HIPAA Compliance Checklist for Small Practices
The HHS HIPAA guidance runs over 100 pages. Most small practices do not have the time to read it, let alone implement it systematically. A compliance checklist gives you a concrete starting point — something you can work through with your team and actually mark done.
HIPAA is designed to be scalable. The Security Rule explicitly recognizes that the measures a small practice implements may differ from those of a large health system. What matters is that you address every requirement in a manner that is reasonable and appropriate for your size, complexity, and risk profile.
This checklist covers all three major rules: Privacy, Security, and Breach Notification. It also covers organizational requirements and annual maintenance tasks. Where a topic runs deep, we link to a dedicated guide so you can go further when you need to. Use it as a starting point for a new program or as a gap assessment tool for an existing one.
This is not a substitute for a formal HIPAA gap analysis. But it is the fastest way to identify where you stand and what needs attention first.
The Complete HIPAA Compliance Checklist for Small Healthcare Practices
Designate a Privacy and Security Officer
Every covered entity must designate a privacy officer responsible for Privacy Rule compliance and a security officer responsible for Security Rule compliance (45 CFR 164.530(a)(1) and 45 CFR 164.308(a)(2)). In small practices, one person often fills both roles. This is acceptable under HIPAA, but the designation must be formal and documented.
- Appoint a privacy officer in writing with a defined start date
- Appoint a security officer in writing (may be the same person)
- Document the officers' responsibilities and authority in a written job description or policy
- Ensure the designated individuals have adequate training in HIPAA requirements
- Communicate the officers' names and contact information to all workforce members
- Include the privacy officer's contact information in your Notice of Privacy Practices
The privacy and security officer does not need to be a compliance professional by background. Many small practices designate the practice manager or a senior clinician. What matters is that the person understands the role, has the authority to enforce policies, and has access to the training and resources needed to fulfill the responsibilities.
Conduct a Risk Assessment
The HIPAA risk assessment is the foundation of your compliance program. OCR identifies the failure to conduct a risk analysis as the most common deficiency in enforcement actions — regardless of practice size. Small practices are not exempt.
- Inventory all ePHI — identify every system, device, and location where electronic protected health information is created, received, stored, or transmitted
- Identify threats — document potential threats to ePHI including cyberattacks, device theft, insider threats, and natural disasters
- Identify vulnerabilities — assess weaknesses in your current security posture
- Assess current controls — evaluate the effectiveness of existing safeguards
- Determine risk levels — rate each risk based on likelihood and potential impact
- Create a remediation plan — prioritize and schedule actions to address identified risks
- Document everything — maintain written records of the entire risk assessment process
- Schedule annual reassessment — set a recurring date for your next comprehensive risk analysis
HHS provides a free Security Risk Assessment (SRA) Tool designed for small and medium practices. While the tool does not replace expert judgment, it provides a structured framework that helps small practices organize and document their risk analysis. If you have not done a risk analysis, start with our how to conduct a HIPAA risk assessment guide.
Privacy Rule Requirements
The Privacy Rule governs how covered entities handle protected health information (PHI). It sets patient rights, limits on use and disclosure, and documentation requirements. For a full breakdown, see our understanding the HIPAA Privacy Rule guide.
Notice of Privacy Practices
The Notice of Privacy Practices (NPP) is one of the most visible compliance requirements. Patients must receive it no later than the first service delivery (for emergency treatment, as soon as practicable afterward).
- Your NPP is written in plain language a patient can actually understand
- The NPP describes all uses and disclosures of PHI your practice makes
- The NPP includes patient rights (access, amendment, restriction, accounting)
- The NPP lists your complaint process and includes the HHS complaint address
- You give the NPP to new patients at the first service delivery
- You make a good-faith effort to get a signed acknowledgment from each patient
- You keep signed acknowledgments on file (or document why you could not obtain one)
- The NPP is posted in your facility in a clear, readable location
- The NPP is available on your website if you have one
- Your NPP is reviewed and updated whenever your privacy practices change
Patient Rights
Patients have specific rights under the Privacy Rule. Your practice must be able to fulfill each one when a patient asks.
- You have a process for handling requests to access PHI (45 CFR 164.524)
- You respond to access requests within 30 days (or 60 with one 30-day extension)
- You have a process for requests to amend PHI (45 CFR 164.526)
- You respond to amendment requests within 60 days (one 30-day extension is permitted if you notify the patient in writing)
- You have a process for accounting of disclosures requests (45 CFR 164.528)
- You can provide an accounting of disclosures for the prior six years
- You have a process for requests to restrict use or disclosure of PHI
- You honor requests to restrict disclosure to health plans for services paid out-of-pocket in full
- You have a process for patients requesting confidential communications
- Staff know how to route patient rights requests to the right person
Minimum Necessary Standard
The minimum necessary standard requires that you limit PHI use, disclosure, and requests to the least amount needed to accomplish the purpose.
- Your policies define what PHI each job role needs access to
- Staff only access PHI relevant to their job function
- You have policies limiting incidental disclosures (in waiting rooms, open workstations)
- When you share PHI with other providers, you limit what you send to what they need
- Fax cover sheets include a confidentiality notice
- You do not leave PHI visible on unattended computer screens
- Verbal conversations about PHI happen in areas where the public cannot overhear
- Waiting room sign-in sheets do not reveal diagnosis or reason for visit
Business Associate Agreements
Any vendor that creates, receives, maintains, or transmits PHI on your behalf is a business associate. You need a signed Business Associate Agreement (BAA) with each one. Small practices frequently overlook vendor relationships that qualify, creating significant compliance gaps.
- You have a current inventory of all business associates including EHR vendors, billing services, IT support, cloud storage providers, shredding companies, answering services, and accounting firms with PHI access
- Every business associate has a signed BAA on file
- Each BAA meets the required elements under 45 CFR 164.504(e)
- BAAs address the business associate's obligations if a breach occurs
- You review BAAs when you add a new vendor or when a vendor's services change
- Expired or unsigned BAAs are flagged and resolved promptly
- Your BAAs require subcontractors to agree to the same restrictions
- You maintain a master list of all active BAAs with execution dates and review schedules
- Agreements are properly terminated when vendor relationships end, ensuring PHI is returned or destroyed
Do not assume that a vendor's verbal assurance of HIPAA compliance replaces a written BAA. The regulation requires a written agreement. Without one, every PHI disclosure to that vendor is a potential violation.
Staff Training
Every workforce member who handles PHI must receive HIPAA training. This includes employees, volunteers, trainees, and any other person whose conduct is under the direct control of the practice — regardless of whether they are paid. See our HIPAA employee training guide for what to cover.
- All new workforce members complete training before accessing PHI
- Training covers your specific policies, not just generic HIPAA concepts
- Annual refresher training runs for all existing workforce members
- Role-specific training covers the PHI access and responsibilities relevant to each position
- Security awareness topics include recognizing phishing, password best practices, device handling, and social engineering
- Privacy training covers what constitutes PHI, patient rights, minimum necessary standard, and reporting suspected violations
- Additional training triggers when policies change or after a privacy incident
- Training completion is documented with dates, content covered, and employee names
- Contractors and temporary staff receive training before accessing PHI
- Training records are retained for at least six years
Training does not need to be expensive or elaborate. Brief, focused sessions are more effective than lengthy annual lectures. Use real-world scenarios relevant to your practice to make training practical and memorable.
Security Rule: Administrative Safeguards
Administrative safeguards are the policies, procedures, and personnel requirements that form the foundation of your security program. For a deep dive, read our HIPAA Security Rule compliance guide.
Risk Analysis and Risk Management
- You have conducted a formal, documented risk analysis (45 CFR 164.308(a)(1))
- The risk analysis covers all ePHI your organization creates, receives, maintains, or transmits
- Identified risks have been assigned a likelihood and impact rating
- You have a written risk management plan to address identified risks
- High and medium risks have documented mitigation steps with owners and timelines
- The risk analysis is updated at least annually or after significant operational changes
Workforce Management
- Your workforce clearance procedure screens new hires before they access ePHI
- Access is terminated or modified promptly when employees change roles or leave
- Workforce supervision includes monitoring for inappropriate ePHI access
- Sanctions are documented and consistently applied when policies are violated
Information Access Management
- Access to ePHI is granted based on job function (role-based access control)
- A process exists for authorizing access and documenting approvals
- Access rights are reviewed when employee roles change
Security Incident Procedures
- You have a written security incident response policy
- Staff know how to report a suspected security incident
- Incidents are logged, investigated, and documented
- Your incident response connects to your breach notification procedures
Contingency Planning
- You have a data backup plan that creates retrievable, exact copies of ePHI
- Backups are tested regularly to confirm they can be restored
- You have a disaster recovery plan for restoring data after a failure
- Your emergency mode operations plan lets you maintain access to ePHI during a crisis
- You have tested your contingency plan within the past year
Security Rule: Physical Safeguards
Physical safeguards protect the facilities and equipment where ePHI is stored and accessed.
- Access to areas where ePHI is stored or processed is limited to authorized personnel
- Your facility has a documented contingency operations plan for physical access during emergencies
- Server rooms, network closets, and storage areas are locked
- Visitor access to sensitive areas is controlled and logged
- Workstations that access ePHI are positioned to minimize viewing by unauthorized persons
- Auto-lock is enabled on all workstations after a defined period of inactivity
- You have policies for receiving and removing hardware and electronic media
- ePHI is removed from hardware before disposal or re-use (wiping or destruction)
- Portable devices that access or store ePHI are tracked and accounted for
- Lost or stolen devices are reported immediately and a remote wipe is initiated if possible
Security Rule: Technical Safeguards
Technical safeguards are the technology controls that protect ePHI and control access to it. Small practices do not need enterprise-grade technology, but they do need reasonable protections.
- Each user has a unique login ID — no shared accounts
- Strong passwords are enforced with minimum complexity requirements
- Multi-factor authentication is implemented for ePHI system access, especially remote access
- You have an emergency access procedure for obtaining ePHI during an emergency
- Automatic logoff is implemented on systems containing ePHI
- ePHI is encrypted at rest on all devices (laptops, desktops, portable media) and in transit (TLS for email, HTTPS for web applications). Note that TLS on email only protects the message between mail servers that both support it; for PHI sent to outside parties, use a patient portal, secure messaging service, or encrypted attachment rather than relying on the recipient's mail server
- Systems containing ePHI generate audit logs capturing who accessed what, when, and what action was taken
- Audit logs are reviewed on a defined schedule for anomalies (after-hours access, access by accounts that should no longer exist, unusually high record volumes), and each review is recorded with the date, reviewer, and any follow-up
- You have mechanisms to confirm ePHI has not been altered or destroyed without authorization
- Antivirus and anti-malware protection is installed and maintained on all systems
- Security updates are applied to operating systems and applications promptly
- Regular automated backups are performed and restoration procedures are tested
Encryption also determines what counts as a breach. PHI encrypted in line with HHS guidance is "secured," so a lost laptop with an encrypted drive is generally not a reportable breach, while the same laptop with an unencrypted drive is. For specifics on what encryption is required and what counts as sufficient, see our HIPAA encryption requirements guide.
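The audit-log items above are the ones small practices most often leave undone: the EHR produces the log, but nobody reads it. The script below is an added example (not code from the original page or from any EHR vendor) showing what a monthly log review can actually check. The log format, account names, clinic hours, and thresholds are assumptions; adapt them to what your EHR exports and what your access policy says each role may do.

```python
"""Review an EHR chart-access log for the anomalies a small practice can
realistically look for: accounts not on the active roster (terminated staff
or shared logins), actions a role is not permitted to take, after-hours
access, and one user touching many distinct charts in a day.
Example code added for illustration; formats and thresholds are assumed."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log (not real EHR output). Assumed format per line:
# ISO-8601 timestamp, user ID, patient ID, action.
SAMPLE_LOG = """\
2025-03-03T08:55:12,jsmith,P1001,VIEW
2025-03-03T09:10:40,jsmith,P1002,VIEW
2025-03-03T09:30:02,frontdesk,P1003,VIEW
2025-03-03T11:42:19,mlee,P1001,VIEW
2025-03-03T12:05:44,mlee,P1010,EXPORT
2025-03-03T23:18:05,tbrown,P1007,VIEW
2025-03-03T23:19:30,tbrown,P1008,VIEW
2025-03-04T10:00:00,jsmith,P1011,VIEW
2025-03-04T10:05:00,jsmith,P1012,VIEW
2025-03-04T10:10:00,jsmith,P1013,VIEW
2025-03-04T10:15:00,jsmith,P1014,VIEW
2025-03-04T10:20:00,jsmith,P1015,VIEW
2025-03-04T10:25:00,jsmith,P1016,VIEW
2025-03-04T14:00:00,kdoe,P1002,VIEW
"""

# Assumed active roster: user ID -> role. kdoe left last month and was
# removed here; "frontdesk" is a shared login that should not exist at all.
ACTIVE_USERS = {"jsmith": "clinician", "mlee": "biller", "tbrown": "clinician"}
# Assumed access policy: which actions each role may perform.
ALLOWED_ACTIONS = {"clinician": {"VIEW", "EDIT", "EXPORT"}, "biller": {"VIEW"}}
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed clinic hours
MAX_PATIENTS_PER_DAY = 5                     # assumed per-user, per-day threshold


def parse_log(text):
    """Yield (timestamp, user, patient, action) tuples, skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        yield datetime.fromisoformat(ts), user, patient, action


def review_log(text, roster=ACTIVE_USERS, allowed=ALLOWED_ACTIONS,
               hours=BUSINESS_HOURS, max_patients=MAX_PATIENTS_PER_DAY):
    """Return {rule_name: [finding, ...]} for the events that need a human look."""
    findings = defaultdict(list)
    per_user_day = defaultdict(set)  # (user, date) -> distinct patients touched
    for ts, user, patient, action in parse_log(text):
        role = roster.get(user)
        if role is None:
            # Account not on the active roster: terminated user or shared login.
            findings["unknown_account"].append((user, ts.isoformat(), patient))
            continue
        if action not in allowed[role]:
            findings["action_outside_role"].append((user, role, action, patient))
        if not hours[0] <= ts.time() <= hours[1]:
            findings["after_hours"].append((user, ts.isoformat(), patient))
        per_user_day[(user, ts.date())].add(patient)
    for (user, day), patients in per_user_day.items():
        if len(patients) > max_patients:
            findings["high_volume"].append((user, day.isoformat(), len(patients)))
    return dict(findings)


if __name__ == "__main__":
    for rule, items in review_log(SAMPLE_LOG).items():
        print(rule)
        for item in items:
            print("   ", item)
```

On the constructed log this flags two accounts not on the roster (the shared `frontdesk` login and the departed `kdoe`), a biller exporting a chart, two late-night accesses by `tbrown`, and `jsmith` opening six distinct charts in one day. Every hit still needs a human decision (the biller may have had a legitimate reason; the clinician may have been on call), and that decision, with the date and reviewer, is the documentation OCR asks for.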
Breach Notification Rule
When a breach of unsecured PHI occurs, HIPAA requires specific notifications within defined timeframes. Your full breach response plan should be documented in advance — not after a breach happens. Read our HIPAA breach response plan guide to build one from scratch.
Breach Detection and Assessment
- You have a process for identifying potential breaches as quickly as possible
- Staff know how to report suspected breaches internally
- A designated person is responsible for investigating breach reports
- Your investigation includes the four-factor risk assessment: the nature and extent of the PHI involved (including the identifiers and the likelihood of re-identification), the unauthorized person who used the PHI or to whom it was disclosed, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated
- Unsecured PHI that has been breached is presumed reportable unless the four-factor test shows low probability of compromise
Notification Requirements
- Individual notifications go out without unreasonable delay and no later than 60 calendar days after the breach is discovered (the 60 days is an outer limit, not a target)
- Notifications are sent by first-class mail (or email if the patient has agreed), with substitute notice when you lack current contact information
- Your notification includes all required elements: description of the breach, types of PHI involved, steps individuals should take, what you are doing to investigate and prevent recurrence, and your contact information
- Breaches affecting 500 or more individuals are reported to HHS without unreasonable delay and no later than 60 days after discovery via the HHS Breach Reporting Portal
- Breaches affecting fewer than 500 individuals are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered (March 1 in most years)
- Breaches affecting 500 or more residents of a state or jurisdiction also require notice to prominent media outlets serving that area within the same 60-day limit
- All breach investigations are documented, including the four-factor risk assessment
- Documentation is retained for at least six years
Organizational Requirements
Beyond the three major rules, HIPAA has organizational requirements that apply to every covered entity. These are frequently overlooked.
Policies and Procedures
- You have written policies and procedures for all required HIPAA safeguards
- Policies are specific to your organization — not just a generic template
- Policies are reviewed and updated when operations, technology, or regulations change
- Staff can locate and reference policies when needed
- Policies cover privacy, access control, training, breach response, BAAs, device disposal, and contingency planning at minimum
- Version control and revision tracking are in place
Documentation Retention
- All HIPAA-required documentation is retained for at least six years from the date of creation or last effective date
- This includes training records, BAAs, breach documentation, risk analysis documentation, policies (current and historical versions), and incident reports
- You have a documented records retention schedule
Complaint Process and Sanctions
- You have a documented process for receiving and handling patient complaints about privacy practices
- Patient complaints are documented and investigated
- You do not retaliate against anyone who files a complaint in good faith
- You have a written sanctions policy for workforce members who violate HIPAA policies
- Sanctions are applied consistently and documented
Annual Maintenance
HIPAA compliance is not a one-time project. It requires ongoing maintenance. Use this section at least once a year — or whenever significant changes occur in your operations, technology, or workforce.
- Update your risk analysis to reflect new systems, new staff, new services, or new threats
- Review your risk management plan and close out completed items
- Review and update your policies and procedures for any changes in operations or law
- Deliver annual HIPAA refresher training to all workforce members
- Audit your business associate list and confirm every vendor has a current, signed BAA
- Review system access logs to confirm access rights match current job functions
- Terminate access for any former employees or contractors that was not already removed
- Test your data backup and disaster recovery procedures
- Audit workstation configurations for auto-lock, encryption, and software updates
- Confirm all portable devices are inventoried and accounted for
- Submit your annual breach log to HHS by March 1 for incidents from the prior year (if any)
- Review the Security Officer and Privacy Officer designations — are these still the right people?
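The access items in this list (and "Access is terminated or modified promptly" under Workforce Management) come down to one reconciliation: compare who the EHR says has an account with who HR says works here. The script below is an added example, not code from the original page or from any EHR or HR product. The two CSV exports, column names, and the 90-day dormancy threshold are assumptions; most EHRs can export something close to the account list, and a spreadsheet from the practice manager serves as the roster.

```python
"""Reconcile EHR accounts against the HR roster for the annual (or
post-departure) access review. Flags accounts with no matching employee,
terminated employees whose account is still enabled, EHR roles that do
not match the job role, dormant accounts, and active staff with no
account. Example code added for illustration; formats are assumed."""
import csv
import io
from datetime import date

# Constructed HR roster (assumed export format). termination_date is blank
# while the person is employed.
HR_ROSTER = """\
user_id,name,job_role,status,termination_date
jsmith,Jane Smith,clinician,active,
mlee,Maria Lee,biller,active,
tbrown,Tom Brown,clinician,active,
agarcia,Ana Garcia,clinician,active,
kdoe,Ken Doe,front_desk,terminated,2025-01-31
rpatel,Ria Patel,front_desk,active,
"""

# Constructed EHR account export (assumed format).
EHR_ACCOUNTS = """\
user_id,ehr_role,enabled,last_login
jsmith,clinician,true,2025-03-03
mlee,clinician,true,2025-03-03
tbrown,clinician,true,2025-03-03
agarcia,clinician,true,2024-11-20
kdoe,front_desk,true,2025-02-02
frontdesk,front_desk,true,2025-03-04
vendor_support,admin,true,2024-10-15
"""

TODAY = date(2025, 3, 5)  # fixed review date so the example is reproducible
DORMANT_DAYS = 90         # assumed threshold for "nobody has used this"


def reconcile_access(hr_csv, ehr_csv, today=TODAY, dormant_days=DORMANT_DAYS):
    """Return a dict of review findings, each a list the reviewer works through."""
    hr = {row["user_id"]: row for row in csv.DictReader(io.StringIO(hr_csv))}
    accounts = [row for row in csv.DictReader(io.StringIO(ehr_csv))
                if row["enabled"].lower() == "true"]
    report = {"orphaned": [], "terminated_still_enabled": [],
              "role_mismatch": [], "dormant": [], "no_account": []}
    seen = set()
    for acct in accounts:
        uid = acct["user_id"]
        seen.add(uid)
        # Dormancy applies to every enabled account, vendor and shared ones included.
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > dormant_days:
            report["dormant"].append((uid, idle))
        person = hr.get(uid)
        if person is None:
            # No employee behind this login: shared, vendor, or forgotten account.
            report["orphaned"].append(uid)
            continue
        if person["status"] == "terminated":
            since = (today - date.fromisoformat(person["termination_date"])).days
            report["terminated_still_enabled"].append((uid, since))
            continue
        if acct["ehr_role"] != person["job_role"]:
            report["role_mismatch"].append((uid, person["job_role"], acct["ehr_role"]))
    for uid, person in hr.items():
        if person["status"] == "active" and uid not in seen:
            report["no_account"].append(uid)
    return report


if __name__ == "__main__":
    for category, items in reconcile_access(HR_ROSTER, EHR_ACCOUNTS).items():
        print(f"{category}: {items}")
```

On the constructed data the review finds a former front-desk employee still enabled 33 days after termination, a biller holding a clinician role in the EHR, a shared `frontdesk` login and a `vendor_support` account with no employee behind them, and two accounts nobody has used in over 90 days. Each line becomes a ticket to disable, downgrade, or justify in writing, and the saved output is the evidence that the review happened.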
Triggered Reviews
These items should happen in response to specific events, not just annually:
- After a breach or near-miss: conduct a root cause analysis and update controls
- After a new technology deployment: update the risk analysis before go-live
- After a significant staff change: review access rights and training status
- After a merger or acquisition: assess the new entity's HIPAA posture and integrate it
- After a major HIPAA regulatory change: update policies, train staff, and document the update
What Happens If You Are Not Compliant
HIPAA violations carry civil and criminal penalties. Civil penalties range from $141 to $71,162 per violation, with annual caps up to $2,134,831 per violation category (2026 adjusted amounts). Criminal penalties, prosecuted by the Department of Justice, apply to knowingly obtaining or disclosing PHI in violation of the rules.
Since 2019, OCR has taken 50+ enforcement actions specifically on the patient right of access — many against small practices, not hospitals. Gums Dental Care, a solo dental practice in Maryland, was assessed a $70,000 civil money penalty in 2024 for failing to provide a patient's records within the required timeframe. Three other dental practices settled right-of-access cases for a combined $135,000 in 2022.
The practical risk is not just the fine. Investigations are time-consuming, public, and damaging to patient trust. A corrective action plan can run for years. Proactive compliance costs far less. Our HIPAA penalties and fines guide covers the full penalty tiers and how OCR determines which tier applies.
FAQs
What should I do first if my small clinic does not have a HIPAA risk assessment or written policies?
Start with three immediate actions: (1) designate a privacy and security officer, (2) conduct a documented risk assessment to understand your current exposure, and (3) use the findings from that risk assessment to develop written policies specific to your practice. HHS guidance confirms that risk analysis is the first step in Security Rule compliance and that it must be documented. The Security Rule also requires written policies and procedures to be maintained in documented form. Do not use generic templates without customizing them to reflect how your practice actually operates.
Is HIPAA compliance different for small practices?
The requirements are the same for all covered entities regardless of size. However, the Security Rule is explicitly designed to be scalable and flexible. Small practices may implement simpler, less costly measures than large health systems, provided those measures are reasonable and appropriate given the practice's size, complexity, and risk profile. The key is addressing every requirement — not matching the implementation of a large hospital.
How often do I need to update my HIPAA compliance program?
At minimum, annually. The risk analysis must be updated whenever there are significant changes to your operations, technology, or workforce — not just on a calendar schedule. Policies should be reviewed annually and updated whenever your practices change. Training must happen at onboarding and at least annually after that. The six-year documentation retention rule applies to everything.
Does HIPAA apply to my small practice with only two employees?
Yes. HIPAA applies to covered entities regardless of size. A health care provider that transmits health information electronically in connection with a standard transaction (submitting claims to insurers electronically is the common case) is a covered entity. Size affects how you implement compliance — not whether you have to comply.
Do I need a HIPAA compliance officer?
Yes. HIPAA requires covered entities to designate a Privacy Officer and a Security Officer. In small practices, these can be the same person. The role can be held by a staff member, a contractor, or an outsourced compliance service. The requirement is that someone is clearly accountable for developing and implementing your privacy and security policies.
What is the difference between the Privacy Rule and the Security Rule?
The Privacy Rule covers all forms of PHI — paper, verbal, and electronic. It sets rules for who can see or use PHI and what rights patients have. The Security Rule covers only electronic PHI (ePHI). It sets requirements for the administrative, physical, and technical controls that protect ePHI from unauthorized access, use, or disclosure. Most practices need to comply with both.
What counts as a HIPAA breach?
A breach is an impermissible use or disclosure of unsecured PHI that compromises the security or privacy of the information. It is presumed to be reportable unless you can demonstrate through a four-factor risk assessment that there is a low probability the PHI was compromised. Common breaches include unauthorized access by a workforce member, a lost or stolen device with unencrypted PHI, a misdirected fax or email, and a ransomware attack.
Can I handle HIPAA compliance without a consultant?
Yes, many small practices manage compliance internally using structured tools and available resources. The privacy and security officer should invest time in understanding HIPAA requirements, use structured tools for the risk assessment, and customize template policies to the practice. External consultants are most valuable for initial assessments, complex situations, or when a practice lacks the internal expertise to address specific technical or regulatory questions.
Conclusion
HIPAA compliance for small practices is achievable, practical, and required. This checklist provides a structured path through every major compliance requirement — from designating officers and conducting risk assessments to implementing safeguards, managing vendors, and preparing for breaches. No single item is optional, but every item is scalable to fit the reality of a small practice.
The practices that succeed with HIPAA compliance treat it as an ongoing operational priority rather than a one-time project. Regular training, annual risk assessments, updated policies, and active vendor management create a compliance program that protects patients, satisfies regulators, and gives your practice the confidence to focus on delivering care.
One Guy Consulting helps small and mid-sized healthcare practices build compliance programs that work. Our 101-policy library provides customizable templates for every item on this checklist, and our platform handles the ongoing work — policy distribution, annual training delivery, BAA tracking, and documentation — all in one place. Book a demo to see how it works.
Sources
- HHS OCR HIPAA Audit Protocol
- 45 CFR Part 164 — Security and Privacy Standards
- HHS Security Risk Assessment (SRA) Tool
- HHS HIPAA Enforcement Highlights
- HHS — Gums Dental Care $70,000 Penalty (October 2024)
- HHS — Three Dental Practice Right of Access Settlements (September 2022)
- Nixon Peabody — OCR Right of Access Initiative (March 2025)