HIPAA Compliance for Solo Practitioners: Requirements and Step-by-Step Checklist


Kevin Henry

HIPAA

February 28, 2026

7 minutes read

Implement Administrative Safeguards

Administrative Safeguards set the governance foundation for HIPAA compliance. As a solo practitioner, you can streamline oversight by documenting decisions, keeping tight records, and committing to continuous improvement.

Privacy Officer Designation and Governance

Formally assign yourself as the Privacy Officer and Security Official. Record responsibilities, decision-making authority, and how you will oversee HIPAA tasks, even if you occasionally use contractors.

  • Create a written Privacy Officer Designation and Security Official memo.
  • Define your compliance calendar (monthly, quarterly, annually).
  • Document how you escalate and resolve incidents.

Risk Assessment and Risk Management

Perform a Security Risk Assessment to identify threats to protected health information (PHI) across people, processes, and technology. Use findings to drive a prioritized risk management plan.

  • Map PHI flows (intake, EHR, billing, email, backups, telehealth).
  • Inventory assets (devices, apps, cloud services) and note vulnerabilities.
  • Score likelihood and impact; select reasonable and appropriate controls.
  • Write and track a Risk Assessment report and a living risk management plan.

Policies, Procedures, and Training

Put policies in plain language and train on them. Focus on access control, acceptable use, minimum necessary, incident response, sanctions, and contingency operations.

  • Publish and review policies annually or upon major changes.
  • Provide initial and periodic HIPAA training; keep attendance records and acknowledgments.
  • Maintain a sanctions policy and document disciplinary steps when needed.

Business Associate Agreements (BAAs)

Sign BAAs with any vendor that creates, receives, maintains, or transmits PHI on your behalf. Confirm security features and responsibilities before using a service.

  • Identify BAs (EHR, e-fax, secure email/portal, billing, IT support, cloud storage).
  • Execute and store Business Associate Agreements; track renewal dates.
  • Verify breach reporting timelines and security obligations in each BAA.

Contingency Planning

Prepare to continue operations during disruptions and recover data quickly. Test your plan, not just your backups.

  • Create data backup, disaster recovery, and emergency mode operation plans.
  • Encrypt backups and verify restorations on a schedule.
  • Document test results and improvement actions.

Documentation and Recordkeeping

Good records prove good practice. Keep evidence current and organized to simplify audits and reviews.

  • Retain policies, Risk Assessment results, training logs, and incident files for at least six years.
  • Maintain a change log showing updates and reasons.

Establish Physical Safeguards

Physical Safeguards protect locations and devices that handle PHI. Small, inexpensive controls often make the biggest difference.

Facility and Office Controls

  • Use locks, alarm systems, and visitor sign-in; restrict after-hours access.
  • Separate patient areas from work areas; secure paper files in locked cabinets.
  • For home offices, define a dedicated workspace with restricted entry.

Workstation and Device Security

  • Position screens out of public view; use privacy filters in shared spaces.
  • Enable automatic screen lock and enforce strong authentication.
  • Physically secure laptops with cable locks when unattended.

Device and Media Controls

  • Maintain an asset inventory (serial numbers, encryption status, user).
  • Set procedures for receiving, moving, and disposing of devices and media.
  • Use certified shredding for paper; wipe or destroy drives before disposal.

Apply Technical Safeguards

Technical Safeguards govern how systems control access, log activity, and secure PHI at rest and in transit. Choose “reasonable and appropriate” measures for your practice size and risk profile.

Access Controls

  • Assign unique user IDs; prohibit account sharing.
  • Enable multi-factor authentication (MFA) on email, EHR, and cloud tools.
  • Set role-based access and automatic logoff on all devices.

Audit Controls and Activity Review

  • Turn on audit logs in EHR, email, and file systems.
  • Review logs on a schedule; investigate anomalies and document findings.
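A scheduled log review is only useful if it asks specific questions of the log. The script below is an added example, not code from the original article or from any EHR vendor: it reads a constructed audit export (timestamp, user, action, record id, result; field names and the 08:00–18:00 business-hours window are assumptions) and flags three patterns a solo practitioner can reasonably review and document each quarter: PHI views outside business hours, repeated failed logins for one account in a day, and one account opening an unusually large number of distinct patient records in a day.

```python
"""Scheduled review of an EHR audit log: flag patterns worth a documented look.

Added example, not code from the original article. The log format below
(timestamp,user,action,record_id,result) is constructed for illustration;
map the field names to whatever your EHR actually exports.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample export. Business hours for the practice are assumed
# to be 08:00-18:00; tune BUSINESS_HOURS and the thresholds to your practice.
SAMPLE_LOG = """\
2026-02-02T09:12:04,drsmith,view,P-1001,success
2026-02-02T09:40:17,drsmith,view,P-1002,success
2026-02-02T23:05:51,drsmith,view,P-1003,success
2026-02-03T02:14:09,billing1,login,,failure
2026-02-03T02:14:31,billing1,login,,failure
2026-02-03T02:14:55,billing1,login,,failure
2026-02-03T02:15:20,billing1,login,,failure
2026-02-03T02:15:44,billing1,login,,failure
2026-02-03T02:16:02,billing1,login,,success
2026-02-03T10:01:00,billing1,view,P-1001,success
2026-02-03T10:01:05,billing1,view,P-1004,success
2026-02-03T10:01:09,billing1,view,P-1005,success
2026-02-03T10:01:12,billing1,view,P-1006,success
2026-02-03T10:01:15,billing1,view,P-1007,success
2026-02-03T10:01:19,billing1,view,P-1008,success
"""

BUSINESS_HOURS = range(8, 18)      # 08:00 <= hour < 18:00 (assumed)
FAILED_LOGIN_THRESHOLD = 5         # failures per user per day (assumed)
DISTINCT_RECORDS_THRESHOLD = 5     # distinct patient records per user per day (assumed)


def parse_log(text):
    """Turn the CSV export into dicts with a real datetime for each event."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record_id, result = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "record_id": record_id or None,
            "result": result,
        })
    return events


def review(events):
    """Return (rule, user, detail) findings for the reviewer to investigate and document."""
    findings = []
    failed_logins = Counter()
    records_seen = defaultdict(set)

    for ev in events:
        day = ev["time"].date()
        # Rule 1: PHI viewed outside business hours.
        if ev["action"] == "view" and ev["time"].hour not in BUSINESS_HOURS:
            findings.append(("after_hours_access", ev["user"],
                             f"{ev['record_id']} at {ev['time'].isoformat()}"))
        # Rule 2: tally failed logins per account per day.
        if ev["action"] == "login" and ev["result"] == "failure":
            failed_logins[(ev["user"], day)] += 1
        # Rule 3: tally distinct records opened per account per day.
        if ev["action"] == "view" and ev["result"] == "success":
            records_seen[(ev["user"], day)].add(ev["record_id"])

    for (user, day), n in failed_logins.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append(("repeated_failed_logins", user, f"{n} failures on {day}"))
    for (user, day), recs in records_seen.items():
        if len(recs) >= DISTINCT_RECORDS_THRESHOLD:
            findings.append(("high_record_volume", user,
                             f"{len(recs)} distinct records on {day}"))
    return findings


def review_sample():
    """Run the review over the constructed export."""
    return review(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, user, detail in review_sample():
        print(f"{rule:24} {user:10} {detail}")
```

Each finding is a prompt for a documented decision (legitimate on-call access, a mistyped password, a billing batch run), not a verdict; keeping the script's output alongside the written disposition is the evidence the Audit Controls standard asks for.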

Integrity and Malware Protection

  • Use reputable endpoint protection and keep systems patched.
  • Verify backup integrity and protect against ransomware with versioned backups.
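"Verify restorations on a schedule" (Contingency Planning above) and "verify backup integrity" (this list) both come down to proving that what you restore is byte-for-byte what you backed up. The script below is an added example, not code from the original article or any backup product: it hashes a backup set into a manifest at backup time and later compares a restored tree against that manifest, reporting intact, modified, missing and unexpected files. The directory layout and file contents are constructed in a temporary directory so it runs offline.

```python
"""Backup integrity check: hash a backup set into a manifest, then verify a
restore against it so "the backup ran" is backed by "the restore is intact".

Added example, not code from the original article. The directory layout and
file contents are constructed in a temp dir so the script runs offline.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large database files don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    root = Path(root)
    return {str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored_root, manifest):
    """Compare a restored tree to the manifest; anything not 'ok' needs documenting."""
    restored_root = Path(restored_root)
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        p = restored_root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    expected = set(manifest)
    for p in restored_root.rglob("*"):
        if p.is_file():
            rel = str(p.relative_to(restored_root)).replace("\\", "/")
            if rel not in expected:
                result["unexpected"].append(rel)
    return result


def demo():
    """Constructed scenario: back up, restore, then simulate one corrupted and one lost file."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "practice_data"
        (source / "ehr").mkdir(parents=True)
        (source / "ehr" / "notes.db").write_bytes(b"constructed sample database")
        (source / "billing.csv").write_text("constructed,sample,rows\n")
        (source / "policies.pdf").write_bytes(b"%PDF-constructed")

        # At backup time: record the manifest next to (or separately from) the backup.
        manifest = build_manifest(source)
        (Path(tmp) / "manifest.json").write_text(json.dumps(manifest, indent=2))

        # At test-restore time: restore, then simulate silent corruption
        # (a rewritten file, as ransomware would leave behind) and a lost file.
        restored = Path(tmp) / "restore_test"
        shutil.copytree(source, restored)
        (restored / "ehr" / "notes.db").write_bytes(b"NOT-THE-ORIGINAL-CONTENT")
        (restored / "billing.csv").unlink()

        saved = json.loads((Path(tmp) / "manifest.json").read_text())
        return verify_restore(restored, saved)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the manifest somewhere the backup job cannot overwrite (a separate versioned location), run the restore test against a scratch directory rather than production, and file the JSON result with the date as the test evidence called for under Contingency Planning. A manifest that matches a restore taken from an older version is also your quickest check that a versioned backup predates a ransomware event.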

Transmission and Storage Security

  • Use secure portals or encrypted email for PHI; require TLS for all email.
  • Encrypt devices (full-disk encryption) and sensitive folders at rest.
  • Use secure messaging for texting; avoid standard SMS for PHI.
  • Require BAAs for cloud services; disable public links and apply least privilege.

Develop Breach Notification and Response Plan

A documented response plan helps you act quickly, contain harm, and meet Breach Notification duties. Practice the plan so steps are familiar when time matters.

Recognize and Contain Incidents

  • Define “security incident” and “breach” in your policy; train on examples.
  • Immediately isolate affected systems, preserve logs, and change credentials.

Four-Factor Breach Risk Assessment

  • Nature and extent of PHI involved (identifiers, sensitivity).
  • Unauthorized person who used or received the PHI.
  • Whether PHI was actually acquired or viewed.
  • Extent to which risks have been mitigated (e.g., retrieval, encryption).

Notification Requirements and Timelines

  • Notify affected individuals without unreasonable delay and no later than 60 days from discovery.
  • Notify HHS as required; for 500+ affected in a state/jurisdiction, also notify prominent media.
  • If a Business Associate is involved, follow BAA notification timelines and coordinate messaging.
  • Retain breach documentation, decisions, and corrective actions.

Uphold Client Rights and Communication

HIPAA grants clients specific rights. Clear, respectful communication reduces confusion and builds trust while keeping you compliant.

Notice of Privacy Practices (NPP)

  • Provide the NPP at first service and on request; post it prominently in your office and digitally if you use a website or portal.
  • Document acknowledgments and any refusal to sign.

Right of Access and Amendments

  • Fulfill access requests within 30 days (one 30-day extension with written explanation).
  • Offer electronic copies in the requested format if readily producible; charge only cost-based fees.
  • Establish a process for amendments and keep an audit trail of changes.

Minimum Necessary, Restrictions, and Confidential Communications

  • Disclose only the minimum necessary for payment and operations.
  • Honor reasonable requests for confidential communications (e.g., alternate address).
  • Record granted restrictions and apply them consistently.

Digital and Telehealth Etiquette

  • Verify identity before discussing PHI by phone or video.
  • Use secure platforms with BAAs; disable recording unless necessary and documented.
  • Provide clients with secure options for messaging and file exchange.

Use Compliance Tools and Resources

Simple, well-chosen tools can raise your security with minimal effort. Prioritize solutions that support BAAs and provide strong, configurable defaults.

  • Password manager and MFA app to strengthen authentication.
  • EHR or practice management with audit logs, role-based access, and encryption.
  • Secure email/portal and e-fax with documented encryption and BAAs.
  • Mobile device management (MDM) for remote wipe and policy enforcement on phones and tablets.
  • Templates for Risk Assessment, incident response, BAAs, NPP, and training logs.

Conduct Regular Compliance Reviews

Compliance is an ongoing program, not a one-time project. Use a cadence that fits your practice and risk profile.

  • Annually: full Security Risk Assessment and policy review; update the risk management plan.
  • Quarterly: audit log reviews, vendor/BAA checks, backup restore tests, and patch status.
  • Monthly: phishing awareness touchpoints, device inventory check, and access review.
  • Event-driven: reassess risks after new systems, relocations, or incidents.
  • Record everything; retain documentation for at least six years.

Conclusion

By formalizing Administrative, Physical, and Technical Safeguards; preparing Breach Notification steps; honoring client rights; and reviewing regularly, you create a practical HIPAA compliance program tailored to a solo practice. Keep it simple, documented, and repeatable.

FAQs

What are the key HIPAA requirements for solo practitioners?

You must implement Administrative, Physical, and Technical Safeguards; complete and maintain a documented Risk Assessment; use policies, training, and sanctions; execute Business Associate Agreements with vendors; provide a Notice of Privacy Practices; honor client rights (access, amendments, restrictions); and maintain an incident response plan with Breach Notification procedures.

How often should risk assessments be conducted?

Conduct a comprehensive Risk Assessment at least annually and whenever you introduce new systems, relocate, change workflows, or experience a significant incident. Treat risk management as continuous—track remediation tasks and revisit high-risk items until closed.

What steps should be taken after a data breach?

Contain the incident, preserve evidence, and change credentials. Perform a four-factor Breach Risk Assessment, document findings, and implement mitigation. Notify affected individuals without unreasonable delay and no later than 60 days from discovery, notify HHS as required, and coordinate with any Business Associates per your BAA. Record corrective actions and lessons learned.

How can solo practitioners ensure staff HIPAA training compliance?

Provide role-based training at onboarding and at least annually, including phishing and incident reporting. Track attendance, comprehension (e.g., short quizzes), and signed acknowledgments. Reinforce policies during regular reviews, document sanctions for violations, and keep all training records for at least six years.
