Compliance & Legal

How to run an annual policy attestation cycle as Independent Clinic Owner-Operators

Compliance & LegalFor Independent Clinic Owner-Operators3 apps10 steps~20 min to set up

Once a year you realize your staff handbook has been sitting unsigned in a shared Google Drive folder since you updated it eight months ago. Nobody chased it. You're not sure which of your three providers signed the HIPAA privacy policy versus the updated one from last January. Your billing person printed acknowledgment forms, collected signatures on paper, and filed them somewhere. An audit notice would send you scrambling through a filing cabinet. You have no audit trail, no reminder system, and no easy way to prove who attested to what and when. Enterprise compliance software costs more than your front desk's monthly salary and was built for a hospital system, not a three-provider primary care or therapy practice.

Build this on Starch → See the apps used

Compliance & LegalFor Independent Clinic Owner-Operators3 apps10 steps~20 min to set up

Outcome

What you'll set up

A tracked annual attestation workflow that sends the right policy documents to each staff member, collects acknowledgments, and logs who responded and when — all without printing a single form

Automated reminder emails that escalate on a schedule until the attestation is complete, so you're not the one texting your part-time MA at 9pm

A plain-English summary report you can pull before any audit, credentialing renewal, or board review showing the status of every policy cycle across your clinic

The Starch recipe

Apps, data, and prompts

The combination of Starch apps, the data sources they pull from, and the prompts you use to drive them.

Apps used

Email Agent Knowledge Management Task Manager

Data sources & config

Connect Gmail from Starch's scheduled-sync providers so outgoing attestation emails and inbound confirmation replies are tracked in real time. Connect Google Drive through Starch's integration catalog (live query) to pull current policy document versions. Connect Google Calendar through Starch's scheduled-sync so attestation deadlines appear against your actual clinic schedule. For any staff portal or HR system without a direct API (e.g., your ADP or Paylocity employee roster for pulling the current staff list), Starch syncs your ADP or Paylocity data on a schedule so the recipient list stays current.

Prompts to copy

Build me a policy attestation tracker that lists every staff member, which policies they need to sign this cycle (HIPAA Notice of Privacy Practices, Employee Handbook, Social Media Policy, OSHA Safety Plan), their attestation status (pending / completed / overdue), and the date they completed each one.

Create an automated email sequence that sends each staff member a personalized attestation request with a link to the relevant policy document, then sends a reminder every 5 business days until they confirm, and flags me when anyone hits 15 days without responding.

Set up a Knowledge Management space for clinic policies where each policy document shows its version date, who it applies to, and the last attestation completion rate, and alerts me when a document is more than 12 months old.

Run these in Starch → or paste them into your favorite agent

Walkthrough

Step-by-step

1 Pull your current staff roster from Paylocity or ADP — Starch syncs your employee data on a schedule — and tell Starch: 'Create a policy attestation list for all active staff, grouped by role: providers, front desk, and billing.'

2 Upload your policy documents (HIPAA NPP, Employee Handbook, OSHA Safety Plan, Social Media Policy) to the Knowledge Management app and tell Starch to tag each one with an effective date, an applicability rule (e.g., 'all staff' or 'providers only'), and a 12-month review alert.

3 In the Email Agent, describe the attestation email you want sent: 'Draft a personalized email to each staff member that names the specific policies they need to acknowledge this cycle, includes a link to each document in our Knowledge Management space, and asks them to reply with a single confirmation line.'

4 Set up the reminder sequence: tell the Email Agent 'Send a follow-up every 5 business days to anyone who hasn't confirmed. After 15 days, send me a Slack message or a separate flag email listing who's still outstanding.'

5 Add a task in the Task Manager for each staff member's attestation as a P2 item with a due date 30 days from cycle start, so overdue alerts surface automatically without you manually tracking a spreadsheet.

6 As confirmations come in, tell Starch 'Update the attestation tracker when a staff member's reply confirmation email is received — mark them complete and log the date.'

7 At day 15, review the outstanding list. For the one provider who's traveling or the MA who's been on leave, trigger a manual one-off email directly from the Email Agent with a revised deadline and a note about why it matters.

8 At cycle close, ask Starch to generate an attestation summary report: 'Create a summary showing each staff member, each policy, their completion date or outstanding status, and the email thread where confirmation was received.'

9 Save that summary as a versioned document in the Knowledge Management space under a folder named by year and cycle (e.g., 'Attestations / 2026 Annual Cycle') so it's findable in 18 months when your malpractice carrier asks.

10 Set a recurring Google Calendar event for the following year's cycle start, and tell Starch 'Remind me 6 weeks before next year's attestation deadline to review all policy documents for updates before sending them out again.'

See this running on Starch

Connect your tools, describe what you want, and the agent builds it. Closed beta is free.

