
Policy management

Ten plain-English HIPAA policy/procedure templates you can edit to fit your practice — with local version history and workforce attestation tracking.

1. What the Policies tab gives you

The HIPAA Security Rule requires written policies and procedures for each safeguard. Most small practices don’t have them — or have stale ones nobody has read. The Policies tab seeds you with ten editable starter policies, each tagged to its 45 CFR §164 citation, then lets you:

A stats strip shows: total policies, how many you’ve customized, and how many have at least one attestation. Everything stays in your browser.

Templates only — not legal advice. These are plain-English starting points, not a finished compliance program. Edit them to reflect your real practices and have qualified counsel review them. Placeholders like [Practice] are meant to be replaced.

2. The ten templates

Ward seeds these on first use (version 1, no attestations):

#     Policy                                    Category         CFR
P1    Security Management & Risk Analysis       Administrative   164.308(a)(1)
P2    Assigned Security Responsibility          Administrative   164.308(a)(2)
P3    Workforce Security & Access Management    Administrative   164.308(a)(3) & (a)(4)
P4    Security Awareness & Training             Administrative   164.308(a)(5)
P5    Incident Response & Breach Notification   Administrative   164.308(a)(6) & 164.400-414
P6    Contingency Plan & Backup                 Administrative   164.308(a)(7)
P7    Facility & Device/Media Controls          Physical         164.310
P8    Access Control & Audit Controls           Technical        164.312(a),(b),(d)
P9    Encryption & Transmission Security        Technical        164.312(a)(2)(iv) & (e)
P10   Business Associate Management             Organizational   164.308(b) & 164.314

Several templates already include 2026 expectations — e.g. P3’s 1-hour access revocation on termination, P5’s 24-hour BA incident-activation notice, P8’s MFA requirement, P9’s “no longer addressable” encryption, and P10’s annual BA written verification.

3. Editing a policy

  1. Open the Policies tab.
  2. Each policy is a card with its title, CFR citation, version, and an editable text area.
  3. Type directly into the text area to adapt the language. Replace placeholders like [Practice] with your organization’s name and real procedures. Edits save automatically as you type.

4. Versioning & dated history

When you’ve made meaningful changes and want to lock them in, click “Save new version.” Ward:

The card then notes how many prior versions are kept and the date of the latest. This gives you a defensible paper trail: “our encryption policy was v1 on hire, updated to v2 on 2026-03-01.” All history is stored locally and included in your policy export.

When to save a version: after any substantive edit, on your annual policy review, or whenever you change a procedure. Routine typing between versions is auto-saved but doesn’t create a history entry until you click “Save new version.”

5. Workforce attestation

HIPAA expects your workforce to be aware of, and acknowledge, your policies. To record an attestation:

  1. Click “+ Attest” on a policy card.
  2. Enter the person’s name when prompted.
  3. Ward records the name, today’s date, and the policy version they attested to.

Each attestation is tied to a specific version, so if you later update the policy you can see who acknowledged which version and re-collect attestations as needed. The card lists everyone who has attested.

6. Resetting to the template

If your edits went sideways, click “Reset to template.” Ward first saves your current text as a version (so nothing is lost), then restores the original starter language. You can always recover the prior text from the history.
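The version history, version-tied attestation and reset behaviour described in sections 4 to 6, modelled as an added JavaScript example. This is not Ward's own code; the field names (versions, attestations, savedOn) and the sample policy text are assumptions made for the illustration.

```javascript
// Added illustration, not Ward's own code: an in-memory model of the
// version history and attestation trail this page describes.
// Field names (versions, attestations, savedOn) are assumptions.
const P9_TEMPLATE = {
  id: 'P9',
  title: 'Encryption & Transmission Security',
  cfr: '164.312(a)(2)(iv) & (e)',
  body: '[Practice] encrypts ePHI at rest and in transit.', // constructed sample text
};

// First use: version 1 is the template itself, with no attestations.
function seedPolicy(template, seededOn) {
  return {
    ...template,
    version: 1,
    versions: [{ version: 1, body: template.body, savedOn: seededOn }],
    attestations: [],
  };
}

// "Save new version": lock the working text in as the next numbered version.
// Typing between clicks only changes policy.body; it adds no history entry.
function saveNewVersion(policy, today) {
  policy.version += 1;
  policy.versions.push({ version: policy.version, body: policy.body, savedOn: today });
  return policy;
}

// "+ Attest": the record is tied to the version in force when it was signed.
function attest(policy, name, today) {
  policy.attestations.push({ name, date: today, version: policy.version });
  return policy;
}

// Names that attested to some earlier version but not the current one,
// i.e. the people to re-collect from after a policy update.
function staleAttesters(policy) {
  const onCurrent = new Set(
    policy.attestations.filter(a => a.version === policy.version).map(a => a.name));
  const everyone = new Set(policy.attestations.map(a => a.name));
  return [...everyone].filter(n => !onCurrent.has(n));
}

// "Reset to template": preserve the edited text as a version, then restore.
function resetToTemplate(policy, template, today) {
  saveNewVersion(policy, today);
  policy.body = template.body;
  return policy;
}
```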

7. Exporting your policy manual

Click “⬇ Export policy manual (Markdown)” to download all policies as a single document — each with its CFR citation, version, full body, and the list of attesters. The same manual is bundled into the audit binder ZIP as 09-policies.md (“HIPAA policies & procedures — versioned, with attestation”).
