How to Build a HIPAA Clinic Compliance Calendar

A step-by-step guide for practice administrators to build a 12-month HIPAA compliance calendar—covering annual, quarterly, and monthly requirements with ownership and evidence tracking.

Short answer

A HIPAA compliance calendar converts vague regulatory obligations into a scheduled, owned operating cadence. This guide walks a practice administrator through building one from scratch—covering annual, quarterly, and monthly requirements, ownership assignments, and the evidence artifacts OCR expects to see.

A HIPAA compliance calendar is not a luxury for larger health systems. It is what keeps a small clinic’s compliance program alive between incidents. Without one, compliance work happens reactively — in response to a breach, a complaint, or an OCR inquiry — rather than as a managed operating function.

The absence of scheduled, documented compliance review has appeared as a finding in multiple OCR enforcement actions. When an investigator asks to see evidence of periodic risk analysis, policy review, or workforce training, “we do it when we remember” is not an acceptable answer.


Why the calendar matters before an investigation opens

OCR’s audit protocol — the same framework used in desk audits and complaint investigations — expects evidence that compliance activities happen on a regular, documented schedule. The protocol checks for:

  • Whether risk analysis has been performed and kept current
  • Whether policies have been reviewed and updated periodically
  • Whether workforce members have received and attested to training
  • Whether access controls have been reviewed and terminated access has been removed
  • Whether incident logs have been maintained and reviewed

A calendar without evidence is just a list of intentions. A calendar with dated, archived evidence artifacts is a defensible compliance record.


Annual activities

Annual activities are the foundation of the calendar. Each one produces a mandatory evidence artifact.

| Activity | Regulatory basis | Evidence artifact | Typical owner |
| --- | --- | --- | --- |
| Risk analysis (full refresh or update) | 45 CFR § 164.308(a)(1) | Signed risk analysis document with current date | Security Officer |
| Security and Privacy policy review | 45 CFR § 164.316(b)(2) | Policy approval log with reviewer signature and date | Privacy Officer |
| Workforce HIPAA training attestation | 45 CFR § 164.530(b) | Training completion records, signed attestations | Practice Manager |
| Disaster recovery / contingency plan test | 45 CFR § 164.308(a)(7) | Test log: what was tested, date, result, gaps noted | Security Officer |
| Workforce sanctions log review | 45 CFR § 164.530(e) | Dated review notation on the sanctions log | Privacy Officer |
| BAA inventory full audit | 45 CFR § 164.308(b)(1) | BAA inventory with status column: active, expired, pending | Privacy Officer |

Risk analysis. This is the most scrutinized annual activity in OCR investigations. The analysis must account for the clinic’s current environment — every system that creates, receives, maintains, or transmits PHI. If the clinic added an EHR module, a patient portal, a new telehealth vendor, or a billing service this year, those must appear in the current analysis. An undated or multi-year-old risk analysis is a red flag.

Policy review. The Security Rule requires that policies and procedures be reviewed and updated as needed in response to environmental or operational changes (45 CFR § 164.316(b)(2)(iii)). Annual review is the minimum expected cadence. The review log should note who reviewed each policy, what changed, and when the revised version was approved.

Training attestation. Training must be provided to new workforce members at hire and to all workforce members when policies change materially. At the annual review, confirm that every active workforce member has a current attestation on file. Gaps in training records are one of the most common documentation deficiencies OCR cites in enforcement actions.

Contingency plan test. Testing the contingency plan—whether through a full backup restore test, a tabletop exercise, or an emergency-mode operation drill—must be documented. The log should capture what was tested, who participated, the date, and any gaps identified and remediated.


Quarterly activities

Quarterly activities are the checkpoint layer. They catch drift before it becomes a compliance problem.

| Activity | Why quarterly | Evidence artifact | Owner |
| --- | --- | --- | --- |
| Access control review | Terminated employees, role changes, and new hires all affect access. Quarterly review limits exposure windows. | Access review log: systems reviewed, accounts confirmed or removed | Security Officer |
| BAA status check | Vendors change ownership, go out of business, or quietly expand their services. Quarterly checks catch issues before the annual audit. | BAA status notation: active agreements confirmed, issues flagged | Practice Manager |
| Incident log review | Incidents that look minor at first often have compliance implications that surface on review. | Quarterly incident log summary with status of each open item | Privacy Officer |

Access reviews in practice. For a small clinic, the quarterly access review takes less than an hour. The goal is to confirm that every active system account belongs to a current workforce member with the right role, and that no terminated employee retains active credentials. The review log does not need to be elaborate — a dated note recording what was reviewed, who reviewed it, and what actions were taken is sufficient.
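The quarterly access review described above reduces to one reconciliation: every account on every PHI system must map to an active roster entry with a permitted role. The script below is an added example, not part of the original article or any product it mentions. The roster, system names, roles and account lists are constructed placeholders; a real run would read the HR export and each system's account export instead. It produces both the findings and the dated review log entry the article asks for as evidence.

```python
"""Quarterly access review: reconcile system account exports against the personnel roster.

Added example with constructed sample data; the people, systems and roles are placeholders.
"""
from dataclasses import dataclass
from datetime import date

# Constructed personnel roster (what an HR export would provide). Status is "active" or "terminated".
ROSTER = [
    {"user": "jdoe",   "name": "J. Doe",   "role": "front_desk", "status": "active"},
    {"user": "asmith", "name": "A. Smith", "role": "billing",    "status": "active"},
    {"user": "rlee",   "name": "R. Lee",   "role": "nurse",      "status": "terminated"},
    {"user": "mkhan",  "name": "M. Khan",  "role": "provider",   "status": "active"},
]

# Constructed account exports, one entry per system that creates, receives, maintains or transmits PHI.
# "allowed_roles" is the set of roster roles that may legitimately hold an account in that system.
SYSTEMS = {
    "ehr":            {"allowed_roles": {"provider", "nurse", "front_desk"},
                       "accounts": ["jdoe", "rlee", "mkhan", "svc_backup", "tmp_admin"]},
    "billing":        {"allowed_roles": {"billing"},
                       "accounts": ["asmith", "jdoe"]},
    "patient_portal": {"allowed_roles": {"provider", "front_desk"},
                       "accounts": ["mkhan"]},
}

# Known non-human accounts, documented elsewhere, so they are not reported as orphans.
SERVICE_ACCOUNTS = {"svc_backup"}


@dataclass
class Finding:
    system: str
    account: str
    issue: str    # "terminated", "orphan" or "role_mismatch"
    action: str   # the follow-up the reviewer records


def reconcile(roster, systems, service_accounts=frozenset()):
    """Compare every system account against the roster and return the list of findings."""
    people = {p["user"]: p for p in roster}
    findings = []
    for system, info in systems.items():
        for account in info["accounts"]:
            if account in service_accounts:
                continue
            person = people.get(account)
            if person is None:
                findings.append(Finding(system, account, "orphan",
                                        "no roster match: confirm owner or disable"))
            elif person["status"] != "active":
                findings.append(Finding(system, account, "terminated",
                                        "workforce member terminated: disable account"))
            elif person["role"] not in info["allowed_roles"]:
                findings.append(Finding(system, account, "role_mismatch",
                                        f"role '{person['role']}' not permitted in {system}: review"))
    return findings


def review_log_entry(findings, reviewer, systems, review_date=None):
    """Build the dated evidence record: what was reviewed, who reviewed it, and the outcomes."""
    review_date = review_date or date.today()
    return {
        "date": review_date.isoformat(),
        "reviewer": reviewer,
        "systems_reviewed": sorted(systems),
        "accounts_checked": sum(len(s["accounts"]) for s in systems.values()),
        "findings": [f"{f.system}/{f.account}: {f.issue} -> {f.action}" for f in findings],
        "result": "clean" if not findings else f"{len(findings)} action item(s)",
    }


if __name__ == "__main__":
    found = reconcile(ROSTER, SYSTEMS, SERVICE_ACCOUNTS)
    entry = review_log_entry(found, "Security Officer", SYSTEMS, date(2024, 4, 1))
    for line in entry["findings"]:
        print(line)
    print(entry["result"])
```

On the sample data the run reports three action items: the terminated nurse still holding an EHR account, an EHR account with no roster match, and a front-desk user with a billing account. The returned log entry, once saved with the quarter's evidence, is exactly the "dated note recording what was reviewed, who reviewed it, and what actions were taken" the article calls sufficient.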

BAA status checks. Business associates change. A vendor that had a signed BAA two years ago may have been acquired, changed its data practices, or expanded its services in ways that require an updated agreement. A quarterly scan of the active BAA inventory takes minutes and prevents surprises.


Monthly activities

Monthly activities are lightweight checks, not deep reviews. They keep the compliance program’s daily operations visible without requiring significant time.

| Activity | Purpose | Evidence artifact | Owner |
| --- | --- | --- | --- |
| Training completion rate check | Ensure new hires complete required training within the onboarding window | Monthly completion report | Practice Manager |
| New hire onboarding verification | Confirm each new workforce member has signed the workforce confidentiality agreement and received training | Onboarding checklist per hire | Practice Manager |

New hire onboarding is a common gap. In busy periods, HR onboarding and HIPAA onboarding get treated as separate tracks. A monthly check against the personnel roster ensures no one slips through without completing required training and signing the confidentiality agreement. The evidence is simply the completed onboarding checklist for each hire in the period.


Assigning ownership at a small clinic

At a clinic without dedicated compliance staff, the Privacy Officer and Security Officer roles are almost always held by non-specialists — the practice administrator or a senior nurse. That is fine under HIPAA, but the roles must be formally assigned and the people holding them must understand what they are responsible for.

A practical ownership model for small clinics:

  • Privacy Officer (often the practice administrator): owns Privacy Rule compliance, the BAA inventory, incident response, and workforce training attestation.
  • Security Officer (often the same person or the office manager): owns the risk analysis, technical safeguard review, contingency plan testing, and access control reviews.
  • Department leads (e.g., front desk manager, billing lead): own activity-level tasks within their areas, such as confirming their team’s training is current.

When one person holds both roles, the calendar still lists the role title as the owner—not the person’s name—so the assignment survives personnel changes.


Evidence: what to keep and where to keep it

Every calendar activity needs a defined evidence artifact before the calendar goes live. The most common failure is completing an activity without capturing evidence, then being unable to demonstrate it when asked.

Minimum evidence standards by activity type:

  • Risk analysis: The signed analysis document itself, dated, with version number
  • Policy review: A review log listing each policy, the reviewer’s name, the review date, and whether changes were made
  • Training: Completion records from the training platform or signed paper attestations, indexed by workforce member
  • Access review: A dated log entry noting the systems reviewed, the reviewer, and the outcomes
  • BAA inventory: The inventory spreadsheet or document with a “last verified” date column
  • Incident log: The log itself, with a dated quarterly review notation

Store evidence in a single, access-controlled location — a shared drive folder or a compliance platform. Scattered evidence is the same as no evidence when an investigator is asking for documentation within 30 days.


The risk of skipping the calendar

OCR enforcement actions consistently cite the absence of documented periodic review. The resolution agreements and corrective action plans published by HHS follow a predictable pattern: when a complaint or breach triggers an investigation, investigators look first at the risk analysis, then at training records, then at policies. Clinics that cannot produce dated evidence of these activities face findings that reach beyond the original incident.

A compliance calendar does not prevent all findings. It narrows the exposure window and gives the clinic a documented record to present when an investigator asks what the compliance program looks like.


Building the calendar in practice

A compliance calendar does not need to be complicated. A shared spreadsheet or a task management tool with recurring assignments is sufficient. What matters is that:

  1. Every required activity appears on the calendar with a specific due date
  2. Every activity has a named owner who is responsible for completion and evidence collection
  3. Completed activities are marked with the date of completion and the location of the evidence artifact
  4. The calendar itself is reviewed at least quarterly to catch missed items and adjust for changes

For small clinics managing compliance alongside patient care, the calendar converts compliance from a vague annual obligation into discrete, scheduled tasks that can be tracked and confirmed — without requiring a compliance department to manage them.
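The four requirements above (dated activities, role owners, completion plus evidence location, and a periodic check for missed items) are straightforward to express as a small program. The following is an added example, not code from the article or from any product it mentions: it expands the annual, quarterly and monthly activities from the earlier tables into a dated 12-month calendar and then reports which items are overdue, which were marked complete without a stored evidence location, and which are still upcoming. The activity list mirrors the article's tables; the due-date rules (annual items at the end of the first month, quarterly items at the end of months 3, 6, 9 and 12) and the completion records are assumptions made for the example.

```python
"""Build a 12-month HIPAA compliance calendar and flag missed or undocumented items.

Added example. Owners are role titles, never names, so the calendar survives staff changes.
"""
from dataclasses import dataclass
from datetime import date
import calendar as cal

# Activity definitions taken from the article's tables: (name, cadence, owner role, evidence artifact).
ACTIVITIES = [
    ("Risk analysis refresh",            "annual",    "Security Officer", "signed risk analysis, dated, versioned"),
    ("Policy review",                    "annual",    "Privacy Officer",  "policy review log with reviewer and date"),
    ("Workforce training attestation",   "annual",    "Practice Manager", "completion records / signed attestations"),
    ("Contingency plan test",            "annual",    "Security Officer", "test log: scope, date, result, gaps"),
    ("BAA inventory full audit",         "annual",    "Privacy Officer",  "BAA inventory with status column"),
    ("Access control review",            "quarterly", "Security Officer", "dated access review log"),
    ("BAA status check",                 "quarterly", "Practice Manager", "BAA status notation"),
    ("Incident log review",              "quarterly", "Privacy Officer",  "quarterly incident log summary"),
    ("Training completion rate check",   "monthly",   "Practice Manager", "monthly completion report"),
    ("New hire onboarding verification", "monthly",   "Practice Manager", "onboarding checklist per hire"),
]


@dataclass(frozen=True)
class Task:
    name: str
    owner: str
    evidence: str
    due: date


def month_end(year, month):
    """Last calendar day of the given month."""
    return date(year, month, cal.monthrange(year, month)[1])


def build_calendar(start_year, start_month, activities=ACTIVITIES):
    """Expand the activity list into dated tasks for the 12 months beginning start_month.

    Assumed scheduling rule: annual items are due at the end of the first month of the cycle,
    quarterly items at the end of months 3, 6, 9 and 12, monthly items at the end of every month.
    """
    months, y, m = [], start_year, start_month
    for _ in range(12):
        months.append((y, m))
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    tasks = []
    for name, cadence, owner, evidence in activities:
        if cadence == "annual":
            due_months = [months[0]]
        elif cadence == "quarterly":
            due_months = [months[i] for i in (2, 5, 8, 11)]
        elif cadence == "monthly":
            due_months = months
        else:
            raise ValueError(f"unknown cadence: {cadence}")
        for yy, mm in due_months:
            tasks.append(Task(name, owner, evidence, month_end(yy, mm)))
    return sorted(tasks, key=lambda t: (t.due, t.name))


def status_report(tasks, completions, as_of):
    """Classify each task as done, missing_evidence, overdue or upcoming as of a given date.

    completions maps (task name, due date) -> {"completed": date, "evidence_path": str or None}.
    A task marked complete with no stored evidence location is reported on its own, because an
    activity without an artifact cannot be demonstrated to an investigator.
    """
    report = {"done": [], "missing_evidence": [], "overdue": [], "upcoming": []}
    for t in tasks:
        rec = completions.get((t.name, t.due))
        if rec is None:
            report["overdue" if t.due < as_of else "upcoming"].append(t)
        elif not rec.get("evidence_path"):
            report["missing_evidence"].append(t)
        else:
            report["done"].append(t)
    return report


def sample_completions():
    """Constructed completion records for the example run; the paths are placeholders."""
    return {
        ("Risk analysis refresh", date(2024, 1, 31)):
            {"completed": date(2024, 1, 20), "evidence_path": "compliance/2024/risk-analysis-v3.pdf"},
        ("Policy review", date(2024, 1, 31)):
            {"completed": date(2024, 1, 28), "evidence_path": None},
    }


def demo(as_of=date(2024, 4, 15)):
    """Build the 2024 calendar and report its status at the mid-April quarterly check."""
    tasks = build_calendar(2024, 1)
    return tasks, status_report(tasks, sample_completions(), as_of)


if __name__ == "__main__":
    tasks, report = demo()
    for bucket, items in report.items():
        print(f"{bucket}: {len(items)}")
        for t in items:
            print(f"  {t.due} {t.name} ({t.owner}) evidence: {t.evidence}")
```

At the mid-April check in the sample run, the policy review shows up under missing_evidence even though it was marked complete, which is the failure mode the evidence section warns about. The overdue bucket holds the three annual items never recorded, the first quarter's three quarterly checks, and the six monthly checks for January through March; running the report each quarter is the "calendar itself is reviewed at least quarterly" step from the list above.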

FAQ

Questions related to this topic

Does HIPAA require a compliance calendar?

HIPAA does not use the phrase 'compliance calendar,' but 45 CFR § 164.308 requires covered entities to implement administrative safeguards including periodic review of policies, workforce training, and risk analysis. A calendar is the practical mechanism for meeting those requirements on schedule.

How often must a HIPAA risk analysis be performed?

The Security Rule requires a risk analysis to be current and accurate. OCR guidance treats annual review as the minimum expected cadence for most covered entities, with triggered updates whenever the clinic adds new systems, vendors, or locations that affect PHI.

Who should own the compliance calendar at a small clinic?

The Security Officer or Privacy Officer should own the calendar itself. Individual items can be delegated to the practice manager or department leads, but someone with compliance authority must confirm that evidence is collected and archived.

What happens if we miss a scheduled compliance activity?

A missed activity is not automatically a violation, but the absence of evidence that an activity was performed—or a pattern of missed activities—is treated as evidence of a non-functioning compliance program in an OCR investigation.
