What Small Practices Need to Know
These are the five compliance areas that generate the most confusion for practices with 1 to 20 employees. Each topic links to a detailed answer below.
Security Risk Assessment
Is an SRA required for my practice? What does it involve? How often must it be updated?
HIPAA Policies
Which policies are required? Do I need all 100+? What if I already have some?
Staff Training
How often is training required? What topics must be covered? What about new hires?
Breach Notification
What counts as a breach? Who do I notify? What are the timelines and penalties?
BAA & Vendor Management
Which vendors need a BAA? What if a vendor refuses? How do I track them all?
Your HIPAA Compliance Questions, Answered
Security Risk Assessment
Yes, with no exceptions. The HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)(A)) requires every covered entity and business associate to conduct a Security Risk Assessment, regardless of size. There is no small-practice exemption.
The HHS Office for Civil Rights has stated that failure to perform an SRA is the most common HIPAA violation found during audits and breach investigations. A 5-person medical practice has the same legal obligation as a 500-bed hospital.
One Guy Consulting helps small practices complete their SRA with a structured, guided process that identifies where electronic Protected Health Information (ePHI) is stored, transmitted, and accessed. Learn about our Security Risk Assessment process.
HHS requires the SRA to be reviewed and updated at least annually or whenever there are significant changes to your environment, such as a new EHR system, a new office location, or a change in how you store or transmit ePHI.
Annual updates are included in both the Self-Guided ($675/year) and Full-Scope ($1,300/year) plans from One Guy Consulting. See full pricing details.
HIPAA Policies
At minimum, small practices need policies covering the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. The essential policies include:
- Privacy Policy (Notice of Privacy Practices)
- Security Management Process policy
- Access Control and Authorization policy
- Workforce Training policy
- Device and Media Controls policy
- Incident Response and Breach Notification policy
- Business Associate Agreement policy
- Facility Access Controls policy
- Contingency and Disaster Recovery policy
- Sanctions Policy
One Guy Consulting provides a library of over 100 customizable HIPAA policy templates written for small practices, not enterprise-scale hospitals.
Not necessarily. The number of policies you need depends on the complexity of your practice. A solo provider may need 15 to 20 core policies. A 10-person multi-location practice may need 30 to 40. Our library of 100+ templates covers every HIPAA requirement, but we help you select and customize only the ones that apply to your specific environment.
The HIPAA Gap Analysis identifies exactly which policies you are missing so you are not guessing or over-building.
Staff Training
HIPAA requires workforce training upon hiring and periodically thereafter. HHS interprets this as at least annual training for all workforce members who handle Protected Health Information.
New employees must be trained before they access PHI. Training should cover the Privacy Rule, Security Rule, Breach Notification procedures, phishing awareness, and your organization's specific policies.
One Guy Consulting delivers role-based training modules that take under 60 minutes per session, with completion tracking and attestation certificates. View our training program.
Effective HIPAA training covers:
- Privacy Rule basics: what PHI is, minimum necessary standard, patient rights
- Security Rule basics: password policies, workstation security, mobile device handling
- Breach Notification: how to recognize and report a potential breach internally
- Phishing and social engineering: recognizing suspicious emails, phone calls, and links
- Your practice-specific policies: where PHI is stored, who has access, disposal procedures
Training should be documented with sign-off attestations proving each employee completed it.
Breach Notification
Under the HIPAA Breach Notification Rule, if a breach of unsecured PHI occurs, you must:
- Notify affected individuals within 60 days of discovery
- Notify the HHS Secretary via the OCR Breach Portal
- Notify prominent local media if the breach affects 500 or more individuals
For breaches affecting fewer than 500 people, you can submit an annual log to HHS. You must also document your risk assessment of the breach, the individuals affected, what PHI was involved, and your mitigation steps.
One Guy Consulting provides an incident response plan template and guides small practices through the breach assessment and notification process.
HIPAA penalties are tiered based on the level of negligence:
- Tier 1 (Unknowing): $141 to $35,581 per violation
- Tier 2 (Reasonable cause): $1,424 to $71,162 per violation
- Tier 3 (Willful neglect, corrected): $14,232 to $71,162 per violation
- Tier 4 (Willful neglect, not corrected): $71,162 to $2,134,831 per violation
The annual cap per violation category is $2,134,831. Most small practice investigations result from a reported breach or patient complaint. The best defense is a documented compliance program.
BAA & Vendor Management
You need a BAA with every vendor, contractor, or service provider that creates, receives, maintains, or transmits Protected Health Information on your behalf. Common examples include:
- EHR and practice management vendors
- Medical billing companies
- IT support and managed service providers
- Cloud storage services (Google Workspace, Microsoft 365, Dropbox)
- Email providers used for PHI
- Shredding and document destruction companies
- Answering services
- Telehealth platforms
Failure to execute BAAs is one of the most commonly cited HIPAA violations. One Guy Consulting helps small practices inventory their vendors, determine which require BAAs, and manage the entire BAA execution process.
If a vendor handles PHI and refuses to sign a BAA, you cannot use that vendor for PHI-related services. HIPAA is clear: no BAA means no PHI access. You have three options:
- Escalate the request — sometimes the initial contact does not know the company offers BAAs. Ask for their compliance or legal team.
- Find an alternative vendor — many competitors in every category offer BAAs as standard.
- Restructure the workflow — if the vendor does not need to touch PHI, remove PHI from the data they handle.
Our vendor management service helps you evaluate vendor BAA readiness before you commit.
Cost & Getting Started
One Guy Consulting offers flat-rate annual pricing for small practices:
- Self-Guided Plan — $675 per year: Compliance toolkit, policy templates, training modules, risk assessment tools, and vendor management features.
- Full-Scope Plan — $1,300 per year: Everything in Self-Guided plus one-on-one consulting with a Certified HIPAA Professional, including a guided SRA, gap analysis, policy customization, staff training facilitation, and ongoing compliance support.
There are no per-user fees, no setup fees, and no hidden charges. Pricing is based on practice scope, not headcount. See the full pricing breakdown.
Technically yes, but practically it is difficult. HIPAA compliance requires understanding the Privacy Rule, Security Rule, and Breach Notification Rule, then applying them to your specific environment. Many small practices lack the time and HIPAA expertise to do this effectively.
Our Self-Guided plan at $675 per year gives you all the tools, templates, and structure to handle it yourself. The Full-Scope plan at $1,300 per year provides hands-on consulting if you prefer expert-led implementation. Compare both plans.
With the Full-Scope consulting plan, most small practices (1 to 20 employees) reach compliant status within 60 to 90 days. This includes completing the SRA, gap analysis, policy adoption, initial staff training, and vendor BAA review.
The Self-Guided plan typically takes 3 to 6 months depending on how much time your team dedicates each week. Either way, we provide a compliance tracker so you always know exactly where you stand.
If the HHS Office for Civil Rights (OCR) investigates your practice and finds HIPAA violations, penalties range from $141 per violation up to $2,134,831 per violation category per year for willful neglect.
The best defense is a documented compliance program showing your Security Risk Assessment, policies, training records, and BAA inventory. One Guy Consulting has supported thousands of healthcare organization users over 10 years with zero clients fined and zero failed audits.
Still Have Questions About HIPAA Compliance?
Book a free 30-minute intro call. We will review your practice, answer your specific HIPAA questions, and explain exactly what compliance looks like for your situation.