
HIPAA Compliance Checklist for Small Healthcare Practices


Nadia Patel

March 1, 2026 · 7 min read

Why HIPAA Compliance Matters for Small Practices

If you run a small healthcare practice—whether it’s a dental office, a physical therapy clinic, or a two-physician family practice—you’re held to the same HIPAA standards as a hospital system with thousands of employees. The Office for Civil Rights (OCR) doesn’t grade on a curve based on your size.

That’s not meant to scare you. It’s meant to focus you. Small practices actually have an advantage: fewer systems, fewer people, and fewer moving parts. That makes compliance more achievable—if you know what to do.

This checklist breaks HIPAA down into the three safeguard categories (administrative, physical, and technical), plus the often-overlooked areas like Business Associate Agreements and breach notification. Use it as a working document to identify gaps and take action.

Administrative Safeguards

Administrative safeguards are the policies, procedures, and people-management practices that govern how your organization handles protected health information (PHI). They form the backbone of your compliance program.

1. Conduct a Risk Assessment

This is the single most important step—and the one most small practices skip. A risk assessment identifies where PHI lives in your organization, what threats exist, and how likely those threats are to cause harm.

OCR has fined practices specifically for failing to conduct a risk assessment. It’s not optional. You need to document it, review it annually, and update it when your environment changes (new EHR system, new office location, new vendors).

Your risk assessment should cover:

  • Every system that stores, processes, or transmits PHI
  • Threats to each system (malware, theft, unauthorized access, natural disaster)
  • Current safeguards in place
  • Likelihood and impact ratings for each risk
  • A remediation plan with owners and deadlines
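The bullet list above is what a risk register holds: each PHI-handling system paired with a threat, a likelihood and impact rating, the safeguards already in place, and a remediation owner and deadline. The following is an added example, not code from the article or from BrightWorks IT, showing one way to keep that register in a form that can be sorted by risk and checked for gaps. The 1-to-5 rating scales, the likelihood-times-impact score, the sample systems and the names are assumptions constructed for the example.

```python
# Added example: a minimal HIPAA risk register that scores each system/threat
# pair and flags entries that are missing a safeguard, owner or deadline.
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Risk:
    system: str                      # where PHI lives, e.g. "EHR server" (constructed)
    threat: str                      # malware, theft, unauthorized access, ...
    likelihood: int                  # 1 (rare) .. 5 (almost certain); scale is an assumption
    impact: int                      # 1 (minor) .. 5 (severe); scale is an assumption
    safeguards: List[str] = field(default_factory=list)
    owner: Optional[str] = None      # who owns the remediation
    deadline: Optional[date] = None  # when remediation is due

    @property
    def score(self) -> int:
        # Simple likelihood x impact rating used to rank the remediation plan.
        return self.likelihood * self.impact


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Return the register ordered highest risk first (ties broken by system name)."""
    return sorted(risks, key=lambda r: (-r.score, r.system))


def gaps(risks: List[Risk], today: date) -> List[Tuple[str, str, str]]:
    """Return (system, threat, problem) for entries an auditor would question:
    no safeguard documented, no owner, no deadline, or an overdue deadline."""
    problems = []
    for r in risks:
        if not r.safeguards:
            problems.append((r.system, r.threat, "no current safeguard documented"))
        if r.owner is None:
            problems.append((r.system, r.threat, "no remediation owner"))
        if r.deadline is None:
            problems.append((r.system, r.threat, "no remediation deadline"))
        elif r.deadline < today:
            problems.append((r.system, r.threat, f"remediation overdue since {r.deadline}"))
    return problems


# Constructed sample register; systems, ratings and names are illustrative only.
SAMPLE_REGISTER = [
    Risk("EHR server", "ransomware", 4, 5, ["offline backups", "EDR"], "Office manager", date(2026, 6, 30)),
    Risk("Front-desk laptop", "theft", 3, 4, [], None, None),
    Risk("Copier hard drive", "improper disposal", 2, 3, ["disposal checklist"], "IT vendor", date(2025, 12, 1)),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.score:>2}  {r.system}: {r.threat}")
    for system, threat, problem in gaps(SAMPLE_REGISTER, date(2026, 3, 1)):
        print(f"GAP  {system} / {threat}: {problem}")
```

Running it prints the register ranked by score and then the gap list, which is the part an OCR reviewer will ask for: the front-desk laptop entry has no safeguard, owner or deadline, and the copier entry is overdue.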

2. Appoint a Privacy Officer and Security Officer

HIPAA requires a designated Privacy Officer and Security Officer. In a small practice, this can be the same person—often the office manager or practice administrator. What matters is that someone owns it, understands it, and has authority to enforce it.

3. Develop Written Policies and Procedures

You need documented policies covering access to PHI, acceptable use, incident response, workforce sanctions, and more. These don’t need to be 200-page manuals. They need to be clear, specific to your practice, and actually followed.

Common policies every practice needs:

  • Access control and authorization policy
  • Workstation use and security policy
  • Password management policy
  • Incident response and breach notification policy
  • Data backup and disaster recovery policy
  • Social media and communication policy
  • Sanctions policy for workforce violations

4. Train Every Employee

Every member of your workforce—from physicians to front desk staff to billing contractors—needs HIPAA training. This isn’t a one-time event. Training should happen at onboarding and at least annually after that.

Training should cover the basics of PHI handling, your practice’s specific policies, how to recognize phishing emails, and what to do if they suspect a breach. Document who attended, what was covered, and when.

5. Manage Business Associate Agreements (BAAs)

Any vendor that handles PHI on your behalf—your EHR provider, billing company, IT support firm, cloud storage provider, even your shredding service—must sign a Business Associate Agreement before they touch any patient data.

Keep an inventory of all business associates. Review BAAs annually. If a vendor won’t sign a BAA, they can’t have access to PHI. Period.

Physical Safeguards

Physical safeguards protect the actual buildings, equipment, and devices where PHI is stored or accessed.

6. Control Facility Access

Limit physical access to areas where PHI is stored or accessible. Server rooms (or closets) should be locked. Workstations in patient areas should be positioned so screens aren’t visible to passersby.

Consider:

  • Badge or key access to sensitive areas
  • Visitor sign-in logs
  • Security cameras in server and records areas
  • Clean desk policies for paper records

7. Secure Workstations and Devices

Every computer, laptop, tablet, and phone that accesses PHI needs physical protections. Laptops should be locked to desks or stored in locked drawers when not in use. Mobile devices need remote wipe capability.

This is especially important for practices that allow remote access or have staff working from home. A stolen laptop with an unencrypted hard drive is a reportable breach.

8. Manage Device Disposal

When you retire a computer, copier, or external drive, the data on it doesn’t disappear. Hard drives must be wiped or destroyed. Copiers with internal storage need to be sanitized. Document the disposal process for every device.

Technical Safeguards

Technical safeguards are the technology controls that protect electronic PHI (ePHI). This is where your healthcare IT partner becomes essential.

9. Implement Access Controls

Every user who accesses ePHI should have a unique login. No shared accounts. Access should be role-based—front desk staff don’t need the same access as physicians. Implement automatic logoff on workstations after a period of inactivity.

10. Encrypt Data at Rest and in Transit

Encryption is listed as “addressable” in HIPAA, which does not mean optional. It means you must implement it or document why an equivalent alternative is in place. In practice, there’s no good reason not to encrypt.

Encrypt:

  • Hard drives on all workstations and laptops (BitLocker, FileVault)
  • Email containing PHI (TLS at minimum, portal-based encryption preferred)
  • Data backups
  • Mobile devices

11. Maintain Audit Logs

Your systems need to log who accessed what PHI and when. Your EHR system likely does this natively, but you also need logging on your network, email system, and file servers. Review logs regularly—not just after something goes wrong.
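"Review logs regularly" needs some concrete review criteria, and the role-based access principle from item 9 is one of them. The following is an added example, not code from the article or from any EHR product, showing a small log review over constructed access-log lines. The log format, the role-to-action policy, the 07:00 to 19:00 business-hours window and the distinct-patients-per-day threshold are all assumptions made for the example; a real practice would set these from its own policies and a baseline of normal activity.

```python
# Added example: review constructed EHR access-log lines for three conditions a
# small practice can check without specialist tooling: an action the user's role
# is not allowed to perform, access outside business hours, and one user viewing
# an unusual number of distinct patient records in a day.
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log in a hypothetical format (not a real product's output).
SAMPLE_LOG = """\
2026-02-13T09:12:01 user=drkim role=physician patient=P10001 action=view_chart
2026-02-13T09:40:22 user=mruiz role=frontdesk patient=P10001 action=view_demographics
2026-02-13T10:05:10 user=jlee role=billing patient=P10007 action=view_clinical_note
2026-02-13T23:48:03 user=mruiz role=frontdesk patient=P10002 action=view_demographics
2026-02-13T11:00:00 user=drkim role=physician patient=P10002 action=view_chart
2026-02-13T11:01:00 user=drkim role=physician patient=P10003 action=view_chart
2026-02-13T11:02:00 user=drkim role=physician patient=P10004 action=view_chart
2026-02-13T11:03:00 user=drkim role=physician patient=P10005 action=view_chart
2026-02-13T11:04:00 user=drkim role=physician patient=P10006 action=view_chart
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"patient=(?P<patient>\S+) action=(?P<action>\S+)$"
)

# Policy assumptions for the example: which actions each role may perform,
# the business-hours window (hour >= 7 and < 19), and the daily threshold.
ALLOWED_ACTIONS: Dict[str, set] = {
    "physician": {"view_chart", "view_clinical_note", "view_demographics"},
    "frontdesk": {"view_demographics"},
    "billing": {"view_demographics", "view_billing"},
}
BUSINESS_HOURS = (7, 19)
MAX_PATIENTS_PER_DAY = 4  # deliberately low so the sample triggers it


def parse_log(text: str) -> List[dict]:
    """Parse log lines into dicts; malformed lines are skipped (count them in production)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def review(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (finding, user, detail) tuples for the three review conditions."""
    findings = []
    per_user_day = defaultdict(set)  # (user, date) -> distinct patient ids
    for e in events:
        if e["action"] not in ALLOWED_ACTIONS.get(e["role"], set()):
            findings.append(("role_mismatch", e["user"], f'{e["action"]} on {e["patient"]}'))
        if not BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]:
            findings.append(("after_hours", e["user"], f'{e["ts"].isoformat()} {e["patient"]}'))
        per_user_day[(e["user"], e["ts"].date())].add(e["patient"])
    for (user, day), patients in per_user_day.items():
        if len(patients) > MAX_PATIENTS_PER_DAY:
            findings.append(("high_volume", user, f"{len(patients)} distinct patients on {day}"))
    return findings


if __name__ == "__main__":
    for kind, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{kind:<14} {user:<8} {detail}")
```

Each finding is a starting point for a documented review, not proof of misuse: a physician covering a colleague's patients will legitimately exceed a volume threshold, which is why the threshold and the role policy belong in your written access-control policy rather than in someone's head.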

12. Protect Your Network

Basic network security isn’t optional:

  • Firewalls configured and monitored
  • Antivirus and anti-malware on every endpoint
  • Regular patching of operating systems and applications
  • Secure Wi-Fi with WPA3 and separate guest networks
  • Multi-factor authentication for remote access and email

13. Back Up Data and Plan for Disasters

You need regular, encrypted backups of all ePHI. Backups should be stored offsite or in a compliant cloud environment. Test your restores—a backup you can’t restore from is not a backup.

Your disaster recovery plan should document how you’ll maintain access to patient records during an outage, who’s responsible for what, and how quickly you need to be operational again.

Breach Notification Requirements

Even with strong safeguards, incidents happen. HIPAA has specific rules about what to do when they do.

14. Know What Constitutes a Breach

A breach is any unauthorized acquisition, access, use, or disclosure of unsecured PHI. There’s a presumption that any impermissible use or disclosure is a breach unless you can demonstrate a low probability of compromise through a four-factor risk assessment.

15. Follow the Notification Timeline

If a breach affects fewer than 500 individuals, you must notify affected individuals within 60 days of discovery and report to OCR within 60 days of the end of the calendar year in which the breach was discovered.

If a breach affects 500 or more individuals, you must notify affected individuals within 60 days, notify OCR within 60 days, and notify prominent media outlets in the affected state within 60 days.
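The two paragraphs above branch on the 500-individual threshold, and the OCR deadline for smaller breaches is counted from the end of the calendar year rather than from discovery, which is easy to get wrong under pressure. The following is an added example, not code from the article, that encodes the timeline exactly as stated above so the dates can be computed and recorded when an incident is opened. The function and constant names are the example's own.

```python
# Added example: compute the notification deadlines stated in the article for a
# breach discovered on a given date affecting a given number of individuals.
from datetime import date, timedelta
from typing import Dict, Optional

NOTIFICATION_WINDOW = timedelta(days=60)  # the "within 60 days" figure from the article
LARGE_BREACH_THRESHOLD = 500              # 500 or more individuals triggers media notice


def breach_deadlines(discovered: date, affected: int) -> Dict[str, Optional[date]]:
    """Return the latest dates for notifying individuals, OCR and the media.

    Under 500 individuals: individuals within 60 days of discovery, OCR within
    60 days of the end of the calendar year of discovery, no media notice.
    500 or more: individuals, OCR and prominent media all within 60 days.
    """
    if affected < 1:
        raise ValueError("a breach must affect at least one individual")
    individuals_by = discovered + NOTIFICATION_WINDOW
    if affected >= LARGE_BREACH_THRESHOLD:
        return {"individuals": individuals_by, "ocr": individuals_by, "media": individuals_by}
    year_end = date(discovered.year, 12, 31)
    return {"individuals": individuals_by, "ocr": year_end + NOTIFICATION_WINDOW, "media": None}


def days_remaining(deadlines: Dict[str, Optional[date]], today: date) -> Dict[str, Optional[int]]:
    """Days left until each deadline from `today` (negative means already missed)."""
    return {k: (None if d is None else (d - today).days) for k, d in deadlines.items()}


if __name__ == "__main__":
    # Constructed scenario: a lost, unencrypted laptop discovered on 10 March 2026.
    small = breach_deadlines(date(2026, 3, 10), affected=120)
    large = breach_deadlines(date(2026, 3, 10), affected=750)
    print("under 500:", small)
    print("500 or more:", large)
    print("days left:", days_remaining(small, date(2026, 4, 1)))
```

Note the asymmetry in the first scenario: individual notices are due in May, but the OCR report for that same breach is not due until the following March. Record both dates in the incident file at discovery so the later one is not forgotten.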

16. Document Everything

Every suspected incident needs to be investigated and documented—even if it turns out not to be a breach. Your documentation should include what happened, what PHI was involved, who was affected, what you did about it, and what you’re doing to prevent it from happening again.

Ongoing Compliance Maintenance

17. Review and Update Annually

HIPAA compliance isn’t a project with an end date. It’s an ongoing program. At minimum, you should annually:

  • Repeat or update your risk assessment
  • Review and update all policies and procedures
  • Conduct workforce training
  • Audit BAA inventory
  • Test your backup and disaster recovery plan
  • Review access logs and user accounts

18. Stay Current on Guidance

OCR regularly publishes guidance, FAQs, and enforcement actions. Pay attention to them. The regulatory landscape shifts, and what was acceptable two years ago might not be today.

Getting Started Without Getting Overwhelmed

If your practice hasn’t done much with HIPAA compliance, this list might feel heavy. Here’s a practical starting point:

  1. Do the risk assessment first. Everything else flows from it.
  2. Fix the highest-risk items. Encryption, access controls, and backups usually top the list.
  3. Get your BAAs in order. Audit every vendor that touches PHI.
  4. Train your team. Even a 30-minute session closes major gaps.
  5. Document as you go. If it’s not written down, it didn’t happen—at least as far as OCR is concerned.

You don’t have to do this alone. A qualified HIPAA compliance partner can conduct your risk assessment, identify gaps, implement technical controls, and build a compliance program that holds up to scrutiny—without pulling your staff away from patient care.

Take the Next Step

Not sure where your practice stands? BrightWorks IT works with small healthcare practices to build and maintain HIPAA compliance programs that actually work. Schedule a free assessment and we’ll help you identify your biggest risks and a clear path to address them.


Written by

Nadia Patel

Nadia covers cybersecurity, cloud infrastructure, and IT strategy for growing businesses. With a background in enterprise technology and a passion for clear communication, she helps business leaders understand the technology decisions that matter most.
