HIPAA Compliance for Small Medical Practices: A Practical Overview

Last updated: March 20, 2026

TLDR

Small medical practices — from solo providers to 20-person clinics — face the same HIPAA requirements as large health systems but without dedicated compliance staff. The requirements aren't optional based on size: risk assessments, written policies, staff training, vendor BAAs, and documentation are mandatory for every covered entity.

The same rules, without the compliance department

A 500-bed hospital has a compliance department, a security team, a legal team, and a VP of Privacy. A 6-person family practice has an office manager who also handles scheduling, billing questions, and staff onboarding.

The HIPAA requirements are identical.

This isn’t a design flaw. It’s how the law works. Every covered entity, regardless of size, must conduct documented risk assessments, maintain written policies, train every workforce member, sign BAAs with vendors, and keep six years of records. No provision in HIPAA adjusts these requirements based on headcount.

What this means for small practices: compliance is a real administrative burden, and ignoring it carries real risk. The OCR has fined solo providers. It has fined 2-physician practices. Small size provides no protection.

What compliance actually requires

A designated Privacy and Security Officer. This is a person, not a shared responsibility. Write down who it is and when they took on the role. In most small practices, this is the practice manager or office administrator.

An annual risk assessment. A documented evaluation of every place your practice stores or transmits ePHI, the threats to each location, your current safeguards, and your plan to address gaps. This is the most commonly cited deficiency in OCR enforcement actions against small practices.

Written policies. At minimum: a privacy policy (who accesses PHI and under what conditions), a security policy (technical and physical safeguards), a breach notification policy (how you respond to and report incidents), and a training policy (when training happens and what it covers).

Staff training. Every person who works at your practice (clinical and administrative, full-time and part-time, contractors and volunteers) must complete HIPAA training at onboarding and annually. You must document who attended, what was covered, and when.

Business Associate Agreements. Any vendor that stores or transmits PHI on your behalf must sign a BAA. This includes your EHR, scheduling software, billing system, email provider, task management tool, cloud storage, and any texting or patient communication platform. No BAA means you cannot use the tool with patient data.

Six years of records. Risk assessments, policy versions, training documentation, signed BAAs, and incident reports all need to be retained for six years from creation or last effective date.

Where small practices actually struggle

The compliance requirements are knowable. The gap is usually time and systems, not intention.

A physician practice manager handles compliance alongside 15 other operational responsibilities. The annual risk assessment gets pushed when a provider calls in sick. The training sign-in sheet from 2023 is somewhere in a drawer. The BAA for the patient texting service the front desk started using six months ago was never requested.

These aren’t bad actors. They’re busy practices without the infrastructure to maintain compliance consistently.

The common failure modes:

Risk assessments that aren’t documented. A practice may have thought through its security risks without writing anything down. That doesn’t satisfy HIPAA. The requirement is a documented assessment. The documentation is the compliance.

Training with no records. Staff may have received HIPAA training at onboarding. Without a sign-in sheet or completion record, there’s no way to prove it during an audit.

Tool sprawl without BAA coverage. Staff adopt tools (messaging apps, cloud drives, scheduling tools) that touch patient data without anyone auditing whether a BAA is in place. The gap can sit unnoticed for years.

Outdated documentation. A risk assessment from three years ago, policies that haven’t been updated since the practice opened, training records for staff who have since left and no records for staff who replaced them.

What a practical compliance setup looks like

For a small practice with limited administrative bandwidth, the goal is a system that stays current with minimal ongoing effort.

A compliance software platform (PHIGuard starts at $20/month) handles the tracking layer: risk assessment records, BAA documentation, training completion logs, and incident records in one place, accessible during an audit without digging through folders.

Your office manager or designated Privacy Officer needs a quarterly calendar item to review compliance status: Is the risk assessment current? Has anyone new joined who needs training? Are there new vendors that need BAAs?

An initial risk assessment takes 4-8 hours; annual updates take 2-3 hours if the base assessment is maintained year over year rather than rebuilt from scratch.

The practices that maintain clean compliance records aren’t doing anything extraordinary. They’ve built the administrative habit and have a system that makes record-keeping automatic rather than a manual task.

DEFINITION

Covered Entity
A healthcare provider, health plan, or healthcare clearinghouse that must comply with HIPAA. Medical practices of all sizes that transmit health information electronically are covered entities.

Q&A

What are the HIPAA requirements for small medical practices?

Small practices must: designate a Privacy and Security Officer, conduct annual risk assessments, maintain written policies, train all staff, sign BAAs with every vendor handling PHI, and retain compliance documentation for six years.

Do small medical practices need to be HIPAA compliant?

Yes. HIPAA applies to every covered entity regardless of size. A solo physician practice has the same core compliance requirements as a 500-bed hospital. The penalties are also the same: the OCR has fined solo providers for HIPAA violations.

What does HIPAA compliance cost for a small practice?

Budget $100-$400/month for compliance software or coaching. A practice using PHIGuard for task management and compliance tracking pays $20-$99/month. Practices that need dedicated compliance coaching pay $300+/month for services like Compliancy Group.

What's the most common HIPAA violation for small practices?

Missing or inadequate risk assessments. The OCR consistently cites the absence of a documented risk assessment as the primary deficiency in enforcement actions against small practices. Training records and BAA gaps are close seconds.