Healthcare | 25 min read

HIPAA Compliance Checklist for Small Practices 2026

Use our HIPAA compliance checklist for small practices to audit all Security Rule safeguards, close documentation gaps, and avoid OCR penalties in 2026.


Why Small Practices Face the Same HIPAA Exposure as Large Health Systems

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) does not scale its enforcement expectations based on practice size. A solo family medicine physician and a 500-bed hospital are held to identical standards under the HIPAA Security Rule — and OCR's enforcement record makes that unmistakably clear. This HIPAA compliance checklist for small practices is designed to close the gap between what the regulation demands and what most small clinics, dental offices, and mental health practices have actually implemented.

Small practices frequently assume that limited patient volume reduces their breach risk or enforcement exposure. Neither assumption holds. Threat actors specifically target small healthcare providers because they operate with weaker security controls, older infrastructure, and minimal IT staff. The HHS breach portal logged 725 large breaches — each affecting 500 or more individuals — in 2023 alone, with independent practices and specialty clinics representing a significant share of those filings.

Working through this checklist section by section will help you document your current posture, identify gaps, and build a remediation roadmap that satisfies OCR's required and addressable implementation specifications under 45 C.F.R. Part 164. Pair this guide with structured HIPAA cybersecurity requirements to turn your findings into a defensible compliance program. HIPAA compliance is not a one-time project — it is a living program that must evolve as your practice changes, new threats emerge, and regulations are updated.

HIPAA Enforcement By the Numbers

  • 725 large breaches in 2023 (HHS breach portal; breaches affecting 500 or more individuals)
  • $10.9M average healthcare breach cost (IBM Cost of Data Breach Report 2024; highest of any industry)
  • $1.9M maximum annual penalty (willful neglect violations not corrected; per violation category)

Section 1: Administrative Safeguards (45 C.F.R. §164.308)

Administrative safeguards account for the largest share of the HIPAA Security Rule's required and addressable implementation specifications. They are also the most frequently cited area in OCR investigations because they demand written policies, documented training, and ongoing governance — all things small practices tend to handle informally or skip entirely.

Security Management Process (§164.308(a)(1))

Every covered entity must conduct a thorough risk analysis — an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all electronic Protected Health Information (ePHI) your organization creates, receives, maintains, or transmits. This is not a one-time project. OCR expects periodic reviews and a documented risk management plan that tracks how identified risks are being reduced to a reasonable and appropriate level.

Your administrative checklist for this specification should confirm that a written risk analysis exists and was completed or reviewed within the past 12 months, that a risk management plan documents controls implemented for each identified risk, that a sanctions policy is in writing and applied consistently to workforce members who violate HIPAA policies, and that information system activity is reviewed on a defined schedule through audit log analysis.

Designated Security Official (§164.308(a)(2))

The regulation requires one individual — not a committee and not a vendor — to be formally designated as your Security Official, responsible for developing and implementing your HIPAA security policies. For small practices, this is often the practice owner or office manager. What matters is that the designation is documented and the person understands their responsibilities. Pairing that individual with a qualified managed HIPAA security provider is a practical model for practices that cannot staff a dedicated security role.

Workforce Training and Access Management (§164.308(a)(3) and §164.308(a)(4))

All workforce members who interact with ePHI — including front desk staff, billing personnel, and clinical assistants — must receive security awareness training. The training must be documented, role-appropriate, and repeated when significant operational changes or new threat categories emerge. Access authorization procedures must ensure that each user accesses only the ePHI necessary for their job function, consistent with HIPAA's minimum necessary standard.

Generic annual video modules completed without documentation rarely satisfy OCR's expectation of meaningful, ongoing security education. For deeper guidance on building a training program that holds up to scrutiny, see our overview of security awareness training requirements.

Contingency Planning (§164.308(a)(7))

Your practice must have a documented contingency plan covering data backup, disaster recovery, emergency mode operations, and procedures for testing and revising those plans. Ransomware incidents — which routinely render ePHI inaccessible — have elevated this requirement from a formality to an operational necessity. A well-structured healthcare data breach prevention strategy provides a documentation framework that integrates directly with HIPAA contingency requirements and prepares your team to make breach-or-not determinations quickly and accurately under pressure.

Section 2: Physical Safeguards (45 C.F.R. §164.310)

Physical safeguards govern how your practice controls physical access to systems and media containing ePHI. OCR investigators consistently find violations in this area because small practices focus on digital security while overlooking the physical controls the regulation explicitly requires.

Facility Access Controls (§164.310(a)(1))

Your practice must implement policies and procedures to limit physical access to electronic information systems — and the facilities where they are housed — to authorized users only. For a typical small practice this means locked server rooms or equipment closets with access logs maintained for all entries, visitor access policies that require sign-in and escort procedures in areas where ePHI is accessible, and a documented process for revoking access badges and credentials when a workforce member departs.

Workstation Use and Security (§164.310(b) and §164.310(c))

Every workstation that accesses ePHI must have a documented acceptable use policy defining how that workstation may be used and the physical safeguards surrounding it. Screens that display ePHI must not be visible to unauthorized individuals. In practice, this means screen privacy filters at check-in workstations in patient-facing areas and automatic lock timers configured to 15 minutes or fewer. These are low-cost controls that eliminate a significant category of incidental disclosure.

Device and Media Controls (§164.310(d)(1))

Before any hardware is retired, donated, or transferred, you must document a process for sanitizing it — overwriting storage media or physically destroying it. This specification also requires tracking which hardware and media contain ePHI and maintaining an inventory. A missing workstation or a stolen laptop is a reportable breach if the device held unencrypted ePHI.

Encrypting all endpoints removes the breach notification obligation for stolen devices under the HIPAA Safe Harbor provision, making endpoint encryption and asset tracking one of the highest-return controls available to small practices. AES-256 encryption is the accepted standard for ePHI at rest. For network-level hardening guidance that complements physical controls, see our HIPAA compliance guide for dental offices.

OCR Enforcement: Small Practices Are Not Exempt

OCR has levied civil monetary penalties against solo practitioners, two-physician group practices, and single-location specialty clinics. Practice size is not a mitigating factor in determining whether a violation occurred — only in calculating penalties when good-faith compliance efforts are documented. The absence of a written risk analysis remains the single most common finding across all practice sizes.

Section 3: Technical Safeguards (45 C.F.R. §164.312)

The HIPAA Security Rule's technical safeguards define the technology-side controls you must implement to protect ePHI at rest and in transit. Unlike administrative and physical requirements, technical safeguards map directly to specific software configurations, infrastructure decisions, and access control mechanisms that your IT environment must enforce.

Access Controls (§164.312(a)(1))

You must implement technical policies and procedures allowing only authorized persons to access ePHI. The four implementation specifications under this standard are:

  • Unique user identification (Required): Assign each user a unique name or number for tracking system activity. Shared login credentials are a direct violation of this requirement and among the easiest gaps for OCR to identify in audit logs.
  • Emergency access procedure (Required): Establish a process for obtaining ePHI during an emergency when normal access controls are unavailable — for example, during a ransomware incident or system outage.
  • Automatic logoff (Addressable): Implement electronic procedures that terminate a session after a defined period of inactivity. Configure this at 10–15 minutes on all ePHI-accessing systems.
  • Encryption and decryption (Addressable): Implement a mechanism to encrypt and decrypt ePHI. While classified as addressable, OCR consistently expects encryption to be deployed — or a clearly documented rationale for why it is not — and has cited its absence in enforcement actions against small practices. AES-256 is the recommended standard for ePHI at rest.

Audit Controls (§164.312(b))

Audit controls carry no addressable alternative — you must implement hardware, software, and procedural mechanisms to record and examine activity in systems that contain ePHI. Your Electronic Health Record (EHR) system must generate access logs, those logs must be retained for a minimum of six years, and someone at your practice must review them on a defined schedule. Anomalous access patterns — a staff member pulling records outside their care team, or access from an unrecognized IP address — should trigger investigation. Our guide to the MITRE ATT&CK framework covers methodologies for identifying anomalous activity in log data that apply directly to ePHI system monitoring.
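The kind of scheduled log review described above can be automated in a few lines. The script below is an added example, not code from the original page or from any EHR vendor: it parses a constructed, pipe-delimited access log, compares each access against a constructed care-team roster (the minimum necessary check) and against a constructed list of trusted office and VPN networks, and returns the events an auditor should investigate. The log format, user and patient identifiers, and network ranges are all assumptions; a real EHR exports its own schema, but the two checks carry over directly, and they depend on the unique user identification required under §164.312(a)(1).

```python
"""Audit log review for an ePHI system (added example, not from the page).

Flags two of the anomalous patterns the checklist names: a workforce member
accessing a patient outside their care-team assignment, and access from a
source address that is not one of the practice's known networks.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log, one access event per line:
# timestamp | user_id | patient_id | action | source_ip
SAMPLE_LOG = """\
2026-01-14T09:02:11|rn_ortiz|P1001|VIEW_CHART|10.20.4.15
2026-01-14T09:05:47|rn_ortiz|P1002|VIEW_CHART|10.20.4.15
2026-01-14T11:30:02|billing_lee|P1001|VIEW_BILLING|10.20.4.22
2026-01-14T12:14:09|rn_ortiz|P2050|VIEW_CHART|10.20.4.15
2026-01-14T23:48:33|dr_patel|P1001|VIEW_CHART|203.0.113.77
2026-01-15T08:00:00|front_desk|P1002|VIEW_DEMOGRAPHICS|10.20.4.30
"""

# Constructed roster: the patients each workforce member is assigned to.
# Users missing from the roster have no assignments, so every access is flagged.
CARE_TEAM = {
    "rn_ortiz": {"P1001", "P1002"},
    "dr_patel": {"P1001", "P1002", "P2050"},
    "billing_lee": {"P1001", "P1002", "P2050"},
    "front_desk": {"P1001", "P1002", "P2050"},
}

# Constructed: networks from which ePHI access is expected (office LAN, VPN pool).
TRUSTED_NETWORKS = [ip_network("10.20.4.0/24"), ip_network("10.99.0.0/16")]


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    patient: str
    action: str
    source_ip: str


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the pipe-delimited export into AccessEvent records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action, ip = line.split("|")
        events.append(AccessEvent(datetime.fromisoformat(ts), user, patient, action, ip))
    return events


def review(events, care_team=CARE_TEAM, trusted=TRUSTED_NETWORKS):
    """Return (event, reason) pairs that warrant investigation.

    One event can produce two findings if it fails both checks.
    """
    findings = []
    for ev in events:
        if ev.patient not in care_team.get(ev.user, set()):
            findings.append((ev, "access outside care-team assignment"))
        addr = ip_address(ev.source_ip)
        if not any(addr in net for net in trusted):
            findings.append((ev, "access from unrecognized source address"))
    return findings


if __name__ == "__main__":
    for ev, reason in review(parse_log(SAMPLE_LOG)):
        print(f"{ev.ts.isoformat()} {ev.user} -> {ev.patient} ({ev.action}) "
              f"from {ev.source_ip}: {reason}")
```

Run against the constructed log, the review flags the nurse's chart view of a patient outside her assignment and the physician's late-night access from an address outside the practice's networks; the remaining events are within assignment and from the office LAN and produce no finding. Retaining both the raw export and the dated review output is what satisfies the "record and examine" language of §164.312(b).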

Integrity Controls and Transmission Security (§164.312(c) and §164.312(e))

Integrity controls require that ePHI is not improperly altered or destroyed. Transmission security requires that ePHI sent over electronic communications networks is protected against unauthorized access. Any transmission of ePHI over public or untrusted networks — including email and patient portal communications — must use encryption. Transport Layer Security (TLS) 1.2 or higher is the accepted standard for data in transit, and most modern EHR and email platforms support it by default. Verify that your configurations enforce TLS rather than permitting downgrade to unencrypted connections.

NIST SP 800-66 Rev. 2 provides detailed implementation guidance for applying the Security Rule's technical safeguards across common healthcare IT environments. If you are evaluating detection and response tools for your EHR environment, our comparison of Endpoint Detection and Response (EDR) threats and defenses explains what level of coverage small practices typically need.

Building Your HIPAA Compliance Program: Seven Implementation Steps

Step 1: Conduct a Written Risk Analysis

Identify every system, application, and device that stores, transmits, or accesses ePHI. Document threats, vulnerabilities, and current controls. Assign risk ratings and retain the analysis on file.

Step 2: Designate a HIPAA Security Official

Formally appoint one individual in writing to own HIPAA security policy development and implementation. Pair them with a managed security partner if your practice lacks in-house IT expertise.

Step 3: Implement Role-Based Access Controls

Assign unique credentials to every workforce member. Configure access permissions so each user can reach only the ePHI necessary for their job function. Terminate access within one business day of employee departure.

Step 4: Deploy Technical Controls

Enable AES-256 encryption on all endpoints and storage media, enforce TLS 1.2+ for all ePHI transmissions, activate audit logging on your EHR and network systems, and configure automatic session timeouts at 15 minutes or fewer.

Step 5: Execute Business Associate Agreements

Audit every vendor relationship where ePHI is shared. Confirm a signed BAA is on file before any data is transmitted. Vet prospective BAs using SOC 2 Type II reports or ISO 27001:2022 certifications.

Step 6: Train Your Workforce

Deliver role-appropriate security awareness training to all staff with documented completion records. Repeat training when significant system changes occur or new threat categories — such as phishing campaigns targeting healthcare — emerge.

Step 7: Test and Update Your Contingency Plan

Exercise your backup and disaster recovery procedures at least annually. Document test results. Review and update all written HIPAA policies at least once per year or after any significant operational change.

Section 4: Business Associate Agreements (45 C.F.R. §164.308(b))

Any vendor, contractor, or service provider that creates, receives, maintains, or transmits ePHI on your behalf is a Business Associate (BA) under HIPAA. Before sharing any patient data with a BA, you must execute a written Business Associate Agreement (BAA) that contractually obligates them to protect ePHI and comply with applicable HIPAA provisions. This is a required specification — there is no workaround.

Completing this section of your HIPAA compliance checklist for small practices means auditing every vendor relationship where ePHI is shared and confirming a signed agreement is on file. Small practices frequently miss BAAs with vendors they do not immediately associate with healthcare data. The following relationships commonly require a signed BAA:

  • Cloud-based EHR and practice management software vendors
  • Medical billing and revenue cycle management companies
  • IT service providers and managed security partners with access to systems containing ePHI
  • Medical transcription and dictation services
  • Off-site records storage and document shredding companies
  • Answering services that handle patient communications
  • Cloud backup providers storing ePHI
  • Telehealth platforms that transmit or store patient visit data

A valid BAA must contain specific elements: a description of permitted uses and disclosures of ePHI, obligations to report breaches within 60 days of discovery, requirements to safeguard ePHI in accordance with the Security Rule, and provisions for returning or destroying ePHI upon contract termination.

Executing a BAA does not transfer your compliance obligations. If your vendor suffers a breach attributable in part to your failure to vet their security posture, OCR can investigate both parties. Vet prospective BAs by requesting their most recent SOC 2 Type II report or ISO 27001:2022 certification before executing an agreement. These attestations confirm that an independent auditor has evaluated the vendor's security controls against a recognized standard — self-assessments are not an acceptable substitute. Our guide to HIPAA cybersecurity requirements covers vendor risk management practices that apply directly to BA oversight.

Bottom Line on Business Associate Agreements

Every vendor with access to ePHI requires a signed BAA before any data sharing occurs. A missing BAA is a separately penalizable violation for each vendor relationship — regardless of whether a breach occurred. Audit your vendor inventory at least annually and verify that agreements reflect current HIPAA standards.

Section 5: HIPAA Privacy Rule Essentials

The HIPAA Privacy Rule (45 C.F.R. Part 164, Subpart E) governs how Protected Health Information (PHI) — in any format, not just electronic — may be used and disclosed. While the Security Rule focuses on ePHI, the Privacy Rule covers all PHI and carries its own set of required policies and patient rights obligations that small practices must address.

Notice of Privacy Practices (NPP)

Every covered entity must provide patients with a Notice of Privacy Practices describing how PHI is used and disclosed, patient rights regarding their health information, and how to file a complaint with HHS. The NPP must be posted prominently at your practice and made available on your website if you maintain one. Patients must receive the NPP at their first visit and must sign an acknowledgment of receipt — that acknowledgment record must be retained for six years.

Patient Rights and Minimum Necessary Standard

Patients have the right to access, amend, and request an accounting of disclosures of their PHI. Your practice must have written procedures for responding to these requests within the regulatory timeframes — 30 days for access requests, with a single 30-day extension permitted. All uses and disclosures of PHI must comply with the minimum necessary standard: disclose only the amount of information required to accomplish the intended purpose. This standard applies to internal access as well — workforce members should not access PHI beyond what their role requires.

For practices operating in telehealth or handling electronic communications with patients, the intersection of the Privacy Rule with technical controls becomes especially relevant. Review your encryption practices to ensure patient communications are protected end-to-end in compliance with both the Privacy and Security Rules.

The Five Most Common HIPAA Violations in Small Practices

OCR enforcement patterns reveal a consistent set of failures that appear across solo practices, group clinics, and specialty offices. Understanding where small practices most often fall short helps you prioritize your remediation efforts — and makes the difference between a documented, good-faith compliance program and an enforcement target.

  1. No documented risk analysis — The single most common finding in OCR investigations. Many practices assume a verbal security review satisfies the requirement. It does not. OCR expects a written document that identifies each ePHI system, assesses threats and vulnerabilities, and is reviewed at least annually.
  2. Missing Business Associate Agreements — Small practices routinely share ePHI with vendors — billing companies, IT providers, cloud storage services — without executing a written BAA. Every BA relationship without a signed agreement is a separate, independently penalizable violation.
  3. Insufficient access controls — Shared login credentials, absent role-based access restrictions, and failure to terminate access when employees depart are the most frequently cited access control failures. Each instance of unauthorized ePHI access attributable to these gaps can be counted as a separate violation under OCR's penalty structure.
  4. Untested contingency plans — A backup plan that has never been tested provides no assurance that ePHI can actually be recovered after a ransomware incident or hardware failure. OCR expects evidence that the plan works, not just that it exists on paper. Our ransomware protection guide covers backup validation practices directly applicable to healthcare environments.
  5. Inadequate training documentation — Security awareness training that cannot be demonstrated with completion records, dated materials, and role-appropriate content will not satisfy OCR's standard. A staff email reminder or informal walkthrough does not qualify. Review the HHS Security Rule guidance for its documentation expectations.

Section 6: Breach Notification and Civil Monetary Penalties (45 C.F.R. Part 164, Subpart D)

The HIPAA Breach Notification Rule requires covered entities to notify affected individuals, HHS, and in some cases prominent media outlets following a breach of unsecured ePHI. The notification timelines are strict and the financial exposure for non-compliance is substantial.

Notification Timeline Requirements

Individual notification must occur within 60 days of discovering a breach. If the breach affects 500 or more individuals in a single state, you must also notify prominent media outlets in that state within the same 60-day window. Breaches affecting 500 or more individuals must be reported to HHS simultaneously with individual notification; smaller breaches may be compiled into an annual log submitted to HHS within 60 days of the calendar year's end.

Documenting the breach discovery date is operationally essential — the 60-day clock starts when the breach is known or reasonably should have been known, not when your investigation concludes. Delaying a formal discovery determination to extend the investigation window is a compliance risk, not a legal strategy. Healthcare breach costs consistently rank highest among all industries, as documented in the IBM Cost of Data Breach Report, and the notification process itself — legal review, patient communications, credit monitoring services — drives a significant share of those costs.

Civil Monetary Penalty Structure

Violation Category                            Minimum Per Violation   Maximum Annual Cap
No knowledge                                  $100                    $25,000
Reasonable cause                              $1,000                  $100,000
Willful neglect — corrected within 30 days    $10,000                 $250,000
Willful neglect — not corrected               $50,000                 $1,900,000

The most effective way to position your practice in the lowest possible penalty tier — should an incident occur — is to demonstrate a documented, good-faith compliance program maintained before the breach event. That means your risk analysis, policies, training records, and BAAs are in order before OCR investigates, not after.

What OCR Requests During an Investigation

When OCR initiates a compliance review — whether triggered by a breach report, a patient complaint, or a random desk audit — investigators typically request the following documentation: your written risk analysis and risk management plan; a list of all systems and applications that access or store ePHI; sample audit logs from your EHR and network systems; workforce security training documentation including attendance records and training materials; copies of all executed Business Associate Agreements; your written HIPAA policies and procedures; and evidence that your contingency plan has been tested.

Practices that cannot produce these documents on demand are immediately positioned in the higher penalty tiers. Building and maintaining this documentation before an incident is your primary legal defense — and the core purpose of every item in a HIPAA compliance checklist for small practices. A documented HIPAA incident response plan provides the framework to make breach-or-not determinations quickly and accurately when time pressure is highest.

What This Means for Your Practice

HIPAA compliance for small practices is not a checkbox exercise — it is an ongoing program. OCR's enforcement record confirms that solo practitioners and small group practices face the same investigative scrutiny as large health systems. Every item in this checklist represents a documented control that positions your practice in a defensible posture before an incident occurs, not after.

Schedule Your HIPAA Endpoint Security Review

Our cybersecurity team specializes in HIPAA-compliant endpoint security for medical practices, dental offices, and healthcare clinics. We will evaluate your current security posture against the HIPAA Security Rule and deliver a prioritized remediation roadmap.

Frequently Asked Questions

Yes. HIPAA applies to all covered entities regardless of size — including solo practitioners, single-physician practices, small dental offices, and mental health clinics. The Office for Civil Rights does not distinguish between a one-person practice and a large health system when evaluating whether a violation occurred. Size is considered only when calculating penalties, and only when the practice can demonstrate documented good-faith compliance efforts.

The absence of a written risk analysis is the single most common finding in OCR investigations. Many small practices conduct informal verbal reviews and believe that satisfies the requirement — it does not. The HIPAA Security Rule (45 C.F.R. §164.308(a)(1)) requires a written document that identifies every ePHI system, assesses threats and vulnerabilities, and is reviewed at least annually. Without that document, no other compliance effort can be fully validated.

A Business Associate Agreement (BAA) is a written contract required by HIPAA before you share ePHI with any vendor, contractor, or service provider who creates, receives, maintains, or transmits that data on your behalf. This includes EHR vendors, billing companies, IT service providers, medical transcription services, cloud backup providers, and answering services that handle patient communications. Every BA relationship without a signed BAA is a separately penalizable violation.

Encryption is classified as an "addressable" implementation specification under 45 C.F.R. §164.312(a)(2)(iv) and §164.312(e)(2)(ii), which means you must either implement it or document a justified rationale for not doing so. In practice, OCR consistently expects encryption to be deployed and has cited its absence in enforcement actions against small practices. AES-256 is the recommended standard for ePHI at rest; TLS 1.2 or higher is required for ePHI in transit. Encrypted devices also qualify for the HIPAA Safe Harbor provision, eliminating breach notification obligations for lost or stolen hardware.

HIPAA does not specify a fixed interval, but OCR's guidance and enforcement record make clear that the risk analysis must be reviewed and updated periodically — at minimum annually, and whenever significant changes occur in your environment. Triggering events include adding new systems or applications that access ePHI, changing EHR or practice management platforms, onboarding new vendors, experiencing a breach or security incident, or expanding to new office locations.

Under the HIPAA Breach Notification Rule (45 C.F.R. §164.404), covered entities must notify affected individuals within 60 days of discovering a breach of unsecured ePHI. Breaches affecting 500 or more individuals in a state also require media notification within the same window. The 60-day clock begins when the breach is known — or reasonably should have been known — not when your internal investigation concludes. Smaller breaches may be logged and reported to HHS annually within 60 days of the calendar year's end.

Required specifications under the HIPAA Security Rule must be implemented as written — no exceptions. Addressable specifications must also be implemented unless your practice documents a specific, reasonable rationale for why a given specification is not appropriate for your environment and implements an equivalent alternative measure. "Addressable" does not mean optional. OCR has cited practices that treated addressable specifications as voluntary and failed to implement or document alternatives.

HIPAA civil monetary penalties are tiered by culpability. Violations with no knowledge carry a minimum of $100 per violation up to a $25,000 annual cap. Reasonable cause violations start at $1,000 per violation with a $100,000 annual cap. Willful neglect corrected within 30 days carries a $10,000 minimum and $250,000 annual cap. Willful neglect not corrected carries a $50,000 minimum and a $1,900,000 annual cap. Each violation is assessed separately, meaning multiple missing BAAs or repeated access control failures compound quickly.

Yes. HIPAA's contingency planning requirements (§164.308(a)(7)) and breach notification obligations (45 C.F.R. Part 164, Subpart D) together require that your practice have documented procedures for responding to security incidents, determining whether a breach occurred, and executing notifications within regulatory timeframes. An incident response plan that integrates these elements helps your team act quickly and accurately under pressure — and provides OCR with evidence of a good-faith compliance program if an investigation occurs.

Most small practices address this gap by working with a managed security provider that specializes in healthcare IT and HIPAA compliance. A qualified partner can conduct your risk analysis, implement technical controls, manage endpoint encryption and audit logging, and provide the documentation you need to demonstrate compliance to OCR. The key is selecting a vendor with healthcare-specific expertise, verifiable credentials (SOC 2 Type II or ISO 27001:2022 certification), and a willingness to execute a Business Associate Agreement — which any legitimate healthcare IT partner should do without hesitation.
