HIPAA Compliance for a New Private Practice: Required Policies, BAAs, and Risk Assessment
HIPAA violations can result in fines from $100 to $50,000 per violation, with annual caps of $1.5 million per violation category — and the Office for Civil Rights (OCR) is actively auditing small practices. Yet most new physician practices open without a complete HIPAA compliance program because they assume their EHR vendor 'handles it.' Your EHR handles part of it. The policies, training, risk assessment, and Business Associate Agreements (BAAs) are your responsibility regardless of which technology you use. This guide gives you a concrete implementation checklist.
The Quick Answer
HIPAA compliance for a new practice requires three things before you see your first patient: (1) A signed Business Associate Agreement with every vendor who touches patient data — EHR, billing service, answering service, IT support, cloud storage, and telehealth platform. (2) A written HIPAA Security Risk Assessment documenting how your practice protects electronic PHI. (3) Written HIPAA Privacy and Security policies and a designated Privacy Officer (in a solo practice, that's you). These are not optional — OCR Phase 2 audits have specifically targeted small practices (under 10 employees), and a missing BAA or undone risk assessment is an immediate finding.
Business Associate Agreements: Who You Need Them With
A Business Associate Agreement (BAA) is a required HIPAA contract with any vendor that creates, receives, maintains, or transmits PHI on your behalf. Vendors requiring a BAA: your EHR vendor (all reputable EHRs provide this automatically), your medical billing service or clearinghouse, your telehealth platform (Doxy.me, Zoom for Healthcare — NOT standard Zoom), your answering service or virtual receptionist, your cloud backup provider (Google Workspace for Healthcare includes a BAA; standard Gmail does not), your IT managed services provider, your transcription service, and any patient portal or communication platform. Vendors that do NOT require a BAA: your bank, your landlord, your insurance company (they're a covered entity themselves), and vendors who receive only de-identified data. Collect and file all BAAs before going live — store them in a designated HIPAA compliance folder. If a vendor refuses to sign a BAA, you cannot use them with patient data.
The HIPAA Security Risk Assessment
The HIPAA Security Rule (45 CFR §164.308(a)(1)) requires a formal, documented risk assessment — not a generic checklist, but an analysis of your specific practice's vulnerabilities. The risk assessment must identify: (1) all electronic PHI your practice creates, receives, maintains, or transmits; (2) potential threats and vulnerabilities to that ePHI; (3) existing safeguards and whether they are sufficient; and (4) actions to address identified risks. HHS provides a free Security Risk Assessment Tool at healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool — it walks you through the assessment process and generates a compliant report. Complete this before seeing your first patient and repeat annually or when your technology changes significantly. Keep the completed assessment on file — it's the first document OCR requests in an audit.
Required HIPAA Policies for a Solo Practice
At minimum, a new practice must have written policies for: (1) Privacy Policy — how you use and disclose patient PHI, including the Notice of Privacy Practices that every new patient receives. (2) Security Policy — how you protect ePHI, including password requirements, encryption standards, and device management. (3) Breach Notification Policy — what steps you take if a breach occurs, including the timeline for notifying patients (within 60 days) and HHS. (4) Access Control Policy — who can access PHI and how that access is granted and revoked. (5) Workforce Training Policy — how and when staff receive HIPAA training. Purchasing a pre-written physician practice HIPAA policy bundle ($100–$400 from vendors like Compliancy Group or HIPAA Vault) is faster and more complete than writing policies from scratch. Customize them to your practice and have staff sign acknowledgment forms annually.
Employee HIPAA Training Requirements
HIPAA requires that all workforce members with access to PHI receive HIPAA training 'as necessary and appropriate for the members of the workforce to carry out their function.' For a new practice: train all staff before they access any patient data, document the training (date, content covered, and employee signature), and repeat training annually or when regulations change significantly. Training content must cover: what PHI is and how to protect it; your practice's privacy policies and procedures; employee rights and responsibilities under HIPAA; the consequences of violations (termination and OCR fines); and how to report potential breaches. Multiple HIPAA training vendors offer compliant online training: Compliancy Group, HealthStream, and MedBridge all offer physician practice-specific modules at $10–$30/employee. Keep all training records for 6 years — the HIPAA document retention requirement.
Top HHS Audit Triggers and How to Avoid Them
OCR Phase 2 audits specifically target missing safeguards that smaller practices are most likely to lack. Top audit triggers and findings: (1) Missing or incomplete risk assessment — the #1 finding in small practice audits. (2) Missing BAAs with vendors — review all vendor relationships annually. (3) Unencrypted laptops and mobile devices — any device that stores or accesses ePHI must be encrypted; FileVault (Mac) and BitLocker (Windows) are free OS-level encryption tools. (4) No breach notification procedures — OCR expects a documented plan even if you've never had a breach. (5) No Notice of Privacy Practices on file — every patient must receive and sign acknowledgment of your NPP at first visit. (6) Using personal email (Gmail, Yahoo) for patient communication without a BAA and encryption. (7) Workforce without documented training. Each of these is correctable in a day — complete them before your first patient encounter.
RECOMMENDED TOOLS
Compliancy Group
HIPAA compliance software and managed compliance service for small healthcare practices. Includes risk assessment tools, policy templates, employee training, and BAA management in one platform.
HIPAA Vault
HIPAA-compliant cloud hosting and compliance tools for physician practices. Provides Google Workspace for Healthcare with BAA, encrypted email, and compliance documentation.
Spruce Health
HIPAA-compliant patient communication platform with a signed BAA. Replaces unsecured text, email, and phone with a single secure communication channel for patient messaging and telehealth.
FREQUENTLY ASKED QUESTIONS
Does my EHR vendor's HIPAA compliance cover my whole practice?
No. Your EHR vendor's HIPAA compliance covers their system and infrastructure. Your responsibility includes: how your staff uses the system, all other vendors touching PHI (billing, answering service, IT, etc.), physical security of your office and devices, your policies and training program, and breach notification procedures. The EHR BAA is one piece of your overall HIPAA compliance program — it does not substitute for the rest.
What is the penalty for a HIPAA violation in a small physician practice?
HIPAA civil penalties range from $100 to $50,000 per violation depending on culpability, with an annual cap of $1.5 million per violation category. 'Willful neglect uncorrected' is the most severe tier — $10,000–$50,000 per violation. A small practice that never completed a risk assessment and stored unencrypted patient data on a stolen laptop could face fines of $50,000–$150,000. The $100/violation tier applies when the covered entity had no knowledge of the violation — demonstrating a good-faith compliance program significantly reduces penalty risk.
Do I need a HIPAA compliance officer if I'm a solo physician with no staff?
Yes — HIPAA requires every covered entity to designate a Privacy Officer and a Security Officer (these can be the same person in a small practice). As a solo physician, you are your own Privacy Officer. Document this designation in writing, include it in your HIPAA policies, and list your contact information as the Privacy Officer on your Notice of Privacy Practices. The designation is a documentation requirement, not a full-time role — for a solo practice, it adds perhaps 2–4 hours per year of compliance maintenance time.