HIPAA Compliance for New Covered Entities
What HIPAA requires from a newly established medical practice or newly covered healthcare provider — and the sequence for building a compliant program from the start.
Short answer
A healthcare provider becomes a HIPAA covered entity on the day they first transmit health information in electronic form in connection with a HIPAA standard transaction — which for most practices means the day they submit their first electronic claim. From that day, HIPAA's Privacy and Security Rules apply in full. This guide covers what must be in place at the outset and the sequence for building a compliant program.
When HIPAA Starts
The trigger is the first HIPAA standard transaction. Under 45 CFR §160.103, a healthcare provider is a covered entity once it transmits health information in electronic form in connection with a transaction for which HHS has adopted a standard; for most practices that is the first electronic claim sent to a payer. From that day the Privacy Rule, the Security Rule, and the Breach Notification Rule apply in full.
There is no grace period. A practice that submits its first electronic claim without a BAA with its clearinghouse, without a Notice of Privacy Practices, and without any security policies in place is in violation from day one.
Most newly opening practices can get the essential elements in place within their first few weeks if they know what to prioritize. The problem is that HIPAA compliance tends to get treated as something to figure out “once we get established” — when the obligation actually begins the moment the first electronic transaction occurs.
Are You Actually a Covered Entity?
Three types of entities are covered under HIPAA:
- Healthcare providers who transmit health information electronically in connection with certain transactions (claim submission, eligibility inquiries, referral requests, etc.)
- Health plans (insurance companies, HMOs, government health programs)
- Healthcare clearinghouses, which convert health information between nonstandard formats and the HIPAA standard transaction formats on behalf of providers or payers
For most newly opening medical practices, the trigger is the first category. If you are a healthcare provider who:
- Bills insurance electronically (or uses a billing service that does on your behalf)
- Submits claims through a clearinghouse
- Checks patient eligibility electronically
…you are a HIPAA covered entity from the first day any of those transactions occur.
The cash-only exception: A healthcare provider who does not transmit health information electronically in connection with any HIPAA standard transaction is not a HIPAA covered entity. A strictly cash-pay practice that does not bill insurance, check eligibility electronically, or submit any electronic standard transactions falls outside HIPAA’s scope (the same is true of a practice that submits only paper claims, since the test is electronic transmission). Two caveats: a billing service submitting electronically on the practice’s behalf counts as the practice transmitting, and falling outside HIPAA does not exempt the practice from state medical privacy laws, which often apply regardless of HIPAA status. If the practice later begins billing insurance electronically, it becomes a covered entity at that point.
What Must Be In Place From the Start
Before the First Electronic Transaction
1. Execute BAAs with billing vendors. If you’re using a clearinghouse, a billing software platform, or an outsourced billing service to submit your first electronic claim, those entities handle your PHI on your behalf and are business associates. A BAA must be in place before PHI is transmitted to them (45 CFR §164.502(e) and §164.504(e)). No BAA is needed with the payer itself: a health plan is a covered entity in its own right, not your business associate.
Clearinghouses and billing software vendors typically have standard BAAs available in their enrollment documentation or practice portal. Locate and execute the BAA during practice setup, before the first claim, and keep the signed copy with your compliance records.
2. Execute a BAA with your EHR vendor. A hosted or cloud EHR stores and processes ePHI, and the vendor can access it for hosting, support, and maintenance, which makes the vendor a business associate. A BAA must be in place before the EHR is used for any patient data. (The rare exception is locally installed software to which the vendor has no access to ePHI; nearly all current EHR products do not fit that description.)
Most EHR vendors present the BAA as part of the subscription agreement or in a separate compliance document. Confirm that the BAA is actually executed, not just that you agreed to the general terms of service, and that it names your practice as the covered entity.
3. Designate a Privacy Officer and a Security Official. Every covered entity must designate a Privacy Officer responsible for developing and implementing privacy policies (45 CFR §164.530(a)(1)). The Security Rule separately requires a security official responsible for the Security Rule policies and procedures (45 CFR §164.308(a)(2)). For a small practice, both roles are typically held by the practice owner, the office manager, or the most senior administrative staff member, and one person may hold both. The designations should be in writing.
4. Prepare a Notice of Privacy Practices. For a provider with a direct treatment relationship, the NPP must be given to each patient no later than the first service delivery, with a good-faith effort to obtain the patient’s written acknowledgment of receipt; it must also be posted prominently at the office and on the practice’s website if it has one, and be available on request (45 CFR §164.520(c)(2)). Have it ready before you see your first patient. HHS publishes model NPP language for healthcare providers at hhs.gov, so you don’t need to write it from scratch.