Try it on Starch →

Worked example

May 2026 Annual Attestation Cycle — 3-Provider Family Practice

Sample numbers from a real run

Staff covered	7
Policies in scope	4
Attestations completed on first send	5
Reminders required to close remaining 2	3
Days to 100% completion	12
Hours spent by owner-operator	1.5

In May 2026, the clinic ran its annual attestation cycle covering 7 staff: 3 providers, 2 front desk staff, and 1 billing coordinator, plus 1 part-time MA. Four policies were in scope. On day 1, the Email Agent sent personalized attestation requests to all 7 staff, linking to each policy in the Knowledge Management space. Five staff confirmed within 48 hours. The two holdouts — one provider on a conference trip and the front desk lead who was on PTO for the first week of the month — each received two automated reminders. Both completed their attestations by day 12. The owner-operator spent about 90 minutes total: 30 minutes upfront configuring the recipient list and document links, and two short check-ins to review the outstanding flags. The final audit report, auto-generated and saved to the 2026 Attestation folder in Knowledge Management, showed all 7 staff confirmed, with timestamps and email thread references for each. When the clinic's liability insurer asked for proof of HIPAA acknowledgment during a routine renewal in August, the owner-operator pulled the document in under 2 minutes.

Measurement

How you'll know it's working

% of staff with completed attestations by cycle deadline (target: 100% within 30 days)

Days to full cycle completion from first send

Number of manual follow-up interventions required by the owner-operator

Policy document age at time of attestation (flag anything over 12 months)

Time to produce audit-ready attestation report when requested

Comparison

What this replaces

The other ways teams handle this today, and how the Starch version compares.

Google Forms + Drive folder + calendar reminder

Free to set up, but you're manually building the recipient list every year, chasing non-respondents yourself, and hoping the right form version is the one you linked — no automated reminders, no audit log, and no version control.

ComplianceBridge / Compli / PolicyMedical

Purpose-built compliance platforms with formal attestation workflows, but they're priced for multi-site health systems — monthly costs typically start in the hundreds of dollars — and they don't connect to your inbox, calendar, or HR system without IT work.

DocuSign or Adobe Sign standalone

Good for collecting signed acknowledgments, but has no reminder logic, no roster sync, and no way to generate a cycle summary report — you're still doing the coordination manually around it.

Your EHR's document management module

If your EHR has one, it's designed for clinical documents and patient consents, not internal staff policy attestations — staff members who aren't clinical users often don't have logins.

On Starch RECOMMENDED

One platform — email agent, knowledge management, task manager all running on connected data. Setup in plain English; numbers stay current via scheduled syncs and live agent queries.

Try it on Starch →

FAQ

Frequently asked questions

Can Starch actually send emails to my staff, or does it just draft them for me to send?

The Email Agent can send emails directly through your connected Gmail account — Starch syncs your Gmail on a schedule and can send on your behalf. Your staff will see the emails coming from your actual clinic email address, not some third-party system. You can review the drafts before the first send if you want, then automate the reminder sequence from there.

What if my staff acknowledge the email verbally or in person instead of replying?

The automated tracking only captures email replies. For walk-in confirmations, you'd update the tracker manually — tell Starch 'Mark [name] as complete on [date] for the HIPAA policy' and it will log that. It's not perfect, but it gives you one source of truth instead of a mix of signed papers and memory.

Does this replace a formal compliance platform for a regulated healthcare environment?

Starch is not a purpose-built compliance or HIPAA audit platform, and it's not SOC 2 Type II certified today. For a three-provider clinic running an annual attestation cycle, it's a practical operational tool — it closes the gap between 'we have policies' and 'we can prove everyone acknowledged them.' If your risk posture or insurer requires a certified compliance management system, that's a separate decision, and Starch would be the coordination layer on top of it, not a replacement.

How does Starch get my current staff list without me manually entering everyone?

If you use Paylocity or ADP for payroll, Starch syncs your employee data from either on a schedule — active staff, roles, and contact details come over automatically. If you're running a simpler setup, you can paste a staff list into the app directly and Starch builds the tracker from that. Either way, you're not maintaining a separate spreadsheet.

Can the Knowledge Management app store the actual policy documents, or just links to them?

You can store policy documents directly in the Knowledge Management app and link out to your Google Drive copies — connect Google Drive from Starch's integration catalog and the agent can query the latest version live. The Knowledge Management space is where you set version dates and review alerts; the actual document can live wherever your team already keeps it.

What if a policy changes mid-year and I need to run an off-cycle attestation?

Just describe the one-off cycle to Starch: 'Send an updated HIPAA acknowledgment request to all providers for the revised NPP dated June 2026, and track replies.' You're not locked into a calendar-year rhythm — you can run as many partial cycles as you need, and each one generates its own audit record.