SmallBizHandbookSmallBizHandbook.com

HIPAA Compliance for Small Business: Requirements & Checklist (2026)

Last updated: 2026-03-28

Summary:HIPAA (Health Insurance Portability and Accountability Act) applies to any business that handles protected health information (PHI) — including healthcare providers, health plans, and their business associates. Compliance requires implementing administrative, physical, and technical safeguards; conducting risk assessments; training employees; and executing Business Associate Agreements with all vendors who access PHI. Penalties range from $100 to $50,000 per violation, with a maximum of $1.5 million per violation category per year. There is no official HIPAA certification — compliance is demonstrated through documented policies, risk assessments, and evidence of ongoing program management.

Who must comply with HIPAA?

HIPAA applies to two categories of organizations:

Covered Entities

  • Healthcare providers— doctors, dentists, chiropractors, therapists, pharmacies, clinics, hospitals, nursing homes, and any provider who transmits health information electronically
  • Health plans— health insurance companies, HMOs, employer-sponsored health plans, government programs (Medicare, Medicaid)
  • Healthcare clearinghouses— entities that process nonstandard health information into standard electronic formats

Business Associates

  • IT companies hosting or managing medical records or systems
  • Cloud storage providers storing ePHI
  • Medical billing and coding companies
  • Accounting firms with access to patient billing data
  • EHR (Electronic Health Record) software vendors
  • Answering services, shredding companies, and any vendor that accesses PHI

The three key HIPAA rules

1. Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164)

Establishes national standards for the protection of individually identifiable health information. It defines what constitutes PHI, who can access it, how it can be used and disclosed, and the rights of individuals regarding their health information (including the right to access, amend, and receive an accounting of disclosures).

Key requirements: Minimum necessary standard (only access/disclose the minimum PHI needed), Notice of Privacy Practices, individual authorization for non-routine disclosures, and designated Privacy Officer.

2. Security Rule (45 CFR Part 160 and Subparts A and C of Part 164)

Establishes standards for protecting electronic PHI (ePHI). Requires covered entities and business associates to implement three types of safeguards:

  • Administrative safeguards: risk assessment, workforce training, security management process, information access management, contingency planning, and evaluation
  • Physical safeguards: facility access controls, workstation security, device and media controls
  • Technical safeguards: access controls, audit controls, integrity controls, transmission security (encryption)

3. Breach Notification Rule (45 CFR Part 164, Subpart D)

Requires covered entities and business associates to notify affected individuals, the HHS Secretary, and (for breaches affecting 500+ people) the media following a breach of unsecured PHI. Notification must occur within 60 days of discovering the breach. A breach is defined as unauthorized acquisition, access, use, or disclosure of PHI that compromises its security or privacy.

HIPAA violation penalties

TierCulpability LevelPenalty per ViolationAnnual Maximum
1Unknowing — entity did not know and could not reasonably have known$100-$50,000$25,000
2Reasonable cause — entity knew or should have known but did not act with willful neglect$1,000-$50,000$100,000
3Willful neglect — corrected within 30 days$10,000-$50,000$250,000
4Willful neglect — not corrected within 30 days$50,000 (minimum)$1,500,000

Criminal penalties: Individuals who knowingly obtain or disclose PHI face criminal penalties: up to $50,000 fine and 1 year in prison for knowing violations; up to $100,000 and 5 years for violations under false pretenses; up to $250,000 and 10 years for violations with intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.

HIPAA compliance checklist for small businesses

1.
Conduct a risk assessment. This is the single most important HIPAA requirement. Use the HHS Security Risk Assessment (SRA) Tool (free) to identify vulnerabilities and threats to ePHI. Document all risks, their likelihood, and their potential impact. Develop a remediation plan with timelines.
2.
Develop written policies and procedures. Create policies covering: privacy practices, data access, acceptable use, incident response, breach notification, workforce sanctions, business associate management, data backup and disaster recovery, device and media controls, and workstation security. Policies must be documented, dated, and retained for at least 6 years.
3.
Designate a Privacy Officer and Security Officer. Formally assign responsibility for HIPAA privacy and security. In a small business, one person can serve both roles. Document the designation.
4.
Train all employees. Every workforce member who handles PHI must receive HIPAA training upon hiring and at least annually thereafter. Training should cover: what PHI is, permitted uses and disclosures, security safeguards, how to recognize and report breaches, and sanctions for violations. Document all training with dates and attendees.
5.
Execute Business Associate Agreements (BAAs). Identify every vendor, contractor, or service provider that accesses PHI. Execute a BAA with each one before sharing any PHI. This includes cloud providers (AWS, Azure, Google Cloud), EHR vendors, billing services, IT support, email providers, and shredding companies.
6.
Implement technical safeguards. At minimum: encrypt ePHI at rest and in transit, enforce unique user IDs and strong passwords, implement multi-factor authentication, set up audit logging for all systems containing ePHI, enable automatic session timeouts, and configure role-based access controls (minimum necessary principle).
7.
Implement physical safeguards. Secure physical access to areas where ePHI is stored or accessed. This includes locked server rooms, screen privacy filters, workstation positioning to prevent unauthorized viewing, and policies for portable devices (laptops, phones, USB drives).
8.
Create an incident response and breach notification plan. Document procedures for detecting, containing, investigating, and reporting breaches. Include contact information for the HHS OCR, templates for breach notifications, and a breach log. Test the plan at least annually.

