HIPAA for Solo Practitioners
What HIPAA actually requires of a solo practitioner or very small practice, and how to build a functional compliance program without an in-house compliance team.
Short answer
Solo practitioners and very small practices (1-3 staff) are fully covered entities under HIPAA with no reduced obligations based on size. But the compliance program appropriate for a solo practice is significantly simpler than an enterprise program - and many solo practitioners over-build it or, worse, avoid it entirely because it seems overwhelming. This guide describes the minimal viable compliance program for a solo practice.
A solo practice - one provider, maybe one or two support staff - is a covered entity under HIPAA with the same legal obligations as a 50-provider hospital system. The Privacy Rule’s minimum requirements have no size exemption. The Security Rule’s safeguard requirements scale with complexity and resources, but they don’t disappear.
Most compliance guidance written for healthcare organizations assumes a team: a Privacy Officer, a Security Officer, an IT department. Solo practitioners read that guidance and reasonably conclude HIPAA compliance is designed for larger organizations. That conclusion is wrong, and it’s easy to understand why someone would reach it.
This guide covers what a practice of 1-3 people actually needs: what’s required, what can be simplified, and what the minimal viable compliance program looks like.
What HIPAA Actually Requires of You
Privacy Officer Designation
Under 45 CFR §164.530(a), every covered entity must designate a Privacy Officer. For a solo practice, that person is you. The requirement is to designate someone - it is not to hire a dedicated compliance professional.
Document it somewhere: a simple memo, a note in your policy binder, or the header of your NPP. “Dr. [Name] is Privacy Officer for [Practice Name]” is sufficient.
Notice of Privacy Practices
Every covered entity must provide patients with a Notice of Privacy Practices (NPP) describing how their PHI is used and disclosed (45 CFR §164.520). The NPP must be provided to patients at the first service delivery and be available on request.
For a solo practice, the NPP can be a one-page document used consistently at intake. HHS provides NPP model language for small provider use. Adapt the model language to your practice and use it. Document that patients receive it (a checkbox on your intake form, a signature line at the bottom of the NPP itself).
Policies and Procedures
You need written policies - but for a solo practice, written policies can be short. A four-page document that covers how PHI is used and disclosed, your access control approach, your breach response process, your sanction policy, and your workforce security approach addresses the required categories.
The policies need to exist, be dated, and be followed.
Risk Analysis
The annual risk analysis (45 CFR §164.308(a)(1)(ii)(A)) is required regardless of practice size. For a solo practice, the risk analysis is simpler than for a multi-site organization because the scope is smaller.
A solo practice risk analysis might cover:
- The EHR (the primary ePHI system)
- The billing system or clearinghouse
- Email used for any patient communication
- Any patient portal
- Clinic devices (laptop, desktop, any tablets or phones used for work)
- Physical space (records storage, workstation security)
- The one or two administrative staff members who handle PHI
This is a manageable scope. A risk analysis for this environment can be completed in a half-day using a structured template.
Training
The workforce training requirement (45 CFR §164.308(a)(5)) applies to “all members of its workforce.” For a solo practice with one administrative staff member, workforce training is a one-hour conversation with that staff member - documented with the date, what was covered, and both parties’ signatures.
For a truly solo practice with no staff, workforce training means ensuring that the solo provider themselves is current on HIPAA requirements. Document this as annual self-training - the date you completed it and the resources you reviewed.
BAAs
Every vendor who handles your PHI as a business associate requires a signed BAA. For a solo practice, this is typically:
- Your EHR vendor (most have standard BAAs available online)
- Your billing clearinghouse
- Your medical billing service (if outsourced)
- Your email platform (if you use it for patient communication)
- Any cloud storage vendor where PHI is stored
Execute these BAAs and keep them in a folder. This is not complex - most EHR vendors have a standard BAA available in their compliance documentation or through the practice portal.
What Can Be Appropriately Simplified
The HIPAA Security Rule requires “reasonable and appropriate” safeguards, and explicitly states that covered entities must take into account “the size, complexity, and capabilities of the covered entity” (45 CFR §164.306(b)(2)(i)).
This is a genuine scaling provision. What is reasonable and appropriate for a solo practitioner is not the same as what is reasonable and appropriate for a 200-person organization. Some examples:
Quarterly access reviews: For a solo practice with one administrative staff member, a “quarterly access review” is a five-minute confirmation that the staff member’s access still fits their role. Document it as such. No formal grid required.
Risk analysis methodology: For a solo practice, the risk analysis can be a structured checklist rather than a formal assessment with probability-impact matrices. HHS provides a Security Risk Assessment tool specifically designed for small practices - it’s available free at hhs.gov.
Incident response procedures: The incident response procedure can be one page: “If a suspected PHI incident occurs, I will immediately assess the situation, apply the 4-factor test, and determine whether notification is required. I will document the assessment and the outcome.” That’s it.
Audit logging: A modern EHR’s built-in audit logging likely satisfies the audit control requirement (45 CFR §164.312(b)). You don’t need separate audit infrastructure. Confirm the EHR logs are enabled and review them periodically.
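The periodic review the two paragraphs above describe (the quarterly access check and the EHR audit-log review) can be reduced to a few concrete questions: is every account that touched a chart still on the workforce roster, did each account stay within its role, and did any access happen at an unusual hour? The script below is an added illustration, not code from the article or from any EHR vendor; the log line format, the roster, the business-hours window and the sample log lines are all constructed for the example, so the parser must be adapted to whatever your EHR actually exports.

```python
"""Audit-log review for a small practice (added example, not from the article).
The log format, user roster and sample lines are constructed for illustration;
a real EHR exports its own format, so adapt parse_line() accordingly."""
from collections import Counter
from datetime import datetime, time

# Constructed workforce roster: who may touch ePHI and which actions fit their role.
# A "quarterly access review" is, concretely, confirming this mapping still holds.
ROSTER = {
    "dr.lee": {"role": "provider", "actions": {"view", "edit", "print", "export"}},
    "m.admin": {"role": "admin", "actions": {"view", "print"}},
}

# Assumed clinic hours; chart access outside them gets a second look.
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)


def parse_line(line):
    """Parse one constructed audit line: 'ISO-timestamp user action patient-id'."""
    ts, user, action, patient = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "patient": patient}


def review(lines):
    """Return (findings, events_per_user).

    findings is a list of (reason, event) pairs for the reviewer to look at;
    events_per_user is a simple count so an unusually busy account stands out."""
    findings = []
    per_user = Counter()
    for line in lines:
        ev = parse_line(line)
        per_user[ev["user"]] += 1
        entry = ROSTER.get(ev["user"])
        if entry is None:
            # Account not on the roster: typically a user who was never offboarded.
            findings.append(("unknown account", ev))
            continue
        if ev["action"] not in entry["actions"]:
            findings.append(("action outside role", ev))
        t = ev["ts"].time()
        if not (BUSINESS_START <= t <= BUSINESS_END) or ev["ts"].weekday() >= 5:
            findings.append(("after-hours access", ev))
    return findings, per_user


# Constructed sample log (2024-03-04 is a Monday).
SAMPLE_LOG = [
    "2024-03-04T09:12:00 dr.lee view P1001",
    "2024-03-04T09:15:00 m.admin print P1001",
    "2024-03-04T22:40:00 m.admin view P2044",     # after hours
    "2024-03-05T10:02:00 m.admin export P2044",   # export is not in the admin role
    "2024-03-06T11:30:00 j.former view P3090",    # account not on the roster
]

if __name__ == "__main__":
    findings, counts = review(SAMPLE_LOG)
    for reason, ev in findings:
        print(f"{reason:22s} {ev['ts']:%Y-%m-%d %H:%M} "
              f"{ev['user']} {ev['action']} {ev['patient']}")
    print("events per user:", dict(counts))
```

Run against the constructed sample it reports three findings: one after-hours access, one export by the administrative account, and one access by an account that is no longer on the roster. Keeping the dated output of each run in your compliance folder is what turns "we review the logs" into the documented review OCR will ask for.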
The Minimal Viable Compliance Program
A solo practitioner with one administrative staff member needs:
Written documentation (one-time setup, annual review):
- NPP - provided to all patients at first visit, available on request
- Basic policies document - 4-6 pages covering privacy, security, access, breach response, and sanctions
- Risk analysis - completed annually, documented, with a corresponding list of remediation actions
BAAs (ongoing, tracked):
- EHR vendor BAA - executed, filed
- Billing clearinghouse BAA - executed, filed
- Email platform BAA (if used for patient communication)
- Any other business associate - executed, filed
Training (annually):
- Training session with administrative staff - documented (date, content covered, signatures)
- Solo provider self-training - documented (date, resources reviewed)
Incident log (ongoing):
- Running log of any security events or potential incidents - date, description, disposition
- Annual breach report submitted to HHS by March 1 for any sub-500 breaches in the prior year
Privacy Officer:
- Documented designation (a note in the policy document is sufficient)
- Contact information available to patients
This entire program can be maintained by a solo practitioner in approximately 10-15 hours per year - plus the one-time setup time of perhaps 8-12 hours to create the initial documentation.
The Documentation Problem
The most common compliance failure for solo practitioners isn’t ignoring HIPAA. Most solo practitioners do protect patient information, don’t share it inappropriately, and use an EHR covered by a BAA. They’ve told their one staff member about HIPAA. None of it is documented. When OCR investigates a complaint - often from a disgruntled patient or a former employee - and asks for the privacy policy, the training records, the risk analysis, and the incident log, the solo practitioner can’t produce any of it.
From OCR’s perspective, undocumented compliance is the same as no compliance. The 6-year documentation retention requirement at 45 CFR §164.530(j) is how covered entities demonstrate, years after the fact, that they had a functioning compliance program.
The initial setup takes a weekend. Ongoing maintenance runs a few hours per year. What makes the difference when OCR asks questions isn’t whether you followed the rules - it’s whether you can show that you did.
Where to Start
If you are a solo practitioner reading this and realizing your compliance program has gaps:
- This week: Execute BAAs with your EHR vendor and any other business associates. Most EHR vendors have these available in your practice portal - this is a 30-minute task.
- This month: Create a simple policies document using HHS’s model language as a starting point. Create or update your NPP. Document yourself as Privacy Officer.
- This quarter: Complete the HHS Security Risk Assessment tool (available free at hhs.gov). Create an incident log even if it has no entries.
- Annually: Train yourself and any staff on HIPAA basics. Review and update the risk analysis. Review your vendor BAAs.
The solo practice compliance program is a documented, deliberate set of practices - scaled to the size and complexity of a one-provider practice. Nothing more, nothing less. That’s what HIPAA requires.
PHIGuard commercial baseline
PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current limited offer details.
Sources
- 45 CFR § 164.530(a) - Privacy Officer Requirement · eCFR
- HHS Small Provider Resources · Legal Information Institute
- NIST SP 800-66 - Implementing the HIPAA Security Rule · NIST