
How to Become HIPAA Compliant: A Step-by-Step Guide for Small Practices

Last updated: March 20, 2026

TLDR

Becoming HIPAA compliant requires six core steps: designate a Privacy and Security Officer, conduct a documented risk analysis, write your policies, train your staff, sign BAAs with all vendors that handle PHI, and document everything for audit readiness. Most small practices fail not because they skipped a step, but because they cannot prove they completed it.

Step 1: Designate a Privacy Officer and Security Officer

Every covered entity needs a named Privacy Officer and a named Security Officer. The Privacy Officer owns your privacy policies and handles patient rights requests. The Security Officer owns your technical and physical security safeguards.

In small practices, one person holds both roles. That’s fine and common. What’s not optional: documenting it. Write down the name and the date they took on the role. If that person leaves, update the documentation immediately and designate a replacement before their last day.

OCR auditors ask for this documentation early. “We all kind of handle it together” is not an answer that satisfies an audit.

Step 2: Conduct a risk analysis

A risk analysis identifies every place your practice creates, receives, maintains, or transmits electronic protected health information (ePHI), then evaluates the threats and vulnerabilities at each location and the safeguards already in place.

Start by listing every system: your EHR, scheduling software, billing platform, email, task management tool, cloud file storage, laptops, workstations, tablets, smartphones, and any fax machines that handle PHI. For each one, document what threats exist (ransomware, device theft, employee error, vendor breach), what vulnerabilities are present (weak passwords, no encryption, outdated software), and what safeguards you currently have in place.

Rate each risk as high, medium, or low based on likelihood and potential impact. Write a remediation plan for anything rated high or medium.

HHS provides a free Security Risk Assessment (SRA) tool that structures this process. A 10-person practice can complete an initial assessment in 4-8 hours. Update it annually, and whenever something significant changes: a new software tool, an office move, a major staff change.

Step 3: Write your policies

Your practice needs four written policies at minimum:

A privacy policy covering how staff access and handle PHI, including the minimum necessary standard (staff should access only the PHI they need for their specific job function).

A security policy covering administrative safeguards (who grants and revokes access, how you review activity, how you respond to incidents), technical safeguards (encryption, access controls, audit logging), and physical safeguards (workstation placement, screen locks, locked file cabinets for paper records). Several Security Rule specifications, encryption among them, are "addressable" rather than "required." Addressable does not mean optional: if you decide not to implement one, your policy has to record why it is not reasonable and appropriate for your practice and what equivalent measure you use instead.

A breach notification policy describing how your practice identifies, contains, assesses, and reports a breach. Notification to affected patients is due without unreasonable delay and no later than 60 calendar days after discovery, and the clock starts on the day any workforce member knew or reasonably should have known about the incident, not the day the officer was told. The policy should also cover reporting to HHS: breaches affecting 500 or more people must be reported to HHS (and local media) within the same 60-day window; smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.

A workforce training policy covering when training happens, what it covers, and how you document it.

Template policies are available from multiple sources and work fine as starting points. The key step is customizing them to your actual workflows, not filing away a template that describes a practice that doesn’t resemble yours.

Step 4: Train all staff

Training applies to everyone in your workforce: full-time staff, part-time staff, contractors, temps, and volunteers. It must happen within a reasonable period after someone joins, whenever a material change in your policies affects their job, and, as standard practice, at least annually after that.

Document each training session with a date, the topics covered, and a list of who attended. A sign-in sheet works. A learning management system works better if you have staff turnover, because it keeps records automatically.

The content doesn’t need to be elaborate. Staff need to understand what PHI is, how your practice handles it, what they are and aren’t allowed to do with patient information, how to recognize a phishing attempt, and what to do if they think a breach occurred.

Step 5: Sign BAAs with every vendor that touches PHI

A Business Associate Agreement (BAA) is the contract HIPAA requires before you disclose PHI to a vendor that creates, receives, maintains, or transmits it on your behalf. It spells out the vendor's obligations to safeguard the data and to report incidents back to you. If a vendor stores or transmits PHI and won't sign a BAA, sharing patient data with them is an impermissible disclosure, so you cannot use them for PHI.

Work through your tool stack: EHR, scheduling software, billing platform, task management, email provider, file storage, texting service, analytics tools. For each one, confirm whether PHI flows through it, and whether you have a signed BAA on file.

Common gap: personal Gmail or Google Drive. Consumer Google accounts have no BAA available at all. Google offers a BAA for paid Google Workspace editions, but it does not take effect on its own: an administrator has to accept it in the admin console, and only the services Google lists as covered may then carry PHI. The same pattern applies to other cloud vendors, so check which specific products and tiers each BAA actually covers rather than assuming the whole account is in scope.

Keep copies of every executed BAA in your compliance files.

Step 6: Document everything

Compliance is documentation. An audit doesn’t test whether you did the right things. It tests whether you can prove you did.

Keep records of your risk assessments (including the date and who conducted them), your policy documents (with version dates each time you update them), staff training (attendee names, dates, topics), signed BAAs, and any incidents or breaches.

HIPAA requires retaining most compliance records for six years from creation or last effective date, whichever is later. Use a folder structure that makes these records easy to pull: auditors ask for them, and scrambling to find a two-year-old training sign-in sheet is not a situation you want to be in.

Compliance software (including PHIGuard) automates this record-keeping. Shared drives and spreadsheets work too, as long as someone is maintaining them consistently.

The practices that get into trouble with OCR audits usually didn’t skip the actual compliance work. They just couldn’t prove they did it.


DEFINITION

Privacy Officer
The designated person responsible for your practice's HIPAA privacy policies and procedures. Required by the HIPAA Privacy Rule.

DEFINITION

Security Officer
The designated person responsible for your practice's HIPAA security policies and procedures. Required by the HIPAA Security Rule.

DEFINITION

Risk Analysis
A HIPAA-required assessment that identifies threats and vulnerabilities to electronic protected health information (ePHI) and evaluates existing security measures.

Q&A

What are the steps to become HIPAA compliant?

Six steps: (1) designate a Privacy Officer and Security Officer, (2) conduct a documented risk analysis, (3) write and implement privacy and security policies, (4) train all staff, (5) sign BAAs with every vendor that handles PHI, and (6) document everything and maintain records for six years.

Q&A

How do small practices verify HIPAA compliance?

Keep documented records of your risk analysis, policies (with revision dates), staff training (with attendee lists and topics), executed BAAs, and any incidents. Compliance software automates this tracking — paper processes work but are harder to maintain during an audit.

Want to learn more?

How long does it take to become HIPAA compliant?
For a small practice starting from scratch, expect 2-4 weeks to complete the core requirements: risk analysis, written policies, staff training, a BAA inventory, and documentation setup. Ongoing maintenance (annual risk analysis, training updates) takes a few hours per quarter.
Do small practices really need a formal HIPAA compliance program?
Yes. The Office for Civil Rights enforces HIPAA against practices of all sizes. Small practices — including solo providers — have been fined for missing risk assessments, inadequate training, and using non-BAA vendors. Size does not exempt you.
How much does HIPAA compliance cost for a small practice?
Compliance software ranges from $149-$400/month. PHIGuard covers task management and compliance tracking for $20/month. Full coaching services (Compliancy Group) start at $300+/month. Budget $100-$400/month depending on your needs.
Can I use free tools like personal Gmail or Google Drive for my practice?
No — not for PHI. Personal Gmail and standard consumer Google accounts are not covered by Google Workspace's BAA. Google Workspace (paid) can be configured for HIPAA compliance. Personal accounts cannot.
