HIPAA Compliance for Small Business

If your small business handles any patient health information — as a medical practice, dental office, chiropractic clinic, mental health provider, pharmacy, or business associate — HIPAA compliance isn’t optional. Violations carry fines ranging from $100 to $50,000 per violation, with annual maximums up to $1.9 million per violation category. More importantly, a HIPAA breach can destroy patient trust and your business reputation overnight. This guide explains what HIPAA requires from small businesses and the practical steps to achieve compliance.

Who Must Comply With HIPAA?

Covered Entities

HIPAA directly applies to covered entities — organizations that create, receive, maintain, or transmit Protected Health Information (PHI) in the course of providing healthcare services:

  • Healthcare providers — doctors, dentists, chiropractors, therapists, pharmacies, hospitals, clinics
  • Health plans — insurance companies, HMOs, employer health plans
  • Healthcare clearinghouses — entities that process health information

Business Associates

HIPAA also applies to business associates — companies that handle PHI on behalf of covered entities:

  • Medical billing companies
  • IT service providers and MSPs that have access to systems containing PHI
  • Cloud storage and hosting providers storing PHI
  • Transcription services
  • Attorneys and accountants who access PHI
  • Shredding companies

If you provide IT services to a medical practice, you may be a business associate subject to HIPAA — even if you’re not in healthcare yourself.

What Is Protected Health Information (PHI)?

PHI is any individually identifiable health information that relates to:

  • A person’s past, present, or future physical or mental health condition
  • Healthcare provided to a person
  • Payment for healthcare

This includes: names, addresses, birth dates, Social Security numbers, medical record numbers, phone numbers, email addresses, photos — any information that could identify a specific patient combined with health information.

Electronic PHI (ePHI) refers to PHI stored, transmitted, or processed electronically — which is what the HIPAA Security Rule specifically protects.

The Four HIPAA Rules Small Businesses Must Follow

1. Privacy Rule

Sets national standards for protecting PHI. Key requirements:

  • Patients have the right to access their own health records
  • PHI can only be used or disclosed for treatment, payment, or healthcare operations — or with patient authorization
  • Minimum necessary standard — only access and share the minimum PHI needed for the task
  • Provide patients with a Notice of Privacy Practices

2. Security Rule

Requires covered entities and business associates to implement safeguards to protect ePHI. Three categories of safeguards are required:

Administrative Safeguards:

  • Designate a Security Officer responsible for HIPAA compliance
  • Conduct regular risk assessments
  • Implement workforce training on security policies
  • Develop and enforce security policies and procedures
  • Manage information access — limit who can access PHI

Physical Safeguards:

  • Facility access controls — limit physical access to systems containing ePHI
  • Workstation policies — position screens away from public view; lock computers when unattended
  • Device and media controls — procedures for disposing of devices that contained ePHI

Technical Safeguards:

  • Access controls — unique user IDs, automatic logoff, encryption
  • Audit controls — hardware and software that record access to ePHI
  • Integrity controls — ensure ePHI isn’t improperly altered or destroyed
  • Transmission security — encrypt ePHI transmitted over networks

3. Breach Notification Rule

Requires notification when unsecured PHI is breached:

  • Affected individuals must be notified within 60 days of discovery
  • HHS must be notified — immediately for breaches affecting 500+ people; annually for smaller breaches
  • Media notification required for breaches affecting 500+ people in a state

4. Omnibus Rule

Extends HIPAA requirements to business associates directly and strengthens enforcement. Business Associates must sign a Business Associate Agreement (BAA) with covered entities before accessing PHI.

Practical HIPAA Compliance Steps for Small Businesses

Step 1 — Conduct a Risk Assessment

HIPAA requires a formal risk assessment that identifies:

  • All locations where ePHI is stored, received, maintained, or transmitted
  • Potential threats and vulnerabilities to ePHI
  • Current security measures in place
  • The likelihood and impact of potential threats
  • Risk levels and priorities for remediation

Document this assessment. The risk assessment is the foundation of HIPAA compliance and the first thing regulators ask for during an investigation.

Step 2 — Designate a HIPAA Security Officer

Even in a solo practice or very small business, someone must be designated as responsible for HIPAA compliance. In a small practice this is often the owner or office manager. The designation should be documented.

Step 3 — Implement Technical Controls

  • Encryption: Encrypt all devices containing ePHI — laptops, desktops, servers, USB drives. BitLocker (Windows) and FileVault (Mac) are free and built-in. Encrypted devices are exempt from breach notification requirements if the encryption key isn’t compromised.
  • Access controls: Unique user accounts for every employee — no shared logins. Role-based access ensuring staff only access the PHI needed for their job.
  • Automatic screen lock: Computers containing ePHI should lock after 5–10 minutes of inactivity
  • Audit logging: Enable logging of access to systems containing ePHI
  • Email encryption: Encrypt emails containing PHI — or use a HIPAA-compliant email service
  • Secure messaging: Text messaging is not HIPAA compliant for PHI — use a HIPAA-compliant messaging platform
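As an added example (not part of the original guide), the PowerShell script below audits a Windows workstation against the Step 3 controls listed above: BitLocker on every fixed volume, a password-protected screen lock within the guide's 5–10 minute range, audit logging for logons and file access, and no enabled shared or generic local accounts. The 10-minute threshold and the list of generic account-name prefixes are assumptions; adjust them to your own policy.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on the workstation being checked; Get-BitLockerVolume requires the
# BitLocker module that ships with Windows Pro/Enterprise.
$findings = @()

# 1. Encryption at rest: every volume should report BitLocker protection On.
foreach ($vol in Get-BitLockerVolume) {
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "Volume $($vol.MountPoint): BitLocker protection is $($vol.ProtectionStatus)"
    }
}

# 2. Automatic screen lock: screen saver active, password on resume, timeout <= 10 min.
$maxIdleSeconds = 600   # assumption: upper end of the guide's 5-10 minute range
$desk = Get-ItemProperty 'HKCU:\Control Panel\Desktop'
if ($desk.ScreenSaveActive -ne '1' -or $desk.ScreenSaverIsSecure -ne '1') {
    $findings += 'Screen lock: screen saver is not enabled with password protection'
} elseif ([int]$desk.ScreenSaveTimeOut -gt $maxIdleSeconds) {
    $findings += "Screen lock: timeout is $($desk.ScreenSaveTimeOut) s, exceeds $maxIdleSeconds s"
}

# 3. Audit logging: logon events and file-system object access should be audited.
foreach ($sub in 'Logon', 'File System') {
    $line = (auditpol /get /subcategory:"$sub" | Select-String "^\s+$sub\s+").Line
    if ($line -notmatch 'Success') {
        $findings += "Audit policy: '$sub' subcategory is not auditing successful access"
    }
}

# 4. Unique user IDs: flag enabled local accounts whose names look shared or generic.
#    The prefix list is an assumption; extend it with names used in your practice.
$genericPattern = '^(Guest|Reception|FrontDesk|Shared|Nurse)'
foreach ($u in Get-LocalUser | Where-Object { $_.Enabled -and $_.Name -match $genericPattern }) {
    $findings += "Access control: generic local account '$($u.Name)' is enabled"
}

if ($findings.Count -eq 0) { 'All checked workstation controls pass.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Keep the script's output with the date and workstation name in your risk assessment file; it documents the technical safeguards in place at the time of review.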

Step 4 — Train Your Workforce

All employees who access PHI must receive HIPAA training. Training must cover:

  • What PHI is and how to protect it
  • Security policies and procedures
  • How to recognize and report potential breaches
  • Consequences of violations

Document all training with dates and employee signatures. Retrain annually and when policies change.

Step 5 — Execute Business Associate Agreements

Any vendor or service provider that accesses PHI must sign a BAA before they receive access. This includes:

  • Cloud storage providers (Google, Microsoft, Dropbox — all have HIPAA BAA programs)
  • IT service providers and MSPs
  • Electronic health record (EHR) vendors
  • Billing services
  • Telehealth platforms

Using a vendor that won’t sign a BAA — or forgetting to get BAAs signed — is a common compliance gap that creates liability.

Step 6 — Develop Policies and Procedures

Document your HIPAA policies covering:

  • Access control policy
  • Password policy
  • Device and media disposal procedure
  • Breach response procedure
  • Workforce training policy
  • Business associate management procedure

HIPAA Fines — What’s at Stake

Violation Category                       Per Violation       Annual Maximum
Did not know (reasonable diligence)      $100–$50,000        $25,000
Reasonable cause (not willful neglect)   $1,000–$50,000      $100,000
Willful neglect — corrected              $10,000–$50,000     $250,000
Willful neglect — not corrected          $50,000             $1,900,000

Free HIPAA Resources

  • HHS HIPAA Security Rule Guidance: hhs.gov/hipaa/for-professionals/security
  • HHS Risk Assessment Tool: healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool — free tool to conduct and document your risk assessment
  • ONC Security Risk Assessment Tool: Available as a free download for small and medium practices

The Bottom Line

HIPAA compliance for small businesses comes down to four pillars: know where your PHI is, control who can access it, encrypt it, and train your staff. The risk assessment is where to start — it maps your PHI landscape and drives everything else. HIPAA compliance isn’t a one-time checkbox; it’s an ongoing program. But the basics are achievable for any small healthcare business with modest investment in the right tools and policies.
