How to Run a Quarterly HIPAA Compliance Meeting

A structured quarterly HIPAA compliance meeting turns compliance from an annual checkbox into documented, defensible practice. Here is a repeatable agenda for small clinics.

Short answer

Quarterly HIPAA compliance meetings give small clinics a structured, documented opportunity to surface incidents, confirm training completion, review access changes, and update the risk register — all of which become evidence if OCR ever comes calling.

Most small clinics hold their HIPAA compliance meeting once a year, in January, as a frantic catch-up before someone remembers training is overdue. A handful hold no formal meeting at all, relying on informal conversations between the office manager and whoever functions as the Privacy Officer.

Both approaches create the same problem: no documented evidence that the clinic is managing its compliance posture. When OCR sends an audit request or a complaint triggers an investigation, the absence of periodic review records is a finding. It is evidence the compliance program exists only on paper.

Quarterly meetings create four documented checkpoints per year. Each one is an opportunity to surface incidents, confirm training completion, update the risk register, and review access changes. Each one produces minutes that go into the evidence binder.

Why quarterly instead of annual

The HHS Audit Protocol asks for records of periodic evaluation. NIST SP 800-66 Rev. 2 frames the Security Rule as a continuous management process, not a one-time implementation. Quarterly meetings operationalize that requirement at a scale a small clinic can sustain.

Annual compliance reviews have a predictable failure mode: everything that happened in the first nine months is forgotten or poorly documented by the time someone sits down in December. A workforce member who received a verbal warning in March is no longer top of mind. An access change made in July was never formally closed out. A vendor BAA that expired in September was not caught until renewal season.

Quarterly meetings interrupt that pattern and create a cadence for closing out open items before they become problems.

Who should attend

For a clinic of fewer than 20 staff, the meeting roster does not need to be large.

Role | Attendance
---- | ----------
Privacy Officer | Required
Practice Administrator / Office Manager | Required
Clinical lead (physician, NP, or PA) | Required
Billing representative | Required when billing is on the agenda
Scheduling / front desk representative | Required when access or front-desk practices are on the agenda
IT contact or managed service provider | Quarterly or as needed for security items

The clinical lead does not need to drive the agenda or present materials. Their presence matters for two reasons: they can answer questions about clinical workflow changes that affect PHI handling, and their attendance documents that compliance is not siloed in the administrative function.

The agenda template

Distribute the agenda at least 48 hours before the meeting. Each section should have a named owner who comes prepared with a brief status update.

1. Open incidents (10–15 minutes)

Review any incidents that were opened since the last meeting and any that are still under investigation.

  • New incidents: date discovered, category (privacy, security, or breach), current status, and whether breach notification analysis was completed
  • Closed incidents: brief summary of findings and any policy or procedure changes that resulted
  • Lessons learned: one or two practical takeaways the full group should hear

If there are no incidents, record that explicitly in the minutes. “No incidents reported this quarter” is a compliance record.

2. Training completion review (5–10 minutes)

Review the training completion log for the quarter.

  • Which workforce members completed required training
  • Who is overdue, and by how long
  • Any new workforce members who have not yet completed initial training
  • Any training updates that need to be pushed out based on incidents or policy changes

If your training platform exports completion reports, attach the report to the meeting minutes rather than transcribing every name.

3. Access review summary (10 minutes)

Review any access changes made during the quarter.

  • New hires: were access credentials provisioned on or after the start date, not before?
  • Terminations: were access credentials revoked within the required timeframe? Any gaps?
  • Role changes: did access rights change when the role changed?
  • Any shared credentials still in use that should be eliminated?

This is also where you flag any accounts that were not reviewed during the quarter. An access review that finds nothing is still valuable — it confirms the review happened.

4. BAA status (5 minutes)

Review the business associate agreement log.

  • Any new vendors added since the last meeting? Do they have a signed BAA?
  • Any BAAs expiring in the next 90 days that need renewal?
  • Any vendors discontinued? Confirm data return or destruction was addressed.

The BAA log does not need to be reviewed in exhaustive detail every quarter. A brief “no changes, all current” statement with an attached log is sufficient when nothing has changed.

5. Policy review status (5 minutes)

Track which policies are due for annual review and where they are in that process.

