HIPAA Compliance Checklist for Small Practices: Steps, Policies, and Training

Use this HIPAA Compliance Checklist for Small Practices to build a clear, practical path to protecting Protected Health Information (PHI) and Electronic Protected Health Information (ePHI). It focuses on the exact steps, policies, and training small teams need to operate confidently and compliantly.

The guidance below integrates core concepts such as Risk Analysis, Business Associate Agreements (BAAs), the Breach Notification Rule, appointing a Security Official, and establishing a tested Incident Response Plan.

Designate a Compliance Officer

Assign a single point of accountability to drive privacy and security activities. In many small practices, one person may serve as the HIPAA Compliance Officer, Privacy Officer, and Security Official, as long as roles and decision rights are clearly defined.

• Document the appointment, responsibilities, and authority to access leadership, allocate resources, and enforce policies.
• Define oversight of PHI and ePHI across all systems, apps, devices, and third parties.
• Set a governance rhythm: recurring check-ins, issue tracking, and a standing agenda for risk, incidents, and training.
• Own the Incident Response Plan and alignment with the Breach Notification Rule.
• Maintain the inventory of BAAs and ensure vendors meet security and privacy obligations.

Conduct Risk Assessment

Perform an organization-wide Risk Analysis that covers where PHI and ePHI are created, received, maintained, or transmitted. Your assessment should identify threats, vulnerabilities, and the likelihood and impact of harm, then drive a prioritized mitigation plan.

• Map data flows (intake, EHR, imaging, billing, email, patient portal, backups, and mobile/BYOD).
• Inventory assets and third parties; include cloud services, telehealth tools, and any system touching ePHI.
• Evaluate physical, administrative, and technical risks; score them to focus on the highest exposures.
• Create a risk register with owners, remediation actions, and target dates; track to closure.
• Reassess after major changes such as new software, vendors, locations, or workflows.

Implement Administrative Safeguards

Administrative safeguards translate your Risk Analysis into daily controls, procedures, and oversight. They ensure people have appropriate access, know how to handle PHI, and respond effectively to incidents.

• Information access management: role-based access, minimum necessary, approval and termination workflows.
• Workforce security: background checks where appropriate, confidentiality agreements, and sanction policy.
• Security awareness and training: onboarding plus periodic refreshers and targeted reminders.
• Contingency planning: data backup, disaster recovery, and emergency operations procedures with drills.
• Incident Response Plan: defined triage, containment, evidence preservation, and post-incident review.
• Breach Notification Rule readiness: internal reporting paths and documented criteria for notifications.
• Vendor oversight: executed BAAs before sharing PHI, due diligence, and ongoing monitoring.
• Periodic evaluations: review safeguards and update based on new risks or technology changes.

Implement Physical Safeguards

Physical safeguards protect the environments where PHI and ePHI live. Focus on facility access, workstation security, and device/media controls to prevent loss, theft, or unauthorized viewing.

• Facility access controls: visitor sign-in, escort policies, locked areas for servers and records.
• Workstation use: privacy screens, automatic screen locks, clean-desk expectations, and secure locations.
• Device and media controls: inventory tagged devices, secure storage, approved removal, and chain-of-custody.
• Secure disposal: shredding paper records and sanitizing or destroying drives and media before reuse or disposal.
• Lost/stolen device procedures: immediate reporting, remote lock/wipe if enabled, and incident review.

Implement Technical Safeguards

Technical safeguards reduce the chance that ePHI is accessed or altered by the wrong person or system. Build layered defenses that verify identity, control access, monitor activity, and protect data in transit and at rest.

• Access controls: unique user IDs, strong authentication (preferably MFA), automatic logoff, and emergency access procedures.
• Audit controls: centralized logging for EHR and related systems, routine log reviews, and alerting for anomalies.
• Integrity protections: encryption, reliable backups, anti-malware, and checks to detect unauthorized changes.
• Transmission security: encrypted email or secure messaging for PHI, TLS for portals, and VPN for remote connections.
• Device security: patching, configuration baselines, mobile device management, and remote wipe for approved BYOD.
• Data minimization and segmentation: limit ePHI storage locations and enforce least-privilege access.

Develop Policies and Procedures

Written policies and procedures operationalize how your practice handles PHI and ePHI. Keep them concise, current, and accessible so staff can follow them consistently.

• Core topics: privacy practices, minimum necessary, patient rights, release of information, and record retention.
• Security topics: access control, passwords, encryption, remote work, texting, email, and removable media.
• Incident Response Plan and Breach Notification Rule procedures, including internal reporting and documentation.
• Vendor management: BAAs, onboarding due diligence, and subcontractor requirements.
• Governance: approval, version control, change management, and periodic review cadence.

Train Staff on HIPAA Compliance

Training converts policies into practice. Make it role-based, scenario-driven, and measurable so people know exactly what to do when handling PHI or responding to an incident.

• Provide training at onboarding and at regular intervals; include updates when policies, systems, or roles change.
• Cover day-to-day scenarios: front desk conversations, exam room etiquette, faxing, emailing, and patient portal use.
• Teach security awareness: phishing recognition, safe remote work, and prompt reporting of suspicious activity.
• Document attendance and comprehension; keep records as part of your compliance evidence.

Bringing it all together: a named Compliance Officer, a living Risk Analysis, layered safeguards, clear procedures, and consistent training form a resilient, right-sized program that protects Protected Health Information (PHI) and ePHI and supports quality care.

FAQs.

What are the key steps to achieve HIPAA compliance for small practices?

Start by appointing a Compliance Officer who also serves as or partners closely with the Security Official. Perform a thorough Risk Analysis, then implement administrative, physical, and technical safeguards tailored to your risks. Draft and maintain clear policies and procedures, execute BAAs with any vendors handling PHI or ePHI, establish an Incident Response Plan aligned with the Breach Notification Rule, and deliver role-based training with documented participation.

How often should staff receive HIPAA training?

Provide training at onboarding and refresh it at regular intervals, with additional sessions whenever policies, technologies, or job duties change. Short, recurring awareness activities (for example, phishing tips or quick refresher reminders) help sustain good habits between formal sessions.

What constitutes a reportable HIPAA breach?

Generally, a HIPAA breach is any unauthorized acquisition, access, use, or disclosure of unsecured PHI that compromises privacy or security. You assess likelihood of compromise by considering the sensitivity of the PHI, who accessed it, whether it was actually viewed or obtained, and the effectiveness of mitigation (such as immediate retrieval or confirmation of non-access).

What are the requirements for Business Associate Agreements?

BAAs are required before sharing PHI or ePHI with a vendor or contractor that creates, receives, maintains, or transmits it on your behalf. The agreement should define permitted uses and disclosures, require appropriate safeguards, mandate timely incident and breach reporting, flow obligations to subcontractors, and specify termination, return, or destruction of PHI when services end.