Compliance Operations
Compliance Work Plan Template
Build an annual compliance calendar tailored to your practice. Select applicable compliance areas — HIPAA, OSHA, billing, credentialing, and corporate compliance — to generate a month-by-month plan with training deadlines, risk assessment schedules, policy review dates, and audit timelines.
Select Compliance Areas
Choose the areas relevant to your organization. Activities will populate automatically in the calendar below.
Active Areas: HIPAA Privacy & Security, OSHA Workplace Safety, Billing & Coding Compliance, Credentialing & Enrollment, Corporate Compliance (OIG 7 Elements)
- **Annual HIPAA Security Risk Assessment**: Conduct or update the SRA per 45 CFR 164.308(a)(1). Document threats, vulnerabilities, and risk levels for all ePHI systems.
- **Post OSHA 300A Summary**: Post the prior year's OSHA 300A summary in a visible workplace location. Required Feb 1 through Apr 30.
- **OIG Exclusion List Check (Q1)**: Screen all employees, providers, and vendors against the OIG LEIE and SAM.gov exclusion databases.
- **CAQH ProView Attestation (Q1)**: Re-attest all provider profiles in CAQH ProView. Verify demographics, education, and malpractice history.
- **Compliance Committee Meeting (Q1)**: Review compliance program status, open investigations, training completion, and work plan progress.
- **Privacy & Security Policy Review**: Review and update policy and procedure (P&P) documents. Ensure alignment with any regulatory changes from the prior year.
- **Sharps Injury Log & ECP Review**: Review the sharps injury log. Update the Exposure Control Plan with new safer devices if available.
- **License & Certification Renewal Tracker**: Review all provider licenses, certifications, and board certifications. Flag any expiring within 90 days.
- **Code of Conduct Annual Distribution**: Distribute the updated Code of Conduct to all employees. Collect signed acknowledgments.
- **Business Associate Agreement Audit**: Inventory all business associates. Verify that current BAAs are on file. Terminate agreements with vendors no longer in use.
- **Annual Bloodborne Pathogens Training**: Train all at-risk employees on the BBP exposure control plan, post-exposure procedures, and PPE use.
- **Internal Coding & Documentation Audit**: Audit a sample of 20-30 claims per provider. Check E/M level accuracy, modifier usage, and documentation support.
- **Compliance Hotline & Reporting Review**: Test compliance hotline functionality. Review all reports received in the prior year. Ensure non-retaliation.
- **Q1 Breach Log Review**: Review the breach log for Q1. Determine whether any incident requires HHS notification within 60 days, and confirm that each incident was properly documented.
- **OIG Exclusion List Check (Q2)**: Quarterly re-screening of workforce and vendors against the OIG LEIE and SAM.gov.
- **DEA Registration Review**: Verify that DEA registrations are current for all prescribing providers. File renewals 45 days before expiration.
- **CAQH ProView Attestation (Q2)**: Quarterly CAQH re-attestation. Update any changes to practice locations, group affiliations, or malpractice history.
- **Compliance Committee Meeting (Q2)**: Mid-year review of the work plan. Discuss audit findings, training gaps, and regulatory updates.
- **Annual HIPAA Workforce Training**: Deliver Privacy Rule and Security Rule training to all workforce members. Document attendance and quiz scores.
- **Hazard Communication Program Review**: Update the SDS binder, verify container labels, and review the HazCom program. Train on any new chemicals.
- **Annual Fraud, Waste & Abuse Training**: Train all billing staff and providers on FWA identification, the False Claims Act, and reporting obligations.
- **ePHI Access Control Review**: Audit user access to the EHR, email, and file shares. Remove terminated users and verify role-based access.
- **Fire/Emergency Drill & Exit Inspection**: Conduct an evacuation drill. Inspect exit signs, fire extinguishers, and emergency lighting.
- **Fee Schedule & Payer Contract Review**: Review Medicare/Medicaid fee schedules for annual updates. Verify payer contract terms and reimbursement rates.
- **Hospital Privilege & Panel Review**: Verify hospital privileges and insurance panel participation. Initiate re-credentialing applications as needed.
