Does a solo medical practice have to comply with HIPAA?

Yes. Solo physicians, nurse practitioners, and other individual health care providers who transmit PHI electronically (for insurance billing, referrals, etc.) are covered entities under HIPAA. There are no small-practice exemptions. The requirements are the same as for large health systems, though scalable to practice size.

What is the minimum HIPAA documentation a small practice needs?

At minimum, a small medical practice needs: (1) a Notice of Privacy Practices distributed to patients, (2) BAAs with all vendors who access PHI, (3) a written Security Risk Analysis, (4) a Risk Management Plan, (5) written Privacy and Security policies, (6) a Sanctions Policy, (7) workforce training records, and (8) a Breach Notification log. The full list of 12 required HIPAA documents is in our guide.

Does a cash-only medical practice need to follow HIPAA?

Possibly not — but only if the practice truly never transmits PHI electronically for standard transactions (no insurance billing, no electronic referrals). Most cash-only practices still use electronic scheduling, EHRs, or laboratory services that trigger HIPAA. Evaluate carefully. If you engage any electronic transactions with insurers, you are a covered entity.

How often does a small medical practice need a Security Risk Assessment?

The HIPAA Security Rule requires a risk analysis whenever there are environmental or operational changes. Best practice is annual. OCR has cited the absence of an ongoing risk analysis as one of the most common HIPAA violations in small practices. The HHS SRA Tool (free) is designed specifically for small practices.

Can a small practice use Gmail or Google Workspace for patient emails?

Only if you have a signed BAA with Google (available for Google Workspace accounts at no extra charge, not available for personal Gmail). Standard consumer Gmail does not have a BAA option and cannot be used to send, receive, or store PHI. With a Google Workspace BAA in place, Gmail and Drive can be used for PHI communications.

Industry Guide

HIPAA for Small Medical Practices: Solo and Group Compliance Guide (2026)

By ComplyCreate Editorial Team · Published Apr 24, 2026 · Last reviewed Apr 24, 2026

Small medical practices — solo physicians, family medicine groups, urgent care clinics, and independent specialists — face the same HIPAA obligations as large health systems, with fewer resources to meet them. This guide breaks down exactly what a small or solo practice needs to do, what it costs, and how to prioritize when you're doing it without a dedicated compliance team.

Are You a Covered Entity?

If your practice bills insurance electronically, submits electronic prescriptions, or exchanges electronic records with labs or other providers, you are a covered entity under HIPAA. This applies to solo physicians, nurse practitioners, physician assistants, and any practice with even one employee. The relevant legal test (under 45 CFR § 160.103) is whether you transmit PHI electronically in connection with any standard transaction.

The only potential exception is a practice that operates entirely on a cash basis and never transmits PHI electronically in connection with standard transactions. Even then, most "cash-only" practices use electronic scheduling software, EHRs, or lab ordering — each of which can trigger covered entity status. When in doubt, assume you are a covered entity.

The 5 Most Important Things a Small Practice Must Have

If you're starting from scratch or doing a compliance audit, focus on these five areas first:

1. Notice of Privacy Practices

The NPP is often the first HIPAA document patients encounter. You must provide it to every patient at their first visit, post it in your waiting area, and publish it on your website. Your NPP must describe how you use and disclose PHI, patient rights, and how to file a HIPAA complaint. Keep acknowledgment signatures on file.

2. Business Associate Agreements

Every vendor that touches your patients' PHI must sign a BAA before you share any data with them. For a typical small practice, this includes your EHR vendor, billing service, clearinghouse, lab, referral platform, patient portal provider, and IT support company. Generate a BAA for each vendor relationship and keep executed copies in a compliance folder.

3. Security Risk Analysis

The Security Rule (45 CFR § 164.308(a)(1)) requires you to conduct a thorough assessment of the risks to the confidentiality, integrity, and availability of all ePHI your practice creates, receives, maintains, or transmits. This analysis must be in writing, updated when there are significant changes, and retained for six years. The HHS SRA Tool is free and specifically designed for small practices.

4. Written Policies and Procedures

You need written policies covering: minimum necessary PHI access, workforce training, device and media controls, access controls, audit logging, incident response, and breach notification. Policies don't have to be elaborate — a small practice can often cover all areas in a compact policy manual. They do need to exist in writing and be followed in practice.

5. Workforce Training

Every member of your workforce — including non-clinical staff — who may access PHI must receive HIPAA training upon hire and periodically thereafter. Training records (dates, topics covered, who attended) must be documented and retained for six years. This includes your receptionist, billing coordinator, and any part-time or contract staff.

