10 Essential Steps for HIPAA Compliance in Small Medical Practices
By Nicole Statley at Healthcare Compliance Pros
A structured, repeatable approach to HIPAA, grounded in HHS
Office for Civil Rights (OCR) guidance and the federal regulatory text, allows
small practices to build an audit-ready compliance program without a dedicated
compliance department. The steps below follow the Security Rule, Privacy Rule,
and Breach Notification Rule as published by HHS.
1. Conduct a Comprehensive Security Risk Analysis
OCR guidance identifies risk analysis as the first step in
Security Rule compliance and describes it as an ongoing process, not a one-time
task. The analysis must accurately and thoroughly assess potential risks and
vulnerabilities to the confidentiality, integrity, and availability of
electronic protected health information (ePHI) that the practice creates,
receives, maintains, or transmits.
OCR's cybersecurity newsletters continue to stress that the
risk analysis requirement applies regardless of practice size, and incomplete
or missing analyses remain a recurring finding in enforcement actions. HHS also
offers a free Security Risk Assessment (SRA) Tool built specifically to help
smaller providers walk through this requirement.
Practical actions
- Review
the HHS "Basics of Risk Analysis and Risk Management" guidance
paper to structure your assessment around required elements.
- Repeat
and update the analysis whenever your practice changes systems, vendors,
or workflows involving ePHI.
2. Inventory All Places PHI Is Stored and Shared
A risk analysis is only as good as the inventory behind it.
OCR guidance directs covered entities to identify everywhere ePHI is created,
received, maintained, or transmitted before assessing risk. This includes EHRs,
email, backups, mobile devices, and cloud services used by the practice or its
vendors.
Practical actions
- List
every system and device that touches PHI, including staff phones, billing
software, and any cloud storage.
- Note
which of these are managed by outside vendors, since that determines where
business associate agreements are required.
3. Develop, Update, and Version-Control Policies and Procedures
The Security Rule requires reasonable and appropriate
administrative, physical, and technical safeguards, implemented through written
policies and procedures. The Privacy Rule separately requires a covered entity
to have appropriate safeguards to protect PHI privacy, documented in writing.
Practical actions
- Maintain
a single policy log covering administrative safeguards (45 CFR 164.308),
physical safeguards (45 CFR 164.310), and technical safeguards (45 CFR
164.312).
- Keep
dated versions of every policy change so you can show what was in effect
at any point in time.
4. Implement Workforce HIPAA Training and Track Completion
Under 45 CFR 164.530, a covered entity must train all
workforce members on the policies and procedures relevant to their duties, as
necessary and appropriate for them to carry out their functions. This is an
administrative requirement of the Privacy Rule and applies to every practice,
regardless of size.
Practical actions
- Provide
role-based training so clinical and front-office staff learn the
PHI-handling rules relevant to their jobs.
- Retrain
staff when policies change materially or when a workforce member's duties
change.
5. Maintain Up-to-Date Business Associate Agreements (BAAs)
HHS explains that a covered entity generally must have a
written contract, or other arrangement, with a business associate that meets
the requirements of 45 CFR 164.504(e) before sharing PHI with that vendor. HHS
publishes sample business associate agreement provisions to help covered
entities and business associates meet these requirements.
Not every vendor needs a BAA. HHS specifically excludes
"conduits" such as the U.S. Postal Service and certain electronic
equivalents, along with entities whose access to PHI is purely incidental.
Practical actions
- Cross-check
your PHI inventory against your vendor list to confirm every business
associate has a signed agreement.
- Use
the HHS sample provisions as your starting template rather than a generic
online form.
6. Apply Physical Safeguards
The Security Rule's physical safeguards standard, at 45 CFR
164.310, requires policies and procedures to limit physical access to
facilities and equipment while ensuring properly authorized access is allowed.
This standard also covers workstation use, workstation security, and control of
devices and media containing ePHI.
Practical actions
- Restrict
and log physical access to areas where servers, files, or backup media are
stored.
