HIPAA Compliance Checklist for Small Medical Practices (2026)
HIPAA compliance for small medical practices is often treated as a binary — either you have it or you don't. The reality is more granular: compliance is a set of documented, implemented, and maintained controls across the Security Rule, Privacy Rule, and Breach Notification Rule. No practice is perfectly compliant at all times, but the difference between a defensible program and a regulatory catastrophe is having documented evidence that you've implemented reasonable safeguards and are actively maintaining them.
This checklist is structured around what HHS OCR actually looks for in investigations and audits. It's not exhaustive of every HIPAA provision but covers the controls that small practices most commonly fail on — and that are most commonly cited in enforcement actions.
Part 1: Security Rule — Administrative Safeguards
The Administrative Safeguards under the HIPAA Security Rule are the policies, procedures, and oversight activities that govern how your practice manages ePHI (electronic protected health information). They're the foundation of your compliance program.
Security Management Process
- [ ] Conduct a Security Risk Analysis (SRA)
Complete a thorough assessment of the risks and vulnerabilities to ePHI in your environment. This is the single most-cited failure in OCR investigations. The SRA must be documented, not just completed mentally. Required elements: identify ePHI assets, assess threats and vulnerabilities, evaluate current controls, determine likelihood and impact of threats, document findings.
- [ ] Implement a Risk Management Plan
Based on your SRA findings, document how you'll reduce identified risks to a reasonable level. The plan should include specific remediation actions, responsible parties, and timelines.
- [ ] Review and update the SRA regularly
Update your risk analysis whenever significant changes occur: new EHR system, new office location, remote work expansion, new clinical technology, staff changes in PHI-access roles. At minimum, review annually.
Workforce Policies
- [ ] Designate a Privacy Officer and Security Officer
Name a specific person responsible for HIPAA privacy (Privacy Rule compliance) and a person responsible for security (Security Rule compliance). In small practices, this is often the same person — typically the practice manager or the physician-owner. Document the designation in writing.
- [ ] Establish workforce clearance and access procedures
Document how you determine which staff members can access ePHI, what level of access they receive, and how access is granted and revoked.
- [ ] Implement a sanction policy
Write a policy specifying consequences for workforce members who violate HIPAA policies. OCR expects to see this documented, even if it's never been invoked.
Training
- [ ] Train all workforce members on HIPAA policies at hire
All staff with access to PHI or who work in a healthcare environment must receive HIPAA training before accessing systems containing patient information. Document the training date and content.
- [ ] Conduct annual HIPAA training
Annual refresher training is a best practice that most healthcare compliance advisors treat as required. Document completion dates and keep records for six years.
- [ ] Train staff on security awareness
Beyond HIPAA-specific training, staff should receive training on phishing, password hygiene, device security, and social engineering — the actual threat vectors that cause most healthcare breaches.
Contingency Planning
- [ ] Establish a data backup plan
Document how ePHI is backed up, how frequently, and how backups are tested.
- [ ] Create a disaster recovery plan
Document procedures for restoring access to ePHI after a system failure or disaster.
- [ ] Test your contingency plans
Testing is part of the requirement. Document when tests were conducted and the results.
Part 2: Security Rule — Physical Safeguards
Physical safeguards control physical access to ePHI and the systems that store it.
Facility Access Controls
- [ ] Control physical access to areas where ePHI is stored or accessed
Document how access to areas containing ePHI (server rooms, workstations, paper record storage) is controlled. This can be as simple as locked doors and key card access.
- [ ] Implement a workstation use policy
Document policies for the appropriate use of workstations that access ePHI: screen locking when unattended, positioning to prevent unauthorized viewing, workstation-specific access controls.
- [ ] Workstation physical security
Ensure workstations are positioned so patient information can't be viewed by unauthorized persons. Consider screen privacy filters in reception and exam areas.
Device and Media Controls
- [ ] Document how devices containing ePHI are managed
Track which devices (workstations, laptops, tablets, mobile phones) access or store ePHI. Maintain an inventory.
- [ ] Establish procedures for device disposal
Document how devices are wiped or destroyed when retired. Hard drive destruction or certified wiping is the standard. Keep destruction records.
- [ ] Control media movement
Document policies for portable media (USB drives, external hard drives) containing ePHI — or prohibit their use entirely.
Part 3: Security Rule — Technical Safeguards
Technical safeguards are the controls built into your systems to protect ePHI.
Access Controls
- [ ] Assign unique user IDs to all staff accessing ePHI
No shared logins. Every person accessing your EHR or systems containing ePHI must have an individual, uniquely identified account. This is critical for audit logging to be meaningful.
- [ ] Implement automatic logoff
Configure systems to log out inactive sessions after a defined period. Typically 15 minutes for clinical workstations.
- [ ] Use role-based access controls
Staff should only be able to access the ePHI their role requires. A front-desk scheduler doesn't need access to clinical notes. Document your access control structure.
Audit Controls
- [ ] Implement audit logs
Your EHR and systems containing ePHI should generate activity logs — who accessed what records, when. Verify your EHR has this capability enabled.
- [ ] Review audit logs periodically
Log generation isn't enough. Document a process for reviewing logs to detect inappropriate access. Frequency can be risk-based (monthly review of high-risk accounts, quarterly review of general access).
Integrity Controls
- [ ] Implement mechanisms to ensure ePHI hasn't been altered or destroyed
This can be handled through checksums, version control, and access logs. Your EHR likely handles this natively for records it stores; confirm that and document it.
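For ePHI that lives outside the EHR, such as scanned documents, exports and the files produced when a backup is restored during a contingency-plan test (Part 1 above), the practice has to supply the integrity mechanism itself. The following is an added example, not a feature of any EHR or backup product: it builds a manifest of keyed SHA-256 digests over a directory of records and later reports which files were modified, removed or added. The directory layout, file contents and key are constructed for the demonstration. A keyed digest (HMAC) is used instead of a bare checksum because anyone who can alter a file can also recompute a plain SHA-256, but cannot forge the manifest entry without the key, which is kept separately from the records.

```python
"""Keyed integrity manifest for ePHI files outside the EHR (scanned documents,
exports, backup restores). Added example, not any vendor's feature; the
directory layout, file contents and key are constructed for the demonstration."""
import hashlib
import hmac
import os
import tempfile


def _write(base, rel, data):
    """Create rel (with parent directories) under base and write data to it."""
    path = os.path.join(base, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def build_manifest(record_dir, key):
    """Return {relative path: HMAC-SHA256 hex digest} for every file under record_dir.

    Keyed rather than a bare checksum: an attacker who edits a record can
    recompute SHA-256, but cannot produce a matching HMAC without the key."""
    manifest = {}
    for root, _, files in os.walk(record_dir):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, record_dir).replace(os.sep, "/")
            with open(path, "rb") as f:
                manifest[rel] = hmac.new(key, f.read(), hashlib.sha256).hexdigest()
    return manifest


def verify_manifest(record_dir, key, manifest):
    """Compare the directory's current state against a previously stored manifest."""
    current = build_manifest(record_dir, key)
    return {
        "modified": sorted(p for p in manifest if p in current
                           and not hmac.compare_digest(current[p], manifest[p])),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def demo():
    """Build a manifest, tamper with the records, and return what verification finds."""
    # Constructed key for the demo; in practice load it from a secret store,
    # never from source code or from the same directory as the records.
    key = b"constructed-demo-key-do-not-use"
    with tempfile.TemporaryDirectory() as record_dir:
        _write(record_dir, "P1001/note-2026-03-02.txt", b"Follow-up visit. BP 128/82.")
        _write(record_dir, "P1002/labs.csv", b"test,value\nA1C,6.1\n")
        manifest = build_manifest(record_dir, key)
        clean = verify_manifest(record_dir, key, manifest)
        assert clean == {"modified": [], "missing": [], "added": []}

        # Constructed tampering: one note edited, one file deleted, one file added.
        _write(record_dir, "P1001/note-2026-03-02.txt", b"Follow-up visit. BP 118/76.")
        os.remove(os.path.join(record_dir, "P1002", "labs.csv"))
        _write(record_dir, "P1003/referral.txt", b"Referral letter not in manifest.")
        return verify_manifest(record_dir, key, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In use, the manifest is generated when records are archived or a backup is taken, stored apart from the records (ideally on write-once or separately controlled storage), and re-verified on a schedule and after every restore test; the dated verification output is the documentation the checklist calls for, and a non-empty `modified` or `missing` list is an incident-log entry, not just a console message.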
Transmission Security
- [ ] Encrypt ePHI in transit
Any ePHI transmitted over open networks (email, fax over VoIP, patient portal, telemedicine) must be encrypted. Verify your email system and patient communication tools use encryption.
- [ ] Encrypt ePHI at rest on portable devices
Laptops, tablets, and mobile phones used to access ePHI should have full-disk encryption enabled.
Part 4: Privacy Rule
The Privacy Rule governs appropriate uses and disclosures of all PHI (not just electronic).
- [ ] Develop a Notice of Privacy Practices (NPP)
Write an NPP that explains to patients how you use and disclose their health information, their rights, and your legal obligations. This must be provided to patients at first service delivery and posted at your physical location and on your website.
- [ ] Document patient rights procedures
Patients have HIPAA rights to access their records, request amendments, request an accounting of disclosures, and restrict some uses of their information. Document how your practice handles each type of request.
- [ ] Implement minimum necessary standards
Staff should only access and use the minimum PHI necessary to perform their job function. Document this as a policy.
- [ ] Handle authorizations for non-standard disclosures
When disclosing PHI for purposes beyond treatment, payment, and healthcare operations (such as marketing or research), you need written patient authorization. Document the process.
Part 5: Business Associate Agreements (BAAs)
A Business Associate is any vendor or contractor that creates, receives, maintains, or transmits PHI on your behalf. You must have a signed BAA with every BA before they can access PHI.
- [ ] Identify all Business Associates
Common BAs for medical practices: EHR vendor, billing/RCM company, medical transcription service, IT support provider with access to clinical systems, cloud storage vendors, fax services, answering services that receive patient messages, collection agencies.
- [ ] Execute BAAs with all Business Associates
A BAA is a specific contractual agreement (not just any vendor contract) that establishes the BA's HIPAA obligations. Obtain BAA templates from your attorney or HIPAA compliance platform.
- [ ] Maintain a BAA inventory
Keep a log of all BAs with whom you have agreements, the date signed, and the date of last review. Review BAAs when vendor relationships change significantly.
Part 6: Breach Notification
- [ ] Establish a breach detection and response procedure
Document how staff should report suspected breaches, who receives the report, and who makes breach determination decisions.
- [ ] Know the breach notification timeline
Breaches affecting fewer than 500 patients in a state: notify affected individuals within 60 days of discovery, notify HHS annually. Breaches affecting 500+ patients in a state: notify affected individuals within 60 days AND notify HHS and local media within 60 days. Notify affected Business Associates of breaches that involve their PHI.
- [ ] Log all incidents and breach determinations
Maintain a breach/incident log even for events that didn't rise to the level of reportable breach. The four-factor risk assessment used to determine if an event is a reportable breach must be documented.
Part 7: Documentation and Retention
- [ ] Document all policies and procedures in writing
HIPAA requires written policies for each of the required administrative, physical, and technical safeguard areas. Template libraries from compliance platforms provide a starting point.
- [ ] Retain HIPAA documentation for 6 years
HIPAA compliance documentation (policies, risk analyses, training records, BAAs, breach logs) must be retained for a minimum of six years from creation or last effective date, whichever is later.
- [ ] Review and update policies regularly
Policies must be updated to reflect changes in your operations, technology, workforce, or applicable regulations. Document review dates.
How to Use This Checklist Effectively
A printed checklist is useful for identifying gaps, but it won't maintain your compliance program over time. For ongoing compliance:
Use software for automation. A platform like HIPAAGuard tracks training completions, generates audit documentation, manages BAA inventory, and sends reminders when risk assessments are due. The annual compliance review becomes a structured process rather than a scramble.
Assign ownership. Every item on this checklist should have a named person responsible for it. For most small practices, that's one or two people. Designate explicitly — ambiguous ownership means things don't get done.
Start with the SRA. If you haven't done a Security Risk Analysis, that's the highest-priority item. OCR investigations almost universally find SRA failures in non-compliant practices. A completed, documented SRA demonstrates to OCR that you took compliance seriously. An absent SRA demonstrates the opposite.
Create a compliance calendar. Schedule annual training reminders, annual risk assessment reviews, and quarterly policy reviews. Put them in a calendar now before the pattern of deferral begins.
Frequently Asked Questions
What happens during an OCR audit?
OCR's audit program uses desk audits and on-site audits. Desk audits request documentation of specific compliance areas — typically your risk assessment, policies, training records, and BAA inventory. On-site audits involve OCR staff visiting your location and conducting interviews with staff. Most small practices only encounter OCR through complaint-driven investigations rather than random audits, but the documentation standard is the same in both cases.
My EHR vendor says they handle HIPAA compliance for me. Is that accurate?
No. Your EHR vendor handles HIPAA compliance for the software they've built. They don't handle your workforce training, your risk assessment, your physical safeguards, your breach notification procedures, or your Privacy Rule compliance. The EHR vendor is a Business Associate — their compliance is their responsibility. Your compliance is yours.
We're a very small practice with only two providers. Do we really need all of this?
HIPAA applies to all covered entities regardless of size. OCR has fined solo physician practices. The compliance program you implement should be proportionate to your size — a two-provider practice doesn't need the same infrastructure as a 50-provider group — but the required elements are the same. The Security Risk Analysis, workforce training, and basic technical safeguards are required regardless of practice size.
How do I prioritize if I can't do everything at once?
Start with: (1) Security Risk Analysis — document what you have and what needs improvement. (2) Workforce training — get everyone through basic HIPAA training. (3) BAAs — identify and execute agreements with all vendors touching PHI. These three areas are the most common sources of OCR findings and the most defensible starting point for a new compliance program.