HIPAA compliance sounds expensive and complicated. For a small dental office or family medicine clinic in Idaho, the requirements feel designed for hospital systems with full IT departments. They are not. Here is what small practices actually need to know.
The Security Rule in Plain English
The HIPAA Security Rule requires covered entities to protect electronic Protected Health Information (ePHI). It does not specify exactly how. It gives you flexibility to implement safeguards that are appropriate for your size and risk level. A three-person dental practice does not need the same controls as a 500-bed hospital.
What the rule does require is that you have done a risk assessment, documented what you found, and put reasonable controls in place. "Reasonable" is the operative word. HHS judges you on whether you made a genuine effort proportionate to your situation.
The Risk Assessment: Non-Negotiable
The single most common HIPAA violation for small practices is skipping the risk assessment entirely. OCR (the HHS Office for Civil Rights, which enforces HIPAA) has settled cases for six figures with practices that could not produce a written risk assessment.
A risk assessment for a small practice does not need to be a 200-page document. It needs to identify where your ePHI lives, what threats exist, what controls you have, and what gaps remain. That is it.
Blackhount's security assessment covers the technical side of this. We scan your public-facing systems, test your controls, and give you a written report you can keep on file. From $299.
The Controls Small Practices Actually Need
Based on HHS guidance for small and medium covered entities, these are the controls most practices should have in place:
Access controls. Every staff member should have their own login. Shared passwords are a common finding that creates both security and compliance problems. Terminate access immediately when an employee leaves.
Encryption. Laptops and workstations that contain or access ePHI should have drive encryption enabled. On Windows, this is BitLocker. On Mac, this is FileVault. Both are free and built in.
Audit logs. Your EHR system should have audit logging enabled. You should know who accessed what records and when. Most modern EHR systems have this built in.
Backup and recovery. You need a tested backup of your ePHI. Tested means you have actually tried to restore from it. An untested backup is not a backup.
Business Associate Agreements. Every vendor that handles ePHI on your behalf needs a signed BAA. This includes your EHR vendor, billing company, and any cloud storage you use for patient records.
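As an added example (not Blackhount's tooling and not part of the original article), a PowerShell check that records the BitLocker status of each fixed drive on a Windows workstation as a dated row you can keep in the risk-assessment file; it assumes Windows Pro or Enterprise, an elevated session, and an evidence folder at C:\HIPAA-Evidence.

```powershell
# Added example: capture drive-encryption evidence for the risk-assessment file.
# Assumes the BitLocker module (Windows Pro/Enterprise) and an elevated session.
$evidencePath = 'C:\HIPAA-Evidence\encryption-status.csv'   # assumed location
New-Item -ItemType Directory -Path (Split-Path $evidencePath) -Force | Out-Null

if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
    # Home editions have no BitLocker; that is itself a gap to document.
    Write-Warning "BitLocker cmdlets are not available on this edition of Windows."
    return
}

$rows = foreach ($vol in Get-BitLockerVolume) {
    # Only fixed drives are in scope here; removable media is a separate control.
    $drive = Get-Volume -DriveLetter $vol.MountPoint.TrimEnd(':') -ErrorAction SilentlyContinue
    if ($drive -and $drive.DriveType -ne 'Fixed') { continue }

    [pscustomobject]@{
        Timestamp        = (Get-Date).ToString('s')
        Computer         = $env:COMPUTERNAME
        Volume           = $vol.MountPoint
        VolumeType       = $vol.VolumeType                 # OperatingSystem or Data
        ProtectionStatus = $vol.ProtectionStatus           # On = encrypted with key protectors active
        VolumeStatus     = $vol.VolumeStatus               # e.g. FullyEncrypted, FullyDecrypted
        EncryptionPct    = $vol.EncryptionPercentage
        Finding          = if ($vol.ProtectionStatus -eq 'On') { 'Compliant' } else { 'Gap: enable BitLocker' }
    }
}

# Append to the evidence file so repeated runs build a dated history per workstation.
$rows | Export-Csv -Path $evidencePath -Append -NoTypeInformation
$rows | Format-Table Volume, ProtectionStatus, VolumeStatus, Finding -AutoSize
```

Run it on each laptop and workstation that touches ePHI; a "Gap" row is a finding to remediate and then re-run, and the CSV is the record that you checked.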
What Auditors Look For
HHS OCR audits are rare for small practices, but breach investigations are not. If you experience a breach, OCR will ask for your risk assessment, your policies, your BAAs, and your training records. If you cannot produce these, the fine calculation starts much higher.
The most common findings in small practice investigations are missing risk assessments, shared credentials, unencrypted laptops, and missing BAAs with cloud vendors.
What This Actually Costs
For a small practice, getting to a defensible HIPAA security posture should cost less than most people expect. Encryption is free. Access controls cost staff time, not money. A written risk assessment from Blackhount is $299. A basic policy set can be drafted in a day.
The expensive version is the one where you find out about your gaps during an OCR investigation after a breach.
Start Here
Get a free automated security assessment of your public-facing systems. We scan your website and any externally accessible systems and return a plain-English report within 24 hours. It is a good starting point for understanding your external exposure.
For a full HIPAA-focused security assessment, contact us. We scope each engagement based on your practice size and risk profile.