HIPAA Security for Solo Practitioners: Compliance Checklist
As a solo practitioner, you are a covered entity and fully responsible for HIPAA Administrative Requirements and ePHI protection. This practical compliance checklist walks you through the core actions—policy decisions, safeguards, and documentation—to achieve Covered Entity Compliance without unnecessary complexity.
Designate Privacy and Security Officers
You must formally name a Privacy Officer and a Security Officer. In a solo practice, you can serve in both roles, but you still need written designations that outline authority and responsibilities.
What to do
- Issue a short policy naming the Privacy Officer and Security Officer, including contact details and an acting backup if you are unavailable.
- Define responsibilities: policy creation and maintenance, workforce oversight (including contractors), oversight of Risk Analysis Procedures, Security Incident Response, Business Associate management, and complaint handling.
- Clarify that vendors may support security tasks but do not replace your Security Officer responsibilities.
Documentation to keep
- Signed designation memo(s) and role descriptions.
- Annual role review and evidence of authority to make policy decisions.
Conduct Annual Risk Assessments
HIPAA requires ongoing risk analysis; performing it at least annually—and whenever technology, vendors, or workflows change—keeps you ahead of threats. Your goal is to identify where ePHI lives, how it moves, and what could compromise it, then reduce risks to a reasonable and appropriate level.
Risk Analysis Procedures
- Map ePHI: chart intake, EHR, billing, imaging, email, texting, backups, and telehealth platforms.
- Inventory assets: devices, apps, cloud services, removable media, and paper records.
- Identify threats and vulnerabilities: loss/theft, misconfiguration, phishing, weak passwords, improper disposal, and insider error.
- Rate likelihood and impact to prioritize treatment.
- Document a risk management plan with specific controls, owners, and deadlines.
Evidence to maintain
- Risk analysis report, risk register, and risk management plan.
- Progress logs showing mitigation completion and re-evaluation dates.
Establish Business Associate Agreements
Any vendor that creates, receives, maintains, or transmits PHI on your behalf is a Business Associate. You must execute a BAA before sharing PHI and ensure subcontractors are bound by the same protections.
Business Associate Agreement Requirements
- Permitted uses/disclosures and a prohibition on other uses.
- Safeguards appropriate to protect ePHI and prompt breach reporting.
- Subcontractor flow-down obligations with equivalent protections.
- Individual rights support (access, amendments, accounting of disclosures).
- HHS access to records, termination for cause, and return or destruction of PHI at contract end.
Operational tips
- Maintain a vendor inventory, including purpose, data elements, and BAA dates.
- Perform due diligence: ask about encryption, access controls, auditing, and incident response.
- Update BAAs when services or data flows change.
Implement Administrative Safeguards
Administrative Safeguards turn your risk findings into day-to-day controls and are central to HIPAA Administrative Requirements. Keep them lean but effective for a solo practice.
Core elements
- Policies and procedures: access, authentication, device use, remote work, secure messaging, and sanctions for violations.
- Workforce security: vet contractors, define minimum necessary access, and promptly terminate access when engagements end.
- Security awareness and training: passwords, phishing, secure texting/email, and handling of portable media.
- Security Incident Response: define triage, containment, forensics, decision-making, documentation, and escalation paths.
- Contingency planning: data backup, disaster recovery steps, emergency-mode operations, and regular restoration tests.
- Periodic evaluation: test policies against real workflows and update after changes or incidents.
Apply Physical Safeguards
Physical controls protect facilities, devices, and media. Tailor them to your office, home office, and travel routines to strengthen Physical and Technical Safeguards as a whole.
Facility and workstation controls
- Restrict access with keys/badges; maintain a simple visitor log for non-patients entering restricted areas.
- Position screens away from public view; use privacy filters; enforce automatic screen lock.
- Adopt a clean desk rule; secure charts and portable media in locked storage when unattended.
Device and media protection
- Maintain an inventory of laptops, tablets, phones, scanners, and removable media.
- Encrypt portable devices; require startup passwords and remote wipe on loss/theft.
- Control movement of devices; document transfer, reuse, and disposal.
- Dispose of paper via cross-cut shredding and wipe or destroy drives before decommissioning.
