large health systems. The scale of your plan can be simpler, but it still has to exist and function.

If you're a small or mid-sized practice just getting started, our HIPAA Introduction Training for 2026 gives your team a solid foundation before you build out your full plan.

Remote Work Changed Everything — Your Plan Should Reflect That

The explosion of remote work and telehealth didn't create new HIPAA rules, but it created new risks that your compliance plan must address. Home networks, shared family computers, screen visibility in coffee shops, and unsecured messaging apps are all real threats to ePHI.

Your plan should include a remote work policy that specifies approved devices, required encryption standards, VPN usage, and physical workspace requirements. It should also address what happens when a remote worker's device is lost or stolen.

I've reviewed compliance plans from organizations with 40% remote staff that made zero mention of remote work. That's a finding waiting to happen.

Building the Plan: Where to Start Today

If you're staring at a blank page — or worse, staring at a dusty binder — here's your starting sequence:

  • Step 1: Designate your Privacy and Security Officer.
  • Step 2: Conduct a thorough risk analysis. Document every finding.
  • Step 3: Write policies that match your actual operations — not a template from the internet.
  • Step 4: Train your workforce and keep the records. Consider starting with our HIPAA Fundamentals course to bring everyone to baseline.
  • Step 5: Inventory your business associates and get BAAs signed.
  • Step 6: Write your breach notification procedures and test them with a tabletop exercise.
  • Step 7: Schedule your first internal audit — within 90 days.

This isn't a weekend project. But it's not an impossible one either. The organizations that get into trouble aren't the ones that have imperfect plans. They're the ones that have no plan at all — or plans that exist only on paper.

Your Plan Is Only as Strong as Your Follow-Through

A HIPAA compliance plan that sits unread is worse than having no plan at all. It gives you a false sense of security while leaving you fully exposed to OCR enforcement. The plan has to live in your daily operations — in how your front desk handles patient requests, in how your IT team configures access controls, in how your remote workers secure their home offices.

Every member of your workforce plays a role. Your job is to make sure they know what that role is, have the training to execute it, and understand the consequences if they don't.

Build the plan. Train your people. Document everything. Then do it again next year.