HIPAA Cybersecurity: What Every Small Healthcare Practice Actually Needs to Do
Most HIPAA guides are written for hospital compliance teams. This one is for dental offices, therapy practices, and small clinics — the businesses that have to comply without a compliance department.
The HHS Office for Civil Rights (OCR) resolved more than 900 HIPAA cases in 2023 alone, collecting $135 million in settlements. Small practices are not exempt — in fact, OCR actively targets practices that failed to do the basics: risk analysis, access controls, and workforce training. The average settlement for a small practice is now $250,000. Understanding what you actually need to do is not optional.
The HIPAA Security Rule in Plain English
HIPAA's Privacy Rule covers who can see patient information. The Security Rule — which is what cybersecurity is about — covers how you protect electronic protected health information (ePHI). Any practice that creates, receives, maintains, or transmits ePHI must comply with the Security Rule.
The rule divides requirements into three categories: administrative safeguards, physical safeguards, and technical safeguards. Each has "required" and "addressable" specifications. "Addressable" does not mean optional — it means you must either implement it, document why it doesn't apply, or implement an equivalent alternative.
In 2024, HHS proposed updates to the Security Rule that would convert several addressable specifications to required — including multi-factor authentication and network segmentation. The direction of travel is clear: HIPAA is getting stricter, not looser.
Administrative Safeguards: The Foundation
Administrative safeguards are the policies, procedures, and processes that govern how your practice handles ePHI. They're the most commonly deficient area for small practices — and the first thing OCR asks for in an investigation. At a minimum, a small practice needs:
- A designated Security Officer (can be an existing staff member in small practices)
- A risk analysis — documented in writing, updated at least annually
- A risk management plan based on the analysis findings
- Security awareness training for all staff (at hire and periodically thereafter)
- A sanction policy for employees who violate policies
- A contingency / disaster recovery plan for ePHI
The risk analysis is worth emphasising. It is the single most commonly cited deficiency in HIPAA enforcement actions — practices that have done everything else correctly but failed to document a risk analysis still face substantial penalties. The analysis does not have to be elaborate, but it must be written, systematic, and current.
Physical Safeguards: Controlling Access to Devices
Physical safeguards govern access to the physical locations where ePHI is stored and processed. For a small practice, this means:
- Workstations must have screen locks that activate after a period of inactivity
- Servers or workstations with ePHI must be in locked rooms or secured areas
- Portable devices (laptops, tablets) used with ePHI must have full-disk encryption
- Hardware disposal must include certified data destruction — not just recycling
- Visitor access to areas where ePHI is stored must be controlled and logged
Technical Safeguards: The Cyber Controls
Technical safeguards are the cybersecurity controls the Security Rule directly requires. These are the ones most relevant to a conversation with a managed security provider.
Access controls
Unique user IDs, automatic logoff, and encryption for workstations accessing ePHI.
Audit controls
Logging of activity in systems that contain or use ePHI — and reviewing those logs regularly.
Integrity controls
Mechanisms to ensure ePHI is not altered or destroyed without authorisation.
Transmission security
Encryption of ePHI in transit — email, cloud storage, and patient portals all included.
Multi-factor authentication
Not explicitly named in the original rule, but the 2024 proposed HIPAA Security Rule update would make it a required control.
Business Associate Agreements (BAAs): Your Vendor Exposure
Any vendor that handles ePHI on your behalf is a "Business Associate" and must sign a BAA with your practice. This includes your EHR/practice management software provider, billing company, cloud backup provider, and any IT support firm that might access ePHI during their work.
It is common for practices to use Dropbox, personal Gmail, or Google Drive for patient documents without a BAA in place — this is a direct HIPAA violation regardless of whether a breach occurs. Many cloud providers (Microsoft, Google) offer BAAs for their business tiers. Personal accounts do not qualify.
The Six Most Common Gaps in Small Practice HIPAA Compliance
Shared workstation logins
No audit trail, no accountability, and an automatic HIPAA violation
Texting patient information via personal phones
Unencrypted ePHI transmission — one of the most common OCR findings
No formal risk analysis document
The #1 cause of HIPAA enforcement actions — required but rarely done
Cloud file storage without a BAA
Dropbox, Google Drive, personal iCloud — if used for ePHI without a BAA, a violation
Dental / practice management software on end-of-life Windows
Unsupported OS = unpatched vulnerabilities = ePHI at risk
No documented sanction policy
Required administrative safeguard — absence is an automatic gap
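The audit-control requirement above ("logging activity and reviewing those logs regularly") and the shared-login gap are easiest to act on with a small, periodic review of the EHR access log. The following is an added example, not code from the article or from any EHR vendor: the log format, field order, and the 07:00 to 19:00 business-hours window are assumptions, and the log lines are constructed. It flags one user ID active on two different workstations within a short window (a sign the login is being shared) and any access outside business hours.

```python
# Added example: review a (constructed) ePHI access log for two indicators
# that the article discusses: shared logins and after-hours access.
from datetime import datetime, timedelta

# Constructed sample log. Assumed field order:
# timestamp  user_id  workstation  action  patient_record
SAMPLE_LOG = """\
2025-03-03T08:55:10 jsmith FRONTDESK-1 view PT-1042
2025-03-03T09:02:44 jsmith OPERATORY-2 view PT-1042
2025-03-03T09:03:05 jsmith FRONTDESK-1 edit PT-1042
2025-03-03T13:20:00 rlee BILLING-1 view PT-2210
2025-03-03T23:41:17 rlee BILLING-1 export PT-2210
"""

BUSINESS_HOURS = (7, 19)                 # assumption: 07:00 to 19:00 local time
SESSION_WINDOW = timedelta(minutes=15)   # assumption: two hosts inside 15 min = shared login


def parse_log(text):
    """Turn the assumed space-separated log into (ts, user, host, action, patient) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, host, action, patient = line.split()
        events.append((datetime.fromisoformat(ts), user, host, action, patient))
    return events


def review(events):
    """Return a list of findings: (kind, user, detail, timestamp)."""
    findings = []
    last_seen = {}   # user -> (timestamp, workstation) of that user's previous event
    flagged = set()  # (user, pair of workstations) already reported, to avoid repeats
    for ts, user, host, action, patient in sorted(events):
        if user in last_seen:
            prev_ts, prev_host = last_seen[user]
            pair = (user, frozenset((prev_host, host)))
            if prev_host != host and ts - prev_ts <= SESSION_WINDOW and pair not in flagged:
                flagged.add(pair)
                findings.append(("shared-login", user, f"{prev_host},{host}", ts.isoformat()))
        last_seen[user] = (ts, host)
        if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
            findings.append(("after-hours", user, f"{action} {patient}", ts.isoformat()))
    return findings


if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print(*finding)
```

Each finding is something the Security Officer should be able to explain in writing; keeping the script's output alongside the monthly review record is what turns "we have logs" into evidence of the regular review the rule asks for.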
Breach Notification: What Happens When Something Goes Wrong
If ePHI is breached — lost, stolen, improperly disclosed, or accessed without authorisation — HIPAA requires specific notification timelines:
- Affected individuals: within 60 days of discovery
- HHS OCR: within 60 days (breaches of 500+ records trigger media notification too)
- Breaches under 500 records: logged and reported to HHS annually
Ransomware attacks are presumed to be breaches under OCR guidance unless you can demonstrate the data was not accessed. A practice hit by ransomware that does not have a documented risk analysis, access controls, or backups will face both the operational crisis and a likely enforcement action.
Where to Start if You're Behind
If you're not confident about your current posture, start with these three actions:
- Commission a written risk analysis — this is the foundational requirement and the first thing OCR asks for.
- Enforce unique user accounts and MFA on your EHR, practice management system, and any cloud tools that touch patient data.
- Audit your vendor BAAs — list every tool your practice uses that could touch ePHI and confirm a BAA is in place.
Important Note
This article provides general informational guidance about HIPAA requirements and does not constitute legal or compliance advice. HIPAA compliance requirements vary by covered entity type and size. Consult qualified healthcare compliance and legal professionals for advice specific to your practice.