© 2026 D3rx. All rights reserved.


HIPAA Compliance

HIPAA Policy Templates

Professional, regulation-mapped policy documents covering every HIPAA Security Rule, Privacy Rule, and Breach Notification requirement. Customizable for your practice in minutes.

All 23 policies — plus the Medicare audit, compliance binder, and Doc Builder. Free while we’re in beta.

23 Policies

Every HIPAA-required policy

CFR-Referenced

Mapped to specific regulations

Edit in Your Account

Customize online in your account

Free While in Beta

No charge during the beta

Administrative Safeguards (164.308)

Administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect ePHI.

45 CFR § 164.308(a)(1)(ii)(A)–(B)

Risk Analysis & Risk Management Policy

Defines how your practice identifies, evaluates, and mitigates risks to the confidentiality, integrity, and availability of ePHI. Required for every HIPAA-covered entity and the foundation of your entire compliance program.

45 CFR § 164.308(a)(1)(ii)(C)

Sanction Policy

Establishes consistent consequences for workforce members who violate HIPAA policies and procedures. Demonstrates to auditors that your practice takes compliance seriously and enforces accountability.

45 CFR § 164.308(a)(1)(ii)(D)

Information System Activity Review Policy

Requires regular review of audit logs, access reports, and security incident tracking across all systems that store or transmit ePHI. Critical for detecting unauthorized access before it becomes a breach.

45 CFR § 164.308(a)(2)

Assigned Security Responsibility Policy

Formally designates the security official responsible for developing and implementing HIPAA Security Rule policies and procedures. This is a required standard that names the individual accountable for your entire security program and defines their authority, duties, and reporting relationships.

45 CFR § 164.308(a)(3)

Workforce Security Policy

Governs authorization, supervision, clearance, and termination procedures for workforce members who access ePHI. Covers the full employee lifecycle from hiring through separation to prevent insider threats.

45 CFR § 164.308(a)(4)

Information Access Management Policy

Controls how your practice authorizes and restricts access to ePHI based on job function. Implements role-based access, isolates clearinghouse functions, and manages access to protected health information on a need-to-know basis.

45 CFR § 164.308(a)(5)

Security Awareness & Training Policy

Mandates ongoing HIPAA security training for all workforce members, including security reminders, malware protection awareness, login monitoring, and password management education. Addresses the most common compliance gap found in audits.

45 CFR § 164.308(a)(6)

Security Incident Response Policy

Defines how your practice identifies, responds to, mitigates, and documents security incidents involving ePHI. Establishes the response team, escalation paths, and documentation requirements that are critical during a real incident.

45 CFR § 164.308(a)(7)

Contingency Plan

Addresses data backup, disaster recovery, and emergency-mode operations to ensure ePHI remains available during and after an emergency. Covers the three required implementation specifications: backup plan, recovery plan, and emergency mode operations.

45 CFR § 164.308(a)(8)

Evaluation Policy

Requires periodic technical and non-technical evaluations of your HIPAA security program in response to environmental or operational changes. Ensures your policies stay current as technology, regulations, and your practice evolve.

Physical Safeguards (164.310)

Physical measures, policies, and procedures to protect electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.

45 CFR § 164.310(a)

Facility Access Controls Policy

Governs physical access to facilities that house systems containing ePHI. Covers contingency operations, facility security plans, access control and validation, and maintenance records for physical security measures.

45 CFR § 164.310(b)–(c)

Workstation Use & Security Policy

Specifies the proper use of and physical safeguards for workstations that access ePHI. Covers screen positioning, auto-lock requirements, clean desk procedures, and restrictions on workstation functions to minimize risk of unauthorized access.

45 CFR § 164.310(d)

Device & Media Controls Policy

Governs the receipt, removal, movement, and disposal of hardware and electronic media containing ePHI. Ensures proper sanitization of devices before reuse or disposal and tracks media throughout its lifecycle.

Technical Safeguards (164.312)

Technology and the policies and procedures for its use that protect ePHI and control access to it.

45 CFR § 164.312(a)

Access Control Policy

Establishes technical controls to limit ePHI access to authorized persons and software. Covers unique user identification, emergency access procedures, automatic logoff, and encryption and decryption of data at rest.

45 CFR § 164.312(b)

Audit Controls Policy

Requires implementation of hardware, software, and procedural mechanisms to record and examine activity in systems that contain or use ePHI. Defines what events to log, how long to retain logs, and who reviews them.

45 CFR § 164.312(c)

Integrity Controls Policy

Protects ePHI from improper alteration or destruction. Implements mechanisms to authenticate electronic records, detect unauthorized changes, and maintain data integrity across all systems that process protected health information.

