Are small medical practices required to comply with HIPAA?

Yes. HIPAA applies to all covered entities — including solo physician practices, small dental offices, and single-provider therapy practices — regardless of size. Small practices that transmit health information electronically (for billing, referrals, or records) are covered entities and must comply with the Privacy Rule, Security Rule, and Breach Notification Rule.

How often should a small practice renew its BAAs?

HIPAA does not require BAA renewal on a fixed schedule — a BAA remains in effect until it is terminated or materially altered. However, best practice is to review BAAs annually and whenever a vendor's services change significantly. You should also execute a new BAA if you switch vendors or if the scope of PHI access changes.

What HIPAA training is required for small practice staff?

Under 45 CFR § 164.530(b), every workforce member with PHI access must receive HIPAA training. Small practices must provide initial training to all new staff before they access PHI, conduct annual refresher training, and update training when policies change. Training records must be retained for at least six years.

What should a small practice do if it discovers a data breach?

Under 45 CFR § 164.400–414, a covered entity must notify affected individuals within 60 days of discovering a breach. If the breach affects 500 or more individuals in a state or jurisdiction, the practice must also notify prominent local media outlets and HHS simultaneously. All breaches, regardless of size, must be logged and reported to HHS annually.

Checklist

HIPAA Compliance Checklist for Small Practices

By BAA Generator Research Team · Published Apr 4, 2026 · Last reviewed Apr 17, 2026 · 4 min read

Need a BAA right now?

Generate my BAA → See pricing →

Family resources. ComplyCreate publishes a broader HIPAA compliance checklist covering NPP and BAA together. Need an NPP for your practice? Generate one at NPP Generator.

Key Takeaways

✓ BAAs with every vendor that touches PHI — most commonly missed item in OCR audits
✓ A Security Risk Assessment (SRA) is required annually under 45 CFR § 164.308(a)(1)
✓ All staff with PHI access must receive HIPAA training — initial and annual refreshers
✓ Breach notification required within 60 days; 500+ individual breaches require media notice
✓ HIPAA applies equally to solo practices, small groups, and large health systems

Quick answer: A small-practice HIPAA compliance checklist covers six essentials: signed Business Associate Agreements with every vendor that touches PHI, a documented Security Risk Assessment under 45 CFR § 164.308(a)(1), workforce HIPAA training, technical safeguards (encryption, access controls, audit logs), physical safeguards (facility access, workstation policy), and a breach-response plan. OCR audits cite missing BAAs and missing SRAs more than any other failure.

Small practices face the same HIPAA obligations as large hospital systems — but typically with fewer compliance resources. The good news: HIPAA compliance is achievable for small organizations that focus on the fundamentals. This checklist covers the key requirements that OCR auditors look for most.

Important: This checklist is a starting point, not a substitute for a formal HIPAA risk assessment or legal counsel. Use it to identify gaps and prioritize action.

1. Business Associate Agreements

BAA Checklist

☐ Identify all vendors with access to PHI (EHR, billing, cloud storage, IT support, etc.)
☐ Confirm a signed BAA exists for each business associate
☐ Verify BAAs contain all required provisions (see HIPAA BAA requirements)
☐ Store all BAAs in a central, accessible location
☐ Review and renew BAAs when HIPAA regulations change or vendor services change
☐ Add BAA execution to your vendor onboarding checklist so no new vendor is missed

2. Security Risk Assessment

The Security Risk Assessment (SRA) is one of the most frequently cited deficiencies in OCR audits. It is required under 45 CFR § 164.308(a)(1) — not optional. Small practices must conduct one, document it, and update it regularly.

Conduct an initial SRA to identify where PHI is stored, received, maintained, and transmitted
Assess threats and vulnerabilities to PHI (ransomware, employee error, lost devices, etc.)
Document the assessment findings and remediation plan
Repeat the SRA when there are significant changes to your environment (new software, new location, etc.)
Use HHS's free SRA Tool at healthit.gov as a starting point

3. Policies and Procedures

HIPAA requires written policies covering how your practice handles PHI. These don't need to be lengthy — they need to be accurate and actually followed.

Privacy Policy describing how PHI is used and disclosed
Notice of Privacy Practices (NPP) provided to patients
Access controls policy (who can access what systems)
Workstation use and security policy
Device and media controls policy (laptops, USB drives, mobile devices)
Breach notification procedures — including internal reporting timelines
Sanction policy for employees who violate HIPAA

4. Workforce Training

Every member of your workforce who accesses PHI — including front desk staff, billing personnel, and part-time employees — must receive HIPAA training. This is required under 45 CFR § 164.530(b).

Provide initial HIPAA training to all new employees before they access PHI
Conduct annual refresher training
Document training dates and retain records for at least six years
Update training when policies change or incidents occur
Include phishing awareness — human error is the leading cause of healthcare breaches

5. Technical Safeguards

For practices using electronic PHI (ePHI), the Security Rule requires specific technical controls:

Unique login credentials for each user — no shared passwords
Automatic session timeouts on workstations and mobile devices
Audit logs enabled to track access to ePHI
Encryption for ePHI at rest and in transit (required for mobile devices and email containing PHI)
Regular data backups with tested restoration procedures
Firewall and antivirus software on all systems

6. Breach Response Preparedness

Breaches happen — even to compliant organizations. What matters is how quickly and correctly you respond. Under 45 CFR § 164.400–414, you must:

Notify affected individuals within 60 days of discovering a breach
Report breaches affecting 500+ individuals to HHS and local media simultaneously
Log all breaches (including small ones) in your breach log annually submitted to HHS
Designate a breach response team and assign responsibility before an incident occurs

7. Physical Safeguards

Restrict access to areas where PHI is stored or visible (exam rooms, file rooms, front desk screens)
Use screen privacy filters on workstations visible to waiting areas
Shred or cross-cut all paper containing PHI — use a BAA-covered shredding service
Implement a clean desk policy for workstations with access to PHI
Secure medical records storage (locked filing cabinets or access-controlled rooms)

BAAs are the most commonly missing compliance item in small practices. If you haven't addressed them yet, that's the place to start. Read our guide on what a Business Associate Agreement is, or find out which of your vendors requires one. We also have practice-specific guides for mental health practices, dental offices, and physical therapy clinics.

Generate a compliant BAA in 5 minutes

HHS model BAA provisions · 45 CFR § 164.504(e) compliant · clean PDF + editable Word