Utilize Technical Safeguards
Technical Safeguards reduce the likelihood of unauthorized access, alteration, or disclosure. Choose controls that balance usability with strong ePHI protection.
Access control
- Unique user IDs for every account; avoid shared logins.
- Enable multifactor authentication on EHR, email, cloud storage, telehealth, and remote access.
- Limit privileges to the minimum necessary; review access quarterly.
- Auto-logoff on workstations and mobile devices.
Encryption and transmission security
- Encrypt data at rest on laptops and mobile devices; use device management for enforcement.
- Use TLS for email and portals; for patient-requested unencrypted email, document the request and risk acknowledgment.
- Prefer secure messaging/portals for routine exchanges containing PHI.
Audit and integrity controls
- Enable audit logs on EHR and key systems; review for anomalies and retain per your policy.
- Use anti-malware, host firewalls, and timely OS/app patching.
- Back up critical systems; verify backup integrity with periodic restore tests.
Develop Breach Notification Procedures
Your procedures should connect Security Incident Response with legal notification steps. A “breach” generally means an impermissible use or disclosure of unsecured PHI that compromises privacy or security.
Action steps when an incident occurs
- Contain and investigate: secure accounts/devices, preserve evidence, and determine whether PHI was involved.
- Perform a risk assessment: analyze the nature of PHI, who received it, whether it was actually viewed, and the extent of mitigation (e.g., recovery or deletion).
- If a breach occurred, notify affected individuals without unreasonable delay and no later than 60 days after discovery.
- For incidents involving 500+ residents of a state/jurisdiction, notify prominent media and follow immediate HHS reporting; for fewer than 500, log and report to HHS annually.
- Document decisions, timelines, and content of notices; retain records for at least six years.
Content of individual notices
- What happened and the date of the breach and discovery.
- Types of PHI involved (e.g., diagnosis, SSN, billing).
- Steps you are taking and what individuals can do.
- Your contact information for questions.
Maintain Documentation and Training
HIPAA expects you to “show your work.” Good records prove diligence and speed investigations and audits.
Keep these records
- Policies/procedures, designation memos, training curricula and attendance, sanctions, incident logs, and breach assessments.
- Risk analyses, risk management plans, evaluation results, and contingency plan tests.
- Vendor inventory and executed BAAs with renewal dates.
Training cadence
- Provide onboarding training, then refresh at least annually or when policies/technology change.
- Track completion; test comprehension with short scenarios or quizzes.
Review and Update Policies Regularly
Set a simple, recurring cycle to keep policies accurate and actionable. Update whenever you change EHRs, add telehealth tools, move offices, adopt new devices, or modify workflows.
Practical review rhythm
- Quarterly mini-reviews: spot-check access controls, audit logs, backups, and device inventory.
- Annual comprehensive review: align policies with your latest Risk Analysis Procedures and test your contingency plan.
- After-action updates: revise policies and training following any incident or near miss.
Bottom line: document your role assignments, complete a risk analysis each year, lock down vendors with solid BAAs, apply Physical and Technical Safeguards, and be ready to execute Security Incident Response and breach notifications. This streamlined approach keeps your ePHI protection strong and your Covered Entity Compliance defensible.
FAQs
What are the key HIPAA security requirements for solo practitioners?
You must designate Privacy and Security Officers, perform and document periodic risk analysis and risk management, execute Business Associate Agreements, implement Administrative, Physical, and Technical Safeguards, maintain training and documentation, and establish Security Incident Response and breach notification procedures.
How often must solo practitioners conduct a risk assessment?
Conduct a comprehensive risk analysis at least annually and whenever there are material changes—such as new systems, vendors, locations, or workflows—that affect how you create, receive, maintain, or transmit ePHI.
What is required in a Business Associate Agreement?
A BAA must define permitted uses/disclosures, require reasonable safeguards for ePHI, mandate prompt breach reporting, bind subcontractors to equivalent protections, support individual rights, allow HHS access, and address termination with return or destruction of PHI.
How should solo practitioners handle a HIPAA breach notification?
Immediately contain the incident, assess risk to determine if a breach occurred, and if so, notify affected individuals without unreasonable delay and no later than 60 days after discovery. For large breaches, also notify HHS and, when applicable, the media. Document every step and retain records for at least six years.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.