In October 2024, OCR imposed a $70,000 civil monetary penalty on Gums Dental Care, a small dental practice, for failing to provide a patient timely access to their records. No breach. No lost laptop. No ransomware. Just a small practice that didn't meet the Right of Access timeline. Since launching its Right of Access Initiative, OCR has settled more than 45 cases like this, with penalties for small practices typically ranging from $3,500 to $70,000 and hospital-system cases reaching $240,000.
Small practices get cited. The profile of enforcement isn't what most independent owners assume. It isn't always a ransomware attack or a lost device. It's a missed 30-day access deadline, a risk assessment that was never updated, a billing vendor without a signed BAA. This is what OCR actually looks for, and what most small-practice owners miss.
What OCR actually scrutinizes in small-practice audits
HIPAA is not one thing. It's a stack of rules (Privacy, Security, Breach Notification, Enforcement) enforced through a set of recurring audit and investigation patterns. Small-practice owners who treat it as a monolith ("we're HIPAA compliant") are the ones who get surprised by what actually triggers a resolution agreement.
In current OCR enforcement activity, six domains carry nearly all the risk for small practices:
- Risk assessment. Documented, current, acted on. Not a one-time exercise from three years ago.
- Access controls. Who can see what PHI, with audit logs showing who actually did.
- Physical and device security. Full-disk encryption on every laptop and phone. Workstations positioned away from public view.
- Business Associate Agreements. Every vendor that touches PHI, signed, current, inventoried.
- Breach notification readiness. A defined workflow for who does what if PHI leaks, within the Breach Notification Rule's timelines.
- Workforce training. Documented, role-specific, refreshed on a regular cadence.
OCR's current 2026 enforcement posture is heavily weighted toward two of those six: risk assessment and Right of Access. The Risk Analysis Initiative, launched in fall 2024, has already produced more than a dozen enforcement actions. It targets organizations that cannot produce a thorough, current risk analysis when OCR comes looking. The Right of Access Initiative has been running longer and accounts for most of the small-practice settlements on the record.
One pattern runs through both: the small-practice owners we talk to often believe they're covered because their EHR vendor advertises HIPAA compliance. A HIPAA-compliant EHR is necessary. It isn't sufficient. The practice itself is the covered entity. The obligations land on the practice, not the software.
The risk assessment gap
The single most-cited finding in small-practice HIPAA enforcement is the absence of a thorough, current risk analysis. OCR uses the phrase "accurate and thorough risk analysis" in nearly every resolution agreement that touches the Security Rule. The test isn't whether you have a document with that title. It's whether the document reflects how PHI actually moves through your practice right now, and whether you've done something about the risks it identifies.
In practice, small practices fall into one of three patterns:
Never did one. The most common situation in solo and 2-5 provider practices. Owners assume the EHR vendor's compliance package covers it, or that the attestation they signed at incorporation was the risk assessment. It wasn't.
Did one years ago and haven't touched it. A 2019 risk assessment doesn't describe a 2026 practice. Telehealth expanded. Patient-facing portals launched. Staff phones started running messaging apps. AI note-taking tools appeared. Each of those is a new PHI flow, and the Security Rule requires the assessment to be reviewed and updated when operational or environmental changes occur.
"We have a HIPAA-compliant EHR" confusion. The most-cited misunderstanding. A HIPAA-compliant EHR addresses the vendor's side of the Security Rule. It doesn't address physical safeguards at your office, workforce access controls, BAAs with your other vendors, or how staff handle PHI outside the EHR.
A recent and live example: a care coordinator at an independent practice was caught using a free AI transcription tool to record patient calls. She'd downloaded it on her own, wasn't malicious, and the practice had a HIPAA-compliant EHR. That scenario doesn't show up in a 2019 risk assessment. It doesn't get covered by the EHR vendor's BAA. It's exactly the kind of new PHI flow a current risk assessment is supposed to surface, and exactly the kind of gap OCR cites.
NIST's SP 800-66 Revision 2 lays out the expected structure of a HIPAA Security Rule risk analysis: inventory your ePHI, identify threats and vulnerabilities, assess likelihood and impact, document safeguards, track the gaps. For a small practice, this is a workbook exercise, not a $15,000 consulting engagement. What matters is that it exists, reflects reality, and shows what you did about the risks you found.
BAA blind spots
The second-most-common small-practice gap is the vendor layer. Every outside party that creates, receives, maintains, or transmits PHI on your behalf needs a signed Business Associate Agreement before any PHI changes hands. When OCR finds a breach that involved a vendor, the first thing they ask for is the BAA. When there isn't one, the penalty exposure widens.
The vendors small practices typically miss:
- Billing companies. Usually the one practice owners remember. Most have this BAA. Some have a BAA signed five years ago under a different company name.
- Credentialing vendors. Often forgotten. Credentialing packets frequently include clinical and patient context that qualifies as PHI under the Privacy Rule.
- Cloud storage and backup services. Dropbox, Google Drive, OneDrive with PHI. Free-tier accounts generally can't be used compliantly (free tiers don't sign BAAs).
- Fax services. Digital fax providers handling patient referrals, insurance verifications, and records requests.
- Email platforms and marketing tools. Anything that sends patient-identifiable content (appointment reminders, recall campaigns, surveys).
- AI assistants and transcription services. Consumer AI products almost never sign BAAs. Practice-grade versions sometimes do. This is a 2026 gap that didn't exist in most risk assessments two years ago.
- Consultants, coaches, and fractional executives. Anyone who reviews patient-related operational data in a way that could touch PHI.
- IT contractors. The person who maintains the workstations often has PHI access by default.
A second pattern: BAAs that were signed correctly years ago but have quietly expired, or the vendor renamed itself, or the service moved to a new parent company. The signed PDF in the filing cabinet doesn't match the entity currently processing PHI. A quarterly BAA inventory sweep (even a 30-minute one) surfaces these drifts before OCR does.
The minimum viable BAA inventory: a spreadsheet listing every vendor touching PHI, the current legal entity name, the date the BAA was signed, the renewal status, and the person responsible for confirming it. Small-practice owners don't need a compliance platform for this. They need the spreadsheet, and they need to look at it twice a year.
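The quarterly sweep described above (and the inventory step in the closure plan further down), as an added example that is not part of the original article: it reads a constructed inventory in the spreadsheet layout the article suggests and flags vendors with no BAA, expired BAAs, BAAs signed under a different entity name than the one now processing PHI, and BAAs old enough to re-verify. The column names, the three-year stale threshold and the sample vendors are assumptions.

```python
"""Quarterly BAA inventory sweep (added example, not from the original article).

Implements the spreadsheet check described above: vendor, the legal entity that
currently processes PHI, the entity name on the signed BAA, signing date,
renewal status and the responsible person. Column names, the 3-year stale
threshold and the sample rows are constructed assumptions.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory; none of these are real vendors.
INVENTORY_CSV = """vendor,current_entity,baa_entity,baa_signed,renewal_status,owner
Acme Billing,Acme Billing LLC,Acme Billing LLC,2025-03-10,active,office manager
Credentialing Co,CredCo Health Inc,Credentialing Co,2019-06-01,active,owner
Cloud Drive (free tier),Drive Inc,,,none,owner
Fax Service,Fax Service Ltd,Fax Service Ltd,2024-01-15,expired,office manager
AI Transcription,Note AI Inc,Note AI Inc,2025-11-02,active,owner
"""

AS_OF = date(2026, 1, 15)                # date of this sweep (constructed)
STALE_AFTER = timedelta(days=365 * 3)    # assumption: re-verify BAAs older than 3 years


def sweep(csv_text: str, today: date) -> dict:
    """Group vendor names by finding: missing, expired, entity_mismatch, stale."""
    findings = {"missing": [], "expired": [], "entity_mismatch": [], "stale": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        vendor = row["vendor"]
        if not row["baa_entity"] or not row["baa_signed"]:
            findings["missing"].append(vendor)  # PHI flows with no signed BAA at all
            continue
        if row["renewal_status"].strip().lower() == "expired":
            findings["expired"].append(vendor)
        # The PDF in the filing cabinet names a different entity than the one
        # now handling PHI: vendor renamed, acquired, or moved to a parent company.
        if row["baa_entity"].strip().lower() != row["current_entity"].strip().lower():
            findings["entity_mismatch"].append(vendor)
        if today - date.fromisoformat(row["baa_signed"]) > STALE_AFTER:
            findings["stale"].append(vendor)  # signed long ago; confirm it still applies
    return findings


if __name__ == "__main__":
    for kind, vendors in sweep(INVENTORY_CSV, AS_OF).items():
        print(f"{kind}: {', '.join(vendors) or 'none'}")
```

Each flagged vendor maps to one of the drifts the article describes; the free-tier cloud account shows up as "missing" because no BAA entity or signing date is on record.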
Practical steps under $500
Most small-practice HIPAA gaps can be closed with time and discipline, not budget. A realistic under-$500 closure plan:
- Document a current risk assessment. Use NIST SP 800-66 Rev 2 as the framework. A spreadsheet or Word doc is fine. Inventory ePHI locations, name the threats, assess likelihood, document existing safeguards, list gaps with owners and target dates. Cost: staff time.
- Run a BAA inventory sweep. List every vendor with PHI access. Check BAA status. Chase down missing ones. Replace expired ones. Cost: staff time, possibly one legal-template subscription ($0-$200).
- Turn on full-disk encryption. BitLocker (Windows Pro) and FileVault (macOS) are free, built into the OS, and close the "lost device" penalty exposure. Verify encryption is actually on for every device with ePHI access. Cost: $0.
- Enable EHR audit logs. Most EHRs ship with audit logging available but not configured. Turn it on, define who reviews it, document the cadence. Cost: $0 (included with the EHR).
- Run a quarterly HIPAA refresher. Fifteen to twenty minutes, role-specific, documented with a sign-in sheet or LMS record. Cost: $0-$300/year if you use a low-cost training platform.
- Build a breach notification playbook. One page. Who gets notified first (privacy officer), who investigates, who communicates with affected individuals, who contacts OCR if the breach involves 500+ individuals. Cost: $0.
These six steps close the majority of what OCR actually cites against small practices. They don't require a compliance consultant, a SaaS platform, or a certification. They require documentation, a calendar reminder, and someone whose job it is to keep looking at the inventory.
What NOT to spend money on
Small-practice owners get pitched a lot of compliance products that don't match their actual risk profile. A short list of common overspends:
"HIPAA certifications." There is no official HIPAA certification. OCR does not certify covered entities. A vendor selling you a "HIPAA Certified" seal for your website is selling you a logo, not a regulatory status. Small-practice owners we track have paid $500 to $2,000 per year for this kind of branding without any reduction in enforcement risk.
Monthly-retainer compliance services for basic gaps. Some compliance-as-a-service vendors charge $500 to $2,000 per month for what amounts to a quarterly check-in, a templated risk assessment, and a login to a learning management system. For a solo or small group practice, this is usually 5 to 10 times the cost of doing the same work internally with a $29/month training platform and a spreadsheet.
Expensive consulting for a self-assessment's worth of findings. A $15,000 HIPAA consulting engagement for a three-provider practice will usually surface the same six or seven findings a careful internal self-assessment would. If you haven't run the self-assessment first, you're paying the consultant to do the easy part.
The discipline that prevents overspending is the same one that prevents OCR penalties: know what your actual gaps are before you buy anything to close them.
Closing the gaps before OCR finds them
Small-practice HIPAA enforcement in 2026 is concentrated, predictable, and closable. The Risk Analysis Initiative and Right of Access Initiative account for most of the small-practice settlements on OCR's record. The six domains where audits actually dig in are the same six a self-assessment can walk. And the under-$500 closure plan addresses the majority of what gets cited.
The owners who stay ahead of enforcement are the ones who treat HIPAA as an ongoing discipline (documented risk assessment, current BAA inventory, audit-log review cadence) rather than a one-time status. A six-domain self-check, run quarterly, is usually enough to surface gaps while they're still cheap to fix.
FAQ
Do I need a HIPAA compliance officer if I'm a solo practice?
Yes. The Privacy Rule requires every covered entity to designate a privacy official responsible for the development and implementation of privacy policies. The Security Rule requires a security official. In a solo practice, these are usually the same person, and that person is usually the owner. You don't need a separate hire. You do need to name someone and document it.
What's the penalty range for a HIPAA violation at a small practice?
Under the HITECH tier structure, penalties run from a minimum of about $100 per violation for unknowing violations, up to the tens of thousands per violation for willful neglect not corrected, with annual caps that have been adjusted upward for inflation. Small-practice settlements on OCR's record typically land in the $3,500 to $70,000 range, with the specific amount reflecting the type of finding, the practice's cooperation, and whether the issue recurred after being flagged.
How often do I need to do a HIPAA risk assessment?
There's no fixed frequency in the regulation. The Security Rule requires the risk analysis to be reviewed and updated "periodically and when environmental or operational changes occur." In practice, annually is the working minimum for a stable practice, with an update within 30 to 60 days of any material change (new EHR, new telehealth platform, new building, new staff role with PHI access).
Does using a "HIPAA-compliant" EHR make my practice compliant?
No. Your EHR vendor's compliance addresses their side of the Security Rule. It doesn't cover physical safeguards at your office, BAAs with your other vendors, workforce access controls, training, breach notification readiness, or the PHI flows outside the EHR (faxes, emails, phone calls, paper). The covered entity obligations are yours, not the vendor's.
Do I need BAAs with all my vendors?
You need a BAA with every vendor that creates, receives, maintains, or transmits PHI on your behalf. That includes billing, credentialing, cloud storage, fax services, email platforms handling patient content, AI transcription or note-taking tools, IT contractors with device access, and consultants with PHI-adjacent visibility. Vendors with no PHI access (like a janitorial service or a marketing agency running non-patient campaigns) don't need one.
What's the difference between HIPAA and HITECH?
HIPAA (1996) established the original privacy and security rules for PHI. HITECH (2009) strengthened enforcement, raised penalty amounts, extended direct liability to business associates, and added the Breach Notification Rule. The two work together: HIPAA defines the obligations, HITECH sharpens the consequences.
Can I use text messages or email with patients?
Both are permissible under the Privacy Rule if the patient has been informed of the risks and agrees. Document the patient's preference. Don't send PHI to email addresses or phone numbers the patient hasn't authorized. For anything sensitive (test results, diagnoses, treatment details) a secure portal is lower-risk than SMS or standard email. Document the workflow in your policies.
External references: HHS OCR Resolution Agreements, HHS Small Provider HIPAA Guidance, NIST SP 800-66 Rev 2 (HIPAA Security Rule Implementation Guide), HHS Breach Notification Rule, HHS Enforcement Rule. Related GetPracticeHelp resources: HIPAA compliance checklist, HIPAA telehealth compliance, HIPAA self-assessment workbook, compliance and risk guide.