Compliance & Legal

How to track hipaa compliance obligations as Small HR Teams

Compliance & LegalFor Small HR Teams2 apps11 steps~22 min to set up

HIPAA compliance for a 2-person HR team supporting 150 employees isn't a project — it's a background anxiety that never resolves. You're responsible for ensuring workforce training completions are documented, tracking who has signed the privacy notice, monitoring Business Associate Agreement renewals with your benefits broker and EAP vendor, and maintaining evidence for any audit. None of that lives in one place. Training completions are in a spreadsheet. BAA expiration dates are in someone's calendar. The attestation forms are in a Google Drive folder with a name nobody can remember. When the compliance consultant asks for documentation, you spend three hours assembling it from four different places.

Build this on Starch → See the apps used
Compliance & LegalFor Small HR Teams2 apps11 steps~22 min to set up
Outcome

What you'll set up

A live dashboard showing every employee's HIPAA training status, attestation date, and next required renewal — pulled from your HRIS and document systems, updated automatically
An automated alert system that surfaces expiring Business Associate Agreements, overdue training completions, and unsigned workforce acknowledgments before they become audit findings
A central compliance record surface where you can answer 'are we current on HIPAA?' in under 60 seconds, with evidence attached — not assembled from memory
The Starch recipe

Apps, data, and prompts

The combination of Starch apps, the data sources they pull from, and the prompts you use to drive them.

Apps used
Task Manager Knowledge Management
Data sources & config

Starch syncs your Paylocity data on a schedule — employee roster, departments, hire dates — to power the training tracker. Notion connects from Starch's integration catalog; the agent queries it live to pull your existing policy documents into the knowledge base. Slack connects from Starch's integration catalog so automated alerts land in the right channel. For any vendor BAA portal or benefits broker site that lacks an API, Starch automates it through your browser — no API needed.

Prompts to copy
Build me a HIPAA workforce training tracker that shows each employee's name, department, training completion date, attestation signature date, and whether their annual recertification is due in the next 60 days. Pull employee records from Paylocity and flag anyone overdue in red.
Create a HIPAA obligations dashboard that tracks our Business Associate Agreements — vendor name, BAA execution date, expiration date, and renewal owner. Alert me in Slack 90 days before any BAA expires.
Build a knowledge base section for HIPAA policies so staff can search 'what counts as a breach?' and get the answer from our actual policy documents instead of asking me.
Run these in Starch → or paste them into your favorite agent
Walkthrough

Step-by-step

1 Connect Paylocity to Starch (scheduled sync). Your full employee roster — names, departments, hire dates, employment status — syncs automatically and stays current as people join or leave.
2 Connect Notion from Starch's integration catalog. Any HIPAA policies, training materials, or procedure documents you've already written there become searchable inside Starch's Knowledge Management app.
3 Connect Slack from Starch's integration catalog so Starch can send compliance alerts to your #hr-compliance channel or directly to you without requiring you to log in and check a dashboard.
4 Tell Starch: 'Build me a HIPAA training tracker that shows each active employee, their last training completion date, whether they've signed the annual workforce acknowledgment, and a red flag if either is more than 12 months old or missing.' Starch builds the app against your Paylocity roster.
5 Manually upload or paste your Business Associate Agreement inventory — vendor name, execution date, expiration date, responsible owner. Tell Starch: 'Turn this into a BAA tracker with 90-day and 30-day expiration alerts sent to Slack.'
6 Use the Task Manager app to capture the remediation actions that surface from your tracker — 'send recertification reminder to Finance team by Friday' — with P1–P4 priority levels and due dates so nothing falls through.
7 Set up an automation: 'Every Monday morning, check the HIPAA training tracker and Slack me a list of anyone whose training or attestation expires in the next 30 days, grouped by department manager.'
8 For any vendor whose BAA lives behind a login portal with no API, tell Starch to automate checking that portal through your browser and pulling the current agreement status into your BAA tracker.
9 Publish your HIPAA policies to the Knowledge Management app so employees can search for answers directly — reducing the 'what do I do if I see PHI on a screen?' questions that come to you.
10 Run a quarterly review: tell Starch 'Show me everyone hired in the last 90 days and confirm they completed HIPAA onboarding training.' Starch cross-references your Paylocity hire dates against your training completion records and surfaces the gap list.
11 When an audit or compliance review comes up, pull the evidence package: training completions by employee, BAA inventory with execution dates, policy version history from your knowledge base — all from one surface instead of three spreadsheets and a Drive folder.

See this running on Starch

Connect your tools, describe what you want, and the agent builds it. Closed beta is free.

