
HIPAA Compliance Checklist for Small Medical Practices (2026)

A complete HIPAA compliance checklist for small clinics and medical practices. Covers administrative, physical, and technical safeguards with actionable steps you can implement today.

HIPAA compliance is not optional — and for small medical practices, it can feel overwhelming. Most compliance resources are written for hospital systems with full-time compliance staff. This checklist is built for the practice manager, office administrator, or physician who is responsible for compliance on top of everything else.

  • $2.1M: average HIPAA settlement for small healthcare orgs
  • 83%: of HIPAA failures involve inadequate documentation
  • 60%: of breaches occur at organizations under 500 employees

Part 1: Administrative Safeguards

Administrative safeguards are the policies, procedures, and processes your practice must have in place to manage the selection, development, and implementation of security measures. They are the most heavily weighted category in an audit by the HHS Office for Civil Rights (OCR).

Administrative Safeguard Checklist
  • Designated Security Officer assigned in writing
  • Designated Privacy Officer assigned in writing (can be the same person)
  • Written Security Risk Analysis (SRA) completed within the last 12 months
  • Risk Management Plan developed based on SRA findings
  • Workforce clearance procedures documented
  • HIPAA training completed by all workforce members annually — with sign-off records
  • Sanction policy for workforce members who violate HIPAA — documented and enforced
  • Information access management policy — who can access what PHI and why
  • Business Associate Agreements (BAAs) signed with all vendors who access PHI
  • Incident response and breach notification procedures documented
  • Contingency plan for PHI access during emergencies
  • Evaluation process to review HIPAA policies periodically

Part 2: Physical Safeguards

Physical safeguards protect the physical locations, equipment, and workstations where PHI is created, received, maintained, or transmitted. Many small clinics overlook these in favor of focusing on digital security.

Physical Safeguard Checklist
  • Facility access controls documented — who can enter areas where PHI is stored
  • Visitor access log maintained for restricted areas
  • Workstations positioned so PHI cannot be viewed by unauthorized individuals
  • Workstation use policy documented and distributed
  • Automatic screen lock enabled on all workstations accessing PHI (15 minutes or less)
  • Device and media controls — procedures for disposing of hardware containing PHI
  • Media sanitization policy — how hard drives and USB drives are wiped before disposal
  • Inventory of all devices that store or access PHI maintained and current

Part 3: Technical Safeguards

Technical safeguards are the technology controls your practice uses to protect electronic PHI (ePHI). This includes your EHR, billing systems, email, and any cloud storage where patient data lives.

Technical Safeguard Checklist
  • Unique user IDs for every workforce member — no shared logins
  • Multi-factor authentication (MFA) enabled on all systems accessing ePHI
  • Automatic logoff enabled on all systems accessing ePHI
  • Encryption enabled for ePHI at rest and in transit
  • Audit logs enabled and reviewed regularly
  • Email encryption in place for any PHI sent via email
  • Firewall and antivirus protection on all clinical systems
  • Patch management process — systems updated within 30 days of critical patches
  • Remote access to ePHI uses VPN or equivalent encrypted connection
  • Data backup tested quarterly and stored securely off-site or in encrypted cloud
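The workstation and device items in Parts 2 and 3 are the ones an office administrator can actually verify from a device inventory. The script below is an added example, not part of the original checklist or any AuditVault product: it takes a constructed inventory (the host names and values are made up for illustration) and reports every device that misses a threshold from the checklist, including the 15-minute screen lock from Part 2 and the 30-day critical-patch window from Part 3. The field names in the inventory records are assumptions for this example.

```python
from datetime import date

# Thresholds taken directly from the checklist above
MAX_SCREEN_LOCK_MINUTES = 15   # Part 2: screen lock at 15 minutes or less
MAX_PATCH_AGE_DAYS = 30        # Part 3: critical patches applied within 30 days

# Constructed sample inventory for illustration only; not real practice data.
# Field names are assumptions made for this example.
SAMPLE_INVENTORY = [
    {"host": "frontdesk-01", "stores_ephi": True, "unique_logins": True,
     "mfa": True, "disk_encrypted": True, "screen_lock_minutes": 10,
     "last_critical_patch": "2026-01-20", "audit_logging": True},
    {"host": "exam-room-02", "stores_ephi": True, "unique_logins": False,
     "mfa": False, "disk_encrypted": True, "screen_lock_minutes": 30,
     "last_critical_patch": "2025-11-01", "audit_logging": True},
    {"host": "billing-laptop", "stores_ephi": True, "unique_logins": True,
     "mfa": True, "disk_encrypted": False, "screen_lock_minutes": 5,
     "last_critical_patch": None, "audit_logging": False},
    {"host": "waiting-room-tv", "stores_ephi": False, "unique_logins": False,
     "mfa": False, "disk_encrypted": False, "screen_lock_minutes": 0,
     "last_critical_patch": None, "audit_logging": False},
]


def days_since(iso_date, today):
    """Days between an ISO date string and today; None if no date recorded."""
    if iso_date is None:
        return None
    return (today - date.fromisoformat(iso_date)).days


def check_device(device, today):
    """Return (host, finding) tuples for one device that accesses ePHI."""
    findings = []
    host = device["host"]
    if not device["stores_ephi"]:
        return findings  # devices with no ePHI are out of scope for these items
    if not device["unique_logins"]:
        findings.append((host, "shared login in use; unique user IDs required"))
    if not device["mfa"]:
        findings.append((host, "multi-factor authentication not enabled"))
    if not device["disk_encrypted"]:
        findings.append((host, "ePHI at rest is not encrypted"))
    if device["screen_lock_minutes"] > MAX_SCREEN_LOCK_MINUTES:
        findings.append((host, f"screen lock set to {device['screen_lock_minutes']} min; "
                               f"must be {MAX_SCREEN_LOCK_MINUTES} or less"))
    age = days_since(device["last_critical_patch"], today)
    if age is None:
        findings.append((host, "no record of critical patch installation"))
    elif age > MAX_PATCH_AGE_DAYS:
        findings.append((host, f"critical patch overdue by {age - MAX_PATCH_AGE_DAYS} days"))
    if not device["audit_logging"]:
        findings.append((host, "audit logging disabled"))
    return findings


def audit_inventory(inventory, today_iso):
    """Evaluate every device against the checklist as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    findings = []
    for device in inventory:
        findings.extend(check_device(device, today))
    return findings


if __name__ == "__main__":
    for host, finding in audit_inventory(SAMPLE_INVENTORY, "2026-02-01"):
        print(f"{host}: {finding}")
```

Each finding maps back to one checklist line, so the output doubles as the documentation an auditor asks for: keep the dated report alongside the inventory required in Part 2, and re-run it whenever a device is added or a patch cycle closes.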

The Most Common HIPAA Gaps in Small Practices

  1. No completed Security Risk Analysis — The SRA is required annually. Many small practices have never completed one.
  2. Missing or expired BAAs — Every vendor who touches PHI needs a signed BAA — including your EHR vendor, billing company, IT provider, and answering service.
  3. No documented HIPAA training records — Training must be documented with dates, attendees, and content covered.
  4. Shared login credentials — Unique user IDs are a required implementation specification.
  5. No sanctions policy — You must have a written policy explaining consequences for HIPAA violations.

Important: This checklist is a starting point, not a substitute for a formal Security Risk Analysis or legal counsel. HIPAA compliance is ongoing — not a one-time project.

Stay audit-ready without the headache.

AuditVault automates HIPAA documentation, OIG exclusion screening, and compliance risk tracking for small and mid-size medical practices. Launching January 2028.
