HIPAA Compliance Toolkit
Appendix A
Breach Response Checklist
Business Associate Agreement (BAA) Audit Checklist
Minimum Necessary Checklist
Policy Review Checklist
Security Rule Checklist – Administrative Safeguards
Security Rule Checklist – Physical Safeguards
Security Rule Checklist – Technical Safeguards
Telehealth Compliance Checklist
Training Program Checklist
Appendix C
Compliance Logs and Oversight
Internal Monitoring Log
Policy and Training Review Log
Security Risk Assessment Log
Incident and Breach Response
Breach Investigation Log
Breach Notification Letter
Incident Report Form
Internal HIPAA Complaint Form
Patient-Facing Forms
Acknowledgment of Receipt of Privacy Notice
Authorization to Release Protected Health Information
Notice of Privacy Practices
Patient Request for Access to Records
Patient Request for Amendment to Records
Patient Request for Confidential Communication
Patient Request for Restriction of Use or Disclosure
Vendor and Partner Oversight
Business Associate Agreement (BAA) Template
Workforce and Staff Management
Employee Lifecycle Compliance Checklist
Visitor Confidentiality Agreement / Non-Disclosure Agreement
Workforce Termination Checklist
Workforce Training Acknowledgment Form
Appendix E
RISK ASSESSMENT AND COMPLIANCE TOOLS
Gulfcoast CloudForge: Offering professional HIPAA consulting services.
HHS Security Risk Assessment Tool
HHS Guidance on Risk Analysis
NIST Cybersecurity Framework (CSF)
STANDARDS, FRAMEWORKS, AND ADDITIONAL READING
Center for Internet Security (CIS) Controls (Not a government site)
A prioritized set of cybersecurity best practices used to defend against known threats.
COBIT (Not a government site)
A governance framework for enterprise IT management, developed by ISACA.
GDPR (General Data Protection Regulation)
European Union regulation for data protection and privacy rights of EU residents.
HIPAA Journal (Not a government site)
News and expert commentary on HIPAA enforcement and healthcare data security.
HITRUST (Not a government site)
A widely used framework for managing compliance across multiple standards.
ISO/IEC 27001 (Not a government site)
A global standard for information security management systems (ISMS).
ISO/IEC 27002 (Not a government site)
Companion to 27001 offering practical security control guidelines.
PCI DSS (Payment Card Industry Data Security Standard) (Not a government site)
Industry standard for protecting credit card information and preventing fraud.
Quality System Regulation (QSR)
FDA compliance requirements for medical device manufacturers in the U.S.
WORKFORCE TRAINING AND AWARENESS
KnowBe4 – www.knowbe4.com
Cofense – www.cofense.com
Terranova Security – www.terranovasecurity.com
Hook Security – www.hooksecurity.co