HIPAA Compliance Checklist for Small Practices

If you run a small medical practice, dental office, behavioral health clinic, or any organization that handles protected health information (PHI), HIPAA compliance isn’t optional — it’s the law. But for practices without a dedicated compliance officer, knowing where to start can feel overwhelming.

This HIPAA compliance checklist breaks down the essential IT requirements into actionable steps. It’s not a substitute for a formal risk assessment, but it will help you identify gaps and prioritize the areas that matter most.

Why HIPAA Compliance Matters for Small Practices

Many small practice owners assume HIPAA enforcement targets large hospital systems. That assumption is dangerous. The Office for Civil Rights (OCR) has increasingly pursued enforcement actions against small providers, with settlements ranging from $50,000 to over $1 million — amounts that can be existential for a small practice.

Beyond the financial penalties, a data breach damages patient trust, disrupts operations, and can trigger state-level investigations on top of federal enforcement.

The good news: HIPAA compliance for small practices is entirely achievable with the right approach and the right IT partner.

The HIPAA IT Compliance Checklist

1. Conduct a Formal Risk Assessment

This is the single most important requirement — and the one most commonly neglected. HIPAA’s Security Rule requires covered entities to conduct a thorough risk assessment that identifies where PHI is stored, transmitted, and processed, and evaluates the threats to that data.

Action items:
– Document every system that touches PHI (EHR, email, file storage, fax, billing)
– Identify threats to each system (unauthorized access, ransomware, physical theft, human error)
– Evaluate existing safeguards and identify gaps
– Document everything — OCR wants to see your work
– Review and update the risk assessment annually

2. Implement Access Controls

Not every employee needs access to every patient’s records. HIPAA requires you to implement the minimum necessary standard — users should only access the PHI they need to perform their job.

Action items:
– Enforce unique user accounts for every staff member (no shared logins)
– Implement role-based access controls in your EHR and other PHI systems
– Require strong passwords (minimum 12 characters) and multi-factor authentication (MFA)
– Establish procedures for granting and revoking access when staff join or leave
– Audit access logs regularly to detect unauthorized access attempts

3. Encrypt PHI at Rest and in Transit

Encryption is your most effective safeguard against data breaches. If encrypted PHI is lost or stolen, it’s generally not considered a reportable breach under HIPAA — which can save your practice from enormous liability.

Action items:
– Enable full-disk encryption on all workstations and laptops (BitLocker for Windows, FileVault for Mac)
– Encrypt all mobile devices that access PHI
– Use TLS encryption for email containing PHI (or use a secure messaging portal)
– Ensure your EHR vendor encrypts data at rest and in transit
– Encrypt all backups

4. Secure Your Network

Your practice’s network is the perimeter that protects PHI from external threats. A poorly configured network is an open invitation to attackers.

Action items:
– Deploy a business-grade firewall with intrusion detection/prevention (not a consumer router)
– Segment your network — patient-facing Wi-Fi should be completely separate from clinical systems
– Use a VPN for any remote access to practice systems
– Disable unused network ports and services
– Monitor network traffic for anomalies

5. Implement Backup and Disaster Recovery

HIPAA requires you to maintain retrievable exact copies of PHI and have a disaster recovery plan. Ransomware is the most common disaster scenario for small practices in 2026 — your backup strategy is your last line of defense.

Action items:
– Back up all systems containing PHI at least daily
– Store backups in a separate location (cloud or offsite) — not just on a local drive
– Encrypt all backups
– Test backup restoration quarterly (untested backups are not backups)
– Document your disaster recovery plan with specific procedures and responsible parties

6. Deploy Endpoint Security

Every workstation, laptop, and mobile device in your practice is a potential entry point for malware, ransomware, and phishing attacks.

Action items:
– Install managed endpoint detection and response (EDR) on all devices
– Keep all operating systems and applications patched and up to date
– Disable USB storage devices on workstations unless specifically needed
– Implement DNS filtering to block malicious websites
– Deploy email security with anti-phishing capabilities

7. Establish Business Associate Agreements (BAAs)

Every vendor that accesses, stores, or transmits PHI on your behalf must sign a Business Associate Agreement. This includes your IT provider, EHR vendor, cloud storage provider, billing company, shredding service, and answering service.

Action items:
– Inventory every vendor that touches PHI
– Verify a signed BAA is in place for each one
– Review BAAs when contracts renew
– If a vendor refuses to sign a BAA, find a different vendor

8. Train Your Staff

Human error causes more HIPAA breaches than sophisticated cyberattacks. Your team is your first line of defense — and your greatest vulnerability.

Action items:
– Conduct HIPAA security awareness training for all staff at hire and annually
– Include phishing awareness and social engineering training
– Document all training sessions with dates, attendees, and topics covered
– Test staff with simulated phishing exercises
– Establish clear procedures for reporting suspected breaches or security incidents

9. Develop HIPAA Policies and Procedures

HIPAA requires documented policies covering data access, breach notification, device management, and more. “We follow best practices” isn’t sufficient — you need written documentation.

Action items:
– Create written policies for: access management, data backup, breach notification, device and media handling, remote access, password management, and incident response
– Make policies available to all staff
– Review and update policies annually
– Document policy acknowledgment by all employees

10. Prepare a Breach Notification Plan

If a breach occurs, HIPAA mandates specific notification timelines and procedures. Having a plan in place before an incident occurs is essential.

Action items:
– Document your breach notification procedures
– Identify your breach response team (internal staff, IT provider, legal counsel)
– Understand the 60-day notification requirement for breaches affecting 500+ individuals
– Maintain a breach log even for small incidents
– Know your state’s breach notification requirements (they may be stricter than federal)

Common HIPAA Mistakes Small Practices Make

Using personal email for patient communication. Gmail, Yahoo, and Outlook.com are not HIPAA-compliant without additional configuration and a BAA.
Texting PHI on personal phones. Standard SMS is not encrypted and not compliant.
No BAA with their IT provider. If your IT company accesses systems containing PHI and hasn’t signed a BAA, you’re both at risk.
Skipping the risk assessment. OCR’s most common finding in enforcement actions is the absence of a risk assessment.
Assuming cloud = compliant. Using a cloud-based EHR doesn’t absolve you of responsibility. You’re still accountable for access controls, training, and all other safeguards.

Getting Started

HIPAA compliance isn’t a one-time project — it’s an ongoing program that requires regular attention. But it doesn’t have to be overwhelming, especially with the right IT partner.

At Brightworks IT, we’ve helped medical practices, dental offices, behavioral health providers, and other covered entities across the Northeast build and maintain HIPAA-compliant IT environments. From risk assessments to ongoing monitoring and staff training, we handle the technical complexity so you can focus on patient care.

Need help with HIPAA compliance? Contact Brightworks IT for a free consultation.