The Complete Guide to HIPAA Compliance, Risk & Legal for Medical Practices

Every covered entity — including solo practitioners — must: conduct and document an annual security risk analysis, implement administrative/physical/technical safeguards, train workforce members on HIPAA policies, execute BAAs with every vendor touching PHI, and notify affected individuals within 60 days of a breach. The proposed Security Rule update expected to finalize in May 2026 adds mandatory encryption, multi-factor authentication, and biannual vulnerability scanning — with a 240-day compliance window after finalization.

HIPAA uses a four-tier penalty structure. For violations assessed on or after August 8, 2024: Tier 1 (reasonable efforts) $141–$71,162 per violation; Tier 2 (lack of oversight) $1,424–$71,162; Tier 3 (willful neglect, corrected) $14,232–$71,162; Tier 4 (willful neglect, uncorrected) $71,162–$2,134,831 per violation. Real 2024–2025 settlements range from $10,000 (small cooperative operators) to $4.75M (Montefiore). The annual cap for identical violations is $2,134,831.

Yes — there's no minimum size threshold. Solo practices need signed BAAs with their EHR vendor, billing company, cloud storage provider, IT support firm, shredding company, and any other vendor that creates, receives, maintains, or transmits PHI. Providence Medical Institute's $240,000 settlement in 2024 was based specifically on a missing BAA. BAAs are typically templates the vendor provides; make sure you have signed copies on file for every active vendor relationship.

Current rules require a risk analysis initially and whenever there's a significant operational, environmental, or technological change. OCR strongly recommends (and the proposed Security Rule would mandate) an annual risk analysis tied to a current technology asset inventory and network map. The single most common cited violation in 2024–2025 enforcement actions was failure to conduct an adequate risk analysis — appearing in over 70% of civil monetary penalties.

Occurrence policies cover any incident that happened while the policy was active, regardless of when the claim is filed — even years later. Claims-made policies only cover claims filed while the policy is active. If you let a claims-made policy lapse (e.g., when leaving a practice or retiring), you need tail coverage to protect against claims filed after the policy ends. Tail can cost 150%–250% of a year's premium and is often forgotten until a claim surfaces. Occurrence costs more upfront but eliminates tail liability.

Five situations: (1) entity formation and operating agreements when opening a practice; (2) ownership transitions — sales, partnerships, buy-ins; (3) employment agreements for providers, especially non-competes; (4) any government investigation (OCR, state medical board, Medicare audits); (5) payer contract disputes that can't be resolved in normal negotiation. Most day-to-day legal questions (vendor contracts, routine HR) can be handled by a general business attorney. Healthcare-specific counsel is worth the premium when regulatory or provider-specific issues are involved.

HHS's enforcement discretion for telehealth ended May 11, 2023. Many practices using free Zoom, FaceTime, or unsecured messaging apps during COVID haven't transitioned to HIPAA-compliant alternatives — and those are now active violations. The proposed 2025 Security Rule NPRM (expected to finalize in May 2026) will also add encryption, MFA, penetration testing, and vulnerability scanning requirements. If you haven't audited your telehealth stack since 2023, that's your highest-priority compliance gap.