What HIPAA Actually Requires of a Small Medical Practice
Most small medical practices either over-engineer HIPAA compliance — building elaborate binders and paying consultants $20,000 for a 5-provider office — or they under-engineer it and hope no one notices. The reality is somewhere in between, and the core requirements are significantly simpler than the consulting industry makes them sound.
This post covers what actually matters for a small practice, what the most common violations look like in the real world, and what HIPAA readiness concretely looks like for a practice with 2–10 providers.
The 3 things that matter most
The Security Risk Analysis (SRA) is the single most cited gap in HIPAA audits. It’s a documented assessment of where PHI lives in your environment, what the risks to that data are, and what you’re doing to mitigate them. It does not have to be a 200-page document. For a small practice, a clear, honest 10-15 page analysis covering your EHR, email, workstations, backups, and physical access is sufficient — but it must be written down, signed, and dated.
Every person who touches PHI should have their own individual login — no shared accounts. Your EHR should log who accessed which records and when. You should be able to answer “who looked at Patient X’s chart on Tuesday?” in under 5 minutes. This is a core HIPAA Technical Safeguard, and it’s also how you detect insider threats and unauthorized access early.
A Business Associate Agreement (BAA) is a contract that makes your vendors legally responsible for protecting PHI. Every vendor that handles, stores, or transmits PHI — your EHR, your email provider (if you use it for patient communication), your cloud backup provider, your IT support company — needs a signed BAA with you. Most major vendors (Microsoft, Google, AWS) offer BAAs at the Business tier or above. Fax services, transcription services, and billing companies are common gaps.
Common violations in small practices
These are the HIPAA gaps we see most frequently when reviewing small medical practices — not theoretical risks, but patterns that show up repeatedly:
- Using personal Gmail or Yahoo for patient communications — neither service signs a BAA at the consumer tier
- No MFA on EHR access — a stolen laptop credential is an open door to your entire patient record system
- Shared login credentials among clinical staff — “everyone uses the front desk password” makes audit logging meaningless
- No formal breach notification procedure — when something happens, you have 60 days to notify affected patients and HHS; without a plan, you’ll miss it
- Workstations without screen locks or automatic timeout — unattended workstations in exam areas are a physical safeguard violation
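To make the audit-log question from the first section concrete, and to show why shared credentials defeat it, here is an added Python example (not from this post, and not any EHR vendor's code) that answers "who accessed this chart on this day" over a constructed CSV-style audit export and flags accounts that show up on two different workstations within a few minutes. The log columns and sample values are assumptions.

```python
"""Query a small EHR audit export and flag likely shared accounts.
Added example; the log layout below is an assumed, constructed format."""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample export. Assumed columns: timestamp,user,workstation,action,patient_id
SAMPLE_LOG = """\
timestamp,user,workstation,action,patient_id
2024-03-12T08:02:11,dr.lee,EXAM1,view_chart,P1001
2024-03-12T08:05:43,frontdesk,FRONT1,view_chart,P1001
2024-03-12T08:06:02,frontdesk,EXAM2,view_chart,P2002
2024-03-12T09:15:00,nurse.kim,EXAM2,update_vitals,P1001
2024-03-13T10:00:00,dr.lee,EXAM1,view_chart,P1001
"""


def parse_log(text):
    """Parse the CSV export into dicts, adding a parsed datetime under 'ts'."""
    rows = csv.DictReader(StringIO(text))
    return [dict(row, ts=datetime.fromisoformat(row["timestamp"])) for row in rows]


def who_accessed(events, patient_id, day):
    """Answer 'who looked at patient X's chart on day Y' (day as YYYY-MM-DD).
    Returns sorted (timestamp, user, action) tuples."""
    return sorted(
        (e["ts"].isoformat(), e["user"], e["action"])
        for e in events
        if e["patient_id"] == patient_id and e["ts"].date().isoformat() == day
    )


def shared_account_candidates(events, window_seconds=300):
    """Flag accounts active on two different workstations within window_seconds.
    One person cannot be at the front desk and in an exam room 19 seconds
    apart, so this is a strong hint the login is shared and the trail is
    attributing activity to a password rather than a person."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((e["ts"], e["workstation"]))
    flagged = {}
    for user, hits in by_user.items():
        hits.sort()
        for (t1, w1), (t2, w2) in zip(hits, hits[1:]):
            if w1 != w2 and (t2 - t1).total_seconds() <= window_seconds:
                flagged.setdefault(user, set()).update({w1, w2})
    return {u: sorted(ws) for u, ws in flagged.items()}
```

Run `who_accessed(parse_log(SAMPLE_LOG), "P1001", "2024-03-12")` to get the Tuesday answer; `shared_account_candidates` on the same events points at the "frontdesk" login appearing on both FRONT1 and EXAM2.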
What HIPAA readiness looks like for a 5-provider practice
Forget the binder. Here’s what concrete readiness actually looks like:
Complete and document a Security Risk Analysis. Map where PHI lives — EHR, email, shared drives, physical records, backups. Assess risks. Document mitigations. Review annually and after any major change.
Enforce individual accounts and MFA on every system that touches PHI. No shared logins. Enable MFA on your EHR, email, and remote access. Confirm your EHR audit logging is turned on.
Inventory your vendors and collect signed BAAs. Go through every vendor that handles patient data. Get signed BAAs on file. This includes your IT company, cloud backup, secure messaging platform, and transcription service.
Write a breach notification procedure. It doesn’t need to be long. It needs to say who is responsible for detecting a breach, who decides whether to notify, and what the notification process is within the required timeframes.
Train staff annually. Document it. HIPAA requires workforce training. A 30-minute annual session covering phishing, proper data handling, and breach reporting — with attendance logged — satisfies this requirement.
What about the fines?
HIPAA fines range from $100 to $50,000 per violation, up to $1.9M per violation category per year. The scary headline numbers ($5M+ settlements) are for large health systems with willful neglect over years — not small practices with a single incident and a documented compliance program.
The Office for Civil Rights (OCR) has historically been more lenient with small practices that have made good-faith efforts to comply. The fine risk is real, but it’s proportional. A practice that has completed its SRA, trains staff, and signs BAAs is in a fundamentally different position than one that has done nothing. The single biggest risk factor in enforcement actions is documented evidence of willful neglect — ignoring known gaps.
Note: This is informational content only, not legal advice. HIPAA compliance involves legal obligations that vary by practice type, state, and specific circumstances. Consult a healthcare attorney for guidance specific to your situation.
Ready to get your practice HIPAA-ready?
We help small medical practices complete their Security Risk Analysis, configure compliant IT environments, and get BAAs in place — without the consultant markup.