You've probably heard "HIPAA applies to hospitals, not us." That assumption just cost several small practices a combined $2.3 million in recent settlements.
2024 was one of the busiest years on record for HHS Office for Civil Rights (OCR) enforcement — 22 settlements and civil monetary penalties totaling $9.94 million. Small and mid-sized practices accounted for the majority of cases. Here's what's changed:
The Risk Analysis Initiative: In October 2024, OCR launched a targeted enforcement campaign specifically focused on practices that haven't conducted adequate security risk analyses. By early 2026, this initiative alone produced 11+ enforcement actions. Vision Upright MRI paid $5,000. Northeast Radiology paid $350,000. Top of the World Ranch paid $103,000. None of them were hospital systems.
Audit cadence is up: OCR's HIPAA audit program resumed in late 2024 with automated evidence collection. Selection is random — being a small practice is not protection.
Fines hit harder at small scale: A $350,000 settlement that a health system treats as a rounding error is existential for a 10-provider practice. OCR knows this. There's no size-based exemption in HIPAA. The Security Rule and all three safeguard categories apply to you exactly as they apply to Mayo Clinic; the rule's "flexibility of approach" (45 CFR § 164.306(b)) lets you scale how you implement each standard to your size and resources, not whether you implement it.
What changed under HITECH: The HITECH Act (2009) expanded HIPAA enforcement to business associates and increased penalty tiers. Breach notification requirements became mandatory. State attorneys general gained authority to enforce HIPAA directly. All of this is now fully operational.
Recent settlements targeting small practices:
- Vision Upright MRI — $5,000 settlement + 2-year corrective action plan
- Northeast Radiology — $350,000 for PACS server exposure, no risk analysis
- Top of the World Ranch Treatment Center — $103,000 for HIPAA Security Rule violation
- Texas healthcare provider — $120,000 for missing BAA with billing vendor (no breach required)
The pattern is clear: OCR is systematically working through the backlog of small-practice cases. Not having been audited yet is not evidence of compliance; it just means your file hasn't been opened.
The 3 HIPAA Security Rule Pillars, Plainly Explained
The HIPAA Security Rule requires you to protect electronic Protected Health Information (ePHI) across three categories. Think of them as three lines of defense:
1. Administrative Safeguards — Your Policies and People
These are the policies, procedures, and management decisions that govern how your practice handles ePHI. This is the largest category — it covers about half of all Security Rule standards.
What it means in practice for a small practice:
- Appoint a HIPAA Security Officer and Privacy Officer (the rule sets no size threshold; one person may hold both roles in a small practice, as long as the assignment is documented in writing)
- Conduct a written risk analysis covering all systems that touch ePHI
- Maintain written policies for access management, incident response, and contingency planning
- Manage your workforce — everyone who touches PHI needs documented HIPAA training
- Execute and manage Business Associate Agreements with every vendor that accesses PHI
Example: Your office manager doubles as Security Officer. She runs the annual risk analysis using the free HHS Security Risk Assessment Tool, documents findings in a one-page remediation plan, and schedules the next review for 12 months out, or sooner if the practice changes EHRs or adds a new system that holds ePHI.
Source: 45 CFR § 164.308; HHS Security Rule Summary
2. Physical Safeguards — Your Building and Devices
These cover the physical environment where ePHI lives — facilities, workstations, and portable devices.
What it means in practice for a small practice:
- Control physical access to your building and server room
- Implement workstation use policies (no sharing workstations without logging out first)
- Have a written process for disposing of ePHI on paper and electronic media
- Document what happens to devices when staff leave
Example: Your server room has a keypad lock. Front desk workstations auto-lock after 5 minutes of inactivity. When Dr. Smith's old laptop is retired, you wipe it using NIST 800-88 guidelines and document the destruction.
Source: 45 CFR § 164.310; NIST SP 800-66 Rev 2
3. Technical Safeguards — Your Technology Controls
These are the technology-based protections for ePHI — who can access it, how it's transmitted, and what audit controls exist.
What it means in practice for a small practice:
- Unique user IDs for every staff member (no shared logins)
- Multi-factor authentication for every user on any system that holds or reaches ePHI (the proposed Security Rule update makes this mandatory; treat it as the baseline now)
- Encryption of ePHI at rest and in transit
- Automatic session timeout on all workstations
- Audit logging of all ePHI access
Example: Your cloud EHR requires a unique login for every staff member, and you enforce MFA for every EHR user, not only the admin account. The EHR vendor encrypts stored data with AES-256 and uses TLS for every connection; you keep the vendor's written attestation in your compliance file. Workstations lock after 10 minutes of inactivity.
Source: 45 CFR § 164.312; HIPAA Journal Technical Safeguards
All three safeguard categories must be documented and maintained. The Security Rule labels some implementation specifications "addressable," which does not mean optional: for each one you must implement it, implement a documented equivalent alternative, or document why it is not reasonable and appropriate for your environment. An addressable item with no decision on file is what OCR treats as a gap in enforcement. Document your decisions either way.
The 12-Point HIPAA Compliance Checklist for Practices Under 50 Staff
Use this as your annual compliance checklist. Check each item, document your status, and update annually.
□ 1. Conduct a comprehensive risk analysis
Document every system, device, and application that stores, transmits, or accesses ePHI — your EHR, email, billing system, scheduling software, cloud storage, workstations, and any portable devices. Identify threats to each. Evaluate your existing safeguards. Rate risk levels. Document everything. OCR's most common enforcement finding across 2024–2025 cases was a missing or inadequate risk analysis — it shows up in over 70% of settlements.
□ 2. Designate a HIPAA Security Officer and Privacy Officer
Put it in writing. For a small practice, one person can hold both roles. The name and contact information of this person is one of the first things OCR asks for in an investigation.
□ 3. Implement and enforce access controls
Every staff member needs a unique user ID. No sharing. No generic "admin" accounts. If you're still on shared logins in your EHR, fix this before your next staff turnover. Multi-factor authentication is no longer optional under the proposed 2026 Security Rule.
□ 4. Encrypt all ePHI — at rest and in transit
If a device with ePHI is lost or stolen and the data isn't encrypted, you have a presumptive breach requiring notification. Full-disk encryption on every device, with the recovery keys stored somewhere other than the device. TLS on all EHR and portal connections. For email, opportunistic TLS between mail servers is not enough on its own; use a service that enforces encryption for messages carrying ePHI (see the BAA section below).
□ 5. Execute and actively manage Business Associate Agreements (BAAs)
Every vendor that creates, receives, maintains, or transmits PHI on your behalf needs a signed BAA before they touch any patient data. This includes your EHR vendor, billing clearinghouse, IT support, cloud storage, telehealth platform, and after-hours answering service. Maintain a central log with effective dates and expiration dates. Review annually.
□ 6. Conduct workforce training — and document it
Every workforce member who could access PHI needs training at hire (before PHI access), annually, and whenever you make material changes to your policies or systems. Training must be role-appropriate. You must retain records of completion — who was trained, when, on what content — for 6 years.
□ 7. Maintain audit logs and review them
Your EHR and any other system containing ePHI should log all access. You don't need to review every entry daily, but you do need a documented, repeatable process: a small set of questions you run against the logs on a schedule (access outside business hours, access by accounts that should have been disabled, users touching far more records than their role requires), a record of who reviewed them and when, and a note of what was investigated and how it was resolved.
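The review process above, as an added example that is not part of the original checklist or any EHR vendor's tooling. It runs three checks over a constructed EHR access-log export and returns findings for a human to triage. The CSV layout (timestamp, user, role, patient_id, action), the clinic hours, the distinct-patient threshold, and the HR roster are all assumptions for illustration; map them to your own system's export and your own baseline.

```python
"""Review an EHR access-log export for entries worth investigating.

Added example for the audit-log checklist item; not code from any EHR vendor.
Assumed CSV columns: timestamp,user,role,patient_id,action (local clinic time).
"""
import csv
from collections import defaultdict
from datetime import datetime, time
from io import StringIO

# Constructed sample export; no real patients or staff.
SAMPLE_LOG = """timestamp,user,role,patient_id,action
2025-03-03T08:05:00,jdoe,front_desk,P1001,view_demographics
2025-03-03T08:06:00,jdoe,front_desk,P1002,view_demographics
2025-03-03T09:10:00,asmith,clinician,P1001,view_chart
2025-03-03T09:12:00,asmith,clinician,P1001,update_note
2025-03-03T23:40:00,asmith,clinician,P1003,view_chart
2025-03-03T23:41:00,asmith,clinician,P1004,view_chart
2025-03-04T10:00:00,bjones,billing,P1001,view_claims
2025-03-04T10:01:00,bjones,billing,P1002,view_claims
2025-03-04T10:02:00,bjones,billing,P1003,view_claims
2025-03-04T10:03:00,bjones,billing,P1004,view_claims
2025-03-04T10:04:00,bjones,billing,P1005,view_claims
2025-03-04T10:05:00,bjones,billing,P1006,view_claims
2025-03-04T10:06:00,bjones,billing,P1007,view_claims
2025-03-04T11:00:00,tlee,front_desk,P1001,view_demographics
"""

# Constructed HR roster: tlee left last month but the EHR account was never disabled.
ACTIVE_USERS = {"jdoe", "asmith", "bjones"}

# Assumptions: clinic open 07:00-19:00; a single user viewing 6+ distinct
# patients in one day is above this practice's baseline. Tune both to your data.
BUSINESS_HOURS = (time(7, 0), time(19, 0))
DISTINCT_PATIENT_THRESHOLD = 6


def parse_log(text):
    """Parse the CSV export and attach a datetime to each row."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["ts"] = datetime.fromisoformat(row["timestamp"])
    return rows


def review_access_log(text, active_users, hours=BUSINESS_HOURS,
                      threshold=DISTINCT_PATIENT_THRESHOLD):
    """Return a list of (rule, user, detail) findings for a reviewer to triage."""
    findings = []
    patients_per_user_day = defaultdict(set)

    for row in parse_log(text):
        # Rule 1: access by an account that is not on the active workforce roster
        # (termination not propagated to the EHR).
        if row["user"] not in active_users:
            findings.append(("inactive_account", row["user"], row["timestamp"]))

        # Rule 2: ePHI access outside business hours.
        t = row["ts"].time()
        if not (hours[0] <= t < hours[1]):
            findings.append(("after_hours", row["user"], row["timestamp"]))

        patients_per_user_day[(row["user"], row["ts"].date())].add(row["patient_id"])

    # Rule 3: one user touching unusually many distinct patients in a day.
    # Billing staff legitimately touch many charts, so set the threshold per role
    # in a real deployment; a single number is used here to keep the example short.
    for (user, day), patients in patients_per_user_day.items():
        if len(patients) >= threshold:
            findings.append(("high_volume", user, f"{day}: {len(patients)} patients"))

    return findings


if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG, ACTIVE_USERS):
        print(finding)
```

Run it against the sample and it flags the disabled-but-active account, two late-night chart views, and one user with seven distinct patients in a day. Each finding should end up in your review log with a disposition (expected, investigated and closed, or escalated), which is the artifact OCR asks for.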
□ 8. Create and test a contingency plan
Your contingency plan covers what happens when your systems fail — data backup procedures, recovery time objectives, and what your practice does in the first 24 hours of an incident. Test your backups at least annually. Document the test results.
□ 9. Document your breach notification procedures in writing
Know who you notify, when, and in what order. Individual notification without unreasonable delay and no later than 60 calendar days after discovery. HHS OCR notification within the same 60 days for breaches affecting 500 or more people; smaller breaches go on an annual log submitted within 60 days after the end of the calendar year. Media notification within 60 days if 500 or more residents of a single state or jurisdiction are affected. Business associates must notify you within 60 days of their own discovery under the rule's default; your BAA should set a much shorter window, because their 60 days eats into yours.
□ 10. Implement automatic workstation timeout
Automatic logoff is an addressable Security Rule specification (45 CFR § 164.312(a)(2)(iii)); the rule does not fix a number of minutes. Fifteen minutes is the upper end of common practice, and shared front-desk machines should lock sooner. This is also basic ransomware hygiene: an unattended, unlocked workstation is one of the easiest footholds an intruder can get.
□ 11. Conduct a physical security review
Server room locked. Visitor access logged. No patient records left in plain sight in reception areas. Workstations positioned so screens aren't visible to patients. Old devices sanitized before disposal.
□ 12. Maintain all compliance documentation for 6 years
Risk analyses, policies, training records, BAA copies, incident reports, audit logs — all of it. Retain for 6 years from the date of creation or the date it was last in effect, whichever is later. If you can't produce it, OCR treats it as if it doesn't exist.
Before You Check That Last Box: Download the Full IR Playbook
This checklist covers the annual maintenance. But when a breach actually happens — and healthcare is the most attacked sector for ransomware — you need a documented playbook your whole team can follow in the first 60 minutes.
Our Incident Response Playbook for small medical practices covers exactly that: the first-hour decisions that determine whether a breach costs you $10K or $250K. It includes the breach notification timeline, team roles, law enforcement contacts, and communication templates.
Download the free IR Playbook — it's the one document you hope never to need.
Download the Incident Response Playbook →
Business Associate Agreements — The Vendor Gap Most Small Practices Miss
You have more BAAs than you think. And the missing ones are your biggest compliance liability.
When do you need a BAA?
Any time a vendor creates, receives, maintains, or transmits Protected Health Information on your behalf. This is broad. It covers:
- Your EHR vendor — yes, you need a BAA with them (most modern EHRs include this, but verify)
- Cloud storage (Google Drive, Dropbox, Box) — almost never HIPAA compliant by default; you need a specific business-tier account with a signed BAA
- Standard email (consumer Gmail, Outlook.com) — no BAA is available, so it cannot carry ePHI. The paid business tiers of Google Workspace and Microsoft 365 do offer a BAA, but only with encryption and access controls configured correctly; a healthcare-specific encrypted email service is the other option
- Scheduling software — patient names + appointment data = PHI; needs a BAA
- Billing clearinghouses — usually handled automatically by your EHR, but verify
- Telehealth platforms — consumer-grade Zoom/FaceTime are not covered by a BAA; the pandemic-era enforcement discretion for telehealth ended in 2023, so use a platform with a signed BAA
- AI scribe or clinical note tools — increasingly common, and the BAA is almost never offered unless you ask for it
- After-hours answering service — they hear patient information; needs BAA
- IT support/MSP — if they can access your EHR or systems with PHI, needs a BAA
Common vendor gaps
The expired BAA: You signed one in 2019. The vendor has been acquired, updated their terms, or the agreement expired. You kept sharing PHI. You have a gap.
The one-size-fits-all BAA: A vendor sends you their standard template. It covers the basic HIPAA language but says "promptly" instead of specifying a breach notification timeframe, says nothing about subcontractor obligations, and doesn't include audit rights. It may meet the regulatory minimum on paper, but it leaves you unable to meet your own notification deadlines or verify the vendor's controls.
The implied BAA: A vendor says "we don't think you need a BAA." If they're handling PHI, you do. The law doesn't care what a vendor's sales rep thinks.
The AI vendor: You signed up for a clinical AI tool. It processes patient notes. You never asked for a BAA. You may be in violation right now.
Red flags in vendor BAAs
- Vague breach notification language — "without unreasonable delay" or "as soon as practicable" instead of a specific limit in hours or days. Absent a contractual limit, the rule gives the vendor up to 60 days, which consumes most of your own 60-day clock; "promptly" is not a timeline
- No subcontractor BAA requirement — the vendor's subcontractors also handle PHI; they need BAAs too
- No audit rights — your BAA should let you request evidence of the vendor's security controls
- Missing data destruction at termination — when the contract ends, what happens to your PHI?
- No security control specificity — a BAA that only says "vendor maintains reasonable security" without specifying encryption, access controls, or incident response is not adequate
What a real BAA includes
Required elements under 45 CFR § 164.504(e):
- Permitted and required uses and disclosures of PHI
- No use or further disclosure beyond what the contract or the law permits
- Appropriate safeguards for PHI, including compliance with the Security Rule for ePHI
- Reporting of any use or disclosure not provided for by the contract, including breaches of unsecured PHI and security incidents
- Flow-down of the same restrictions to any subcontractor that handles PHI
- Support for individual rights: making PHI available for access, amendment, and an accounting of disclosures
- Making internal practices, books, and records available to HHS
- Return or destruction of PHI at termination
- Minimum necessary compliance is an obligation the vendor has under the rule regardless; many BAAs restate it, but it is not one of the listed contract clauses
Get the HHS sample BAA provisions: hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions
Workforce Training Requirements — What OCR Actually Wants to See
HIPAA requires workforce training. But "training happened" isn't what OCR auditors want to see — they want evidence that every single workforce member completed it, when, on what content, with documentation of comprehension.
Training frequency
- At hire: Before the person first touches PHI. The Privacy Rule's wording is "within a reasonable period of time" after joining the workforce; a 30-day internal deadline is a defensible way to define that. Texas practices have a 90-day statutory deadline under HB 300. Don't wait.
- Annually: The OCR baseline expectation (the rule itself does not name a frequency, but annual refreshers are what resolution agreements require). Security awareness training plus Privacy Rule content covering patient access rights, the minimum necessary standard, and your specific policies.
- After material changes: New EHR? New access control policy? New telehealth tool? Retrain affected staff before the change goes live.
- After security incidents: Targeted retraining for the specific workforce members involved. OCR commonly requires this as part of corrective action plans.
Role-based content
One training curriculum for your entire office doesn't cut it. Content must be "necessary and appropriate" for each workforce member's job functions.
- Clinical staff — PHI handling procedures, patient access rights, minimum necessary standard, how to respond to patient record requests
- Front desk and admin — registration, scheduling data handling, physical security of paper records, patient disclosure documentation
- Billing staff — claims handling, account information, disclosure authorization requirements, data retention
- IT and management — access control configuration, audit log review procedures, incident response plan, vulnerability management
Documentation OCR expects
For each training event, retain:
- Employee name and job role
- Date and timestamp of completion
- Topics covered (and which policy version was current at that time)
- Form of comprehension verification (quiz score, signed acknowledgment)
- Name of trainer or training platform used
Retention period: 6 years minimum.
What OCR actually checks
Auditors pull your training records and look for:
- Does every current workforce member have a completion record on file?
- Is there a remediation workflow for employees who missed training or failed assessments?
- Does the content match the policy version current at the time of training?
- Are volunteers, temporary staff, and contractors included?
- Is there evidence of comprehension verification (not just attendance)?
One-and-done training at hire with no annual refresher has been cited as a deficiency in multiple OCR resolution agreements. If you can't show annual refreshers, OCR will treat that as a gap.
Breach Notification — The 60-Day Rule and Your Notification Checklist
When a breach happens, the clock starts immediately. Here's exactly what HIPAA requires and in what order.
What counts as a breach
Any unauthorized acquisition, access, use, or disclosure of unsecured PHI that compromises the security or privacy of the information. It applies when:
- PHI is accessed by an unauthorized person
- PHI is stolen, lost, or improperly disposed of
- PHI is disclosed without authorization (even accidental)
- A ransomware attack encrypts PHI (OCR treats this as a presumed breach unless your risk assessment shows a low probability that the PHI was compromised; "no confirmed exfiltration" alone does not get you there)
Important: "Unsecured" PHI means PHI that has not been rendered unusable, unreadable, or indecipherable under HHS guidance, in practice by encryption or destruction. If ePHI is on an encrypted device that is stolen, and the decryption key was not also compromised, breach notification may not be required. This is why encryption matters so much.
Discovery rule: A breach is discovered on the date you knew about it, OR the date you should have known with reasonable diligence. For workforce members and agents, the covered entity is deemed to have discovered the breach when they discovered it.
Who to notify and when
Affected individuals — notify by first-class mail to the last known address, or by email only if the individual has agreed to electronic notice; substitute notice (website posting or major media) is required when contact information is insufficient for 10 or more people. Must be sent without unreasonable delay and no later than 60 calendar days after discovery. The notification must include:
- Description of what happened, including the date of the breach and the date of discovery
- Types of unsecured PHI involved
- Steps individuals should take to protect themselves
- What the practice is doing to investigate, mitigate harm, and prevent recurrence
- Contact procedures for questions, including a toll-free number, email address, website, or postal address
HHS OCR:
- 500 or more individuals affected: Report without unreasonable delay and within 60 days of discovery, contemporaneously with individual notification
- Fewer than 500: Log the breach and report it within 60 days after the end of the calendar year in which it was discovered (March 1 in most years, February 29 when the following year is a leap year)
Media (for large breaches): If a breach affects 500 or more residents of a state or jurisdiction, issue a press release to prominent media outlets serving that area within 60 days of discovery.
Business associates: Must notify the covered entity within 60 days of their own discovery of a breach unless the BAA sets a shorter window. If the business associate is acting as your agent, its discovery date is treated as yours, so your 60 days start then too.
Sample notification timeline
| Day | Action |
|---|---|
| Day 0 | Breach discovered. Log the exact time. Start investigation. |
| Days 0–3 | Contain the incident. Preserve evidence. Identify scope. Notify IT/security response team. |
| Days 3–30 | Complete breach risk assessment. Determine if notification is required. Prepare individual notification letters. |
| Days 30–60 | Mail notifications to all affected individuals. Submit OCR breach report if 500+ affected. Issue media notice if applicable. |
| March 1 (if <500) | Submit annual small breach report to OCR for prior calendar year. |
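The timeline above as a deadline calculator, added here as an example and not taken from HHS or any compliance vendor. It implements the 45 CFR §§ 164.404–164.410 windows: 60 calendar days from discovery for individuals and, at 500 or more affected, for HHS; a per-state media deadline where 500 or more residents of one state are affected; the annual HHS log for smaller breaches at 60 days after the calendar year ends; and the business associate's default 60-day window from its own discovery unless the BAA shortens it. The function name, the dictionary layout, and the sample breaches are assumptions for illustration.

```python
"""Compute HIPAA breach-notification deadlines from a discovery date.

Added example for the notification timeline; not from HHS or any vendor.
Dates are a planning aid, not legal advice: confirm them with counsel, and
remember the rule requires notice "without unreasonable delay", so 60 days
is the outer limit, not the target.
"""
from datetime import date, timedelta

NOTIFY_WINDOW = timedelta(days=60)   # 45 CFR 164.404(b), 164.406(b), 164.408(b)
LARGE_BREACH = 500                   # threshold for contemporaneous HHS and media notice


def breach_deadlines(discovered, affected_by_state, ba_discovered=None,
                     baa_report_days=None):
    """Return the notification deadlines for one breach.

    discovered        -- date you knew, or with reasonable diligence should
                         have known, of the breach (45 CFR 164.404(a)(2))
    affected_by_state -- {state_code: number of that state's residents affected}
    ba_discovered     -- date a business associate discovered it (None if the
                         breach happened at your practice)
    baa_report_days   -- reporting window written into the BAA; None means the
                         regulatory default of 60 days
    """
    total = sum(affected_by_state.values())
    deadlines = {"individuals": discovered + NOTIFY_WINDOW}

    if total >= LARGE_BREACH:
        # HHS is told contemporaneously with individuals.
        deadlines["hhs"] = discovered + NOTIFY_WINDOW
    else:
        # Annual log: 60 days after the end of the calendar year of discovery.
        # That is March 1 in most years and Feb 29 when the next year is a leap year.
        deadlines["hhs"] = date(discovered.year, 12, 31) + NOTIFY_WINDOW

    # Media notice is per state or jurisdiction, only where 500+ residents are hit.
    deadlines["media"] = {
        state: discovered + NOTIFY_WINDOW
        for state, count in affected_by_state.items() if count >= LARGE_BREACH
    }

    if ba_discovered is not None:
        days = 60 if baa_report_days is None else baa_report_days
        deadlines["ba_report_to_you"] = ba_discovered + timedelta(days=days)

    return deadlines


def days_remaining(deadline, today):
    """Days left before a deadline; negative means it has already passed."""
    return (deadline - today).days


if __name__ == "__main__":
    # Constructed scenario: PACS server exposed, 620 Texas and 30 Oklahoma patients.
    plan = breach_deadlines(date(2025, 3, 3), {"TX": 620, "OK": 30})
    for key, value in plan.items():
        print(f"{key:>16}: {value}")
    print("days left for individuals as of 2025-04-01:",
          days_remaining(plan["individuals"], date(2025, 4, 1)))
```

The calculator makes two points the table only implies: the 60-day clock for a breach at a business associate starts at the associate's discovery, which is why the BAA should shorten its reporting window, and a small breach discovered late in the year still has to be on the annual log a few weeks later.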
What this costs if you miss it: Presence Health paid $475,000 in a 2017 settlement with OCR for notifying affected individuals, HHS, and the media well past the 60-day limit; the notices went out more than a month late. OCR doesn't accept "we were still investigating" as an excuse past the 60-day mark.
Source: HHS Breach Notification Rule; 45 CFR § 164.404
A Realistic $0–$5K Annual Compliance Budget for a 10-Provider Practice
Here's what a compliance program actually costs at different investment levels.
DIY Tier — $0 to $500/year
What's included:
- Free HHS Security Risk Assessment Tool
- Free HHS sample BAA templates and policy templates
- Free annual training using publicly available resources
What you're missing: Ongoing monitoring, automated training tracking, vendor compliance verification. This tier is where practices get caught off-guard — the documents exist, but no one updates them or tracks expirations.
OCR readiness: Low. Acceptable only if you have a dedicated compliance officer who actively manages the program year-round.
Core Compliance Stack — $2,000 to $3,500/year
| Item | Cost |
|---|---|
| HIPAA compliance platform (includes SRA, training tracking, policy library) | $499/year |
| HIPAA-compliant encrypted email ($15/user/month × 10 providers × 12 months) | $1,800/year |
| BAA management software | $299/year |
| Annual third-party risk assessment (one-time setup, then DIY) | $500 setup |
| Total | ~$3,100/year |
At this tier, you have a managed compliance program, encrypted communications, and a process for tracking BAAs and training deadlines.
Full Compliance Stack — $4,800 to $5,800/year
| Item | Cost |
|---|---|
| HIPAA compliance platform (tracking, training, SRA) | $499/year |
| HIPAA-compliant encrypted email | $1,800/year |
| Annual penetration test (outsourced) | $1,200/year |
| BAA management software | $299/year |
| Incident response retainer (verify whether cyber insurance covers this first) | $1,000–$2,000/year |
| Total | ~$4,800–$5,800/year |
Pro tip: Before paying for a separate incident response retainer, check your cyber insurance policy. Many policies include incident response coordination at no additional cost. You may be paying for something you already have.
Start with a Free HIPAA Readiness Score
You don't need to spend $5K to know where you stand. Our free HIPAA Readiness Scorecard takes 10 minutes and tells you exactly which gaps to fix first — ranked by OCR enforcement priority.
Take the HIPAA Readiness Scorecard →
When you're ready to go deeper — live training, incident response planning, or policy development — book a session with our team.
For medical practices specifically, see our HIPAA compliance page for healthcare providers →
Frequently Asked Questions
How often must we train our staff on HIPAA?
At minimum: once when hired (before accessing PHI), then annually. You also need to retrain affected staff whenever you make material changes to your policies, systems, or technology. OCR enforcement actions frequently cite practices that did initial training only and never refreshed — a single session at hire doesn't satisfy the ongoing requirement.
What's a BAA and why do we need one?
A Business Associate Agreement is a legally required contract between your practice and any vendor that creates, receives, maintains, or transmits Protected Health Information on your behalf. Under HIPAA (45 CFR § 164.504(e)), operating without a signed BAA is a violation — even if no breach occurs. The BAA makes the vendor legally responsible for protecting PHI in the same way HIPAA holds you responsible. Without it, both you and the vendor are exposed.
Are small practices exempt from HIPAA under the 50-employee threshold?
No. The 50-employee "small employer" figure comes from HIPAA's insurance portability provisions, which govern group health plans, not from the Privacy or Security Rules. The only size-based concession in the Administrative Simplification rules was an extra year of compliance time for small health plans when the rules first took effect. All covered entities, regardless of size, must comply with the Security Rule's administrative, physical, and technical safeguard requirements. A 3-provider family practice has the same obligations as a 300-bed hospital under the Security Rule; only the scale of the implementation differs.
What typically triggers an OCR audit?
OCR investigations are triggered by: (1) patient complaints about Privacy Rule violations — patient access rights and untimely response to records requests are the most common trigger; (2) breach reports — when you file a breach notification with OCR, that investigation often expands; (3) complaint-driven investigations by state attorneys general; (4) proactive audit program selection — random, not based on size; and (5) referrals from other agencies, including law enforcement following ransomware incidents.
What does a breach actually cost a small medical practice?
Direct costs include breach notification (mailing, call center setup, credit monitoring offers), legal counsel, OCR penalties (statutory base of $100 to $50,000 per violation with a $1.5M annual cap per violation category, adjusted for inflation each year to somewhat over $2M today), and remediation of the compromised systems. Indirect costs include HIPAA corrective action plans requiring annual risk assessments and OCR monitoring for 1–3 years, lost revenue during downtime (ransomware average downtime is 21 days), and reputational damage: patients whose data was exposed may switch providers. Small practice settlements from OCR in 2024–2025 ranged from $5,000 to $350,000. The average breach for a small healthcare organization costs $2.4 million total according to IBM's 2024 Cost of a Data Breach report. Cyber insurance helps with direct costs, but most policies require you to notify the carrier and obtain consent before paying a ransom or engaging outside responders; skip that step and the claim can be denied.