HIPAA Compliance for Small Healthcare Businesses: A Plain-English Guide

If your business handles Protected Health Information (PHI), meaning patient names, diagnoses, treatment records, billing information, or anything else that identifies a patient and relates to their care or payment for it, you are subject to HIPAA. Non-compliance is not just a legal risk; for a small practice it can be an existential one. Civil penalties are tiered by how culpable the organization was, running from roughly $100 to $50,000 per violation with an annual cap per violation category of about $1.9 million; HHS adjusts these figures for inflation every year, so check the current schedule. And that is before breach notification costs, reputational damage, and, for knowing misuse of PHI, potential criminal charges.

The good news: HIPAA compliance is achievable for small businesses without a dedicated compliance team. Here’s everything you need to know.

Who Must Comply with HIPAA?

Covered Entities

Health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with standard HIPAA transactions such as claims and eligibility checks. In practice that covers nearly every doctor, dentist, hospital, pharmacy, and health insurance company.

Business Associates

Any third-party company that creates, receives, maintains, or transmits PHI on behalf of a covered entity. This is where many small businesses get caught by surprise. If you are an IT company supporting a medical clinic, a billing service, a cloud storage or hosting provider, a law firm handling patient records, or a medical transcription service, you are a Business Associate and directly subject to the Security Rule and the Breach Notification Rule, not just to your contract. Two points that surprise people: a cloud provider that stores encrypted ePHI is still a Business Associate even if it never holds the decryption key, and subcontractors of a Business Associate that handle PHI are Business Associates in their own right and need their own agreements.

The Three HIPAA Rules You Must Know

1. The Privacy Rule

Governs how PHI can be used and disclosed. Key requirements: patients have the right to access and obtain copies of their own health records, normally within 30 days of asking; without the patient's written authorization, PHI may be used or disclosed only for treatment, payment, and healthcare operations plus a limited list of other purposes the rule spells out (for example, disclosures required by law); uses and disclosures other than for treatment are limited to the "minimum necessary" to accomplish the purpose; and you must have a Notice of Privacy Practices (NPP) that patients receive, with a good-faith effort to obtain their written acknowledgment.

2. The Security Rule

Governs how electronic PHI (ePHI) must be protected. It requires three types of safeguards, each broken into specifications that are either "required" or "addressable". Addressable does not mean optional: you either implement the specification or document why it is not reasonable for your environment and what equivalent measure you put in place instead.

  • Administrative Safeguards: Risk analysis, workforce training, access management policies, incident response procedures
  • Physical Safeguards: Facility access controls, workstation security, device and media controls (including secure disposal)
  • Technical Safeguards: Access controls, audit controls (logging and regular review of the logs), integrity controls, person or entity authentication, transmission security (encryption)

3. The Breach Notification Rule

If unsecured PHI (electronic or paper) is breached, you must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering the breach. You must also notify HHS (the Department of Health and Human Services): within the same 60 days if 500 or more individuals are affected, or in an annual report due within 60 days after the end of the calendar year for smaller breaches. If 500 or more residents of a single state or jurisdiction are affected, you must also notify prominent media outlets there. A Business Associate that discovers a breach must notify the covered entity, which then owns these notifications. Breaches affecting 500+ individuals appear on HHS's public breach portal, widely known as the "Wall of Shame". One important exception: PHI encrypted in line with HHS and NIST guidance is not "unsecured", so losing an encrypted laptop whose key was not also lost is generally not a reportable breach, which is a large part of why encryption is worth doing properly.

The HIPAA Risk Analysis: Your Starting Point

The single most commonly cited HIPAA violation in audits and enforcement actions is failure to conduct a thorough, accurate, and timely risk analysis. This is where you start. A risk analysis means:

  • Identifying where all ePHI exists in your organization (systems, devices, applications, cloud services)
  • Identifying threats and vulnerabilities to that ePHI
  • Assessing the likelihood and impact of each threat/vulnerability
  • Documenting risk levels and the controls implemented to mitigate them
  • Repeating this process regularly and when significant changes occur

HHS provides a free Security Risk Assessment (SRA) Tool at healthit.gov — a practical starting point for small practices.

HIPAA Compliance Checklist for Small Businesses

Administrative

  • ☐ Designate a HIPAA Privacy Officer and Security Officer (can be the same person in small organizations)
  • ☐ Complete and document a Security Risk Analysis
  • ☐ Develop and implement written HIPAA policies and procedures
  • ☐ Train ALL workforce members on HIPAA — document training with signed acknowledgments
  • ☐ Sign Business Associate Agreements (BAAs) with ALL vendors who touch PHI (your EHR vendor, cloud provider, IT company, billing service)
  • ☐ Develop an incident response plan for potential breaches

Technical

  • ☐ Encrypt ePHI at rest and in transit. HIPAA does not name algorithms; follow current NIST guidance (AES-256 at rest, TLS 1.2 or later in transit, with SSL and TLS 1.0/1.1 disabled on anything that carries ePHI)
  • ☐ Implement unique user IDs — no shared accounts
  • ☐ Enable automatic log-off on workstations accessing ePHI
  • ☐ Enable audit logging on all systems that access ePHI
  • ☐ Implement MFA for all remote access to systems containing ePHI
  • ☐ Regular, tested data backups stored separately from primary systems
  • ☐ Antivirus/EDR on all workstations and servers
  • ☐ Firewall between your network and the internet
  • ☐ Patch management — keep all software updated

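Two items on this list, unique user IDs and audit logging, only pay off if someone actually reads the logs. The script below is an added example for this guide, not code from the page or from any EHR vendor: it runs three review rules over an access log and flags what a Security Officer would want to look at first. The CSV layout (time, user, action, patient_id, workstation), the thresholds, and every line in SAMPLE_LOG are constructed assumptions for illustration; adapt the parser to whatever your EHR exports.

```python
"""
Triage an EHR access audit log for patterns worth a HIPAA Security Officer's
attention. Added example for this guide; the log format and SAMPLE_LOG are
constructed for illustration and are not real patient data.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data). One row per record access.
SAMPLE_LOG = """\
time,user,action,patient_id,workstation
2024-03-04T09:02:11,dr.patel,view,P1001,WS-EXAM1
2024-03-04T09:03:40,dr.patel,view,P1002,WS-EXAM1
2024-03-04T09:04:05,frontdesk,view,P1003,WS-FRONT1
2024-03-04T09:05:30,frontdesk,view,P1004,WS-FRONT2
2024-03-04T12:10:00,j.lee,view,P1005,WS-BILL1
2024-03-04T12:10:20,j.lee,view,P1006,WS-BILL1
2024-03-04T12:10:45,j.lee,view,P1007,WS-BILL1
2024-03-04T12:11:10,j.lee,view,P1008,WS-BILL1
2024-03-04T12:11:30,j.lee,view,P1009,WS-BILL1
2024-03-04T12:11:55,j.lee,view,P1010,WS-BILL1
2024-03-04T12:12:15,j.lee,export,P1011,WS-BILL1
2024-03-04T23:40:00,m.chen,view,P1001,WS-EXAM2
"""

# Assumed tuning values; a real practice sets these from its own schedule.
BUSINESS_HOURS = (7, 19)            # 07:00 up to (not including) 19:00 local
SHARED_WINDOW = timedelta(minutes=5)  # same account on two workstations this close
BULK_WINDOW = timedelta(minutes=10)   # distinct patients counted within this window
BULK_THRESHOLD = 6                    # this many distinct patients triggers a flag


def parse_log(text):
    """Parse the CSV export into dicts with a real datetime, oldest first."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.fromisoformat(row["time"])
        rows.append(row)
    return sorted(rows, key=lambda r: r["time"])


def flag_shared_accounts(rows):
    """One account active on two different workstations within SHARED_WINDOW.

    That is the usual signature of a 'frontdesk' style login that several
    people share, which defeats the unique-user-ID requirement.
    """
    last_seen = {}  # user -> (time, workstation) of their previous event
    flags = []
    for r in rows:
        prev = last_seen.get(r["user"])
        if (prev and prev[1] != r["workstation"]
                and r["time"] - prev[0] <= SHARED_WINDOW):
            flags.append((r["user"], prev[1], r["workstation"]))
        last_seen[r["user"]] = (r["time"], r["workstation"])
    return flags


def flag_after_hours(rows):
    """Record access outside BUSINESS_HOURS; legitimate for on-call staff, so
    compare against the on-call roster before treating it as an incident."""
    start, end = BUSINESS_HOURS
    return [(r["user"], r["time"].isoformat(), r["patient_id"])
            for r in rows if not (start <= r["time"].hour < end)]


def flag_bulk_access(rows):
    """A user touching >= BULK_THRESHOLD distinct patients inside BULK_WINDOW.

    Sliding window per user over time-sorted events; one flag per user is
    enough to put them on the review list.
    """
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["user"]].append(r)
    flags = []
    for user, events in by_user.items():
        lo = 0
        for hi in range(len(events)):
            while events[hi]["time"] - events[lo]["time"] > BULK_WINDOW:
                lo += 1
            patients = {e["patient_id"] for e in events[lo:hi + 1]}
            if len(patients) >= BULK_THRESHOLD:
                flags.append((user, len(patients), events[lo]["time"].isoformat()))
                break
    return flags


def review_log(text):
    """Run every rule and return the findings keyed by rule name."""
    rows = parse_log(text)
    return {
        "shared_account": flag_shared_accounts(rows),
        "after_hours": flag_after_hours(rows),
        "bulk_access": flag_bulk_access(rows),
    }


if __name__ == "__main__":
    for rule, hits in review_log(SAMPLE_LOG).items():
        print(f"{rule}: {hits}")
```

Run against the sample, the script flags the "frontdesk" account for appearing on two workstations 85 seconds apart, "j.lee" for opening six distinct charts inside two minutes, and "m.chen" for a 23:40 chart view. Each of these is a lead, not a finding: the point of the exercise is that the review happens on a schedule, the outcome is written down, and a rule that turns out to be noisy is tuned rather than ignored, because "we had logging turned on" without evidence of review is exactly the gap OCR cites.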
Physical

  • ☐ Restrict physical access to areas where ePHI is stored or accessed
  • ☐ Position workstations to prevent unauthorized viewing (screen privacy filters)
  • ☐ Secure disposal of hardware containing ePHI (sanitize drives and media following NIST SP 800-88, or physically destroy them, and keep a record of what was disposed of, when, and how)
  • ☐ Visitor sign-in procedures and escort policies
  • ☐ Lock screens when leaving workstations unattended

Real HIPAA Enforcement Cases

Cottage Health — $3 Million Settlement (2018)

A server misconfiguration made ePHI for 62,500 patients publicly accessible via internet search engines. The records were exposed twice — in 2013 and again in 2015 — because the organization failed to fix the root cause the first time. HHS found they’d failed to conduct an adequate risk analysis.

Fresenius Medical Care — $3.5 Million Settlement (2018)

Five separate breach incidents affected 521 patients total. HHS found the organization failed to conduct accurate, organization-wide risk analyses and had inadequate policies for accessing ePHI on mobile devices. Multiple small breaches added up to a massive fine because the systemic failures were the same across all incidents.

Dental Practice — $10,000 Settlement (2019)

A dentist responded to a patient’s negative online review and included the patient’s PHI in the response — violating the Privacy Rule. This illustrates that HIPAA violations don’t require a cyberattack. Careless disclosures count too.

Free Resources for HIPAA Compliance

  • HHS Security Risk Assessment Tool — healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool
  • HHS HIPAA guidance documents — hhs.gov/hipaa/for-professionals
  • HHS cyber awareness newsletter — hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html

Summary

HIPAA compliance starts with a risk analysis, continues with documented policies and staff training, and requires ongoing maintenance. The most expensive HIPAA violations come from systemic failures — not having done the risk analysis, not training staff, not signing BAAs. Start there, document everything, and treat compliance as a continuous process, not a one-time checkbox.