Compliance Pack
Your complete HIPAA compliance documentation — personalised to your practice, ready in minutes.
Seven documents. Every one personalised from your assessment answers. Everything OCR expects to see in an investigation, written in plain English for small practices.
Take the free assessment first · See your gaps before you buy · From $399
What you get
Seven documents that cover every Security Rule requirement.
Each document is generated from your assessment answers, not a fill-in-the-blank template. Everything references your practice, your tools, and your setup by name.
Formal Security Risk Analysis
~15–20 pages
What it is: Generated from your assessment answers in the format regulators expect, with risk ratings, current safeguards documented, and a remediation timeline.
Why you need it: The #1 document OCR asks for in any investigation — and the #1 most-fined item when it's missing. In 2025, every single OCR resolution agreement cited failure to conduct a thorough Security Risk Analysis.
A consultant charges $1,500–$3,000 for this document alone.
Policies and Procedures Manual
~12–15 pages
What it is: Your written security policies covering administrative, physical, and technical safeguards — personalised to your specific EHR, email provider, and telehealth platform.
Why you need it: Required under 45 CFR §164.316. OCR expects to see written policies that reflect how your practice actually operates, not generic boilerplate.
Notice of Privacy Practices
~3–4 pages
What it is: The patient-facing document every practice must provide. Updated for the February 2026 requirements including 42 CFR Part 2 alignment for substance use disorder records.
Why you need it: Required under the Privacy Rule. The February 2026 deadline updated what NPPs must contain — most practices missed the deadline and are still distributing out-of-date notices.
Incident Response Plan
~3–4 pages
What it is: Your step-by-step plan for handling a security incident or data breach. Pre-filled with your vendor contacts, breach notification deadlines, and HHS reporting procedures.
Why you need it: Required under §164.308(a)(6). OCR checks for a documented incident response plan during investigations, particularly after a reported breach.
Contingency and Disaster Recovery Plan
~2–3 pages
What it is: Your backup procedures, emergency access protocols, and business continuity plan. Personalised to your data storage setup and critical systems.
Why you need it: Required under §164.308(a)(7). Covers the scenarios OCR asks about: ransomware, natural disasters, vendor outages, and sudden loss of access to your EHR.
Vendor Inventory and BAA Tracker
~2–3 pages
What it is: Every vendor that handles patient data, their BAA status, and action items. Populated from your assessment answers. Includes a review schedule for annual BAA verification.
Why you need it: After the Change Healthcare breach, vendor management is firmly on OCR's radar. Missing BAAs are a common finding in small-practice investigations.
Security Official Designation and Training Log
~1–2 pages
What it is: The formal designation of your Security Official plus a training completion record with certificate. Your Compliance Pack includes HIPAA training with a completion quiz — the certificate is your audit-ready evidence of workforce training.
Why you need it: Required under §164.308(a)(2) (Security Official) and §164.308(a)(5) (workforce training). OCR asks for both in investigations.
HIPAA Training Module with Completion Certificate
Included with pack
What it is: Eight to ten sections of plain-English HIPAA training covering everything a solo or small practice needs to know. Complete the quiz at the end and download your personalised completion certificate.
Why you need it: This is the training record OCR expects to see. Most small practices have never formally trained themselves — the certificate becomes your audit-ready proof that workforce training happened.
Multi-location support
Multiple locations? We've got you covered.
Whether you operate from one office or five, your Compliance Pack covers every location. The assessment asks about each facility's specific setup — physical access, device inventory, network security — and your Security Risk Analysis includes dedicated appendices for each location.
| Locations | Price |
|---|---|
| 1 location | $399 |
| 2–3 locations | $599 |
| 4–5 locations | $799 |
| 6+ locations | Contact us |
6+ locations: email us at hello@yundra.health.
How Yundra compares
The smart middle ground between DIY and a consultant.
| | DIY Templates | Yundra | Consultant |
|---|---|---|---|
| Price | $50–$250 | From $399 | $2,000–$5,000 |
| Personalised to your practice | No — fill in the blanks | Yes — generated from your answers | Yes — but takes weeks |
| Time to complete | 10–20 hours | Minutes | 2–6 weeks |
| Formal Security Risk Analysis | Template only | Full document, OCR-ready | Yes |
| Written policies & procedures | Generic | Personalised to your tools | Yes |
| Notice of Privacy Practices | Usually not included | Included (updated for 2026) | Sometimes |
| All 7 required documents | Rarely | Yes | Varies |
| HIPAA training with certificate | No | Included | Sometimes |
| Updated for 2026 requirements | Check the date | Yes | Depends |
| Multi-location support | No | Yes (per-location appendices) | Yes |
| Ongoing updates available | No | Yes ($19/month) | Pay again |
| Time investment from you | 10–20 hours | 25-minute assessment | 5–10 hours of meetings |
What OCR asks for
Every document OCR expects — mapped to what you get.
When OCR investigates a practice — usually triggered by a patient complaint or a breach report — they request specific documentation. Here's exactly what they ask for and which document in your Compliance Pack provides it.
| What OCR requests | What Yundra delivers |
|---|---|
| Written Security Risk Analysis | Formal Security Risk Analysis |
| Policies & procedures | Policies and Procedures Manual |
| Notice of Privacy Practices | Notice of Privacy Practices (2026) |
| Workforce training records | Training Log + HIPAA Training Certificate |
| BAA documentation | Vendor Inventory and BAA Tracker |
| Incident Response Plan | Incident Response Plan |
| Contingency Plan | Contingency and Disaster Recovery Plan |
Frequently asked
Questions therapists ask before buying.
Is this personalised to my specific practice?
Yes — every document is generated from your assessment answers and references your specific EHR, email provider, telehealth platform, and other tools by name. You won't see any “insert vendor name here” placeholders.
How is this different from a template?
Templates are generic Word documents you fill in yourself — every blank, every scenario, every vendor reference. Yundra generates completed documents from your assessment answers. No blanks to fill, no guesswork about what to include, no second-guessing whether you've covered the required elements.
What if I need to update my documents later?
Retake the assessment and regenerate your documents whenever your practice changes — new EHR, new staff, new telehealth platform, a security incident. Or subscribe to Stay Compliant ($19/month) for automatic updates when regulations change.
Is this legal advice?
No. Yundra generates compliance documentation based on the established HIPAA Security Rule requirements and OCR's published guidance. For specific legal questions about your practice, consult a healthcare attorney.
What if regulations change?
The documents reflect current 2026 requirements, including the proposed Security Rule updates and the February 2026 Notice of Privacy Practices changes that most practices missed. Future regulatory updates are covered by the Stay Compliant subscription — we update your documents when the rules change, and we tell you what changed and why.
I have multiple locations. How does that work?
The assessment includes location-specific questions for each facility — physical access, device inventory, network setup, facility-specific vendors. Your Security Risk Analysis includes dedicated appendices for each location covering physical safeguards and facility-specific risks. Pricing scales with locations (see the pricing section above).
How long does it take?
The assessment takes about 25 minutes. After purchase, your documents are generated in minutes. Most users complete the entire process — assessment, purchase, document download — in under an hour.
Pricing
From $399 — one payment, all seven documents, plus HIPAA training with certificate.
- A compliance consultant charges $2,000–$5,000 for the same deliverable.
- The average OCR fine for a missing risk analysis starts at $25,000.
- Most practices complete the assessment and download all documents in under an hour.
Take the free assessment first. You'll see your compliance score and gap list before deciding whether to purchase.