  • Policies reviewed and updated since the last meeting
  • Policies due for review in the next 90 days
  • Any policies that need out-of-cycle updates based on incidents or regulatory changes

A clinic with 8–15 active HIPAA policies gets better reviews by distributing them across quarters rather than stacking all of them in January.

6. Risk register updates (10 minutes)

Review the current risk register and note any changes.

  • New risks identified since the last meeting
  • Status changes on existing risks (mitigated, accepted, or escalated)
  • Any risk items that need a decision from the group

The risk register does not need to be rebuilt from scratch every quarter. The meeting is an opportunity to confirm that the current register reflects the clinic’s actual risk landscape and to capture anything that has changed.

7. Next quarter priorities (5 minutes)

Close with a brief list of what the compliance program will focus on in the coming quarter: training deadlines, policy reviews due, infrastructure changes, or any follow-up from incidents.

Assign owners and due dates. Record them in the minutes.

What meeting minutes must capture

Minutes are the compliance artifact the meeting produces. They do not need to be a verbatim transcript, but they must be specific enough to be useful during an audit.

A sufficient set of minutes includes:

  • Date, time, and location (or “held via video conference”)
  • Names and roles of all attendees
  • Brief summary of each agenda section, including any status that was “no change”
  • Decisions made and the basis for each decision
  • Action items with the owner’s name and a due date
  • Name and signature (or electronic attestation) of the person who prepared the minutes

Store minutes with the evidence binder, not in a shared folder with general meeting notes. OCR auditors ask for compliance documentation specifically. Organizing it separately makes the response faster and more credible.

Running the meeting when you are the only compliance person

In a small clinic, the Privacy Officer and the practice administrator are often the same person. Facilitating the meeting while also presenting every section, fielding questions, and taking notes is hard.

Prepare a one-page status sheet before the meeting. Each agenda section gets a brief bullet-point update based on records you have already reviewed. The meeting moves faster and you are not trying to recall details on the spot.

Rotate note-taking to someone else in the room. The clinical lead or billing representative can take rough notes; finalize the minutes within 48 hours.

Use a standing agenda. The seven sections above should not change quarter to quarter. When attendees know the structure, they come prepared and the meeting does not get derailed by setup.

What quarterly meetings do for OCR exposure

The HHS Audit Protocol asks covered entities to demonstrate that they have conducted periodic technical and non-technical evaluations in response to environmental and operational changes. A quarterly meeting, documented properly, is direct evidence that evaluation is happening.

Clinics that have faced OCR investigations report that two categories of documentation carry the most weight: training records and evidence of ongoing management attention. Quarterly meeting minutes fall in the second category. They show compliance is a managed program with recurring oversight — not a once-a-year exercise.

The absence of any such records suggests the compliance program exists on paper but not in practice. That inference tends to escalate a complaint investigation into a finding with corrective action.

Getting the first meeting scheduled

The hardest part is the first meeting. Block 75 minutes on the calendar now. Send the agenda a week in advance and ask each attendee to come with a brief status update for their area.

Set the next meeting date before ending the first one. Compliance programs that schedule meetings one at a time tend to slip. Compliance programs with a standing quarterly date on the calendar do not.

FAQ

Questions related to this topic

Is a quarterly compliance meeting required by HIPAA?

HIPAA does not mandate quarterly meetings by name, but the Security Rule (45 CFR § 164.308) requires ongoing administrative oversight, periodic evaluation, and documented risk management. Quarterly meetings are a practical, defensible way to demonstrate that requirement is being met.

Who has to attend the compliance meeting?

At minimum: the Privacy Officer (or whoever holds that role), the practice administrator or office manager, and at least one clinical lead. Billing and scheduling representatives should attend when their areas are on the agenda.

How long should each meeting take?

A focused quarterly meeting for a clinic of 5–20 staff takes 45–75 minutes when the agenda is prepared in advance. The meeting should not run longer than 90 minutes — if it does, the agenda is too broad or incidents are not being tracked between meetings.

What happens if we skip a quarter?

Skipping occasionally is not catastrophic, but you should document why and make up the review items in the next meeting. A gap with no documentation looks worse than a delayed meeting with a written explanation.