In the First 30 Days
5. Basic written policies. The Privacy Rule and Security Rule require written policies covering privacy practices, access controls, workforce security, breach response, and sanctions. For a new small practice, these can be a single short document. The key is that they exist in writing, are dated, and are reviewed periodically (annual review is the common practice). The Security Rule also requires that policies and superseding versions be retained for six years from their creation date or last effective date, whichever is later (45 CFR §164.316(b)(2)(i)), so keep the dated originals rather than overwriting them.
6. Staff orientation to HIPAA. Any workforce member with access to PHI must receive HIPAA training (45 CFR §164.530(b) for the Privacy Rule, §164.308(a)(5) for the Security Rule), within a reasonable period after joining. HIPAA does not prescribe a duration or format. For a new practice with one front desk hire, a one-hour orientation covering the basics, what PHI is, how to handle it, how to report an incident, and the sanctions for violations, satisfies the initial training requirement as long as it is documented: date, content, attendee, and who verified it.
In the First 90 Days
7. Complete the initial risk analysis. The risk analysis (45 CFR §164.308(a)(1)(ii)(A)), an accurate and thorough assessment of the risks to ePHI, is required from the first day of covered entity status. The rule does not fix an interval, but the analysis must be kept current as the environment changes, and annual review is the widely used practice. For a newly opened practice, the first risk analysis assesses the ePHI environment as it exists in the first weeks of operation, before risks have time to accumulate unassessed.
A first-year risk analysis might cover: the EHR security configuration, the devices in use, the physical security of the office, the billing workflow, and any vendors handling PHI. This is a manageable scope for a one-location small practice.
8. Establish an incident log. Even if no incidents have occurred, establish the incident log. An incident log that exists from the practice’s opening date — and has no entries because nothing has happened — is stronger documentation than one created after the first incident.
The New Practice Compliance Timeline
| Priority | Action | When |
|---|---|---|
| Before first electronic transaction | BAA with clearinghouse and billing software | Pre-opening |
| Before first electronic transaction | BAA with EHR vendor | Pre-opening |
| Before first patient visit | Designate Privacy Officer and Security Official | Pre-opening |
| Before first patient visit | NPP prepared and ready to distribute | Pre-opening |
| Week 1-2 | Basic written policies document | First weeks |
| Week 1-2 | Staff HIPAA orientation (if any staff) | Before PHI access |
| Days 1-90 | Initial risk analysis | First 90 days |
| Day 1, ongoing | Incident log | Immediately |
| Day 1, ongoing | BAA tracking (add new vendors as relationships form) | Ongoing |
| Annually | Risk analysis update | Each year |
| Annually | Staff training | Each year |
The Most Common First-Year Mistakes
Assuming the EHR subscription includes all HIPAA compliance. An EHR subscription provides access to a HIPAA-capable platform. It does not create HIPAA compliance for the practice. The BAA with the EHR vendor must be separately executed. The Privacy Officer must be separately designated. The policies must be separately written. Compliance is the practice’s responsibility — the EHR vendor provides a tool, not a compliance program.
Waiting to execute BAAs until “everything is set up.” The BAA with the clearinghouse must be in place before the first claim is transmitted. Waiting until after the practice is running to execute BAAs means the first days or weeks of operation may have been out of compliance.
No NPP at patient intake. The NPP requirement takes effect at the first patient visit. If the NPP isn’t prepared when the practice opens, every patient intake during the gap is a Privacy Rule violation.
“We’ll figure out the policies later.” The Security Rule has no grace period. Policies are required from the day covered entity status begins. Writing them after the fact and backdating them is document falsification. Write them before opening and date them honestly.
Treating compliance as a one-time project. HIPAA compliance is a recurring operational program — annual risk analysis, annual training, ongoing BAA management, incident tracking. New practices that treat the initial setup as a project that “finishes” inevitably find themselves with outdated documentation and unmanaged risks within a year or two.
Building It Right From the Start
A new practice has one thing established practices don’t: a blank slate. No legacy systems to assess, no outdated policies written by someone who left three years ago, no accumulated access drift from years without a review.
Getting it right from the start — policies written before opening, BAAs executed before the first claim, the Privacy Officer designated before the first patient, and an initial risk analysis done in the first 90 days — creates a foundation that’s genuinely easy to maintain. Building the compliance program retroactively, after years of operation, is a much harder project.
The upfront setup costs a few days of the owner’s time. An OCR investigation costs considerably more.