HIPAA Compliance Checklist for Small Practices
Small practices face the same HIPAA obligations as large hospital systems — but typically with fewer compliance resources. The good news: HIPAA compliance is achievable for small organizations that focus on the fundamentals. This checklist covers the key requirements that OCR auditors look for most.
Important: This checklist is a starting point, not a substitute for a formal HIPAA risk assessment or legal counsel. Use it to identify gaps and prioritize action.
1. Business Associate Agreements
BAA Checklist
- ☐ Identify all vendors with access to PHI (EHR, billing, cloud storage, IT support, etc.)
- ☐ Confirm a signed BAA exists for each business associate
- ☐ Verify BAAs contain all required provisions (see HIPAA BAA requirements)
- ☐ Store all BAAs in a central, accessible location
- ☐ Review and renew BAAs when HIPAA regulations change or vendor services change
- ☐ Add BAA execution to your vendor onboarding checklist so no new vendor is missed
2. Security Risk Assessment
The Security Risk Assessment (SRA) is one of the most frequently cited deficiencies in OCR audits. It is required under 45 CFR § 164.308(a)(1) — not optional. Small practices must conduct one, document it, and update it regularly.
- Conduct an initial SRA to identify where PHI is stored, received, maintained, and transmitted
- Assess threats and vulnerabilities to PHI (ransomware, employee error, lost devices, etc.)
- Document the assessment findings and remediation plan
- Repeat the SRA when there are significant changes to your environment (new software, new location, etc.)
- Use HHS's free SRA Tool at healthit.gov as a starting point
3. Policies and Procedures
HIPAA requires written policies covering how your practice handles PHI. These don't need to be lengthy — they need to be accurate and actually followed.
- Privacy Policy describing how PHI is used and disclosed
- Notice of Privacy Practices (NPP) provided to patients
- Access controls policy (who can access what systems)
- Workstation use and security policy
- Device and media controls policy (laptops, USB drives, mobile devices)
- Breach notification procedures — including internal reporting timelines
- Sanction policy for employees who violate HIPAA
4. Workforce Training
Every member of your workforce who accesses PHI — including front desk staff, billing personnel, and part-time employees — must receive HIPAA training. This is required under 45 CFR § 164.530(b).
- Provide initial HIPAA training to all new employees before they access PHI
- Conduct annual refresher training
- Document training dates and retain records for at least six years
- Update training when policies change or incidents occur
- Include phishing awareness — human error is the leading cause of healthcare breaches
5. Technical Safeguards
For practices using electronic PHI (ePHI), the Security Rule requires specific technical controls:
- Unique login credentials for each user — no shared passwords
- Automatic session timeouts on workstations and mobile devices
- Audit logs enabled to track access to ePHI
- Encryption for ePHI at rest and in transit (required for mobile devices and email containing PHI)
- Regular data backups with tested restoration procedures
- Firewall and antivirus software on all systems
6. Breach Response Preparedness
Breaches happen — even to compliant organizations. What matters is how quickly and correctly you respond. Under 45 CFR § 164.400–414, you must:
- Notify affected individuals within 60 days of discovering a breach
- Report breaches affecting 500+ individuals to HHS and local media simultaneously
- Log all breaches, including those affecting fewer than 500 individuals, in your breach log and submit that log to HHS annually
- Designate a breach response team and assign responsibility before an incident occurs
7. Physical Safeguards
- Restrict access to areas where PHI is stored or visible (exam rooms, file rooms, front desk screens)
- Use screen privacy filters on workstations visible to waiting areas
- Shred or cross-cut all paper containing PHI — use a BAA-covered shredding service
- Implement a clean desk policy for workstations with access to PHI
- Secure medical records storage (locked filing cabinets or access-controlled rooms)
BAAs are the most commonly missing compliance item in small practices. If you haven't addressed them yet, that's the place to start. Read our guide on what a Business Associate Agreement is, or find out which of your vendors requires one.