A practical 2026 HIPAA rule-keeping checklist for small habits, including risk analysis, training, policies, BAAs, and incident response. This guide is written for rule-keeping leaders, founders, and operations teams that need practical execution, not theory.
2026 Small Practice Checklist
- Assign privacy and security ownership.
- Run an annual SRA.
- keep written policies/steps.
- Train team annually.
- Execute BAAs with vendors.
- Implement access controls + MFA.
- Encrypt devices and backups.
- Test incident response + breach workflow.
- keep written records for 6+ years.
Most Missed Items
Small teams often skip formal written records updates, vendor risk reviews, and evidence retention. Those are common failure points during reviews.
90-Day Execution Plan
Weeks 1-2 review, weeks 3-6 policy and training updates, weeks 7-10 tech controls, weeks 11-12 tabletop and proof gathering.
Small Practice Checklist Final Takeaway
The groups that perform best in audits are those with clear steps, assigned ownership, and clear evidence. Build rule-keeping as an daily habit, not a one-time event.
Related resources: What is HIPAA, HIPAA Compliance Guide 2026, HIPAA Risk review Process, and contact us for setup support.
Need setup help? One Guy Consulting provides practical HIPAA guidance for covered groups and business associates. Book a consultation. Start with a risk assessment Train your team Execute BAAs with vendors written policies and procedures Identify your compliance gaps