See What You Actually Get
Real samples of every artifact TrackHIPAA produces — generated for a fictional 5-person dental practice in California. Your documents will be customized to your practice in the same format.
All samples below were generated for this fictional practice:
Smile Family Dental
Dental practice · San Francisco, California · 5 employees
Sample Policy Document
Notice of Privacy Practices — one of 35+ customized HIPAA policies TrackHIPAA generates. Every CFR citation is to the actual federal regulation. You download this as a Word document or PDF, branded to your practice.
notice-of-privacy-practices.docx
Sample · 45 CFR § 164.520
Notice of Privacy Practices
Smile Family Dental
San Francisco, California
Effective Date: January 1, 2026
Next Review: January 1, 2027
THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.
1. Our Pledge Regarding Your Health Information
Smile Family Dental ("we," "our," or "the Practice") is committed to protecting the privacy of your protected health information ("PHI"). PHI is information that identifies you and relates to your past, present, or future physical or mental health, the dental care we provide to you, or payment for that care.
This Notice is provided pursuant to 45 CFR § 164.520, which is part of the federal regulations implementing the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").
We are required by law to:
- Maintain the privacy of your PHI;
- Provide you with this Notice describing our legal duties and privacy practices regarding your PHI;
- Notify you in the event of a breach of your unsecured PHI; and
- Follow the terms of the Notice that is currently in effect.
2. How We May Use and Disclose Your Health Information
The following categories describe the ways we may use and disclose your PHI without your written authorization. Not every permitted use is listed; however, all uses fall into one of these categories.
2.1 For Treatment (45 CFR § 164.506)
We will use and disclose your PHI to provide, coordinate, or manage your dental care and any related services. For example, we may share your treatment records with an orthodontist or oral surgeon to whom you have been referred.
2.2 For Payment (45 CFR § 164.506)
We may use and disclose your PHI to obtain payment for the services we provide. For example, we may submit claims to your dental insurance plan, which may include your diagnosis, the procedure performed, and the date of service.
2.3 For Health Care Operations (45 CFR § 164.506)
We may use and disclose your PHI to support our internal business activities. Examples include quality assessment, staff training, accreditation activities, and reviewing the performance of our team.
2.4 Other Permitted and Required Uses
We may also use or disclose your PHI without your authorization for the following purposes, when required or permitted by law:
- Required by law — disclosures required by state, federal, or local law (45 CFR § 164.512(a));
- Public health activities — reporting to public health authorities for disease prevention (45 CFR § 164.512(b));
- Health oversight — disclosures to government agencies for audits, investigations, or licensure (45 CFR § 164.512(d));
- Judicial and administrative proceedings — disclosures in response to a court order or subpoena (45 CFR § 164.512(e));
- Law enforcement — limited disclosures for law enforcement purposes (45 CFR § 164.512(f));
- Coroners, medical examiners, funeral directors — to identify a deceased person (45 CFR § 164.512(g));
- Workers' compensation — as authorized by state workers' compensation laws (45 CFR § 164.512(l));
- Serious threat to health or safety — to prevent imminent harm (45 CFR § 164.512(j)).
2.5 Uses Requiring Your Written Authorization
The following uses of your PHI require your written authorization under 45 CFR § 164.508:
- Marketing communications;
- Sale of your PHI;
- Most uses or disclosures of psychotherapy notes (if applicable).
You may revoke your authorization at any time in writing, except to the extent we have already acted in reliance on it.
3. Your Rights Regarding Your Health Information
Under 45 CFR § 164.520(b)(1)(iv), you have the following rights with respect to your PHI:
3.1 Right to Inspect and Copy (45 CFR § 164.524)
You have the right to inspect and obtain a copy of your PHI maintained in our designated record set. You may request a copy in paper form or in the electronic format we maintain. We will respond within 30 days of your request and may charge a reasonable, cost-based fee.
3.2 Right to Request Amendment (45 CFR § 164.526)
You have the right to request that we amend PHI you believe is incorrect or incomplete. Your request must be in writing and explain the reason for the amendment. We may deny your request under limited circumstances; you will be notified in writing of any denial.
3.3 Right to an Accounting of Disclosures (45 CFR § 164.528)
You have the right to request a list of certain disclosures of your PHI made by us in the six years prior to your request. We will provide the first accounting in any 12-month period free of charge.
3.4 Right to Request Restrictions (45 CFR § 164.522(a))
You have the right to request restrictions on how we use or disclose your PHI for treatment, payment, or health care operations. We are not required to agree to your request, except where you have paid out-of-pocket in full for a service and request that the information not be disclosed to your health plan.
3.5 Right to Request Confidential Communications (45 CFR § 164.522(b))
You have the right to request that we communicate with you about medical matters in a certain way or at a certain location (for example, at work rather than at home).
3.6 Right to a Paper Copy of This Notice
You have the right to receive a paper copy of this Notice upon request, even if you have agreed to receive it electronically.
3.7 Right to Be Notified of a Breach (45 CFR § 164.404)
You have the right to be notified following a breach of unsecured PHI affecting your information.
4. Our Duties
We are required by law to maintain the privacy of your PHI and to provide you with notice of our legal duties and privacy practices. We are required to abide by the terms of this Notice as it is currently in effect.
We reserve the right to change this Notice. We reserve the right to make the revised Notice effective for PHI we already have about you, as well as any information we receive in the future. The most current Notice will be posted in our office and available upon request.
5. Complaints
If you believe your privacy rights have been violated, you may file a complaint with us or with the Secretary of the U.S. Department of Health and Human Services. To file a complaint with us, contact our Privacy Officer at the address below. You will not be retaliated against for filing a complaint.
You may also file a complaint with the HHS Office for Civil Rights at:
U.S. Department of Health and Human Services
200 Independence Avenue, S.W.
Washington, D.C. 20201
1-877-696-6775
www.hhs.gov/ocr/privacy/hipaa/complaints/
6. Contact Information
Privacy Officer
Smile Family Dental
[Office Street Address]
San Francisco, CA [ZIP]
Telephone: [Office Phone]
Email: [privacy@example.com]
7. Acknowledgment of Receipt
I acknowledge that I have received a copy of Smile Family Dental's Notice of Privacy Practices.
| Field | Entry |
|---|---|
| Patient Name (Printed) | _______________________________ |
| Patient Signature | _______________________________ |
| Date | _______________________________ |
| If signed by personal representative — Name | _______________________________ |
| Authority of representative | _______________________________ |
This document is based on the requirements of 45 CFR § 164.520. Consult a qualified healthcare attorney for legal review before adopting it as your practice's official Notice of Privacy Practices.
Sample Compliance Attestation
Printable wall-hanging certificate documenting your compliance status. Send to insurers, payers, or referral partners who request HIPAA attestation. Each attestation is tied to a unique Member ID and verification URL.
TrackHIPAA
HIPAA Compliance Attestation
Documentation Status as of May 28, 2026
This certifies that
Smile Family Dental
Dental Practice · California
maintains HIPAA compliance documentation through TrackHIPAA, covering the Privacy Rule, Security Rule, and Breach Notification Rule as specified in 45 CFR Part 164.
Compliance Documentation Score
| Field | Value |
|---|---|
| Policies on File | 35 |
| Staff Trained | 5 / 5 |
| Vendors with BAA | 7 / 7 |
| Issued On | May 28, 2026 |
| Member ID | THP-SAMPLE01 |
| Next Review | May 28, 2027 |
Sample SRA Remediation Roadmap
After you complete the Security Risk Assessment, TrackHIPAA produces a prioritized remediation roadmap with CFR citations, severity ratings, and estimated deadlines for each gap. This is what missing the #1 most-fined HIPAA requirement looks like — and how to fix it.
remediation-roadmap.json
Overall SRA score: 58 / 100 · 13 action items
Sample
Complete annual Security Risk Assessment
Due: 2026-05-22
Current: Practice reports no formal SRA has been performed in the last 12 months.
Action: Complete a comprehensive SRA covering all ePHI in the dental records system and document findings in writing.
Execute Business Associate Agreement with EHR vendor
Due: 2026-05-25
Current: Practice uses Dentrix-cloud but no signed BAA is on file.
Action: Request and execute a BAA with the EHR provider before continuing to transmit ePHI through the system.
Document annual workforce HIPAA training
Due: 2026-05-29
Current: Three of five workforce members have not completed HIPAA training in the past year.
Action: Deliver HIPAA training to all five workforce members and retain signed completion records.
Adopt written breach notification procedure
Due: 2026-05-29
Current: No written procedure exists for breach assessment, patient notification, or HHS reporting.
Action: Adopt and distribute a written breach response procedure covering the 60-day patient notification window and the OCR reporting portal workflow.
Enable full-disk encryption on the 4 PHI workstations
Due: 2026-06-05
Current: Practice operates 4 Windows workstations storing dental imaging and charting; encryption status not verified.
Action: Enable BitLocker on each Windows workstation, document recovery key custody, and add encryption verification to the quarterly review checklist.
Implement unique user IDs for each workforce member
Due: 2026-05-29
Current: Workforce members share two front-desk login accounts in the practice management system.
Action: Provision a unique user account for each of the five workforce members and disable shared accounts.
Enable audit logging in the EHR
Due: 2026-06-05
Current: Audit logging in the dental records system is set to its vendor default and is not actively reviewed.
Action: Enable comprehensive audit logs, configure 6-year retention, and assign the Privacy Officer to review logs quarterly.
Designate a Privacy Officer and Security Officer in writing
Due: 2026-05-20
Current: No documented designation of a Privacy Officer or Security Officer.
Action: Issue written designation letters identifying the Practice Owner as Privacy Officer and Security Officer; retain in the compliance binder.
Inventory and classify all PHI-handling vendors
Due: 2026-05-29
Current: Practice has not maintained a written inventory of vendors that touch PHI.
Action: Create a vendor inventory listing every third party with PHI access (EHR, billing service, IT support, shred vendor, dental lab) and the BAA status of each.
Establish written sanction policy for workforce HIPAA violations
Due: 2026-06-05
Current: No written sanction policy is in place for workforce members who violate HIPAA policies.
Action: Adopt a written sanction policy with graduated consequences and distribute to all workforce members with signed acknowledgment.
Document California-specific patient access timelines
Due: 2026-05-29
Current: Practice operates in California, where state law requires copies of patient records to be provided within 15 days of a written request, shorter than the 30-day outer limit under the HIPAA right of access.
Action: Update the Patient Right of Access policy to reflect the California 15-day standard and train front-desk staff on the shorter timeline.
Configure automatic logoff on PHI workstations
Due: 2026-05-22
Current: Workstations do not have automatic logoff configured.
Action: Set automatic screen lock after 10 minutes of inactivity on all PHI workstations via Group Policy or local security policy.
Document data backup and disaster recovery plan
Due: 2026-06-14
Current: Backups appear to run automatically but no written contingency plan exists.
Action: Document the backup schedule, restoration test cadence, and emergency mode operation procedure in a written contingency plan.
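The two workstation items in the roadmap above (full-disk encryption and automatic logoff) are the ones a practice can verify with a script rather than a checkbox. The PowerShell below is an added example written for this page; it is not TrackHIPAA's code and not part of the roadmap output. It assumes Windows 10/11 Pro or Enterprise with the BitLocker PowerShell module, an elevated session, the roadmap's 10-minute lock target, and the standard Group Policy and local registry locations for the inactivity-lock settings. The CSV file name it writes is an illustrative choice, not a TrackHIPAA convention.

```powershell
#Requires -RunAsAdministrator
# Added example (not TrackHIPAA code): verify the two workstation safeguards from the
# remediation roadmap, BitLocker full-disk encryption and automatic lock after inactivity.
# Assumes Windows 10/11 Pro or Enterprise. The 10-minute target comes from the roadmap;
# the registry paths are the standard Group Policy / local policy locations.

$TargetLockSeconds = 600   # roadmap target: lock after 10 minutes of inactivity

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns the value, or $null when the key or value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-BitLockerVolumes {
    # One finding per volume. A volume passes only if protection is on, encryption has
    # finished, and a recovery-password protector exists (so key custody can be documented).
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        return [pscustomobject]@{ Check = 'BitLocker'; Status = 'FAIL'
                                  Detail = 'BitLocker cmdlets not available (Home edition or feature missing)' }
    }
    foreach ($vol in Get-BitLockerVolume) {
        $hasRecovery = [bool]($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        $pass = ($vol.ProtectionStatus -eq 'On') -and ($vol.VolumeStatus -eq 'FullyEncrypted') -and $hasRecovery
        [pscustomobject]@{
            Check  = "BitLocker $($vol.MountPoint)"
            Status = if ($pass) { 'PASS' } else { 'FAIL' }
            Detail = "Protection=$($vol.ProtectionStatus) Volume=$($vol.VolumeStatus) " +
                     "Encrypted=$($vol.EncryptionPercentage)% RecoveryPassword=$hasRecovery"
        }
    }
}

function Test-InactivityLock {
    # Two ways to satisfy the control: the machine-wide "Interactive logon: Machine
    # inactivity limit" policy, or a password-protected screen saver with a short timeout.
    $machineLimit = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'InactivityTimeoutSecs'
    $machineOk = ($null -ne $machineLimit) -and ([int]$machineLimit -gt 0) -and ([int]$machineLimit -le $TargetLockSeconds)

    # Policy-set values override the user's own settings, so read the policy key first.
    $paths = @('HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop', 'HKCU:\Control Panel\Desktop')
    $ss = @{}
    foreach ($name in 'ScreenSaveActive', 'ScreenSaverIsSecure', 'ScreenSaveTimeOut') {
        $ss[$name] = $null
        foreach ($p in $paths) { if ($null -eq $ss[$name]) { $ss[$name] = Get-RegValue $p $name } }
    }
    $saverOk = ($ss.ScreenSaveActive -eq '1') -and ($ss.ScreenSaverIsSecure -eq '1') -and
               ($null -ne $ss.ScreenSaveTimeOut) -and ([int]$ss.ScreenSaveTimeOut -gt 0) -and
               ([int]$ss.ScreenSaveTimeOut -le $TargetLockSeconds)

    [pscustomobject]@{
        Check  = 'Automatic lock'
        Status = if ($machineOk -or $saverOk) { 'PASS' } else { 'FAIL' }
        Detail = "InactivityTimeoutSecs=$machineLimit ScreenSaveActive=$($ss.ScreenSaveActive) " +
                 "Secure=$($ss.ScreenSaverIsSecure) TimeoutSecs=$($ss.ScreenSaveTimeOut)"
    }
}

$findings = @(Test-BitLockerVolumes) + @(Test-InactivityLock)
$findings | Format-Table -AutoSize
# Keep the evidence with the quarterly review: one CSV per workstation, named by host and date
# (illustrative file name, not a TrackHIPAA convention).
$findings | Export-Csv -NoTypeInformation -Path ("$env:COMPUTERNAME-safeguards-{0:yyyy-MM-dd}.csv" -f (Get-Date))
exit ([int](($findings | Where-Object Status -eq 'FAIL').Count -gt 0))
```

Two caveats when using this as evidence. The HKCU values belong to whichever account runs the script, so an elevated session under an admin account does not show what the front-desk login sees; either run it from the account that normally uses the workstation or rely on the machine-wide InactivityTimeoutSecs policy, which applies to every user. And a PASS on the recovery-password protector only proves a protector exists; the roadmap's "document recovery key custody" still means writing down where that key is escrowed and who can retrieve it.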
Sample Oracle Answer
Every TrackHIPAA subscriber gets unlimited access to the Oracle — an AI assistant that answers HIPAA questions with citations to the actual CFR sections. Here's a real example of the depth and accuracy you can expect.
Question: Do I need a Business Associate Agreement with my dental lab if I send them x-rays and patient names?
Answer:
Yes. A dental lab that receives x-rays tied to a patient name is handling Protected Health Information on your behalf, which makes them a Business Associate under HIPAA. A Business Associate Agreement (BAA) is required before you transmit any further PHI to them.
The relevant rule is 45 CFR § 160.103, which defines a Business Associate as a person or entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity. A dental lab fitting crowns from your impressions clearly falls within this definition. The contracting requirement is set out in 45 CFR § 164.308(b)(1) for the Security Rule and 45 CFR § 164.502(e)(1) for the Privacy Rule. Sending PHI to a vendor without a BAA in place is a separate violation from any downstream breach the vendor might cause, and HHS has issued enforcement actions for missing BAAs alone — most notably the $750,000 settlement against Cancer Care Group in 2015.
A compliant BAA must include the elements listed in 45 CFR § 164.504(e)(2): a description of permitted uses, a prohibition on further disclosure beyond what the contract or law allows, a requirement that the lab implement appropriate safeguards, a breach-reporting obligation back to your practice, and termination rights if the lab violates the agreement. The HHS Office for Civil Rights publishes a free sample BAA on its website that meets the regulatory floor; most labs will sign their own version, which you should review for these required elements before signing.
TrackHIPAA generates a customized BAA for every vendor in your practice in under two minutes, with the required clauses pre-populated for dental practices specifically.
Sources cited:
- 45 CFR § 160.103 (Definitions)
- 45 CFR § 164.308(b)(1) (Business associate contracts)
- 45 CFR § 164.502(e)(1) (Disclosures to business associates)
- 45 CFR § 164.504(e)(2) (Required BAA elements)
- HHS sample BAA template (hhs.gov/hipaa)
Sample answer based on an actual question from the public TrackHIPAA Oracle. Your customized answers will be specific to your practice type, state, and the systems you use.