HIPAA compliance for small medical practices: what you actually need in 2026

HIPAA compliance for small practices comes down to a manageable core: complete a documented Security Risk Assessment, sign Business Associate Agreements with every vendor that touches patient data, implement the administrative, physical, and technical safeguards the Security Rule requires, train your staff, and keep dated records that prove you did all of it. You do not need a hospital-sized compliance department or an enterprise GRC platform. You need the right small set of controls, done honestly and maintained over time.

The reason this trips up so many practices is that HIPAA is principles-based, not a checklist handed to you by the government. The regulations tell you what outcomes to achieve and leave the how to your judgment, scaled to your size and risk. That flexibility is a gift for a five-person clinic, but it also means nobody hands you a finish line. This guide draws one.

What HIPAA actually requires of a small practice

If you are a covered entity (a healthcare provider, a clinic, or a practice that bills electronically), three rules govern most of your obligations.

The Privacy Rule governs how you use and disclose Protected Health Information (PHI) and gives patients rights over their records, including the right to access and to request corrections. The Security Rule applies specifically to electronic PHI (ePHI) and requires administrative, physical, and technical safeguards. The Breach Notification Rule dictates what you must do when PHI is exposed, including notifying affected individuals and the U.S. Department of Health and Human Services (HHS), whose Office for Civil Rights (OCR) enforces HIPAA.

A note on the regulatory environment. In late 2024, OCR issued a Notice of Proposed Rulemaking to strengthen the Security Rule; it was published in the Federal Register in early January 2025, and the comment period has since closed. As of 2026 that rule is not yet final. The proposal would, among other things, remove the long-standing “required” versus “addressable” distinction and make safeguards such as encryption and multi-factor authentication explicitly mandatory, with limited exceptions. Treat the established safeguard requirements below as your foundation today, and confirm current rule text and deadlines before finalizing your program, because the bar is moving in one direction: stricter.

The Security Risk Assessment is non-negotiable

The single most important and most commonly missed requirement is the Security Risk Assessment (SRA), sometimes called a risk analysis. It is a documented evaluation of where ePHI lives, what threats it faces, and how you are mitigating those risks. It is not optional, it is not a one-time event, and “we use a secure EHR” does not satisfy it.

A practical SRA inventories your systems (EHR, email, billing software, devices, backups, cloud apps), identifies realistic threats (ransomware, a lost laptop, phishing, internal snooping, a vendor breach), rates likelihood and impact, and records the safeguards you already have in place plus a remediation plan for the gaps. HHS, through ASTP/ONC and OCR, publishes a free SRA Tool aimed at small and mid-sized practices, available as a Windows application and an Excel workbook; everything you enter stays on your own machine. It is a reasonable starting point, though it identifies gaps rather than fixing them, so the remediation work is still yours. Redo the assessment at least annually and whenever something material changes, such as a new system, a new location, or a vendor switch.

If you do only one thing this quarter, make it a documented SRA. In enforcement actions, the absence of a current risk analysis is one of the most frequently cited failures.

The safeguards you need, in plain terms

The Security Rule organizes controls into three buckets. Here is what each looks like at small-practice scale.

Administrative safeguards

These are your policies, people, and processes, and they carry the most weight.

  • A designated Security Official and Privacy Official. In a small practice, this can be one person wearing two hats.
  • Written policies and procedures covering access, incident response, breach notification, sanctions for violations, and data backup.
  • Workforce training at onboarding and on a recurring basis, with sign-off records.
  • A documented incident response and breach process, so a lost phone or a suspicious login does not become an improvised scramble.
  • Regular review of who has access to what, with prompt removal when someone leaves.

Physical safeguards

These protect the spaces and devices that hold ePHI: locked offices and server closets, screens angled away from waiting-room sightlines, a clear policy for workstations and mobile devices, and secure disposal of old hardware and paper. A laptop stolen from a car is a classic, avoidable breach.

Technical safeguards

These are the controls inside your systems:

  • Access controls with unique user IDs, no shared logins, and role-based permissions.
  • Encryption of ePHI in transit and at rest. Encryption is currently an “addressable” specification rather than a flat mandate, but in practice it is the most effective protection you have and is widely expected, and the proposed rule would make it explicit. Encrypted data that is lost while the keys stay secure can fall under the breach notification safe harbor; unencrypted data almost never does.
  • Audit logging, so you can see who accessed which records and when.
  • Multi-factor authentication on email, your EHR, and remote access. MFA is now a baseline expectation, not a nice-to-have.
  • Automatic logoff, current patching, and tested backups.

