HIPAA Compliance Checklist for Small Medical Practices
Last updated: 2026-04-06 — ComplianceStack Editorial Team
HIPAA applies equally to a solo family practice and a large hospital system. Small practices are not exempt from the Security Rule, Privacy Rule, or Breach Notification Rule, and OCR enforcement data shows that small and mid-size providers account for a significant share of investigated complaints. The most common reason small practices get cited is not a sophistication gap; it is a documentation gap. This checklist covers the 20 requirements that OCR auditors verify first, in priority order.
Conduct an annual Security Risk Assessment (SRA)
The SRA is the single most-cited deficiency in OCR enforcement actions. Use the HHS SRA Tool (free) to identify, document, and risk-rate every threat to ePHI in your practice. Document your remediation plan — even accepted risks must be justified in writing.
Designate a Privacy Officer and Security Officer
Both roles are required by regulation. In a small practice, one person may fill both. Document the appointment in writing, specify responsibilities, and update it when staff changes. The designation itself must be part of your HIPAA policy set.
Execute Business Associate Agreements (BAAs) with every vendor who touches PHI
EHR vendors, billing companies, IT support firms, cloud storage providers, transcription services, answering services, and shredding companies are all Business Associates if they handle PHI. A signed BAA must be in place before they receive any patient data. Verbal agreements do not count.
Implement unique user IDs and access controls for all systems holding ePHI
Every workforce member who accesses your EHR or any system containing ePHI needs a unique username and password. Shared logins eliminate your audit trail. Access must be role-based — front-desk staff should not have the same permissions as clinicians.
Establish a Breach Notification policy and procedure
If a breach of unsecured PHI occurs, HIPAA requires notification to affected individuals without unreasonable delay and no later than 60 days after discovery, notification to HHS, and, for breaches affecting more than 500 residents of a state or jurisdiction, notice to prominent media outlets. Your procedure must cover how to assess incidents (the four-factor risk assessment that determines whether an impermissible use or disclosure is a reportable breach), who to notify, and how to document the decision. Failing to report a qualifying breach compounds the original violation.
Encrypt ePHI on all portable devices and media
Laptops, tablets, smartphones, USB drives, and portable hard drives used for work must be encrypted with AES-128 or stronger, consistent with the NIST guidance HHS references for data at rest. Encryption is the safe harbor under the Breach Notification Rule: a lost encrypted device does not trigger breach reporting obligations, provided the decryption key or passphrase was not also compromised. Verify that encryption is actually enabled on each device and record that in your device inventory; a laptop you believed was encrypted but was not gets no safe harbor.
Train all workforce members on HIPAA policies at hire and annually
Training is required for every person who has access to PHI — including part-time staff, contractors, and volunteers. Document training dates, topics covered, and acknowledgment signatures. Untrained staff who commit violations can still expose the practice to sanctions.
Post a Notice of Privacy Practices (NPP) and obtain patient acknowledgments
The NPP must be posted at the practice, provided to new patients at first service, and available on your website if you have one. Obtain written acknowledgment from patients and document good-faith efforts when acknowledgment is refused. Review the NPP annually for accuracy.
Implement physical safeguards for workstations that access ePHI
Position screens so patients in waiting areas cannot view clinical data. Lock or log off workstations when unattended. Restrict physical access to areas with ePHI (server rooms, filing areas). Physical safeguards are often overlooked but are frequently cited in complaints.
Establish automatic logoff on all systems accessing ePHI
Systems should automatically log off or lock after a period of inactivity (typically 5–15 minutes). This prevents unauthorized access when a workstation is left unattended — a common scenario in busy clinical settings.
Implement a workforce sanctions policy for HIPAA violations
Document specific sanctions for HIPAA violations by workforce members — from verbal warnings for minor incidents to termination for willful violations. Apply sanctions consistently and document each case. Having a policy demonstrates good faith; failing to apply it undermines your entire compliance posture.
Create a data backup and disaster recovery plan
Back up ePHI daily to an encrypted offsite location or to a cloud provider operating under a signed BAA. Document your Recovery Time Objective (RTO) and Recovery Point Objective (RPO). Test restoration at least annually, and verify that the restored data is complete and intact rather than only that the backup job reported success. A ransomware attack that encrypts patient records without an accessible backup is both a compliance failure and a business continuity crisis.
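A restore test is only meaningful if you can prove the restored files match what was backed up. The script below is an added example, not code from this page or from any backup product: it records a SHA-256 manifest at backup time, then checks a restored tree against that manifest and reports missing, altered, and unexpected files. The directory layout, file names, and manifest format are assumptions made for the demonstration.

```python
"""Verify a restore against a hash manifest captured at backup time.
Added example; paths, file contents and the JSON manifest layout are
assumptions for illustration, not a specific backup tool's format."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large database files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file's path (relative to root, POSIX-style) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restored tree to the manifest. Empty 'missing' and
    'mismatched' lists mean the restore is complete and intact."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "mismatched": sorted(p for p in manifest
                             if p in restored and restored[p] != manifest[p]),
        "unexpected": sorted(set(restored) - set(manifest)),
    }


def demo():
    """Constructed scenario: back up a small tree, restore it twice (once cleanly,
    once with a corrupted file and a dropped file), and verify both. Returns
    the two verification results."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "ehr_data")
        (src / "charts").mkdir(parents=True)
        (src / "charts" / "P1001.json").write_text('{"patient": "P1001"}')
        (src / "charts" / "P1002.json").write_text('{"patient": "P1002"}')
        (src / "billing.db").write_bytes(b"\x00" * 1024)

        # Persist the manifest alongside the backup so the restore test does
        # not depend on the source system, which may be the thing that was lost.
        manifest_path = Path(tmp, "backup.manifest.json")
        manifest_path.write_text(json.dumps(build_manifest(src)))

        good = Path(tmp, "restore_good")
        shutil.copytree(src, good)
        clean = verify_restore(json.loads(manifest_path.read_text()), good)

        bad = Path(tmp, "restore_bad")
        shutil.copytree(src, bad)
        (bad / "billing.db").write_bytes(b"\xff" * 1024)   # silent corruption
        (bad / "charts" / "P1002.json").unlink()            # incomplete restore
        broken = verify_restore(json.loads(manifest_path.read_text()), bad)
        return clean, broken


if __name__ == "__main__":
    clean, broken = demo()
    print("clean restore:", clean)
    print("broken restore:", broken)
```

Keep the manifest with the backup copy (and ideally a second copy offline); file the verification output with the date and the person who ran it as the record of the annual restore test.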
Apply the Minimum Necessary standard to all PHI uses and disclosures
Workforce members should access only the PHI needed to perform their specific job function. Role-based EHR permissions, need-to-know policies for paper records, and limiting PHI shared with insurance companies to what the claim requires are all minimum necessary implementations.
Enable and review audit logs on your EHR
Your EHR must log access to patient records — who viewed, modified, or exported data and when. Designate someone to review logs periodically (quarterly is the common standard). Investigate anomalies such as high after-hours access or access to records outside a clinician's patient panel.
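The two anomalies named above can be checked mechanically rather than by eyeballing an export. The script below is an added example written for this checklist, not code from the page or from any EHR vendor: it parses a constructed audit extract and flags users with repeated after-hours access and clinicians opening charts outside their patient panel. The CSV column names, user and patient identifiers, business-hours window, and the threshold of two off-hours events are assumptions; adjust them to your EHR's export and your practice's hours.

```python
"""Review a constructed EHR audit-log extract for after-hours access and
access outside a clinician's patient panel. Log format, names, hours and
thresholds are assumptions for this example; map them to your EHR's export."""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, time

# Constructed sample extract (not a real EHR export). The columns are the
# minimum an audit control should capture: when, who, what role, which chart, what action.
SAMPLE_LOG = """\
timestamp,user,role,patient_id,action
2026-03-02T09:14:00,dr.patel,clinician,P1001,view
2026-03-02T09:20:00,dr.patel,clinician,P1002,view
2026-03-02T10:05:00,front.desk1,frontdesk,P1003,schedule
2026-03-02T23:41:00,dr.patel,clinician,P2001,view
2026-03-03T00:02:00,dr.patel,clinician,P2002,view
2026-03-03T00:09:00,dr.patel,clinician,P2003,export
2026-03-03T11:30:00,nurse.kim,clinician,P1001,modify
2026-03-07T14:15:00,front.desk1,frontdesk,P1004,view
"""

# Assumed patient panels: the charts each clinician is expected to touch.
# A clinician with no panel entry is treated as having an empty panel.
PANELS = {
    "dr.patel": {"P1001", "P1002"},
    "nurse.kim": {"P1001", "P1003"},
}

BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)   # assumed clinic hours
AFTER_HOURS_THRESHOLD = 2   # flag a user with more than this many off-hours events


def parse_log(text):
    """Parse the CSV extract into dicts, adding a real datetime under 'ts'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def is_after_hours(ts):
    """True on weekends or on weekdays outside the business window."""
    if ts.weekday() >= 5:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def review(rows, panels):
    """Return findings: users over the after-hours threshold, and each
    clinician's accesses to charts not on their panel (with the action,
    so an 'export' stands out from a 'view')."""
    after_hours = Counter()
    off_panel = defaultdict(list)
    for row in rows:
        if is_after_hours(row["ts"]):
            after_hours[row["user"]] += 1
        if row["role"] == "clinician" and row["patient_id"] not in panels.get(row["user"], set()):
            off_panel[row["user"]].append((row["timestamp"], row["patient_id"], row["action"]))
    return {
        "after_hours": {u: n for u, n in after_hours.items() if n > AFTER_HOURS_THRESHOLD},
        "off_panel": dict(off_panel),
    }


if __name__ == "__main__":
    findings = review(parse_log(SAMPLE_LOG), PANELS)
    for user, n in findings["after_hours"].items():
        print(f"after-hours: {user} had {n} off-hours events")
    for user, events in findings["off_panel"].items():
        for ts, pid, action in events:
            print(f"off-panel: {user} {action} {pid} at {ts}")
```

Run it against each quarter's export and keep the output with the reviewer's name and date; that record is what demonstrates the review actually happened. In the constructed data, the three midnight chart opens and an export by one clinician against patients outside their panel is exactly the pattern that warrants an investigation.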
Establish media disposal procedures for devices and paper records
Hard drives from decommissioned computers must be sanitized following NIST SP 800-88 (Guidelines for Media Sanitization) or physically destroyed; copiers, fax machines, and some medical devices also contain internal storage and need the same treatment. Paper records must be cross-cut shredded. Document every disposal, including the date, method, and the person responsible. A practice that gives away a computer without wiping the hard drive faces both a breach and an audit liability.
Implement malware protection and patch management on all ePHI systems
Install and update antivirus/anti-malware software on every device that accesses ePHI. Apply operating system and application patches on a defined schedule (a 30-day patch cycle is common; actively exploited vulnerabilities in internet-facing systems warrant faster action). Unpatched software, especially on internet-facing systems, is among the most common entry points for ransomware attacks on medical practices.
Respond to patient rights requests within required timeframes
Patients may request access to their records (30-day response time; one 30-day extension allowed), request amendments, and obtain an accounting of disclosures. Document every request, the response, and the outcome. Denying access without a valid regulatory reason is a standalone HIPAA violation.
Maintain a device and media inventory
Track every device that stores or accesses ePHI — workstations, laptops, tablets, smartphones, fax machines, copiers, and portable media. Record device owner, location, encryption status, and disposal date. An unknown device on your network that contains ePHI is an untracked liability.
Provide periodic security reminders to all workforce members
Beyond annual training, send quarterly security reminders on topics like phishing, password hygiene, and proper disposal. Document distribution. Security reminders are an addressable implementation specification under the required Security Awareness and Training standard. 'Addressable' does not mean optional: it means implement it if reasonable and appropriate, or document why it is not and what equivalent measure you use instead.
Retain all HIPAA documentation for a minimum of six years
Policies, procedures, risk assessments, training records, BAAs, and breach documentation must all be retained for six years from creation or last effective date — whichever is later. Designate a storage location (physical or cloud) and document the retention schedule.
Frequently Asked Questions
Are small medical practices required to comply with HIPAA?
Yes. Any provider that transmits health information electronically in connection with a HIPAA standard transaction (claims, eligibility inquiries, referral authorizations, and the like) is a covered entity, regardless of size. Solo practitioners, small group practices, and single-location clinics are all subject to the Privacy Rule, Security Rule, and Breach Notification Rule. There are no size-based exemptions.
Does HIPAA compliance require expensive software?
Not necessarily. The HHS Security Risk Assessment Tool is free. Many HIPAA-compliant EHRs include built-in audit logging, access controls, and encryption. The cost of compliance is primarily in time — documenting policies, training staff, and maintaining records — not in proprietary software. The cost of non-compliance, however, averages $1.64 million per breach for small providers.
How long do I have to report a HIPAA breach?
Notification to affected individuals must occur without unreasonable delay and no later than 60 days after discovery. For breaches affecting 500 or more individuals, HHS must also be notified within that same 60-day window; smaller breaches may be logged and reported to HHS through the breach portal within 60 days after the end of the calendar year in which they were discovered. Breaches affecting more than 500 residents of a single state or jurisdiction also require notice to prominent media outlets within 60 days of discovery.