45 CFR § 164.312(d)

Authentication Policy

Requires procedures to verify the identity of any person or entity seeking access to ePHI. Covers multi-factor authentication requirements, password standards, biometric options, and token-based authentication for your practice.

45 CFR § 164.312(e)

Transmission Security Policy

Guards against unauthorized access to ePHI being transmitted over electronic networks. Addresses encryption of data in transit, integrity controls for transmitted data, and secure communication channel requirements including email and fax.

Privacy Rule (164.500–534)

Standards for the use and disclosure of individuals' health information, and the rights of patients to understand and control how their health information is used.

45 CFR § 164.520

Notice of Privacy Practices

The patient-facing document that describes how your practice uses and discloses PHI, patient rights, and your privacy obligations. Required to be provided to every patient and posted prominently in your facility.

45 CFR § 164.502(b), § 164.514(d)

Minimum Necessary Standard Policy

Requires your practice to limit PHI use, disclosure, and requests to the minimum amount necessary to accomplish the intended purpose. Defines role-based access categories and procedures for routine vs. non-routine disclosures.

45 CFR § 164.522, § 164.524, § 164.526, § 164.528

Patient Rights Policy

Addresses the full spectrum of patient rights under HIPAA: the right to access their records, request amendments, receive an accounting of disclosures, request restrictions, and obtain confidential communications. Essential for front-desk and HIM staff.

45 CFR § 164.502(e), § 164.504(e)

Business Associate Agreement Template

A ready-to-use BAA template for engaging vendors, contractors, and service providers who will access PHI on your practice's behalf. Includes all required provisions per HITECH Act amendments and the Omnibus Rule.

Breach Notification (164.400–414)

Requirements for covered entities and business associates to notify individuals, HHS, and in some cases the media, following a breach of unsecured PHI.

45 CFR §§ 164.400–414

Breach Notification Policy & Procedures

Step-by-step procedures for detecting, investigating, and reporting breaches of unsecured PHI. Covers the four-factor risk assessment, notification timelines (60 days for individuals, annual for HHS), and documentation requirements.

Free While in Beta

Complete HIPAA Policy Library

All 23 HIPAA policy templates — along with the Medicare audit, compliance binder, and Doc Builder. Everything is included and free while we’re in beta.

  • All 23 HIPAA policy templates
  • Kept current as HIPAA regulations change
  • New templates added as we expand the library
  • Implementation checklists, calendar & training sign-offs
  • Medicare revenue audit — claims analysis
  • Compliance binder + Doc Builder
  • Edit & customize any template online

Free: all 23 templates, while in beta

Open the templates

Free while we’re in beta · create a free account

Free Tool

Need a one-off document instead?

Our AI Doc Builder creates custom appeal letters, prior auth requests, call scripts, and more — tailored to your specific claim in seconds.

Try Doc Builder Free

Get every policy

All 23 policies, checklists, and review templates — alongside the Medicare audit and compliance binder. Free while we’re in beta.


IMPORTANT LEGAL DISCLAIMER

These HIPAA policy templates are provided for informational and educational purposes only. They do not constitute legal advice, and their purchase or use does not create an attorney-client relationship between you and D3rx, Inc. or any of its affiliates.

CUSTOMIZATION REQUIRED — Every template must be customized to reflect the specific operations, workforce, technology environment, and state-law requirements of your practice. Using a template without tailoring it to your organization does not satisfy HIPAA's documentation requirements.

PROFESSIONAL REVIEW — All policies must be reviewed and approved by your practice's designated Privacy Officer and/or Security Officer, and by qualified legal counsel familiar with healthcare regulatory compliance, before adoption and implementation.

NO COMPLIANCE GUARANTEE — Adopting these templates does not guarantee compliance with the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, or any other federal or state regulation. The U.S. Department of Health and Human Services (HHS) does not recognize, endorse, or approve private HIPAA compliance certifications or seals of approval. See 45 CFR § 164.316 (documentation requirements) and HHS guidance on compliance programs.

IMPLEMENTATION RESPONSIBILITY — Your practice remains solely responsible for the implementation, workforce training, ongoing monitoring, and documentation of all HIPAA policies and procedures. A written policy that is not operationalized provides no compliance protection.

STATE LAW OVERLAY — Many states have privacy, security, and breach-notification laws that impose requirements more stringent than HIPAA. These templates address federal HIPAA requirements only. You must evaluate and incorporate applicable state-law obligations for every jurisdiction in which your practice operates.

NO WARRANTY — These templates are provided "as is" without warranty of any kind, express or implied, including but not limited to warranties of merchantability, fitness for a particular purpose, or non-infringement. By using these templates, you acknowledge that you have read and understood this disclaimer.