Compliance Guide

What HIPAA actually requires of a small medical practice

The core safeguards in plain English — what you genuinely need, where small practices usually fall short, and what to ignore.

Start here
HIPAA is about safeguards, not a single checkbox

HIPAA does not certify software or hand out a pass/fail badge. It requires “reasonable and appropriate” administrative, physical, and technical safeguards for protected health information (PHI). For a small practice, that translates into a manageable set of concrete steps — not a six-figure project.

The core obligations come from two rules: the Privacy Rule (who can access PHI and how it’s used) and the Security Rule (how electronic PHI is protected technically and operationally).

The essentials
What a small practice actually needs
  • A risk analysis. A documented assessment of where PHI lives and what could go wrong. This is the single most commonly missing item in audits.
  • Business Associate Agreements (BAAs). Signed with every vendor that touches PHI — your EHR, email provider, cloud backup, billing service, and IT provider. Microsoft and Google both sign BAAs on eligible plans.
  • Access controls. Unique logins per person, MFA, and least-privilege access — no shared ‘frontdesk’ accounts.
  • Encryption. Encrypted laptops/phones and encrypted email when PHI is sent externally.
  • Audit logging & backups. The ability to see who accessed records, plus tested backups you can actually restore.
  • Policies & training. Written policies and annual staff training, with records that it happened.

Common gaps
Where small practices usually fall short

In our experience the failures are rarely exotic. They are:

  • No documented risk analysis (or one done years ago and never updated)
  • Texting or emailing PHI without encryption
  • A missing BAA with the IT company or a backup vendor
  • Staff sharing a single login to the practice management system
  • No tested backup — backups ‘running’ but never restore-tested

The “HIPAA-compliant software” myth

No product can make you HIPAA compliant on its own. A vendor can be HIPAA-eligible and sign a BAA, but compliance is about how you configure and operate it. Be skeptical of any tool marketed as “instant HIPAA compliance.”

Common questions
FAQ
Do we need a HIPAA certification?
There is no official government HIPAA certification. Third-party assessments and attestations exist and can be useful for demonstrating diligence, but no certificate makes you ‘HIPAA certified’ in a legal sense. What matters is documented safeguards and a current risk analysis.

Is regular email HIPAA compliant?
Standard email is not, by itself. You need encryption for PHI sent outside your organization and a BAA with your email provider. Microsoft 365 and Google Workspace can both be configured for this on the right plans.

How much does HIPAA readiness cost a small practice?
Far less than most expect. The big costs are usually a proper risk analysis and closing technical gaps (MFA, encryption, backup). For most small practices it is a modest project plus ongoing maintenance — not a major capital expense.

What happens if we have a breach?
The Breach Notification Rule requires notifying affected individuals (and, above certain thresholds, HHS and the media) within set timeframes. Having a documented risk analysis, encryption, and an incident plan dramatically reduces both the likelihood and the penalty exposure.

Need to get your practice HIPAA-ready?

We run the risk analysis, close the technical gaps, and put the BAAs and policies in place — then keep you compliant year-round. A certified engineer owns the outcome.