Business Associate Agreements: the vendor piece everyone forgets

Any vendor that creates, receives, maintains, or transmits PHI on your behalf is a business associate, and you must have a signed Business Associate Agreement (BAA) with each one before they handle that data. That includes your EHR vendor, billing company, cloud storage and email provider, IT support, transcription service, secure-messaging tools, and analytics vendors that see PHI.

Two traps catch small practices repeatedly. First, free or consumer-tier services. A standard consumer email account or a free file-sharing plan typically will not sign a BAA, which means you cannot use it for PHI even when it feels convenient. Second, assuming a signed BAA makes a tool compliant on its own. The BAA assigns responsibility; you still have to configure and use the tool securely. Keep a living vendor inventory with each BAA’s status, and revisit it whenever you adopt a new app. Our deeper guide to Business Associate Agreements walks through what belongs in one.

A realistic 12-month plan

You do not have to do everything at once. A sane sequence for a small practice looks like this.

Months 1-2: Establish the foundation. Name your Security and Privacy Officials. Complete your first documented SRA. Inventory every system and vendor that touches PHI.

Months 2-4: Close the obvious gaps. Turn on MFA everywhere. Confirm encryption on devices and in transit. Collect missing BAAs. Replace any non-compliant tools.

Months 3-5: Write it down. Adopt the required written policies and procedures. Generic templates are fine as a starting point, but tailor them to how your practice actually operates. Policies you do not follow are worse than none.

Months 4-6: Train and operationalize. Run workforce training with documented sign-off. Stand up a simple incident-response process. Establish recurring access reviews.

Ongoing: Maintain and prove it. HIPAA is not a certification you earn once; there is no official “HIPAA certified” stamp from the government. It is a continuous program. Keep dated evidence, training logs, access reviews, SRA updates, and BAA records, so that if OCR or a partner ever asks, you can demonstrate an active program rather than reconstruct one under pressure. This is exactly where continuous control monitoring earns its keep, replacing annual fire drills with always-current evidence.

What “good enough” looks like (and what overkill looks like)

Right-sizing matters. A solo or small-group practice does not need a 24/7 security operations center or a six-figure GRC suite. It needs an honest, current SRA, the safeguards above, signed BAAs, trained staff, and organized documentation. That is genuinely achievable.

Overkill usually means buying enterprise tooling you cannot fully use, or chasing certifications you do not need. Underkill, the more common failure, means relying on a vague sense that “the EHR handles compliance.” It does not. Your EHR vendor secures their platform; you remain responsible for how PHI flows through your practice, your devices, your email, and your people. For a line-by-line view, pair this with our HIPAA compliance checklist and a structured Security Risk Assessment guide.

Where a compliance platform helps

You can run a small-practice HIPAA program on spreadsheets and shared drives, and plenty of practices do. The friction shows up in maintenance: keeping evidence current, tracking BAA renewals, proving training happened, and updating the SRA without it becoming a once-a-year panic.

That maintenance burden is what Forteri is built to remove. It is a multi-framework compliance platform that covers HIPAA alongside SOC 2, ISO 27001, NIST CSF, and more, aimed at SMBs and startups priced out of the larger tools. It handles policy management, continuous control monitoring, evidence collection, vendor and BAA tracking, and audit support in one place. If your practice has outgrown spreadsheets but does not have a compliance team, that is the gap it fills. Start with a documented risk assessment either way, then decide whether a platform earns its place in your workflow.

Frequently asked questions

Is there an official HIPAA certification for small practices?

No. The government does not issue a HIPAA certification or seal. HIPAA compliance is an ongoing program you maintain and document, not a one-time credential. Third-party assessments can be useful, but no certificate makes you officially HIPAA certified in the eyes of OCR.

What is the most important first step toward HIPAA compliance?

Complete a documented Security Risk Assessment (SRA). It maps where ePHI lives, what threats it faces, and how you are mitigating them. It is required under the Security Rule and is one of the most commonly cited gaps in enforcement actions. HHS, through ASTP/ONC and OCR, offers a free SRA Tool for smaller practices.

Do I need a Business Associate Agreement with every vendor?

You need a signed BAA with any vendor that creates, receives, maintains, or transmits PHI on your behalf, such as your EHR, billing company, cloud storage, email, and IT support. Vendors that never touch PHI do not need one, but verify rather than assume.

Is encryption required under HIPAA?

Encryption is currently an addressable specification rather than a flat mandate, but it is widely expected and strongly recommended, and a proposed Security Rule update would make it explicit. Properly encrypted data that is lost while the keys stay secure can qualify for the breach notification safe harbor, while unencrypted data almost never does. Treat encryption in transit and at rest as a baseline.

How often do I need to update my HIPAA risk assessment?

At least annually, and whenever something material changes: a new system or EHR, a new location, a new vendor handling PHI, or a security incident. Treat it as a living document with dated updates rather than a one-time project.
