How to Document HIPAA Compliance for Your Therapy Practice

HIPAA doesn't just require you to be compliant — it requires you to prove it. The difference between a practice that "does HIPAA stuff" and a practice that can survive an OCR investigation comes down to documentation.

If it isn't written down, it didn't happen. That's the operating principle. This guide covers exactly what you need to document, how to organise it, and how long to keep it.

The Documentation Requirement

The HIPAA Security Rule (45 CFR § 164.316) requires covered entities to:

"Maintain the policies and procedures implemented to comply with this subpart in written (which may be electronic) form."

And to:

"Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later."

Six years. That's the minimum retention period for all HIPAA compliance documentation.

What You Need to Document

1. Security Risk Analysis

Your completed SRA — the assessment of where PHI lives, what threats exist, and how you're mitigating them. This should be dated, signed, and include:

  • Asset inventory
  • Threat and vulnerability analysis
  • Risk ratings
  • Current safeguards
  • Remediation plan with timelines

Update annually or when significant changes occur. Keep all versions — not just the current one.

2. Policies and Procedures

Your written security policies covering:

  • Administrative safeguards (Security Officer designation, workforce training, access management)
  • Physical safeguards (facility access, device security, workstation use)
  • Technical safeguards (access controls, encryption, audit logging, transmission security)
  • Vendor management and BAA procedures
  • Incident response overview

Date every version. When you update a policy, keep the old version and the new version — both with dates.

3. Business Associate Agreements

A copy of every signed BAA with every vendor that handles PHI:

  • EHR system
  • Email provider
  • Telehealth platform
  • Cloud storage
  • Billing/clearinghouse
  • Any other vendor that touches patient data

Include the date signed, the parties involved, and when it's due for review.

4. Training Records

Documentation of every HIPAA training session:

  • Who was trained
  • What topics were covered
  • When the training occurred
  • How it was delivered
  • Acknowledgment of completion

Keep training records for every workforce member, including yourself.

5. Notice of Privacy Practices

Every version of your NPP, with effective dates. Keep the current version and all previous versions.

6. Incident and Breach Documentation

For every security incident (whether or not it was a reportable breach):

  • What happened
  • When it was discovered
  • The four-factor breach risk assessment
  • What action was taken
  • Whether notification was required and provided
  • Follow-up and corrective actions

7. Security Official Designation

The written designation of your Security Officer and Privacy Officer (usually you, for a solo practice). Dated and signed.

8. Patient Authorisations

Any signed authorisations from patients for uses and disclosures beyond treatment, payment, and operations.

9. Access and Amendment Records

Documentation of patient requests to access or amend their records, and your responses.

10. Change Management

Records of any significant changes to your practice that triggered policy updates or re-assessment:

  • New vendors
  • New locations
  • Staff changes
  • Technology changes
  • Security incidents

How to Organise It

Option 1: Digital folder structure

Create a folder on your encrypted drive (or compliant cloud storage):

HIPAA Compliance/
├── Risk Analysis/
│   ├── SRA-2026-04.pdf
│   └── SRA-2025-04.pdf
├── Policies/
│   ├── Security-Policies-v3-2026.pdf
│   └── Security-Policies-v2-2025.pdf
├── BAAs/
│   ├── SimplePractice-BAA-2026.pdf
│   ├── GoogleWorkspace-BAA-2025.pdf
│   └── Doxyme-BAA-2026.pdf
├── Training/
│   ├── Training-Log.pdf
│   └── Certificates/
├── NPP/
│   ├── NPP-2026-v2.pdf
│   └── NPP-2024-v1.pdf
├── Incidents/
│   └── (empty until needed)
├── Designations/
│   └── Security-Official-Designation.pdf
└── Patient-Requests/
    └── (access and amendment requests)

Option 2: Combined compliance binder

A single document (physical or digital) that contains everything in order, with a table of contents and section tabs. This is what many consultants deliver.

Your Yundra Compliance Pack provides 7 documents that cover items 1-7 above, all personalised to your practice and organised for easy reference.

The 6-Year Retention Rule

All HIPAA compliance documentation must be retained for a minimum of 6 years from the date of creation or the date it was last in effect, whichever is later.

This means:

  • A policy created in 2020 and replaced in 2023 must be kept until at least 2029
  • A BAA signed in 2024 and still active in 2026 must be kept until at least 2032, and longer if it remains in effect past 2026 (6 years from when it ceases to be in effect)
  • Training records from 2021 must be kept until at least 2027

Don't destroy old compliance documents even when you replace them with new versions. You may need them to demonstrate what was in effect at a particular point in time.

What Happens Without Documentation

When OCR investigates, the first thing they ask for is documentation. Without it:

  • Your risk analysis? "We don't have a written one" → citeable violation
  • Your policies? "We follow them but they're not written down" → citeable violation
  • Your training records? "We did training but didn't document it" → as if it never happened
  • Your BAAs? "We use compliant vendors but didn't sign BAAs" → citeable violation

Every one of these has been cited in real OCR enforcement actions against small practices.

Getting Started Today

If you don't have organised HIPAA documentation:

  1. Take the free assessment — this generates your risk analysis, the foundational document everything else builds on
  2. Get your documents generated — the Compliance Pack creates all 7 core documents personalised to your practice
  3. Organise your BAAs — pull together every vendor BAA you have, identify gaps using the BAA tracker
  4. Start your training log — document today's compliance review as your first entry
  5. Set up your folder structure — create the digital filing system described above
  6. Set a calendar reminder — annual review, every April (or whenever works for your practice)

Documentation isn't glamorous, but it's the difference between "we're compliant" and "we can prove we're compliant." The second one is what matters when OCR asks.