- Establish
written procedures for the disposal and reuse of hardware and media that
may contain ePHI.
7. Enforce Technical Safeguards
Under 45 CFR 164.312, covered entities must implement
technical safeguards including access control, audit controls, integrity
controls, and transmission security to protect ePHI, particularly when it is
transmitted over an electronic network. OCR's cybersecurity newsletters
continue to highlight authentication and access management as recurring weak
points identified during investigations.
Practical actions
- Assign
unique user identification to every person accessing ePHI systems, as
contemplated by the access control standard.
- Implement
transmission security measures, such as encryption, when ePHI is sent
electronically.
8. Prepare for and Manage Breach Notification
The Breach Notification Rule at 45 CFR 164.400-414 requires
covered entities to notify affected individuals, the HHS Secretary, and in some
cases the media, following a breach of unsecured PHI. Notification to affected
individuals must occur without unreasonable delay, and notification to the
Secretary for breaches involving 500 or more individuals must occur no later
than 60 days after discovery. For breaches affecting fewer than 500
individuals, the practice may submit an annual report to HHS, and each incident
must be submitted as a separate notice through the OCR breach reporting portal.
Practical actions
- Build
a written incident-response procedure describing who investigates a
suspected breach and how you determine reportability.
- Know
how to access and complete the HHS breach reporting portal in advance of
any incident.
9. Support Patient Rights Under HIPAA
The Privacy Rule gives individuals the right to access and
obtain copies of PHI held in a designated record set by their provider, with
limited exceptions such as psychotherapy notes. HHS materials for consumers
describe patients' rights to see and get copies of records, request
corrections, and receive an accounting of certain disclosures.
Practical actions
- Use
HHS's "Right to Access and Research" FAQ page to confirm what
must be included in a designated record set for access purposes.
- Document
every access request, along with the response and any denial rationale.
10. Maintain Audit-Ready Documentation for All Steps
Documentation obligations run throughout the Privacy and
Security Rules — for example, the Privacy Rule's administrative requirements
direct covered entities to have documented safeguards, and OCR guidance
emphasizes that the risk analysis itself should be a retrievable, written
product. Keeping records organized by rule and topic makes it possible to
respond quickly to an OCR inquiry.
Practical actions
- Store
risk analyses, policies, training records, BAAs, and breach investigation
files in a central, well-organized repository.
- Periodically
test whether you can retrieve a specific record, such as last year's risk
analysis or a signed BAA, within a short timeframe.
Frequently Asked Questions
Is a written risk analysis legally required, even for a
one-provider practice?
Yes. OCR guidance states that risk analysis is required of all covered entities
under the Security Rule, regardless of size, as the first step toward
implementing appropriate safeguards.
Does every vendor that touches patient data need a BAA?
No. HHS excludes certain relationships from the BAA requirement, including
conduits like postal or courier services and vendors whose access to PHI is
purely incidental to unrelated services.
How quickly must a small practice report a breach?
Notification to affected individuals must occur without unreasonable delay; for
breaches affecting 500 or more people, HHS must also be notified no later than
60 days after discovery, while smaller breaches can be reported annually
through the OCR portal.
What changed for substance use disorder records in 2026?
HHS's 2024 final rule updating 42 CFR Part 2 required full compliance by
February 16, 2026, more closely aligning SUD record confidentiality protections
with HIPAA.
Where can a small practice find free federal tools to
start this work?
HHS's Security Rule Guidance Material page links directly to the Security Risk
Assessment Tool and related federal guidance papers designed for smaller
providers.
Ready to Simplify HIPAA Compliance?
Building each of these ten elements from primary federal
sources takes time that many small practices don't have to spare. If you'd like
help translating these HHS and OCR requirements into practical templates and
workflows for your practice, consider scheduling a compliance review or
requesting a sample checklist from Healthcare Compliance Pros.
Resources
Basics
of Risk Analysis and Risk Management
HHS
Security Risk Analysis Guidance