Official Resources

Frequently Asked Questions

Does HIPAA apply to my small business?

HIPAA applies if your business is a covered entity (healthcare provider who transmits health information electronically, health plan, or healthcare clearinghouse) or a business associate (a company that handles protected health information on behalf of a covered entity). Common examples of business associates include IT companies that host medical records, billing services, cloud storage providers used by healthcare organizations, accounting firms that access patient data, and answering services for medical offices. If you handle PHI in any capacity, HIPAA likely applies to you.

What is Protected Health Information (PHI)?

PHI is any individually identifiable health information that is created, received, maintained, or transmitted by a covered entity or business associate. This includes names, dates of birth, Social Security numbers, medical record numbers, diagnoses, treatment information, billing records, and any other data that could identify a patient and relates to their health condition, healthcare services, or payment for healthcare. When PHI is in electronic form, it is called ePHI (electronic Protected Health Information).

What are the penalties for HIPAA violations?

HIPAA penalties are tiered based on the level of negligence. Tier 1 (unknowing): $100-$50,000 per violation. Tier 2 (reasonable cause): $1,000-$50,000 per violation. Tier 3 (willful neglect, corrected): $10,000-$50,000 per violation. Tier 4 (willful neglect, not corrected): $50,000 per violation. The maximum penalty is $1.5 million per violation category per year. Criminal penalties can include fines up to $250,000 and imprisonment up to 10 years for knowingly obtaining or disclosing PHI. State attorneys general can also pursue additional penalties.

Do I need a HIPAA compliance officer?

Yes. HIPAA requires covered entities and business associates to designate a Privacy Officer (responsible for developing and implementing privacy policies) and a Security Officer (responsible for the security management process). In small businesses, these can be the same person, and it can be the business owner. The key requirement is that someone is formally designated and accountable for HIPAA compliance.

What is a Business Associate Agreement (BAA)?

A BAA is a legally required contract between a covered entity and a business associate (or between two business associates). It establishes the permitted uses and disclosures of PHI, requires the business associate to implement appropriate safeguards, mandates breach notification, and ensures PHI is returned or destroyed when the relationship ends. You must have a BAA in place before sharing any PHI with a third party. Using a cloud service (like AWS, Google Cloud, or Microsoft Azure) to store ePHI requires a BAA with that provider.

How often do I need to do a HIPAA risk assessment?

HIPAA requires an initial risk assessment and periodic reviews. While the regulation does not specify an exact frequency, the HHS Office for Civil Rights (OCR) recommends conducting a risk assessment at least annually. You should also conduct a new assessment whenever there are significant changes to your systems, processes, or environment — such as adopting new technology, moving to a new facility, or experiencing a security incident. The risk assessment must be documented and retained for at least 6 years.

Is there a HIPAA certification?

No. There is no official HIPAA certification. The HHS does not endorse or recognize any private HIPAA certification programs. Some vendors and training organizations offer 'HIPAA certification' programs, but these are not government-recognized. Compliance is demonstrated through documented policies, completed risk assessments, training records, Business Associate Agreements, and the ability to demonstrate compliance during an OCR audit or investigation. Some organizations pursue HITRUST CSF certification, which incorporates HIPAA requirements, as a way to demonstrate a comprehensive compliance program.

What should I do if there is a HIPAA breach?

The HIPAA Breach Notification Rule requires specific actions. If a breach affects 500 or more individuals, you must notify the HHS OCR within 60 days of discovery, notify affected individuals within 60 days, and notify prominent local media. If a breach affects fewer than 500 individuals, you must notify affected individuals within 60 days and report to HHS annually (by March 1 of the following year via the OCR breach portal). All breaches must be documented in a breach log regardless of size. You should also activate your incident response plan, contain the breach, conduct a root cause analysis, and implement corrective actions.

Related Resources on This Site

This is general information, not legal or compliance advice. HIPAA requirements are complex and enforcement is evolving. Always consult a qualified HIPAA compliance professional or healthcare attorney for advice specific to your situation. Sources: HHS.gov, HealthIT.gov, 45 CFR Parts 160 and 164.