- **Annual Compliance Risk Assessment**: Identify the top compliance risks across all areas. Prioritize by likelihood and impact. Update the work plan.
- **Q2 Breach Log Review**: Review Q2 breach incidents. Update risk mitigation strategies based on incident patterns.
- **TB Risk Assessment Update**: Evaluate TB exposure risk for the practice. Update screening protocols if the risk classification has changed.
- **OIG Exclusion List Check (Q3)**: Quarterly re-screening of all personnel against federal exclusion databases.
- **CAQH ProView Attestation (Q3)**: Quarterly re-attestation of all provider profiles in CAQH ProView.
- **Compliance Committee Meeting (Q3)**: Q3 progress review. Evaluate the effectiveness of corrective actions. Plan year-end activities.
- **Encryption & Device Inventory Audit**: Verify encryption status on all devices storing ePHI. Update the device inventory and disposal logs.
- **License Renewal Tracker (Mid-Year)**: Mid-year review of provider credentials. Ensure no licenses or certifications lapse.
- **Disciplinary Standards & Sanctions Review**: Review enforcement of disciplinary standards for compliance violations. Update policies as needed.
- **Notice of Privacy Practices Review**: Review the NPP for accuracy. Update it if any uses, disclosures, or patient rights have changed.
- **Ergonomic & Workplace Hazard Assessment**: Assess workstations, patient handling areas, and clinical spaces for ergonomic and slip/trip hazards.
- **Second Semi-Annual Coding Audit**: Follow-up coding audit. Compare results to the Q1 audit and measure improvement on identified deficiencies.
- **Q3 Breach Log Review**: Review the Q3 breach log. Prepare for the annual HHS breach report (due Feb 28 for breaches affecting fewer than 500 individuals).
- **OIG Exclusion List Check (Q4)**: Final quarterly screening of workforce and vendors against exclusion databases.
- **Malpractice Insurance Verification**: Verify current malpractice coverage for all providers. Confirm adequate limits and tail coverage.
- **CAQH ProView Attestation (Q4)**: Final quarterly re-attestation. Prepare for year-end re-credentialing cycles.
- **Compliance Committee Meeting (Q4)**: Year-end review. Approve next year's work plan and budget. Present the annual compliance report to the board.
- **Disaster Recovery & Contingency Test**: Test backup restoration, failover procedures, and emergency access protocols for ePHI systems.
- **OSHA 300 Log Review & Electronic Filing**: Review OSHA 300 Log accuracy. Eligible employers must file electronically via OSHA's ITA portal.
- **Review OIG Annual Work Plan Priorities**: Review the newly released OIG Work Plan for enforcement focus areas. Adjust internal audit priorities.
- **Annual Compliance Program Report**: Compile the annual report documenting program activities, audit results, training metrics, and incidents.
- **HIPAA Annual Compliance Report & Breach Submission**: Compile the annual breach report for HHS (breaches affecting fewer than 500 individuals). Document the compliance posture for leadership.
- **Second Semi-Annual Fire/Emergency Drill**: Conduct the second evacuation drill. Document participation and any corrective findings.
- **Develop Next Year's Compliance Work Plan**: Draft and approve the following year's work plan based on risk assessment findings and OIG priorities.
Generated on March 9, 2026 via HipaaKit (hipaakit.co)
What Is a Compliance Work Plan?
A compliance work plan is a structured, month-by-month calendar of all required compliance activities for a healthcare organization. It transforms scattered regulatory obligations into a single actionable timeline. The OIG's seven elements of an effective compliance program explicitly call for organizations to designate a compliance officer who oversees a documented work plan reviewed by a compliance committee.
Unlike a one-time compliance checklist, a work plan is a living document. It maps every training deadline, risk assessment schedule, policy review date, audit cycle, and reporting requirement to a specific month — ensuring nothing falls through the cracks across HIPAA, OSHA, billing, and credentialing obligations.
Why Every Practice Needs One
Regulatory Requirement
OIG compliance guidance expects a documented annual work plan. Medicare Advantage and Medicaid managed care contracts require one explicitly.
Audit Readiness
When OCR or state surveyors arrive, a completed work plan with evidence of execution is your strongest defense. It proves systematic compliance — not reactive fixes.