Try it on Starch →
Worked example

Q1 2026 HIPAA readiness check — 150 employees, 11 BAAs

Sample numbers from a real run
Employees with training completed and current138
Employees with overdue annual recertification (>12 months)9
Employees missing initial attestation signature3
BAAs tracked in the system11
BAAs expiring within 90 days (EAP vendor, dental broker)2
Hours to assemble this view (before Starch)4
Hours to assemble this view (with Starch dashboard)0.2

Coming into Q1 2026 compliance review, your HR team of two needed to confirm HIPAA readiness before a broker audit. Before Starch, that meant pulling the Paylocity headcount export, cross-referencing it against a Google Sheet of training completions you'd been maintaining manually, and then digging through a Drive folder called 'BAA Agreements — FINAL' to find which ones were still active. It took about four hours and you still weren't confident you'd caught everything. With the Starch training tracker live, the Monday morning Slack automation flagged 9 employees with overdue recertification and 3 missing initial attestations two weeks before the audit — enough time to chase managers and close the gaps. The BAA tracker surfaced that your EAP vendor's agreement expires in 67 days and your dental broker's in 41 days. Both renewals got captured as P1 tasks in the Task Manager with the renewal owner assigned. On audit day, generating the evidence package took 12 minutes: training completions export by department, BAA inventory with execution dates, and a policy version log from the Knowledge Management app. The compliance consultant's exact words: 'This is more organized than companies three times your size.'

Measurement

How you'll know it's working

% of active employees with current HIPAA training (target: 100%, alert at <95%)
Number of BAAs expiring within 90 days with no renewal initiated
Days to close a compliance gap (from identification to documented resolution)
Number of overdue workforce acknowledgment signatures
Hours spent assembling compliance evidence per audit or review cycle
Comparison

What this replaces

The other ways teams handle this today, and how the Starch version compares.

Rippling or BambooHR compliance module
Tracks training completions inside your HRIS but doesn't handle BAA management, policy search, or cross-system evidence assembly — you still need something else for the full picture.
Google Sheets + Drive folder + calendar reminders
Free and already in use, but the manual reconciliation step is the problem — nothing alerts you proactively and the sheet is only as current as the last time someone updated it.
Dedicated compliance platforms (Vanta, Drata)
Purpose-built for SOC 2 and security compliance frameworks, not HIPAA workforce training and BAA tracking specifically — and priced for engineering teams, not a 2-person HR function.
Lattice or 15Five (if already used for reviews)
Good for performance and engagement workflows but have no HIPAA compliance tracking features — you're solving a different problem than what these tools were built for.
On Starch RECOMMENDED

One platform — task manager, knowledge management all running on connected data. Setup in plain English; numbers stay current via scheduled syncs and live agent queries.

Try it on Starch →
FAQ

Frequently asked questions

Does Starch store our employee PHI or HIPAA-sensitive documents?
Starch syncs employee roster data from Paylocity (names, departments, hire dates, employment status) to power the training tracker. It does not ingest medical records, health plan enrollment details, or clinical information. Starch is not SOC 2 Type II certified today — that's worth knowing if your organization has strict vendor security requirements. For most small HR teams tracking training completions and BAA expiration dates, this is workable; for a covered entity handling clinical data directly, check with your privacy officer first.
What if our BAA documents live in a vendor portal that doesn't have an API?
Starch automates it through your browser — no API needed. If your benefits broker or EAP vendor has a login portal where you can view your agreement status, Starch can navigate that site, pull the relevant data, and bring it into your BAA tracker. This is how Starch handles any website a human can log into and click through.
We use Gusto, not Paylocity or ADP — can we still build the training tracker?
Yes. Gusto connects from Starch's integration catalog; the agent queries it live when your training tracker needs to check who's an active employee. It won't be a scheduled sync the way Paylocity is, but your tracker will still have access to your current roster when it runs.
Can Starch send the overdue-training alerts somewhere other than Slack?
Yes. Starch connects directly to Gmail and Outlook — you can have the Monday morning compliance digest sent as an email to you and the relevant department managers instead of (or in addition to) Slack.
What about Contract Lifecycle Management for our BAAs — is that available now?
Contract Lifecycle Management — which would handle BAA drafting, e-signature collection, approval routing, and renewal tracking in one place — is coming soon. You can request beta access to get notified when it launches. In the meantime, the approach above (building a BAA tracker as a custom Starch app on top of your existing documents) handles the monitoring and alerting side of the problem today.
We don't have a formal training program — we just send a PDF and ask people to reply. Can Starch track that?
Starch syncs Gmail data on a schedule, so you can build a tracker that monitors reply confirmations against your employee roster from Paylocity — flagging anyone who received the PDF but hasn't replied. It's not a formal LMS, but it's a practical way to maintain a documentation trail when your training delivery is email-based.

Ready to run track hipaa compliance obligations on Starch?

Request closed-beta access. Everything is free during beta.

You're on the list! We'll be in touch soon.