No Risk Assessment, No HIPAA Policies: What Small Clinics Risk

Practical guidance for healthcare teams and business associates

In April 2024, OCR settled with Dental Management of Scottsdale for $25,000 after determining the small practice had never conducted a Security Risk Assessment. The practice had five locations but zero documentation proving they’d identified risks to patient data. The Department of Health and Human Services made the point clear: size does not exempt you from the Health Insurance Portability and Accountability Act.

If your small clinic has no risk assessment and no HIPAA policies in place, you are not “flying under the radar.” You are one patient complaint away from an investigation where you have nothing to show.

What a Small Healthcare Practice Actually Risks Without Compliance

The Security Rule applies to every covered entity that handles electronic Protected Health Information (ePHI), as defined under 45 CFR 160.103. That includes solo practitioners, small clinics, group practices, health plans, covered entities of all sizes, and any business associate that touches patient data on their behalf. The rule applies regardless of whether you have 3 employees or 3,000.

Here’s what “no compliance” actually looks like from an enforcement perspective:

No Security Risk Assessment means:

  • You cannot demonstrate the risk assessment process required under 45 CFR 164.308(a)(1)(ii)(A)
  • You have no documented hazard identification for your systems, workflows, or physical spaces
  • You have no basis for selecting control measures because you never identified what you’re controlling against
  • OCR’s first question in any investigation is “show us your SRA” - if the answer is “we don’t have one,” the investigation is already lost

No written HIPAA policies means:

  • No evidence of administrative safeguards (the largest section of the Security Rule)
  • No proof staff were trained on anything
  • No incident response plan for when a breach occurs
  • No documentation showing how you protect ePHI during day-to-day care service delivery

No Business Associate Agreements means:

  • Every vendor with access to patient data represents an unmanaged risk
  • Your EHR vendor, billing company, IT support, cloud storage, shredding service - all require a signed BAA
  • One Guy Consulting helps small healthcare practices and business associates close exactly these gaps

The Enforcement Math

OCR penalty tiers under the Insurance Portability and Accountability Act start at $141 per violation for unknowing violations and climb to $71,162 per violation for willful neglect. A small clinic with no policies, no SRA, and no BAA management isn’t facing one violation. Each missing safeguard, each untrained employee, each unsigned BAA is a separate violation category.

The level of risk compounds fast. A 4-provider behavioral health practice with 8 staff, 3 vendors, and no compliance program could face dozens of violation categories across administrative, physical, and technical safeguards.

Identifying the Gaps: Where Small Clinics Typically Start

Most small clinics that contact One Guy Consulting for business associate and compliance support share the same starting state:

  1. No SRA ever conducted - They know the requirement exists but never completed the risk assessment process
  2. Policies downloaded once, never implemented - A PDF sits in a folder that no employee has read
  3. Vendors operating without BAAs - The EHR company probably has one, but IT support, the answering service, and the billing company do not
  4. Training is informal - “We told everyone to be careful” does not meet the standard under 45 CFR 164.308(a)(5)
  5. No incident response - When something goes wrong, there’s no documented safety management plan for identifying, containing, or reporting it

This isn’t negligence by intent. It’s what happens when a small clinic - whether a 2-provider dental office, a chiropractic practice, or a behavioral health group - lacks the internal bandwidth to build a compliance program from scratch. The type of risk isn’t technical. It’s organizational.

What “Getting Compliant” Actually Involves

The risk assessment process is the foundation. Everything else builds from it. A proper SRA identifies:

  • Where ePHI lives in your environment (systems, devices, paper)
  • What threats exist (external attacks, internal errors, physical theft)
  • Identifying hazards and vulnerabilities each threat could exploit
  • What control measures are already in place vs. missing
  • The level of risk for each identified gap

From there, written policies document how your practice handles each requirement. Training ensures staff understand their responsibilities. BAA management ensures every vendor relationship is covered. Ongoing monitoring ensures nothing drifts.

If you have not done a HIPAA risk assessment yet, start there first, document the gaps you find, and then write the policies and procedures needed to fix them. HHS says the Security Rule requires a risk analysis and written policies and procedures, with documentation maintained over time.

For a small clinic, this process typically takes 4-6 weeks with guided support. It is not a multi-year enterprise project.

FAQs

Does state law require anything beyond federal HIPAA?

Yes. Many states have breach notification laws, patient privacy statutes, and health and safety requirements that exceed HIPAA minimums. Texas, California, and New York impose additional penalties for healthcare data exposure. Your compliance program should address both federal and applicable state requirements.

Can a small clinic handle HIPAA compliance without outside help?

Technically yes, but most small practices lack the bandwidth. The Department of Health and Human Services provides guidance, but translating regulations into operational policies, training materials, and documentation requires subject matter expertise that most 3-10 person offices don’t have in-house.

What’s the difference between a risk assessment and a gap analysis?

A Security Risk Assessment identifies threats and vulnerabilities to ePHI and assigns risk levels. A gap analysis compares your current safeguards against HIPAA requirements and identifies what’s missing. Both are necessary. The SRA is federally mandated; the gap analysis shows you what to fix first.

How often does the risk assessment need to be updated?

The Security Rule requires ongoing risk management, and OCR expects the SRA to be reviewed and updated at minimum annually - or whenever significant changes occur (new systems, new locations, workforce changes, security incidents).

Conclusion

A small clinic operating with no risk assessment and no HIPAA policies has no defensible position in an investigation. The fix is straightforward: conduct the SRA, implement policies, train staff, manage BAAs, and document everything. The organizations that get fined are not the ones who tried and made mistakes. They’re the ones who never started.

One Guy Consulting offers affordable HIPAA compliance packages for practices of all sizes. Learn more

Sources

  1. HHS OCR Enforcement Highlights
  2. 45 CFR 160.103 - Definitions
  3. Security Rule Guidance on Risk Analysis
  4. 45 CFR 164.308 - Administrative Safeguards
  5. OCR HIPAA Penalty Structure