Policies and Training Requirements
What You'll Learn
This article covers the organizational side of HIPAA compliance. Your Knack app is one piece of the puzzle. HIPAA also requires written policies, employee training, risk assessments, and documentation. These responsibilities fall on you as the covered entity.
Why This Matters
Building a compliant app on Knack is necessary but not sufficient. HIPAA requires covered entities to maintain a compliance program that goes beyond the technology. If your app is configured correctly but your team doesn't know how to handle PHI, or you don't have written policies, you're still at risk.
Auditors don't just look at your software. They look at your processes, your documentation, and whether your team is trained.
Written Policies and Procedures
HIPAA requires you to have documented policies covering how your organization handles PHI. At minimum, your policies should address:
- Privacy practices — how PHI is collected, used, stored, and shared
- Access controls — who has access to PHI and how access is granted, modified, and revoked
- Data handling — how PHI is transmitted, exported, and disposed of
- Breach notification — your process for identifying, reporting, and responding to breaches
- Device and workstation security — how physical devices that access PHI are secured
- Sanctions — consequences for employees who violate HIPAA policies
These don't need to be complex. They need to be written, accessible to your team, and followed consistently.
Document what you actually do. Policies that describe ideal behavior but don't match reality are a liability during an audit. Write policies that reflect your actual processes, then improve them over time.
Employee Training
Every employee who handles PHI or has access to systems containing PHI must receive HIPAA training. This includes:
- Initial training — when an employee joins or first gains access to PHI
- Ongoing training — HIPAA requires periodic refresher training (annually is a common standard)
- Role-specific training — employees with different levels of access may need different training (an admin with full access needs more than a receptionist with limited access)
Training should cover:
- What PHI is and why it needs to be protected
- Your organization's specific policies and procedures
- How to use your Knack app in a compliant way (which pages to use, what not to share, how to handle patient requests)
- How to report a potential breach or security incident
- The consequences of non-compliance
Keep training records. Document who was trained, when, and what was covered. HIPAA requires you to retain this documentation for a minimum of six years.
Risk Assessments
HIPAA requires covered entities to conduct regular risk assessments to identify vulnerabilities in how PHI is handled. A risk assessment should evaluate:
- Where PHI is stored (your Knack app, exports, emails, local devices)
- Who has access and whether that access is appropriate
- How PHI moves between systems (API, Flows, manual exports)
- What safeguards are in place and whether they're effective
- What gaps exist and how they'll be addressed
Risk assessments should be conducted:
- When you first implement your HIPAA compliance program
- Annually or on a regular schedule
- Whenever there's a significant change to your systems, processes, or team
Document your findings and your remediation plan. This documentation is critical if you're ever audited.
Incident Response Plan
You need a documented plan for how your organization will respond to a potential breach or security incident. Your plan should include:
- How to identify a potential breach
- Who to notify internally
- How to investigate and contain the incident
- Breach notification procedures (affected individuals must be notified within 60 days; HHS must be notified as well)
- How to document the incident and your response
Having a plan before an incident happens is the difference between a controlled response and a scramble.
Documentation Retention
HIPAA requires certain documentation to be retained for a minimum of six years. This includes:
- Written policies and procedures
- Training records
- Risk assessments and remediation plans
- BAAs
- Breach notification records
- Any other compliance-related documentation
Make sure your documentation is stored securely and is accessible when needed.
Next Steps
- Business Associate Agreements — Understand what the BAA covers and how third-party relationships work
- Your Responsibilities as a Covered Entity — Full breakdown of your compliance obligations
- HIPAA Best Practices Checklist — Quick reference of key action items
