HIPAA Security Guide for Small Practices
This article is for general informational purposes only and does not constitute legal or compliance advice. It is not a complete HIPAA Security solution and should not be relied upon as such.
HIPAA security compliance has a reputation for being complicated and expensive. In reality, for most solo and small practices, the core requirements can be implemented at little to no cost. However, this process still takes time to properly learn, understand, develop, and implement.
The goal is not just to implement safeguards, but to create a clear and defensible record of how you identified, evaluated, and addressed risks in your practice.
This guide, along with our no-cost HIPAA Security Starter Kit, is a good starting point for aligning with the HIPAA Security Rule. Another good resource to follow in parallel with this guide is the HICP Technical Volume 1: Cybersecurity Practices for Small Healthcare Organizations.
Start with the official Security Risk Assessment Tool from the U.S. Department of Health and Human Services. This questionnaire-based tool helps you identify potential risks to electronic protected health information (ePHI) and highlights gaps in your setup.
While it is a good starting point, it is far from a complete solution. You are still responsible for:
Capturing risks specific to your environment and devices (including technical risks)
Organizing and evaluating those risks clearly
Determining and implementing appropriate safeguards
Documenting your decisions
At this point, you should also designate a Security Officer (for solo practices, this is typically yourself) responsible for overseeing security and maintaining documentation.
Document all devices and software that handle patient information in a spreadsheet.
Typical examples:
Laptop
Phone
EHR system
Email account
Any apps used for communication
For each item, note:
What it is
How it’s used
What it does with ePHI (create, manage, transmit, receive, delete)
Whether a Business Associate Agreement (BAA) exists
Create a network map diagram that provides a clear, high-level view of where ePHI exists, how it moves, and which systems are involved.
This map should show:
All devices and systems in your practice
Information flows (how ePHI moves between systems)
External services (EHR, email, phone providers, cloud storage)
It should also represent information flows such as:
Provider enters information → EHR
Provider access
Provider/Client communication over email, phone, and EHR
You can document this with a simple diagram and a short written description; the goal is clarity, not detail.
HIPAA requires identifying and evaluating reasonably foreseeable risks (technical and non-technical) to the confidentiality, integrity, and availability of ePHI. A risk analysis is not just a list of issues. It is a structured evaluation of how likely a threat is and how much impact it would have on your practice.
Using a consistent method ensures your analysis is clear, repeatable, and defensible if it is ever reviewed. Refer to official guidance from the U.S. Department of Health and Human Services and to the methodology concepts in NIST SP 800-30 from the National Institute of Standards and Technology.
For each reasonably foreseeable risk to ePHI in your practice, document at minimum:
Asset Involved
Threat (e.g., theft, phishing, unauthorized access)
Vulnerability (e.g., no encryption, weak password)
Likelihood (Low / Medium / High)
Impact (Low / Medium / High)
Overall Risk Level (Low / Medium / High)
Safeguard (what you will do about it)
Example
Asset: Laptop
Threat: Theft
Vulnerability: Unencrypted
Likelihood: Medium
Impact: High
Risk: High
Safeguard: Enable full disk encryption
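The following risk-register helper is an added example, not part of this guide or the Starter Kit. It shows the structured evaluation described above applied to several entries rather than one: each entry is checked for the minimum fields, rated by combining Likelihood and Impact, sorted so the highest risks come first, and any High risk that still has no safeguard is flagged. The guide fixes only one cell of the rating matrix (Medium likelihood with High impact is High); the other eight cells follow a common qualitative convention and are an assumption of this example, as are the sample entries other than the laptop.

```python
"""Risk-register helper for a small-practice HIPAA risk analysis (added example)."""
from __future__ import annotations

LEVELS = ("Low", "Medium", "High")

# Likelihood x Impact -> Overall Risk. ASSUMPTION: the guide fixes only the
# (Medium, High) -> High cell; the remaining cells are a common qualitative
# convention chosen for this example, not text from the guide.
RISK_MATRIX = {
    ("Low", "Low"): "Low",        ("Low", "Medium"): "Low",       ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low",     ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium",    ("High", "Medium"): "High",     ("High", "High"): "High",
}

# Fields the guide requires for every entry (Safeguard is checked separately).
REQUIRED_FIELDS = ("asset", "threat", "vulnerability", "likelihood", "impact")

# Constructed sample register. Row 0 is the guide's own laptop example; the
# others are made up for this example (row 3 is deliberately incomplete).
SAMPLE_RISKS = [
    {"asset": "Laptop", "threat": "Theft", "vulnerability": "Unencrypted",
     "likelihood": "Medium", "impact": "High", "safeguard": "Enable full disk encryption"},
    {"asset": "Email account", "threat": "Phishing", "vulnerability": "No MFA",
     "likelihood": "High", "impact": "High", "safeguard": ""},
    {"asset": "Phone", "threat": "Loss", "vulnerability": "No remote wipe",
     "likelihood": "Low", "impact": "Medium", "safeguard": "Enable screen lock and remote wipe"},
    {"asset": "Backup drive", "threat": "Loss", "vulnerability": "Unencrypted",
     "likelihood": "Low", "impact": "", "safeguard": ""},
    {"asset": "EHR system", "threat": "Unauthorized access", "vulnerability": "Shared login",
     "likelihood": "Medium", "impact": "Medium", "safeguard": "Individual accounts per user"},
]


def validate_entry(entry: dict) -> list[str]:
    """Return the problems with one register row; an empty list means it is complete."""
    problems = []
    for name in REQUIRED_FIELDS:
        if not str(entry.get(name, "")).strip():
            problems.append(f"missing {name}")
    for name in ("likelihood", "impact"):
        value = entry.get(name)
        if value and value not in LEVELS:
            problems.append(f"{name} must be one of {LEVELS}, got {value!r}")
    return problems


def rate_risk(likelihood: str, impact: str) -> str:
    """Map a Likelihood/Impact pair to an Overall Risk level using RISK_MATRIX."""
    return RISK_MATRIX[(likelihood, impact)]


def build_register(rows: list[dict]) -> tuple[list[dict], list[tuple[int, list[str]]]]:
    """Rate every complete row and sort High -> Low (then by asset name).

    Returns (rated_rows, problems) where problems lists (row_index, issues) for
    rows that could not be rated because required fields were missing or invalid.
    """
    rated, problems = [], []
    for index, row in enumerate(rows):
        issues = validate_entry(row)
        if issues:
            problems.append((index, issues))
            continue
        rated.append({**row, "risk": rate_risk(row["likelihood"], row["impact"])})
    rated.sort(key=lambda r: (-LEVELS.index(r["risk"]), r["asset"]))
    return rated, problems


def open_high_risks(rated: list[dict]) -> list[dict]:
    """High-rated entries with no safeguard recorded: the gaps to address first."""
    return [r for r in rated if r["risk"] == "High" and not r.get("safeguard", "").strip()]


if __name__ == "__main__":
    register, problems = build_register(SAMPLE_RISKS)
    for r in register:
        print(f"{r['risk']:<6} {r['asset']:<14} {r['threat']:<20} {r['safeguard'] or '(no safeguard yet)'}")
    for index, issues in problems:
        print(f"row {index} ({SAMPLE_RISKS[index]['asset']}) not rated: {', '.join(issues)}")
    for r in open_high_risks(register):
        print(f"ACTION NEEDED: {r['asset']} is High risk with no safeguard documented")
```

Run as a script it prints the sorted register, the rows that could not be rated, and the High risks still lacking a safeguard. Keeping the matrix in one place means the same Likelihood/Impact pair always produces the same rating, which is what makes the analysis repeatable when you revisit it each year.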
Access to systems containing ePHI should be limited to only what is necessary for your practice.
Each user should have their own account (no shared logins)
Access should be limited based on role (for solo practices, this is typically just the provider)
Access should be removed when no longer needed
Avoid giving unnecessary access to systems that contain ePHI
The goal is to ensure that only the right people have access to the right information, reducing the risk of unauthorized access or exposure.
For a solo practice, a simple statement that you are the only individual with access is typically sufficient, provided it accurately reflects your setup.
HIPAA requires written policies and procedures, but they do not need to be complex. For a small practice, they should be short, practical, and reflect what you actually do.
Start with:
Security Procedure: A high-level document that outlines how your practice approaches HIPAA security overall.
Security Awareness Training: Basic ongoing awareness training to ensure you understand common security risks. For a solo practice, this can include self-training.
Sanction Policy: Workforce members who fail to follow security policies may be subject to appropriate corrective action. For a solo practice this can simply be correction and training upon discovery of a compliance failure.
IT Usage Policy: How you use devices, workstations, and systems securely (passwords, MFA, encryption, updates, approved tools)
Incident Response Plan: What you do if something goes wrong (identify, secure, document, escalate if needed)
Contingency Plan: How you prevent data loss and restore access (backups in place, basic recovery approach)
Each policy should be clear, concise, and aligned with your actual setup.
You should implement technical and non-technical safeguards. Many essential safeguards are already available at little or no cost.
Administrative safeguards define your policies and processes (established in the previous step), technical safeguards protect your systems and access (e.g., MFA, encryption), and physical safeguards protect your devices and environment from unauthorized access or damage.
There is a common misconception about the "required" and "addressable" safeguards listed in the HIPAA Security Rule. When a safeguard is "addressable", it does not mean that it is optional. Rather, it allows you to determine an appropriate implementation for your practice.
As a solo provider, a few effective safeguards against common threats are:
Phishing awareness training: To recognize deceptive emails attempting to steal passwords or other sensitive information.
Device encryption (Windows BitLocker, Mac FileVault): To protect ePHI stored on devices if they are lost or stolen.
Multi-Factor Authentication: To prevent system access through weak or stolen credentials.
Limiting PHI over Email/Phone/Text: To reduce the amount of sensitive PHI sent over insecure communication channels.
Keeping device software up to date: To patch known cybersecurity vulnerabilities.
See the HICP Technical Volume 1: Cybersecurity Practices for Small Healthcare Organizations for more recommended safeguards.
HIPAA Security requires written documentation of all procedures, policies, activities, and actions as evidence of compliance.
As a part of this documentation, you should maintain basic spreadsheet logs of:
Security events
Maintenance activities
Policy reviews
Reviews of system audit and login events
Training (even self-training)
All documentation is required to be retained for 6 years.
At least once per year, and after significant changes:
Update your asset inventory
Revisit your risk analysis
Evaluate whether your safeguards are active and effective
Review access and login activity (ideally monthly)
Test incident response and contingency plans
This keeps your compliance current as your practice evolves.
This approach works, and many small practices successfully follow it. However, it requires a meaningful time investment and can leave uncertainty about whether your final decisions are sufficient.
In practice, the difficulty is not usually in implementing safeguards. It is in structuring the process, evaluating risks, and making confident, defensible decisions specific to your practice. If this becomes unclear or time-consuming, that is where we can provide practical assistance through our service.
HIPAA security does not require perfection or complex systems. It requires that you:
Understand your environment
Evaluate risks in a structured way
Apply reasonable safeguards
Document your decisions and actions
When done correctly, this creates a clear and defensible security foundation for your practice. Whether you complete this yourself or with assistance, the goal is the same: to ensure your practice is operating with reasonable security practices that support compliance, secure operation, and patient trust.