HIPAA Compliance for Small Healthcare Practices: A Practical Implementation Guide

Published on: 17 September 2023

HIPAA compliance is one of those things that small healthcare practices know they need but struggle to get right. The regulations are dense, the guidance from HHS is often vague, and hiring a dedicated compliance officer is not realistic when you have a 15-person practice. So things get patched together — a locked filing cabinet here, an encrypted laptop there — and everyone hopes for the best.

That approach stops working fast. The Office for Civil Rights (OCR) does not care whether you have 10 employees or 10,000. The same rules apply, and the fines can be devastating. Anthem paid $16 million after a breach affecting 78.8 million records. Premera Blue Cross settled for $6.85 million. But smaller organizations get hit too — a single-physician practice in Arizona was fined $100,000 for impermissible disclosure of patient information on social media.

Here is what small healthcare organizations actually need to do to get HIPAA right, broken down by the three categories of safeguards the Security Rule requires.

Administrative Safeguards: The Paperwork That Actually Matters

Administrative safeguards are the policies, procedures, and documentation that form the backbone of your compliance program. They are also where most small practices fall short, because this is the least technical but most labor-intensive part of HIPAA.

Conduct a Risk Assessment

This is not optional. HHS has said repeatedly that failure to perform a risk assessment is the most common HIPAA violation they find during investigations. You need to document every place where protected health information (PHI) lives — your EHR system, email, paper charts, fax machines, billing software, even text messages.

For each location, identify what threats exist (unauthorized access, data loss, theft, ransomware) and what controls you currently have in place. HHS offers a free Security Risk Assessment Tool (SRA) that walks you through this process. It is basic, but it covers the requirements.

Document the results. Document what you plan to fix and when. Then actually fix it. The risk assessment is not a one-time checkbox — you need to repeat it annually or whenever your environment changes significantly.

Designate a Security Officer

Every covered entity needs a designated Security Officer and a Privacy Officer. In a small practice, this is often the same person, and it does not need to be their full-time job. But someone needs to own it — to track compliance tasks, manage policies, and be the point of contact for any incidents.

Write and Maintain Policies

You need written policies covering at minimum: access control, data backup, incident response, workforce training, device and media controls, and business associate management. These policies cannot be templates you downloaded and never read. They need to reflect how your specific practice operates.

When OCR investigates a breach, one of the first things they ask for is your policies. If you cannot produce them, or if they obviously do not match your actual practices, that becomes a separate violation.

Train Your Workforce

Every employee who touches PHI — clinicians, front desk staff, billing — needs HIPAA training at hire and at least annually after that. Training should cover what PHI is, how to handle it, how to spot phishing emails, what constitutes a breach, and how to report one.

Keep records of who was trained, when, and what material was covered. Platforms like KnowBe4 or Proofpoint offer HIPAA-specific training modules that handle this documentation automatically.

Manage Business Associate Agreements

Anyone who handles PHI on your behalf — your EHR vendor, your cloud hosting provider, your IT company, your shredding service — needs a signed Business Associate Agreement (BAA). This is a legal contract that requires them to protect PHI according to HIPAA standards and notify you of any breaches.

This gets missed constantly. A common blind spot: cloud services. If you store any patient data in Google Workspace, Microsoft 365, Dropbox, or similar platforms, you need a BAA with that provider. Google and Microsoft will sign BAAs for their business-tier products, but not for free consumer accounts. If your practice uses personal Gmail accounts for anything involving PHI, that is a violation.

Physical Safeguards: Protecting the Physical Environment

Physical safeguards address the actual, tangible security of locations and equipment where PHI exists. Small practices tend to think of this as “lock the doors,” but it goes further.

Facility Access Controls

Limit physical access to areas where PHI is stored or accessible. Server rooms (even if it is a closet with a single server) should be locked. Workstations in patient areas should be positioned so screens face away from public view, or use privacy filters.

If your practice has a check-in area, make sure the sign-in sheet does not expose other patients’ information. Sounds basic, but it is a violation OCR has cited repeatedly.

Workstation Security

Every workstation that accesses PHI should auto-lock after a short period of inactivity — no more than 5 minutes. Screensaver passwords are not sufficient; use the operating system’s lock screen. Workstations should be physically secured so they cannot be easily stolen — cable locks for laptops, and desktops bolted or secured to furniture if they are in accessible areas.

Device and Media Controls

When a computer, hard drive, or mobile device is retired, the data on it must be properly destroyed. Deleting files and emptying the recycle bin does not count. Use NIST 800-88 compliant data wiping tools like DBAN for hard drives, or physically destroy the media. Document the destruction — date, device serial number, method used, and who performed it.

The same applies to paper records. Cross-cut shredding or a certified shredding service with a certificate of destruction.

Technical Safeguards: The IT Controls

Technical safeguards are where IT meets compliance. These are the technology-based protections that keep electronic PHI (ePHI) confidential and intact.

Access Controls

Every user who accesses ePHI must have a unique login. No shared accounts, no generic logins like “frontdesk1.” Each user should have the minimum level of access necessary for their job — a receptionist does not need access to clinical notes.

Implement role-based access controls (RBAC) in your EHR system and any other platform that houses PHI. Terminate access immediately when an employee leaves. “Immediately” means the same day, ideally before they walk out the door.
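A periodic account review is the practical way to catch the three problems this section names: generic shared logins, accounts that do not map to a current employee, and departed staff whose access was never terminated. The following is an added example, not code from the page or from any EHR vendor; the roster, account list and naming pattern are constructed here and the EHR export format is assumed.

```python
"""Reconcile EHR user accounts against the HR roster (added example, constructed data)."""
import re
from datetime import date

# Constructed HR roster: username -> termination date (None = still employed).
HR_ROSTER = {
    "dr_lee": None,
    "jsmith": None,
    "rpatel": date(2023, 9, 1),   # left on 1 Sep 2023
}

# Constructed EHR account export. The field names are assumed, not a vendor format.
EHR_ACCOUNTS = [
    {"username": "dr_lee", "role": "physician", "enabled": True},
    {"username": "jsmith", "role": "billing", "enabled": True},
    {"username": "rpatel", "role": "front_desk", "enabled": True},    # terminated, still enabled
    {"username": "frontdesk1", "role": "front_desk", "enabled": True},  # generic shared login
    {"username": "tmp_audit", "role": "physician", "enabled": False},   # disabled, ignored
]

# Assumed pattern for generic/shared account names the text says should not exist.
GENERIC_PATTERN = re.compile(r"^(frontdesk|reception|nurse|admin|temp|shared)\d*$", re.I)


def review_accounts(accounts, roster, today):
    """Return a list of (finding_type, username) for every enabled account that
    violates the unique-login / same-day-termination rules."""
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # disabled accounts are not an access risk; skip them
        name = acct["username"]
        if GENERIC_PATTERN.match(name):
            findings.append(("generic_account", name))
        elif name not in roster:
            findings.append(("unknown_user", name))  # no owner in HR: investigate
        elif roster[name] is not None and roster[name] <= today:
            findings.append(("terminated_still_enabled", name))
    return findings


if __name__ == "__main__":
    for finding in review_accounts(EHR_ACCOUNTS, HR_ROSTER, date(2023, 9, 17)):
        print(*finding)
```

Running the review weekly (or on every HR termination notice) and keeping the output with your compliance records also gives you the evidence OCR asks for when it checks whether access was actually revoked.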

Multi-Factor Authentication

MFA is not explicitly required by HIPAA, but it is strongly recommended by HHS and has become a de facto requirement for any organization serious about compliance. Enable MFA on your EHR system, email, VPN, and any cloud service that accesses PHI.

Microsoft Authenticator, Duo Security, and Google Authenticator are all solid options. Hardware keys like YubiKey provide the strongest protection and are practical for small offices where the same people use the same workstations daily.

Encryption

HIPAA does not technically mandate encryption — it is listed as an “addressable” requirement, meaning you can use an alternative if you document why encryption is not reasonable. In practice, there is no good reason not to encrypt in 2026. The tools are built into the operating systems and cost nothing extra.

Encrypt data at rest: enable BitLocker on Windows devices, FileVault on Macs. Encrypt data in transit: require TLS for email (Microsoft 365 and Google Workspace handle this by default for their own services), use encrypted messaging for any patient communication, and ensure your EHR vendor uses HTTPS and TLS 1.2 or higher.

For email specifically, if you are sending PHI via email, consider a solution like Virtru, Paubox, or Microsoft 365 Message Encryption. Standard email, even with TLS, may not meet the standard depending on your risk assessment.

Audit Logging

You must be able to track who accessed what PHI and when. Your EHR system should have audit logging built in — make sure it is turned on and that you actually review the logs periodically. Look for unusual access patterns: a billing clerk accessing clinical records they have no reason to view, or logins at unusual hours.

If you use cloud services, enable audit logging there too. Microsoft 365 has a unified audit log in the compliance center. AWS has CloudTrail. Azure has Activity Logs. These logs need to be retained — HIPAA does not specify a retention period, but six years is the standard since that matches the HIPAA documentation retention requirement.
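The two review patterns the text describes (a role viewing record types it has no reason to see, and activity at unusual hours) can be scripted against an audit log export so the periodic review is repeatable. This is an added example, not code from the page or from any EHR product: the log format, the role-to-record policy and the business-hours window are all assumptions, and the log lines are constructed.

```python
"""Flag role/record mismatches and off-hours activity in an EHR audit log export
(added example; log format and policy are assumed, sample lines are constructed)."""
from datetime import datetime, time

# Constructed sample log. Assumed pipe-delimited format:
# timestamp|user|role|action|record_type|patient_id
SAMPLE_LOG = """\
2023-09-12T08:15:02|jsmith|billing|view|claim|P1001
2023-09-12T08:20:45|jsmith|billing|view|clinical_note|P1001
2023-09-12T09:02:11|dr_lee|physician|view|clinical_note|P1002
2023-09-12T23:47:30|rpatel|front_desk|login|-|-
2023-09-13T02:10:05|rpatel|front_desk|view|demographics|P1003
2023-09-13T10:30:00|dr_lee|physician|login|-|-
"""

# Assumed minimum-necessary policy: which record types each role may view.
ALLOWED = {
    "billing": {"claim", "demographics"},
    "front_desk": {"demographics", "schedule"},
    "physician": {"clinical_note", "demographics", "claim", "schedule"},
}

# Assumed business hours; activity outside this window is flagged for review.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)


def parse_log(text):
    """Parse the export into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, action, record_type, patient_id = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "role": role, "action": action,
            "record_type": record_type, "patient_id": patient_id,
        })
    return events


def review(events):
    """Return (finding_type, user, detail, timestamp) tuples for the reviewer."""
    findings = []
    for e in events:
        # Minimum-necessary check: a view of a record type the role is not allowed.
        if e["action"] == "view" and e["record_type"] not in ALLOWED.get(e["role"], set()):
            findings.append(("role_mismatch", e["user"], e["record_type"], e["ts"].isoformat()))
        # Off-hours check applies to every action, logins included.
        if not (BUSINESS_START <= e["ts"].time() <= BUSINESS_END):
            findings.append(("off_hours", e["user"], e["action"], e["ts"].isoformat()))
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print(*finding)
```

A flagged event is a review item, not a verdict: an on-call clinician legitimately logs in at night. The value is that every exception is looked at and the decision is recorded, which is what the audit-logging requirement is really asking for.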

Backup and Recovery

Back up ePHI regularly and test your restores. A backup that has never been tested is not a backup — it is a hope. Your backup and disaster recovery plan should define your recovery time objective (how long you can be down) and recovery point objective (how much data you can afford to lose).

For a small practice, cloud-based backup solutions are usually the most practical. Just make sure the backup provider has signed a BAA.

Common HIPAA Violations That Catch Small Practices

Understanding where others have failed helps you avoid the same mistakes. These are the violations OCR cites most frequently:

Failure to perform a risk assessment. This appears in nearly every OCR settlement. Performing and documenting one is the single most impactful thing you can do for compliance.

Lack of a BAA. Especially with cloud services and IT vendors. If your IT support company has access to your network and could potentially view PHI, they need a BAA.

Impermissible disclosures. Discussing patient information in public areas, posting about patients on social media (even without names — enough detail to identify someone counts), or faxing records to the wrong number.

Insufficient access controls. Shared user accounts, failure to terminate access for former employees, and excessive access privileges.

Failure to encrypt portable devices. Lost or stolen unencrypted laptops and phones are one of the most common breach triggers. An encrypted device that gets stolen is generally not considered a breach under HIPAA because the data is unreadable.

What to Do After a Breach

If a breach occurs, you have specific obligations:

  • Notify affected individuals within 60 days of discovering the breach
  • If 500 or more individuals are affected, notify OCR and prominent local media within the same timeframe
  • If fewer than 500 individuals are affected, notify OCR within 60 days of the end of the calendar year
  • Document your investigation, findings, and corrective actions

Having an incident response plan before a breach happens means you are not scrambling to figure out your obligations while the clock is ticking.
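Part of that plan can be a simple calculator that turns the discovery date and the number of affected individuals into concrete deadlines for each recipient, using only the rules listed above. This is an added example, not from the page; it encodes the 60-day window and the 500-person threshold exactly as stated and handles the year-end rule for smaller breaches (including the leap-year case).

```python
"""Compute HIPAA breach-notification deadlines from the rules given in the text
(added example; the rules are the page's, the function and names are assumed)."""
from datetime import date, timedelta

NOTICE_WINDOW = timedelta(days=60)   # "within 60 days" per the text
MEDIA_THRESHOLD = 500                # "500 or more individuals" per the text


def notification_deadlines(discovered_on, affected_count):
    """Return a dict of recipient -> deadline date.

    discovered_on   -- date the breach was discovered
    affected_count  -- number of individuals whose PHI was involved
    """
    if affected_count < 1:
        raise ValueError("a breach must affect at least one individual")

    individuals_by = discovered_on + NOTICE_WINDOW
    deadlines = {"individuals": individuals_by}

    if affected_count >= MEDIA_THRESHOLD:
        # Large breach: OCR and prominent local media within the same window.
        deadlines["ocr"] = individuals_by
        deadlines["media"] = individuals_by
    else:
        # Small breach: OCR within 60 days of the end of the calendar year of discovery.
        year_end = date(discovered_on.year, 12, 31)
        deadlines["ocr"] = year_end + NOTICE_WINDOW
    return deadlines


if __name__ == "__main__":
    for recipient, deadline in notification_deadlines(date(2023, 9, 17), 120).items():
        print(f"{recipient}: notify by {deadline}")
```

The dates are the outer limit, not a target; the incident response plan should still drive notification as soon as the investigation supports it.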

Building a Sustainable Compliance Program

HIPAA compliance is not a project with a finish line — it is an ongoing operational requirement. Small practices that treat it as a one-time effort inevitably fall out of compliance as staff changes, technology evolves, and new threats emerge.

The most effective approach for small healthcare organizations is to partner with an IT provider that understands both the technical and regulatory sides of HIPAA. You need someone who can implement the technical controls, help you build the documentation, and keep everything current as the rules and your environment evolve.

Exodata provides HIPAA compliance services tailored to small and mid-sized healthcare organizations in Nashville and across the Southeast. From risk assessments to technical safeguard implementation to ongoing compliance management, our team helps you build a program that passes scrutiny without consuming all your time. Contact us to discuss where your practice stands and what it would take to close the gaps.