HIPAA for Small Practices: What You Actually Have to Do

HIPAA applies to small medical, dental, and therapy practices the same way it applies to large ones — but there is no "HIPAA certification" to buy. Here is what the rules actually require, and where a documented program ends and your daily operation of it begins.

Who HIPAA actually applies to (and the certification myth)

HIPAA — the Health Insurance Portability and Accountability Act — sets federal rules for protecting individually identifiable health information, called protected health information or PHI. Two kinds of organizations are bound by it. Covered entities are health plans, healthcare clearinghouses, and health care providers who transmit health information electronically in connection with certain standard transactions — which, in practice, sweeps in almost every billing medical, dental, and behavioral-health practice, no matter how small. Business associates are the vendors that create, receive, maintain, or transmit PHI on a covered entity's behalf: your billing company, your cloud-based EHR or practice-management software, an IT provider with access to systems that hold PHI, a shredding service, an answering service. If you are a solo dentist, a two-person therapy practice, or a small clinic, there is no headcount or revenue floor that exempts you. The rules apply.

Before anything else, clear up the single biggest misconception: there is no such thing as official "HIPAA certification." HIPAA is enforced by the U.S. Department of Health and Human Services, Office for Civil Rights (HHS OCR), and compliance is self-attested — you are responsible for meeting the requirements, and OCR investigates complaints and breaches rather than issuing certificates. No government body, and no private company, can make your practice "HIPAA certified" or sell you a seal that proves compliance. A vendor advertising a "HIPAA certified" badge as evidence that you are covered is a red flag. Training, software, and policy documents can all genuinely help you build and run a compliant program; none of them confers a certification that does not exist.

This article is general information, not legal, compliance, or audit advice, and it does not create any professional relationship. HIPAA's requirements are detailed and fact-specific, so confirm the current rules for your situation at hhs.gov and, where it matters, with a qualified professional.

The Security Rule: administrative, physical, and technical safeguards

The HIPAA Security Rule governs electronic PHI (ePHI) — anything from your EHR and email to imaging files and backups. It organizes its requirements into three families of safeguards, and a small practice has to address all three.

Administrative safeguards are the policies, assignments, and people-side controls that run the program: designating a security official who is responsible for it, managing who gets access to ePHI and removing it when staff leave, training your workforce, and having procedures for security incidents and contingencies (data backup and a disaster-recovery plan). These are the backbone, and they are where most documentation lives.

Physical safeguards protect the places and devices where ePHI lives: facility access controls, workstation use and security (positioning screens away from the waiting room, locking sessions), and device and media controls covering how laptops, phones, drives, and backups are handled, reused, and disposed of.

Technical safeguards are the technology controls: unique user IDs and access controls so each person sees only what they should, audit controls that log activity in systems containing ePHI, integrity controls, and transmission security. Under the current Security Rule, encryption is an "addressable" implementation specification rather than a flat mandate in every case — meaning you must implement it where reasonable and appropriate, or document why an equivalent alternative is justified. In practice, encrypting laptops, portable media, and PHI in transit is the expected default, and unencrypted PHI is a frequent factor in costly breaches. Note that HHS periodically updates the Security Rule, and the treatment of encryption and other specifications can change, so confirm the current requirements at hhs.gov. Importantly, the Rule is deliberately flexible and scalable: a small practice is expected to implement safeguards reasonable and appropriate for its size and resources, not the controls of a hospital network.

The required risk analysis (45 CFR 164.308(a)(1))

If there is one Security Rule obligation to understand above the rest, it is the risk analysis. Under 45 CFR 164.308(a)(1) — the security management process standard — covered entities and business associates must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI they hold, and then implement security measures sufficient to reduce those risks to a reasonable and appropriate level.

This is not a one-time checkbox or a generic form. A real risk analysis inventories where ePHI is created, received, stored, and transmitted across your practice — your EHR, email, phones, laptops, the front-desk computer, your imaging system, every cloud service and every backup — and then identifies the reasonably foreseeable threats and vulnerabilities to each, rates the likelihood and impact, and drives a plan to address the gaps. It is meant to be repeated and updated when your environment changes (new software, a new location, a move to telehealth).

The risk analysis matters enormously in practice for two reasons. First, it is one of the most commonly cited deficiencies in OCR enforcement — practices are frequently penalized not for a breach alone, but for never having done a proper risk analysis in the first place. Second, it is the step a template cannot do for you. A toolkit can give you a structured risk-assessment workbook and the policies that flow from it, but you and your team have to actually examine your own systems and make the judgment calls. The documentation organizes the work; the work itself is yours.

The Privacy Rule: minimum necessary, the NPP, and patient rights

While the Security Rule covers electronic data, the Privacy Rule governs PHI in any form — paper, electronic, or spoken — and sets the rules for how it may be used and disclosed. A few basics anchor day-to-day compliance for a small practice.

Minimum necessary is the core principle: when you use, disclose, or request PHI, limit it to the minimum reasonably needed for the purpose. Front-desk staff do not need full clinical histories to schedule; a referral should include what the recipient needs, not the entire chart. (Treatment between providers and certain other disclosures are exceptions, but the habit of restraint is the rule.)

The Notice of Privacy Practices (NPP) is the plain-language document telling patients how you use and disclose their PHI and what their rights are. You must provide it, post it, and make a good-faith effort to obtain written acknowledgment that patients received it.

Patient rights are concrete obligations, not slogans. Individuals generally have the right to access and obtain a copy of their records, to request amendments to inaccurate information, to receive an accounting of certain disclosures, to request restrictions and confidential communications, and to file a complaint. The right of access in particular has been a repeated OCR enforcement focus — practices that fail to provide records in a timely manner and at a reasonable cost have faced penalties. Building simple, written procedures for handling these requests keeps you on the right side of the rule.

Business Associate Agreements, workforce training, and breach notification

Three more obligations round out what a small practice has to operate.

Business Associate Agreements (BAAs). Before a vendor that will handle PHI on your behalf starts work, you need a signed BAA — a contract in which the business associate agrees to safeguard PHI and use it only as permitted. This applies to your EHR vendor, billing service, cloud storage, IT support with PHI access, and similar partners. Two practical traps: assuming a vendor is automatically covered without a signed agreement, and using a consumer-grade service (a personal email or file-sharing account) that will not sign a BAA at all. If a vendor touches PHI, get the BAA in writing first.

Workforce training. Every member of your workforce who handles PHI must receive security awareness and HIPAA training appropriate to their role, and you should keep a record that it happened. For a small practice this can be lightweight, but it has to be real and repeated — at onboarding and periodically thereafter — and reinforced against everyday threats like phishing, which is a leading cause of healthcare breaches.

Breach notification. The HIPAA Breach Notification Rule requires that, following a breach of unsecured PHI, you notify affected individuals without unreasonable delay and generally no later than 60 calendar days after discovery. Notification to HHS follows two separate tracks: a breach affecting 500 or more individuals must be reported to HHS without unreasonable delay (and within that same 60-day window), while breaches affecting fewer than 500 individuals are logged and reported to HHS annually, within 60 days after the end of the calendar year. Media notification is a distinct trigger: a breach affecting more than 500 residents of a single state or jurisdiction also requires notifying prominent media serving that area. The exact thresholds, timing, and what counts as a reportable breach are detailed, so confirm the current specifics at hhs.gov before you rely on them. The practical move is to have a written incident-response and breach-notification procedure ready before you need it — discovering you have no plan during an actual incident is the worst time to learn the rules.
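The notification tracks described above (and restated in the FAQ below), worked through as a small Python helper. This is an added example, not code from the article or its publisher; it assumes the event has already been determined to be a reportable breach of unsecured PHI, that you know the affected count per state or jurisdiction, and that the 60-day windows and 500-person thresholds are exactly as the article states them.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# The article's deadlines: individuals and large breaches are notified within
# 60 calendar days of discovery; small breaches go in the annual HHS log, due
# 60 days after the end of the calendar year in which they were discovered.
NOTICE_WINDOW = timedelta(days=60)
HHS_IMMEDIATE_THRESHOLD = 500   # "500 or more individuals" -> immediate HHS notice
MEDIA_THRESHOLD = 500           # "more than 500 residents" of one state -> media notice


@dataclass
class BreachNotices:
    individuals_by: date        # deadline for notifying affected individuals
    hhs_by: date                # deadline for notifying HHS
    hhs_track: str              # "immediate" or "annual"
    media_states: list[str] = field(default_factory=list)  # states whose media get notice


def breach_notices(discovered: date, affected_by_state: dict[str, int]) -> BreachNotices:
    """Work out the three notification tracks for one reportable breach.

    `affected_by_state` maps a state/jurisdiction code to the number of its
    residents affected (constructed input; assumes the breach has already been
    determined to be a reportable breach of unsecured PHI).
    """
    total = sum(affected_by_state.values())
    individuals_by = discovered + NOTICE_WINDOW

    if total >= HHS_IMMEDIATE_THRESHOLD:
        hhs_by, track = individuals_by, "immediate"
    else:
        # Annual log: due 60 days after Dec 31 of the discovery year
        # (Mar 1, or Feb 29 when the following year is a leap year).
        hhs_by, track = date(discovered.year, 12, 31) + NOTICE_WINDOW, "annual"

    # Media notice is per state and uses "more than 500", so a state with
    # exactly 500 residents affected does not trigger it, and a 1,000-person
    # breach spread thinly across many states may trigger none at all.
    media = sorted(s for s, n in affected_by_state.items() if n > MEDIA_THRESHOLD)
    return BreachNotices(individuals_by, hhs_by, track, media)


if __name__ == "__main__":
    # Constructed scenario: 480 Ohio patients, discovered 15 Nov 2024.
    small = breach_notices(date(2024, 11, 15), {"OH": 480})
    print(small)   # individuals by 2025-01-14; HHS annual by 2025-03-01; no media
    # Constructed scenario: 700 in CA and 500 in NV, discovered 1 Mar 2024.
    large = breach_notices(date(2024, 3, 1), {"CA": 700, "NV": 500})
    print(large)   # individuals and HHS by 2024-04-30; media only in CA
```

The dates it returns are the latest permitted under the article's reading of the rule; "without unreasonable delay" means your own procedure should aim well inside them.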

What a toolkit does — and what only you can do

Here is the honest division of labor, because it is easy for a busy practice to over-buy or under-do. A documentation toolkit — policies, procedures, a risk-assessment workbook, training materials, a BAA template, an incident runbook — gives you the written program HIPAA expects you to have, structured to the Security and Privacy Rules and ready for you to tailor to how your office actually works. Starting from a complete, practice-specific set turns weeks of drafting into hours of editing, and it makes sure you are not missing a required policy.

What a toolkit cannot do is make you compliant on its own. Compliance is the program operating, not the binder existing. You still have to designate your security official, run your own risk analysis against your real systems, implement the safeguards the analysis calls for, sign BAAs with your vendors, train your people, and follow your incident procedure if something goes wrong. There is no certificate at the end and no shortcut around the operating part — OCR's enforcement consistently looks at whether the program was real, especially whether a genuine risk analysis was done.

Think of it this way: documentation is the fastest part to get right and the part that stalls practices longest when they start from a blank page; the daily operation is the part only your team can own. Get the documentation done quickly so you can spend your limited time on the work that actually protects your patients' information. And because HIPAA's requirements are detailed and updated over time, confirm the current rules at hhs.gov and consult a qualified professional for your specific situation — this article is general information, not legal advice.

Frequently asked questions

Is there such a thing as HIPAA certification?
No. HIPAA has no official certification and no government-issued certificate. Compliance is self-attested and enforced by HHS OCR, which investigates complaints and breaches rather than certifying organizations. No agency or private company can make your practice "HIPAA certified," and a vendor selling a "HIPAA certified" seal as proof of compliance is a red flag. Training and tools can genuinely help you build and run a compliant program, but they do not confer a certification that does not exist.
Does HIPAA apply to a small or solo practice?
Yes. There is no headcount or revenue exemption. If you are a health care provider who transmits health information electronically for standard transactions — which covers almost every billing medical, dental, or behavioral-health practice — you are a covered entity bound by HIPAA. The Security Rule is scalable, so a small practice is expected to implement safeguards that are reasonable and appropriate for its size and resources, not the controls of a large hospital, but the obligations themselves still apply.
What is the HIPAA risk analysis, and do I really have to do one?
Yes — it is required by the Security Rule at 45 CFR 164.308(a)(1). A risk analysis is an accurate, thorough assessment of the risks and vulnerabilities to the electronic PHI your practice holds: where it lives, the threats to it, and how you will reduce those risks to a reasonable level. It must be repeated and updated as your environment changes. Failing to conduct a proper risk analysis is one of the most commonly cited problems in OCR enforcement. A toolkit can give you a structured workbook, but you and your team have to assess your own systems — that part cannot be outsourced to a template.
How fast do I have to report a HIPAA breach?
Under the Breach Notification Rule, you must notify affected individuals without unreasonable delay and generally no later than 60 calendar days after discovering a breach of unsecured PHI. For notice to HHS, a breach affecting 500 or more individuals must be reported without unreasonable delay (within that same 60-day window), while breaches affecting fewer than 500 individuals are reported to HHS annually, within 60 days after the end of the calendar year. Separately, a breach affecting more than 500 residents of a single state or jurisdiction also requires notifying prominent media serving that area. The exact thresholds and timing are detailed, so confirm the current specifics at hhs.gov, and have a written breach-notification procedure ready before an incident happens.
Will buying a HIPAA toolkit make my practice compliant?
No. A toolkit gives you the documented program HIPAA expects — policies, procedures, a risk-assessment workbook, a BAA template, training materials, and an incident runbook — and it removes the slowest part, drafting from scratch. But compliance is the program operating, not the documents existing. You still have to designate your security official, run your own risk analysis, implement the safeguards, sign BAAs with vendors, train staff, and follow your incident plan. There is no certificate at the end, and OCR enforces based on whether the program is genuinely in place.


Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.