Does Your Small Clinic Need a HIPAA Risk Assessment? What Happens After the Gaps Are Found

Practical guidance for healthcare teams and business associates

How One Guy Consulting Helps Small Practices Close HIPAA Gaps

In January 2025, OCR settled with a Massachusetts healthcare services company for $80,000 after a ransomware attack exposed over 31,000 patient records. The root finding: no risk assessment. A month earlier, an Oklahoma EMS provider paid $90,000 for the same gap. Neither organization was large. Both were covered entities that assumed their size made them invisible to regulators. It did not.

If your small clinic still does not have a HIPAA risk assessment or written policies, you are not alone. Most small practices have never completed a formal security risk analysis. But the regulatory requirement does not scale down with your headcount, and OCR's Risk Analysis Initiative - launched in late 2024 - is specifically targeting organizations that have skipped this step.

This article answers two questions: do you actually need a risk assessment (yes), and what happens after it reveals the gaps you already suspect are there.

Yes, Your Clinic Needs a Security Risk Assessment

The requirement is unambiguous. 45 CFR 164.308(a)(1)(ii)(A) requires every covered entity and business associate to conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). The Health Insurance Portability and Accountability Act does not exempt small practices. A two-provider dental office has the same obligation as a hospital system.

The scope should be proportional. A small clinic does not need a 200-page report. But it does need a documented risk assessment process that identifies where ePHI lives, what threats exist, what control measures are in place, and where gaps remain. The process is fundamentally about identifying hazards to patient data and your practice's health and safety obligations under federal law. Without that baseline, every other compliance activity - policies, training, vendor management - is built on guesswork rather than evidence.

Most small clinics that contact One Guy Consulting have never completed one. That is not shameful. It is the starting point.

What the Assessment Typically Finds

The gaps at small healthcare practices are predictable. After conducting assessments for clinics, therapy practices, and specialty offices, the same findings surface repeatedly:

  • No written HIPAA policies - the practice operates on informal rules that have never been documented. Without written policies, there is nothing to train against, nothing to audit against, and nothing to show a regulator.
  • No Business Associate Agreements - vendors that handle PHI (EHR platforms, IT support, billing services, cloud storage) are operating without signed BAAs. This is a standalone violation under the Security Rule.
  • No training documentation - staff may have received verbal instructions at some point, but there are no records showing who was trained, when, and on what topics.
  • No encryption on portable devices - laptops, tablets, and phones that access or store patient data are unencrypted, which means a lost device becomes a reportable breach.
  • No incident response plan - if a breach happens tomorrow, nobody knows who to call, what to document, or how to notify affected patients within the 60-day window.

These are not edge cases. They are the standard starting position for a small practice that has been focused on patient care rather than regulatory compliance. The risk assessment makes them visible so they can be addressed in order of severity. For a broader look at what these gaps mean in enforcement terms, see our guide on what small clinics risk without a risk assessment or HIPAA policies.

The Remediation Lifecycle

Finding gaps is the easy part. What separates a functional compliance program from a binder collecting dust is what happens next. The remediation lifecycle has five stages, and each one requires action, not just awareness.

Step 1: Prioritize by level of risk. Each gap gets ranked by two factors - how likely the threat is and how much damage it would cause. A clinic with no encryption on laptops that leave the building faces a high-likelihood, high-impact risk. A missing policy document that covers an area your practice does not engage in is low on both scales. Critical items that create direct PHI exposure get fixed first. This is hazard identification applied to your specific environment, not a generic checklist.

Step 2: Assign owners and deadlines. Every gap needs a person responsible for closing it and a target date. In a small clinic, one person often owns most items - typically the office manager or practice administrator. That is fine. What matters is that the assignment exists and someone is accountable. A remediation plan without ownership is a wish list.

Step 3: Implement controls. This is where the actual work happens. Written policies get drafted and distributed. Staff complete HIPAA training with documented completion records. BAAs get signed with every vendor that touches PHI. Technical fixes - encryption, access controls, audit logging - get configured. Each type of risk gets a corresponding control measure.

Step 4: Document everything. Auditors want to trace a line from the finding to the fix. Save the dated SRA report, the prioritized remediation plan, updated policies, training records, and signed BAAs. Documentation is proof that the program is real and not just a one-time exercise. The Department of Health and Human Services expects evidence of ongoing safety management, not just a snapshot.

Step 5: Re-assess annually. The Security Rule requires periodic review. Your practice changes - new vendors, new staff, new technology, new state law requirements. The risk assessment is not a one-time event. It is an annual process that keeps the program current and catches new gaps before they become incidents.

Typical Timeline for a Small Clinic

With guided support, most small practices move from no risk assessment to a documented compliance program in four to six weeks:

  • Week 1-2: Assessment - inventory ePHI, evaluate current controls, identify gaps, produce the SRA report.
  • Week 3-4: Remediation planning - prioritize findings, assign owners, draft missing policies, initiate BAA collection.
  • Week 5-6: Implementation - distribute policies, complete initial workforce training, deploy technical fixes, document the care service workflow for handling PHI.

After that, the program shifts to maintenance mode - annual reassessment, periodic training refreshers, vendor reviews, and incident response drills.

FAQs

Can a small clinic do a security risk assessment without outside help?

Yes. HHS provides a free Security Risk Assessment Tool designed for small practices. The challenge is not the tool itself - it is knowing how to interpret findings, assign accurate risk levels, and build a remediation plan that actually gets executed. Many small practices benefit from an experienced consultant who can identify blind spots and keep the process on track, but the requirement can technically be met internally if someone on staff understands the Security Rule's administrative, physical, and technical safeguard requirements.

What if we cannot fix every gap right away?

You do not have to. The Security Rule does not require perfection on day one. What it requires is a documented plan with prioritized findings, assigned owners, and realistic deadlines. OCR looks for evidence of good-faith effort and forward progress. A practice that has identified its gaps, prioritized them by risk level, and is actively working through remediation is in a fundamentally different position than one that has never assessed at all. Document the timeline, track your progress, and keep moving.

How does One Guy Consulting help business associates with risk assessments?

Business associates have the same risk assessment obligation as covered entities under the HIPAA Omnibus Rule. One Guy Consulting works with IT companies, billing services, cloud platforms, and other BAs to scope their assessment appropriately - focusing on the specific ePHI they create, receive, maintain, or transmit. The process is the same (assess, prioritize, remediate, document, re-assess) but the environment and threat profile differ. For a deeper look at BA-specific requirements, see our HIPAA risk assessment guide for business associates.

How often does the security risk assessment need to be updated?

The regulation requires periodic reassessment but does not specify an exact frequency. Industry standard and OCR guidance both point to annual reassessment as a minimum. You should also reassess after significant changes - new EHR systems, office moves, major staffing changes, security incidents, or new vendor relationships. The goal is to ensure the assessment reflects your current environment, not a snapshot from two years ago.

Conclusion

One Guy Consulting helps small healthcare practices and business associates conduct HIPAA security risk assessments and build practical remediation plans that close compliance gaps. Book a free 30-minute intro to talk through your situation and figure out where to start.

This content is for educational and informational purposes only and should not be construed as legal advice.

Sources

Related Reading