Common Business Associate Relationships for Small Practices

Small medical practices often underestimate how many vendors qualify as business associates. Any person or organization that creates, receives, maintains, or transmits PHI on your behalf — other than members of your workforce — is a BA requiring a signed BAA. Common examples:

EHR vendor (Epic, athenahealth, eClinicalWorks, Kareo, DrChrono, Jane App)
Clearinghouse or billing service (Change Healthcare, Availity, outsourced billing companies)
Laboratory (Quest, LabCorp, local labs that receive requisitions with patient identifiers)
Transcription service (medical transcriptionists who access clinical notes)
IT managed service provider (any IT company with remote access to practice systems)
Cloud backup service (if the backup contains PHI)
Patient portal / scheduling platform (Zocdoc, Healthie, Practice Fusion)
Answering service (if they take messages with PHI)
Shredding / records destruction (companies that destroy paper or media with PHI)

Walk through your vendor list and ask: does this company ever see, store, or transmit information that could identify one of my patients? If yes, you need a BAA.

EHR Selection and HIPAA Compliance

Most modern EHR platforms marketed to small practices (athenahealth, Kareo, SimplePractice, Jane App, Luminare Health) include a BAA as part of their service agreement. Check your subscription terms and confirm you have an executed BAA — not just acceptance of terms of service. Some platforms require you to opt in to their HIPAA BAA separately.

When evaluating a new EHR, ask:

Do you provide a signed BAA?
Is data encrypted at rest and in transit?
Do you conduct annual penetration testing?
What is your breach notification process if you experience an incident?
Where is data hosted (U.S. or international)?
What access controls and audit logging does the platform provide?

Email, Texting, and Fax: PHI Communication Rules

Small practices frequently communicate with patients and referring providers via email, text, and fax. Here's the HIPAA reality for each:

Email

Sending PHI via unencrypted email is permissible only if the patient has been informed of the risk and requests communication by email anyway (and you document their preference). For routine clinical communications (lab results, referrals, care coordination), you need encrypted email or a secure messaging platform with a BAA. Google Workspace and Microsoft 365 both offer BAAs; standard consumer Gmail does not.

Text Messaging

Standard SMS is not encrypted and is not HIPAA-compliant for PHI. Patient appointment reminders (without clinical details) may be acceptable. For clinical communications by text, use a HIPAA-compliant messaging platform (TigerConnect, Klara, Spruce Health) that encrypts messages and offers a BAA.

Fax

Traditional fax is generally considered acceptable for PHI transmission because it is a point-to-point transmission not stored on internet servers. However, internet fax services (eFax, RingCentral Fax) do store your faxes in the cloud — check that these providers offer a BAA and that storage is encrypted.

The Security Risk Analysis: What It Is and How to Do It

The Security Risk Analysis (SRA) is the foundation of Security Rule compliance. It is also the most common deficiency OCR finds in small practice investigations. Here's what it requires:

Define scope: All electronic systems that create, receive, maintain, or transmit ePHI — workstations, servers, mobile devices, cloud services, medical equipment with network connectivity.
Identify threats and vulnerabilities: For each system, identify potential threats (ransomware, lost laptop, unauthorized access, natural disaster) and existing vulnerabilities (no encryption, weak passwords, outdated software).
Assess current controls: Document what security controls are in place and how effective they are.
Determine risk level: Assign a risk rating (high/medium/low) to each threat/vulnerability combination based on likelihood and impact.
Document findings: The SRA must be in writing. There is no prescribed format, but it must demonstrate that you analyzed your specific environment.
Create a risk management plan: Implement security measures to reduce identified risks to a reasonable and appropriate level.

The HHS SRA Tool (available at healthit.gov) is a free guided tool designed for small and medium practices. It walks through each component and generates a report. Complete it annually and retain the reports for six years.

Small Practice Compliance on a Budget

HIPAA compliance doesn't have to be expensive. Here's how small practices can cover the major requirements cost-effectively:

NPP: Generate a customized NPP at nppgenerator.com for $49 rather than paying an attorney $500–$1,500.
BAAs: Generate BAAs for each vendor at baagenerator.com for $49 each — most practices need 5–10 BAAs, and many large vendors will sign your BAA rather than only theirs.
Security Risk Analysis: Use the free HHS SRA Tool. Invest one to two afternoons completing it thoroughly.
Training: HHS offers free HIPAA training materials at hhs.gov. Supplement with a brief annual staff training session using real examples from your practice.
Policy templates: Download our free HIPAA Compliance Starter Kit for a policy template checklist and worksheet.

HIPAA Violations in Small Practices: What OCR Looks For

OCR investigates small practices for the same violations that trigger enforcement actions at large organizations. The most common findings in small-practice investigations:

No Security Risk Analysis or an outdated one
Missing or expired BAAs with vendors
Failure to provide or post an NPP
Unencrypted laptop or mobile device containing ePHI
Impermissible disclosure (posting patient information on social media, leaving records visible)
Failure to train workforce on HIPAA
Failure to respond to patient access requests within 30 days

OCR's Resolution Agreement program has assessed penalties against solo practitioners and practices with two or three providers. Size is not a shield. Demonstrating a good-faith compliance program — documented SRA, current BAAs, trained staff — significantly reduces risk and potential penalties.

What to do next

→ Create your practice NPP at nppgenerator.com ($49)
→ Generate BAAs for your vendors at baagenerator.com ($49 each)
→ Walk through the 6-step Security Risk Analysis
→ See the full list of 12 required HIPAA documents
→ Use the small practice compliance checklist