
HIPAA Compliance Checklist for Small Medical Practices

Last updated: March 20, 2026

TLDR

HIPAA compliance for small practices comes down to six steps: designate a privacy/security officer, conduct a risk assessment, write your policies, train your staff, set up compliant tools, and document everything. Most small practices fail on documentation — not because they aren't doing the work, but because they can't prove it during an audit.

Why This Checklist Exists

There are roughly 800,000 medical practices in the United States. 47.4% of physicians work in practices of 10 or fewer. These practices are subject to the same HIPAA requirements as hospital systems with dedicated compliance departments.

Most small practices don’t ignore compliance. They just don’t have a clear picture of what “compliance” actually requires. The regulations are dense, the guidance is vague, and the consulting industry profits from making it seem more complicated than it is.

This checklist covers the practical requirements. No jargon, no fear-mongering, just the steps your practice needs to take and maintain.

Step 1: Designate a Privacy and Security Officer

HIPAA requires a designated Privacy Officer (responsible for PHI privacy policies) and a Security Officer (responsible for ePHI security measures). In a 5-person practice, one person typically fills both roles.

This is a documented designation. Put it in writing, date it, and file it. If the person leaves, document the new designee. Auditors check for this.

Step 2: Conduct a Risk Assessment

The risk assessment sits at the base of your HIPAA compliance program. It’s also the most common deficiency found in enforcement actions.

A risk assessment identifies every place your practice creates, receives, stores, or transmits protected health information. Then it evaluates the threats and vulnerabilities associated with each one. Then it documents what you’re doing to mitigate those risks.

For a small practice, this covers: your EHR system, paper records, email, fax machines, phones, task management tools, cloud storage, messaging apps, and any vendor who touches patient data.

You don’t need a consultant to do this. You need a structured format (software like PHIGuard, a template from HHS.gov, or even a detailed spreadsheet) and 4-8 hours to work through it honestly.

Step 3: Write and Implement Policies

Your practice needs written policies. Not a binder you bought from a consultant that sits on a shelf. Actual policies that reflect how your practice operates.

At minimum: a privacy policy (who accesses PHI and under what circumstances), a security policy (passwords, encryption, device management), a breach notification policy (what to do when something goes wrong), and a minimum necessary policy (staff only access the PHI they need for their specific task).

Template policies are fine as a starting point. Customize them to match your practice’s actual workflows.

Step 4: Train All Staff

Every person in your practice who handles PHI needs HIPAA training. This includes the physicians, nurses, medical assistants, receptionists, billing staff, cleaning crew (if they can access areas with PHI), and any contractors or volunteers.

Training must happen at hire and annually thereafter. Document who attended, what was covered, and when it occurred. A sign-in sheet with the training date and topics covered is the minimum documentation.

Step 5: Set Up Compliant Tools

Audit every tool your practice uses. If it touches PHI, you need a BAA from that vendor. Common tools that require BAAs: EHR systems, task management software, email providers, cloud storage, fax services, messaging platforms, appointment scheduling tools, and billing systems.

If a vendor won’t sign a BAA, you can’t use that tool with PHI. That includes popular consumer tools like standard Gmail, Slack (without Enterprise), Trello (without Enterprise), and most free collaboration tools.

Step 6: Document Everything

The documentation requirement is where most small practices fall short. You might be doing everything right (training staff, conducting risk assessments, maintaining policies) but if you can’t produce the records during an audit, it doesn’t count.

Keep records of every risk assessment (current and historical), every policy version and update date, every training session and attendee list, every BAA, and every incident or near-miss. HIPAA requires retaining these records for six years.

This is where compliance software pays for itself. PHIGuard’s compliance dashboard tracks all of these requirements in one place, so when an auditor asks for your risk assessment history or training records, you pull them up in seconds instead of digging through filing cabinets.


DEFINITION

Business Associate Agreement (BAA)
A legally required contract between a HIPAA-covered entity and any vendor that handles protected health information on its behalf. Without a signed BAA, using a third-party tool for PHI-related tasks creates a compliance violation.

DEFINITION

Protected Health Information (PHI)
Any individually identifiable health information created, received, maintained, or transmitted by a covered entity — including patient names, diagnoses, appointment details, and billing data.

DEFINITION

Risk Analysis
A required HIPAA Security Rule activity in which a covered entity identifies potential threats and vulnerabilities to the confidentiality, integrity, and availability of its electronic PHI (ePHI).

Q&A

What is the HIPAA compliance checklist for a small medical practice?

A small practice HIPAA checklist covers: (1) designate a HIPAA Privacy Officer and Security Officer, (2) conduct and document an annual risk analysis, (3) implement written privacy and security policies, (4) train all staff, (5) sign BAAs with all vendors handling PHI, (6) establish breach notification procedures, and (7) audit PHI access logs regularly.

Q&A

How often does a small practice need to update its HIPAA compliance program?

HIPAA requires an annual risk analysis review. Policies must be updated whenever there are operational, regulatory, or technology changes. Staff training should be conducted at onboarding and at least annually thereafter.

Q&A

Do task management tools need a BAA for HIPAA compliance?

Yes, if the tool stores, transmits, or touches PHI. Using Asana, Trello, or Monday.com for tasks involving patient information without a BAA is a HIPAA violation. PHIGuard includes a BAA at every pricing tier.

Want to learn more?

How long does it take to become HIPAA compliant?
For a small practice starting from scratch, expect 2-4 weeks to complete the core requirements: risk assessment, written policies, staff training, BAA audits, and documentation. Ongoing maintenance (annual risk assessments, regular training, policy updates) takes a few hours per quarter.

Does my small practice really need a formal risk assessment?
Yes. A risk assessment is the most commonly cited deficiency in HIPAA enforcement actions. The Office for Civil Rights (OCR) has fined practices with as few as 1-2 providers for lacking a documented risk assessment. It's the first thing auditors look for.

Can I do HIPAA compliance myself or do I need a consultant?
Small practices can manage HIPAA compliance without a consultant by using compliance software or structured checklists. A consultant (like Compliancy Group at $300+/month) is helpful for initial setup if you have no compliance experience. For ongoing management, software is more cost-effective.

What are the penalties for HIPAA violations?
Penalties range from $100 to $50,000 per violation, with annual maximums of $25,000 to $1.5 million per violation category. Willful neglect with no correction starts at $50,000 per violation. Small practices are not exempt from enforcement; the OCR investigates practices of all sizes.

How often do I need to update my HIPAA compliance?
Risk assessments should be updated annually or whenever significant changes occur (new EHR system, office relocation, staff changes). Staff training is required annually. Policies should be reviewed annually and updated as needed. BAAs should be reviewed when vendor contracts renew.
