HIPAA Policies for Solo Practitioners: The Essential Compliance Checklist
HIPAA Compliance Requirements for Solo Practitioners
As a solo practitioner, you are a covered entity and must meet the same HIPAA standards as larger practices. Your goal is to safeguard Protected Health Information (PHI) while enabling efficient care. Compliance spans the Privacy Rule, the Security Rule for electronic PHI, and the Breach Notification Rule.
Use this checklist to structure your HIPAA policies for solo practitioners and demonstrate due diligence across your operations.
- Identify where PHI is created, received, maintained, or transmitted (EHR, email, e‑fax, patient portal, backups, paper).
- Implement administrative, physical, and technical safeguards proportional to your risks.
- Document policies, decisions, and evidence of implementation to prove compliance.
- Review and update your program at least annually and whenever your environment changes.
Designate a Privacy and Security Officer
You must name a Privacy Officer and a Security Officer to oversee your HIPAA program. In a solo practice, you may serve as both, or you can engage a consultant for support while retaining accountability.
- Maintain and update policies and procedures; ensure they reflect daily workflows.
- Lead the Security Risk Assessment and manage risk remediation activities.
- Oversee workforce training, sanctions, and patient privacy complaints.
- Manage the Business Associate Agreement (BAA) lifecycle and vendor oversight.
- Coordinate incident response and breach analysis.
- Issue a brief appointment memo with role descriptions and effective dates.
- List officer contact details in your Notice of Privacy Practices.
- Set quarterly reviews for access audits, incident logs, and open corrective actions.
Conduct Annual Security Risk Assessments
A Security Risk Assessment identifies threats, vulnerabilities, and the likelihood and impact of harm to ePHI, then directs remediation. Treat it as a living process, not a one‑time form.
- Inventory assets that handle ePHI (EHR, laptops, smartphones, Wi‑Fi, cloud apps, backups) and map data flows.
- Evaluate current safeguards across administrative, physical, and technical controls.
- Analyze risks by likelihood and impact; rate High/Medium/Low and prioritize actions.
- Publish a remediation plan with owners, target dates, and success criteria.
- Update the assessment annually and after major changes (new EHR, telehealth, office move, or staffing changes).
- Retain the dated SRA report, risk register, and corrective action plan.
- Keep screenshots or settings exports showing key configurations.
- Capture vendor attestations about relevant security practices when appropriate.
Develop Written HIPAA Policies and Procedures
Your written policies translate HIPAA into practical steps for your practice. Keep them concise, role‑based, and tailored to your workflows.
- Privacy practices: uses/disclosures, minimum necessary, patient rights, authorizations, and your Notice of Privacy Practices.
- Security program: acceptable use, device and media controls, workstation security, remote work/BYOD, passwords, patching, backups, and disposal.
- Access management: role‑based access, onboarding/offboarding, authentication, audit review, and sanctions.
- Incident response procedures aligned to the Breach Notification Rule.
- Business Associate Agreement (BAA) intake, vetting, and termination steps.
- Contingency planning: data backup, disaster recovery, and emergency operations.
- Complaint handling and mitigation of violations.
Date every policy, record approvals, and maintain version history so you can show what was in effect at any time.
Provide Annual Staff HIPAA Training
Training is required for anyone who handles PHI—including you. Provide onboarding training before access is granted, then refresh at least annually, updating content when risks or systems change.
- Privacy basics, PHI handling, and the minimum necessary standard.
- Security hygiene: phishing awareness, safe email and texting, workstation security.
- Access control mechanisms, strong passwords, and multi-factor authentication.
- How to identify and report incidents and follow the Breach Notification Rule.
- Practice‑specific procedures and realistic scenarios.
Document dates, topics, materials used, and acknowledgments; retain sign‑in sheets or digital attestations.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Secure Business Associate Agreements
A business associate is any vendor that creates, receives, maintains, or transmits PHI for you. Have a signed BAA in place before sharing PHI and maintain it throughout the relationship.
- Common associates: EHR/portal providers, e‑fax and email encryption services, cloud storage and backup tools, billing and clearinghouses, transcription, and IT support.
- Ensure BAAs define permitted uses, safeguard obligations, breach reporting timelines, subcontractor flow‑down, audit cooperation, and return/destruction of PHI at termination.
- Keep a BAA inventory with effective dates, contacts, and renewal reminders; reassess vendor security annually.
Implement Access Controls and Encryption
Technical safeguards should prevent unauthorized access and limit exposure if a device or account is compromised. Configure systems to enforce least privilege and strong authentication.
- Unique user IDs, role‑based access, rapid de‑provisioning at offboarding, and monthly access reviews.
- Multi-factor authentication for the EHR, email, remote access, and any cloud app containing ePHI.
- Strong password policies, automatic screen lock, and session timeouts.
- Encryption in transit (TLS) and at rest on laptops, smartphones, removable media, and cloud storage.
- Device management: remote locate/lock/wipe; disable local PHI storage where feasible.
- Audit controls: review logs and alerts; reconcile anomalies and document findings.
- Use patient portals or encrypted messaging for PHI; avoid standard SMS and unencrypted email.
Document your access control mechanisms and encryption settings; retain configuration exports as evidence of compliance.
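The monthly access review and audit-log reconciliation above are the controls a solo practice can most easily automate. The following script is an added example, not part of the original checklist or any vendor's product: it reconciles a constructed EHR account export against a constructed workforce roster and a few constructed audit-log lines, and reports the findings a reviewer would document (enabled accounts with no workforce record or belonging to offboarded staff, role mismatches, accounts without MFA, and audit events outside a worker's employment period). All identifiers, field names and dates are invented for illustration.

```python
"""Monthly access review for a solo practice (constructed example).

Reconciles an EHR user-account export against the workforce roster and a
sample of audit-log entries. Every record below is constructed; the field
names are assumptions, not any EHR's real export format.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Worker:
    user_id: str
    role: str
    start: date
    end: Optional[date]  # None means still employed


@dataclass(frozen=True)
class Account:
    user_id: str
    role: str
    enabled: bool
    mfa_enabled: bool


# Constructed workforce roster (what HR says is true).
ROSTER = [
    Worker("dr.lee", "clinician", date(2020, 1, 6), None),
    Worker("mtaylor", "front-desk", date(2022, 3, 14), None),
    Worker("jgomez", "biller", date(2021, 8, 2), date(2024, 4, 30)),  # offboarded
]

# Constructed EHR account export (what the system says is true).
ACCOUNTS = [
    Account("dr.lee", "clinician", True, True),
    Account("mtaylor", "front-desk", True, False),  # MFA never enrolled
    Account("jgomez", "biller", True, True),        # should have been disabled
    Account("vendor-svc", "admin", True, True),     # no roster entry at all
]

# Constructed audit-log lines: timestamp,user_id,action,record_id
AUDIT_LOG = """\
2024-05-02T09:14:03,dr.lee,view,PT-1042
2024-05-03T18:40:11,jgomez,view,PT-0877
2024-05-03T10:02:55,mtaylor,schedule,PT-1042
"""

# Date the review is performed; fixed so results are reproducible.
REVIEW_DATE = date(2024, 5, 31)


def active_on(worker: Worker, day: date) -> bool:
    """True if the worker was employed on the given day."""
    return worker.start <= day and (worker.end is None or day <= worker.end)


def review_accounts(accounts, roster, as_of):
    """Return (user_id, finding) pairs for enabled accounts needing action."""
    idx = {w.user_id: w for w in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are not an exposure
        worker = idx.get(acct.user_id)
        if worker is None:
            findings.append((acct.user_id, "enabled account with no workforce record"))
        elif not active_on(worker, as_of):
            findings.append((acct.user_id, f"enabled account for worker offboarded {worker.end}"))
        elif worker.role != acct.role:
            findings.append((acct.user_id, f"role mismatch: EHR={acct.role}, roster={worker.role}"))
        if not acct.mfa_enabled:
            findings.append((acct.user_id, "MFA not enrolled"))
    return findings


def review_audit_log(log_text, roster):
    """Flag PHI access events by users not employed on the event date."""
    idx = {w.user_id: w for w in roster}
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record = line.split(",")
        day = date.fromisoformat(ts[:10])
        worker = idx.get(user)
        if worker is None or not active_on(worker, day):
            findings.append((user, f"{action} of {record} at {ts} outside employment period"))
    return findings


if __name__ == "__main__":
    # Print the review as the reviewer would paste it into the evidence file.
    for user, msg in review_accounts(ACCOUNTS, ROSTER, REVIEW_DATE):
        print(f"ACCOUNT  {user}: {msg}")
    for user, msg in review_audit_log(AUDIT_LOG, ROSTER):
        print(f"AUDIT    {user}: {msg}")
```

Run it monthly against the real exports, attach the output to the dated review record, and close each finding (disable the account, enrol MFA, correct the role) as a tracked corrective action.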
Establish Incident Response and Breach Notification Plans
Define how you detect, triage, contain, and learn from incidents. Not every incident is a breach, but each must be evaluated promptly and consistently.
- Preparation: maintain a playbook, contact list, and evidence collection guidance.
- Identification: encourage rapid reporting; centralize intake and timestamp every report.
- Containment and eradication: isolate affected systems, rotate credentials, and patch vulnerabilities.
- Assessment: evaluate the nature/extent of PHI involved, who viewed it, whether it was acquired, and the risk of harm.
- Notification: if a breach occurred, notify affected individuals without unreasonable delay and no later than 60 days; follow HHS and, when required, media notice rules; log smaller breaches for year‑end reporting.
- Post‑incident review: update policies, close corrective actions, and retrain as needed.
Maintain an incident log, investigation notes, and copies of notices to demonstrate compliance with the Breach Notification Rule.
Maintain Documentation Retention
Adopt a Documentation Retention Policy defining what you keep, for how long, and where. Retain HIPAA documentation for at least six years from the date it was created or the date it was last in effect, whichever is later.
- Policies and procedures with approvals and version history.
- Security Risk Assessments, risk registers, and remediation plans.
- Training rosters, curricula, and acknowledgments.
- Business Associate Agreements and vendor due diligence records.
- Access reviews, audit log summaries, and sanction decisions.
- Incident and breach logs, risk assessments, and notifications.
- Patient privacy complaints, responses, and NPP acknowledgments.
Centralize records in a secure repository with reliable backups and periodic integrity checks. Align medical record retention with your state’s requirements, which may exceed HIPAA’s timeline.
By assigning clear roles, performing an annual Security Risk Assessment, maintaining tailored policies, training routinely, securing BAAs, enforcing strong access controls, testing incident response, and following a disciplined retention schedule, you create a defensible, scalable HIPAA program for your solo practice.
FAQs
What are the HIPAA compliance requirements for solo practitioners?
You must protect PHI under the Privacy, Security, and Breach Notification Rules. That means designating a Privacy and Security Officer, completing a Security Risk Assessment, implementing administrative/physical/technical safeguards, maintaining written policies and procedures, providing annual training, executing Business Associate Agreements, enforcing access controls and encryption, and retaining documentation to prove compliance.
How often should risk assessments be conducted?
Complete a full Security Risk Assessment at least annually and whenever major changes occur—such as adopting a new EHR, enabling telehealth, changing offices, or adding systems that handle ePHI. Track remediation year‑round so risk management is continuous, not a once‑a‑year task.
Who can serve as the Privacy and Security Officer in a solo practice?
You may serve as both officers in a solo practice. You can also engage a consultant for day‑to‑day support, but you remain responsible for decisions, documentation, and oversight. Keep a brief appointment memo and include contact details in your Notice of Privacy Practices.
What documentation must be retained for HIPAA compliance?
Retain, at minimum: policies and procedures with version history; Security Risk Assessments and remediation plans; training rosters and acknowledgments; Business Associate Agreements and vendor due diligence; access reviews and sanction records; incident and breach logs with notifications; and patient privacy complaints and NPP acknowledgments. Your Documentation Retention Policy should keep these records for at least six years.