HIPAA Compliance Policy Audit

Audit your HIPAA Privacy and Security Policies against the Privacy Rule (45 CFR §164.500-534) and Security Rule (§164.302-318). Get every gap — minimum necessary, BAA requirements, safeguards, breach notification — with the exact regulatory language to add.

Health Insurance Portability and Accountability Act · U.S. healthcare + business associates

What HIPAA non-compliance actually costs

$16M: Anthem (HHS OCR, 2018), 78.8M record breach
$6.85M: Premera Blue Cross (OCR, 2020), 11M record breach + risk analysis failure
$5.1M: Excellus (OCR, 2021), 9.3M PHI exposure
$100K: Doctors' Management Services (OCR, 2023), first ransomware HIPAA fine

Who must comply with HIPAA?

What this audit checks

12 required clauses, scored as Present / Partial / Missing with the exact regulatory citation and suggested fix.

1. PHI definition + 18 HIPAA identifiers (45 CFR §160.103)
2. Minimum necessary standard (§164.502(b))
3. Permitted uses and disclosures of PHI (§164.506)
4. Patient rights: access / amend / accounting of disclosures (§164.524-528)
5. Business Associate Agreement requirements (§164.504(e))
6. Administrative, physical, and technical safeguards (§164.308-312, Security Rule)
7. Workforce training requirements (§164.530(b))
8. Risk assessment + risk management process (§164.308(a)(1)) — the most-cited audit finding
9. Encryption of PHI, in transit + at rest (§164.312(a)(2)(iv) and (e)(2)(ii)) — addressable but de facto required
10. Audit controls / activity logging (§164.312(b))
11. Breach notification, 60-day rule (§164.404-410)
12. Sanctions for workforce violations (§164.530(e))

Why HIPAA audits actually fail

Treating HIPAA like a checkbox
OCR enforcement looks at evidence, not policy text. The #1 audit finding is missing or stale risk analysis (§164.308(a)(1)(ii)(A)) — the policy must commit to a documented, ongoing process.
Marketing tracking on PHI pages
December 2022 OCR bulletin: third-party trackers (Meta Pixel, Google Analytics) on portals or appointment pages disclose PHI. Several major hospital systems have settled multi-million dollar suits over this.
Subcontractor BAA chain
If your BA uses sub-processors, they need their own BAAs. The chain often breaks at sub-sub-processors (e.g. logging or analytics SaaS).
Mobile device + remote work
Lost laptop = #2 cause of HIPAA breaches. Policy must address encryption, MDM, and remote-wipe for any device that touches PHI.

HIPAA FAQ

Are SaaS companies that touch PHI automatically Business Associates?
Yes — if you create, receive, maintain, or transmit PHI on behalf of a Covered Entity, you are a Business Associate by statute (§160.103) and need a BAA, a compliant Privacy + Security Policy, and the §164.308-312 safeguards. Whether you market yourself as 'healthcare' is irrelevant.
What are HIPAA fines?
Civil penalties range from $137 to $68,928 per violation (2024 adjustment), capped at $2.07M per year per identical provision. Criminal penalties for wilful neglect can include prison. OCR has collected $144M+ in HIPAA settlements through 2024.
Do I need separate Privacy + Security Policies?
Yes. The Privacy Rule governs use/disclosure of PHI; the Security Rule governs how ePHI is protected technically and physically. They are separate regulations with separate required clauses. ComplianceIQ audits each independently — start with the doc type that matches your current document.

Grade your policy in 20 seconds

Paste your existing document. Get a 12-clause HIPAA scorecard. Generate a fully compliant version for $9 if you don't want to fix it manually.