Deadline Management
OSHA 300A posting (Feb 1), HIPAA breach reports (Feb 28), CAQH attestations (quarterly) — missing any one deadline creates enforcement risk.
Board & Leadership Reporting
The work plan provides your compliance committee and governing body with measurable metrics. Progress percentage replaces vague status updates.
How to Use This Work Plan
1. Select the compliance areas relevant to your organization — most practices need all five.
2. Enter your organization name and compliance officer for the printed header.
3. Review each month's activities and check off items as you complete them throughout the year.
4. Note the hard deadlines (marked with warning icons) — these have regulatory consequences if missed.
5. Print or copy the entire plan for your compliance binder, or share it with your compliance committee.
6. Update the plan quarterly as your risk assessment identifies new priorities.
For a focused HIPAA review, our HIPAA Audit Checklist walks through OCR's official audit protocol. Track individual provider credentials with the Credentialing Checklist.
Critical Deadlines to Never Miss
Missing these deadlines carries real consequences — from HIPAA penalties to OSHA citations to payer enrollment holds.
| Deadline | Requirement | Reference |
|---|---|---|
| February 1 | **Post OSHA 300A Summary.** Must remain posted through April 30. Applies to employers with 11+ employees. | 29 CFR 1904.32 |
| February 28 | **HIPAA Breach Report to HHS.** Annual submission for breaches affecting fewer than 500 individuals in the prior calendar year. | 45 CFR 164.408(c) |
| March 2 | **OSHA 300A Electronic Filing.** Eligible establishments must submit the prior year's data via OSHA's ITA portal. | 29 CFR 1904.41 |
| Quarterly | **OIG Exclusion List Screening.** Screen all employees, providers, and vendors against LEIE and SAM.gov. OIG recommends monthly. | 42 USC 1320a-7 |
| Quarterly | **CAQH ProView Attestation.** Re-attest provider profiles every 120 days. Failure causes payer enrollment delays. | Payer Requirement |
The OIG's Seven Elements
Every activity in this work plan maps back to one of the OIG's seven elements of an effective compliance program. These elements form the foundation of any healthcare compliance program — whether you're a solo practice or a health system. Your annual risk assessment should inform which elements need the most attention in your work plan each year.
1. Written policies, procedures, and standards of conduct
2. Compliance Officer and Compliance Committee
3. Effective training and education
4. Effective lines of communication (reporting mechanisms)
5. Enforcement through well-publicized disciplinary guidelines
6. Internal monitoring and auditing
7. Prompt response to detected offenses and corrective action
Pro Tip: Board Presentation
Present your completed work plan to the board or governing body at least annually. Document the presentation in meeting minutes. This satisfies OIG Element 2 and demonstrates active oversight — a key factor OCR considers during enforcement actions.
Customizing Your Work Plan
This template provides a comprehensive starting point, but your final work plan should reflect your organization's specific risk profile. Consider these customizations:
- Add state-specific requirements (many states have breach notification rules stricter than HIPAA)
- Include accreditation activities if you hold Joint Commission, AAAHC, or NCQA accreditation
- Map activities to responsible individuals — not just the compliance officer
- Add budget line items for training platforms, audit services, and compliance software
- Include specialty-specific requirements (e.g., CLIA for labs, radiation safety for imaging)
For HIPAA training requirements specific to your workforce, use our HIPAA Training Quiz to verify staff knowledge after each training session. New hires should complete the Healthcare Onboarding Checklist within their first 30 days.
Related Tools & Guides
- **HIPAA Compliance Checklist**: Interactive checklist covering Privacy Rule, Security Rule, and Breach Notification requirements.
- **HIPAA Audit Checklist**: Internal audit tool based on OCR's official audit protocol with corrective action tracking.
- **HIPAA Risk Assessment Template**: Guided security risk analysis using NIST SP 800-30 methodology with risk scoring.
- **HIPAA Training Requirements Guide**: What HIPAA training is required, how often, and what topics must be covered.
- **Bloodborne Pathogens Training Guide**: OSHA BBP training requirements, exposure control plans, and documentation standards.