Do small clinics need HIPAA compliance?

Yes. All healthcare providers that handle Protected Health Information (PHI) must comply with HIPAA, regardless of size. This includes solo practitioners, small clinics, and large hospitals.

What are the 9 required HIPAA policies?

The 9 required HIPAA policies are: (1) Privacy Policy, (2) Security Policy, (3) Incident Response Plan, (4) Breach Notification Policy, (5) Risk Assessment Report, (6) Business Associate Agreement template, (7) Workforce Security Policy, (8) Contingency Plan, and (9) Audit Logs Policy.

How often do I need to do a risk assessment?

HIPAA requires risk assessments to be conducted at least annually, or whenever there are significant changes to your practice, systems, or operations. Many practices conduct them quarterly for better protection.

What happens if I'm not HIPAA compliant?

Non-compliance can result in OCR audits, corrective action plans, fines ranging from $100 to $50,000 per violation (up to $1.5 million per year), and in severe cases, criminal penalties. You may also face reputational damage and loss of patient trust.

Complete HIPAA Compliance Guide for Medical Practices (2026)

HIPAA is complex. But the requirements are always the same.

This comprehensive guide covers everything you need to know about HIPAA compliance—from the basics to advanced implementation strategies.

What is HIPAA?
The Three Main HIPAA Rules
9 Required HIPAA Policies
Administrative Safeguards
Physical Safeguards
Technical Safeguards
Risk Assessment Process
Documentation Requirements
Audit Preparation
Compliance Checklist

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law passed in 1996 that requires healthcare providers to protect patient health information.

Who must comply:

Healthcare providers (doctors, dentists, therapists, etc.)
Health plans
Healthcare clearinghouses
Business associates (vendors who handle PHI)

What is Protected Health Information (PHI)? PHI is any information that can identify a patient, including:

Names, addresses, phone numbers
Social Security numbers
Medical record numbers
Health conditions and diagnoses
Treatment information
Payment information

The Three Main HIPAA Rules

HIPAA consists of three main rules that healthcare providers must follow:

1. Privacy Rule

The Privacy Rule establishes standards for protecting patients' privacy rights and controlling the use and disclosure of PHI.

Key requirements:

Patients have the right to access their PHI
Patients have the right to request amendments
Patients have the right to request restrictions on use/disclosure
Providers must provide Notice of Privacy Practices
Providers must obtain authorization for certain disclosures

2. Security Rule

The Security Rule requires providers to implement safeguards to protect electronic PHI (ePHI).

Three categories of safeguards:

Administrative Safeguards: Policies, procedures, and workforce management
Physical Safeguards: Facility access, workstation security, device controls
Technical Safeguards: Access control, encryption, audit controls

3. Breach Notification Rule

The Breach Notification Rule requires providers to notify patients, HHS, and in some cases, the media, when a breach of unsecured PHI occurs.

Key requirements:

Notify affected patients within 60 days
Notify HHS for breaches affecting 500+ individuals
Notify media for breaches affecting 500+ individuals in a state/jurisdiction

9 Required HIPAA Policies

Every healthcare practice must have these 9 policies documented:

1. Privacy Policy

Defines how PHI is used and disclosed, patient rights, and provider obligations.

2. Security Policy

Establishes security measures to protect ePHI, including administrative, physical, and technical safeguards.

3. Incident Response Plan

Outlines procedures for responding to security incidents and breaches.

4. Breach Notification Policy

Defines when and how to notify patients, HHS, and media of breaches.

5. Risk Assessment Report

Documents the Security Risk Analysis process and findings.

6. Business Associate Agreement (BAA) Template

Standard agreement for vendors who handle PHI.

7. Workforce Security Policy

Defines hiring, termination, and access management procedures.

8. Contingency Plan

Outlines procedures for responding to emergencies and system failures.

9. Audit Logs Policy

Defines what activities are logged and how logs are maintained.

Administrative Safeguards

Administrative safeguards are policies and procedures designed to manage workforce conduct and protect ePHI.

Key requirements:

Designated Privacy Officer
Designated Security Officer
Workforce security procedures
Information access management
Security awareness training
Contingency planning
Business Associate Agreements

Physical Safeguards

Physical safeguards are measures to protect physical facilities and equipment that contain ePHI.

Key requirements:

Facility access controls
Workstation use restrictions
Workstation security
Device and media controls
Facility security plan

Technical Safeguards

Technical safeguards are technology-based measures to protect ePHI.

Key requirements:

Access control (unique user IDs, automatic logoff)
Audit controls (logging and monitoring)
Integrity controls (preventing unauthorized alteration)
Transmission security (encryption in transit)
Encryption at rest

Risk Assessment Process

A Security Risk Analysis (SRA) is required to identify vulnerabilities and implement appropriate safeguards.

Steps:

Identify all ePHI locations
Identify potential threats and vulnerabilities
Assess current security measures
Determine likelihood and impact of risks
Document findings
Implement remediation plans
Review and update annually

Documentation Requirements

HIPAA requires extensive documentation to prove compliance.

What to document:

All policies and procedures
Risk assessment findings
Training records
Incident logs
Breach notifications
Business Associate Agreements
Audit logs
Evidence of compliance activities

Organization is key: You must be able to find any document within 5 minutes during an audit.

Audit Preparation

When an OCR auditor arrives, they'll check:

Documentation completeness - Do you have all required policies?
Evidence organization - Can you find documents quickly?
Training records - Are all staff trained?
Risk assessment - Is it current and documented?
BAAs - Are all vendors covered?
Breach response - Do you have a plan?

The secret to passing: Organization. If you can show everything in 5 minutes, you pass.

Compliance Checklist

Use this checklist to assess your compliance:

All 9 required policies documented
Privacy Officer designated and documented
Security Officer designated and documented
Risk assessment completed and documented
All staff trained (with certificates)
Training records maintained
BAAs on file for all vendors
Breach response plan documented
Evidence organized and accessible
Policies reviewed and updated annually

Next Steps

Assess your current compliance - Use the checklist above
Identify gaps - See where you're missing documentation
Get organized - Centralize all compliance documentation
Use HIPAA Hub - Automate compliance and never worry about audits

This guide is based on current HIPAA regulations as of 2026. For personalized compliance guidance, consider using HIPAA Hub.

Related Resources:

Complete HIPAA Compliance Guide for Medical Practices (2026)

Complete HIPAA Compliance Guide for Medical Practices (2026)

Table of Contents

What is HIPAA?

The Three Main HIPAA Rules

1. Privacy Rule

2. Security Rule

3. Breach Notification Rule

9 Required HIPAA Policies

1. Privacy Policy

2. Security Policy

3. Incident Response Plan

4. Breach Notification Policy

5. Risk Assessment Report

6. Business Associate Agreement (BAA) Template

7. Workforce Security Policy

8. Contingency Plan

9. Audit Logs Policy

Administrative Safeguards

Physical Safeguards

Technical Safeguards

Risk Assessment Process

Documentation Requirements

Audit Preparation

Compliance Checklist

Next Steps