Uploading and Managing Evidence

Connect evidence files to your policies for audit readiness

What is Evidence?

Evidence proves you're following your policies. It's the documentation that shows auditors you're actually compliant, not just compliant on paper.

Examples of evidence:

  • Training certificates
  • Security configuration screenshots
  • Incident reports
  • Audit logs
  • Signed policy acknowledgments
  • Business associate agreements
  • Access control logs
  • Backup verification records

Why Evidence Matters

Auditors don't just want to see your policies. They want to see proof that you're following them. Evidence connects your policies to your actual practices.

Without evidence:

  • Policies are just documents
  • No proof of compliance
  • Auditors may question your practices

With evidence:

  • Policies are supported by proof
  • Clear demonstration of compliance
  • Auditors can verify your practices

How to Upload Evidence

Step 1: Go to Evidence Section

  1. From your Dashboard, click "Evidence" in the sidebar
  2. You'll see a list of all evidence requirements
  3. Each item shows whether evidence has been uploaded

Step 2: Select a Policy

  1. Click on a policy that needs evidence
  2. You'll see what evidence is required for that policy
  3. Click "Upload Evidence" or "Attach Document"

Step 3: Upload Your File

  1. Click "Choose File" or drag and drop
  2. Select your file (PDF, image, Word doc, etc.)
  3. Add a description explaining what the evidence shows
  4. Click "Upload"

Supported formats:

  • PDF files
  • Images (JPG, PNG)
  • Word documents (.docx)
  • Text files

File size limit: 10 MB per file

Step 4: Connect to Policies

When you upload evidence, you can connect it to:

  • Specific policies it supports
  • Risk assessment controls
  • Training records
  • Incident reports

Why connect? This creates a clear map showing how your evidence supports your compliance.

Evidence Requirements

HIPAA Hub identifies what evidence you need based on:

  • Your risk assessment answers
  • Your policies
  • HIPAA requirements
  • Best practices

Common evidence requirements:

  • Training completion certificates
  • Security configuration documentation
  • Access control logs
  • Incident response records
  • Business associate agreements
  • Backup verification
  • Encryption documentation

Organizing Your Evidence

By Policy

Group evidence by which policy it supports. This makes it easy for auditors to see how you're following each policy.

By Category

Organize by type:

  • Training records
  • Security documentation
  • Incident reports
  • Administrative records

By Date

Keep evidence organized chronologically, especially for:

  • Annual assessments
  • Training renewals
  • Policy updates

Evidence Status

Each evidence item can have one of these statuses:

Missing

  • Required evidence hasn't been uploaded
  • Shown as an action item
  • Needs attention

Uploaded

  • File has been uploaded
  • Connected to policies
  • Ready for review

Expired

  • Evidence is outdated (e.g., old training certificate)
  • Needs to be updated
  • You'll get a warning

Valid

  • Current and up to date
  • Properly connected
  • Ready for audit

Best Practices

Upload Regularly

  • Don't wait until audit time
  • Upload evidence as you create it
  • Keep it current

Be Descriptive

  • Add clear descriptions
  • Explain what the evidence shows
  • Make it easy for auditors to understand

Keep It Organized

  • Use clear file names
  • Group related evidence
  • Connect to the right policies

Update Expired Evidence

  • Renew training certificates
  • Update security documentation
  • Keep everything current

Common Questions

Q: What if I don't have evidence for something?
A: Create it. For example, if you need training certificates, complete the training and generate the certificate.

Q: How much evidence do I need?
A: Enough to prove you're following each policy. One piece of evidence per policy is a minimum, but more is better.

Q: Can I upload the same evidence for multiple policies?
A: Yes, if it supports multiple policies, you can connect it to all of them.

Q: What if my evidence is confidential?
A: All evidence is stored securely and encrypted. Only authorized users can access it.

Q: How long should I keep evidence?
A: HIPAA requires keeping documentation for 6 years. HIPAA Hub stores everything securely.

Next Steps

After uploading evidence:

  1. Review what's still missing
  2. Connect evidence to policies
  3. Update expired evidence
  4. Organize by category
  5. Prepare for audit export
