25% off all training courses Offer ends July 30, 2026
View HIPAA Courses
25% off all training courses
View HIPAA Courses
Offer ends July 30, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Building a HIPAA Compliance Program as a Practice Administrator in a Small Practice

Article Contents

If you are the Practice Administrator handling HIPAA compliance, here is what to focus on:

Who Owns HIPAA Compliance in a Small Practice

Small practices carry the same federal compliance obligations as large health systems, but rarely employ dedicated compliance staff to manage them. Most often, this responsibility falls on the Practice Administrator, layered on top of scheduling, billing oversight, vendor management, and day-to-day staff supervision.

The thing is though, that ownership needs to be explicit. According to HIPAA, the responsibility is not assumed, but rather a designation. Now, HIPAA does allow the responsibility to be split: one person handling privacy and another handling security – but in most small practices, it tends to fall on one person for all of it. Whatever the arrangement, it needs to be in writing.

Owning that responsibility may seem intimidating. However, a compliance program, at its core, is really just an answer to a multi-facet question. Can the practice prove that it:

  • Knows where patient data lives
  • Has written rules for protecting that data
  • Has trained staff to follow those rules
  • Has agreements with every vendor who touches that data

A structured program is like showing your work in math class. The correct answer does not count for much if you cannot show how you got there.

Where the Program Starts

A HIPAA compliance program starts with an honest look at where the practice stands today. Compliance regulations, like HIPAA, set a standard and meeting that standard depends on knowing the actual starting point first. HIPAA exists largely to protect patient health information, so finding that starting point means asking several questions. For example: where does patient information actually live, in physical files and in digital systems? Who can access it, and under what circumstances? Answers to questions like these help to surface the practice’s actual risk. Once you identify risk, you can then address it.

HIPAA has a name for this process of self-Q&A: a HIPAA Security Risk Analysis (SRA). It is a record that details the practice’s own systems, staff, processes, and vendors, covering everything from the electronic health/medical record (EHR/EMR) system to email, mobile devices, paper files, etc.

The logic behind this requirement is simple: risk that is not known cannot be reduced. Investigations into HIPAA breaches often find the source was a blind spot that a proper risk analysis likely would have caught. Therefore, doing the analysis first lets a practice find and close its own gaps, instead of an incident forcing an investigation from the government. The SRA is also a living document, one the practice should expect to revisit on an ongoing basis. Add a new technology or vendor? The risk picture has likely changed and the analysis should be revisited. If keeping up with those changes seems impossible, at least make sure to review the SRA annually.

Turning the Analysis into Policies

It is impossible to eliminate risk and run a successful business. There is always the risk of HIPAA breaches just in everyday operations. This is why having a well engineered process is important. These processes define the “do’s and don’ts” of how to handle common situations as well as uncommon but high risk scenarios. This requires someone to decide, in writing, what staff will do or be expected to do to handle those situations.

There are many names for these types of documents, but HIPAA refers to that written decision as a “policy.” A policy is also a living document that needs a version history, a date, and proof staff reviewed and understood it. An investigator looking into a complaint or a breach cares about what the practice can produce. Mistakes can happen, but without a formal policy a mistake looks more like the actual standard – and there is nothing to prove otherwise.

Two things to keep in mind with policy development.

  • It has to match what actually happens in the practice. A policy that contradicts daily operations is a liability during an investigation. So avoid copying templates to your program. Either adjust operations to what they outline, or adapt them to match the practice’s operations.
  • Keep a paper trail of revisions or a log of each time a policy is reviewed or updated and show evidence all staff got those updates.

Training Staff Properly

Policies and procedures are only as effective as the training that reinforces them. Almost every role in a small practice has some exposure to patient information, so it’s generally best practice to give everyone the same depth of training.

HIPAA asks for two distinct things here. The HIPAA Privacy Rule side is straightforward: staff need to know the practice’s policies well enough to follow them, and the practice needs proof. How this is achieved is left up to the practice to determine the best approach for them. What is more defined is that whatever you do, it happens whenever a policy is written or updated.

The HIPAA Security Rule side is different: an ongoing security awareness program covering everyday risks like phishing, password habits, and device security. This needs a recurring schedule, the commonly adhered to minimum of which is annually.

HIPAA expects that your designated compliance officer is “qualified.” Now, this doesn’t require a specialized certified compliance professional since a small practice’s compliance complexities are generally not the equivalent to a regional health system. Instead, some record of relevant training or experience to help prove qualification may be sufficient. Common approaches include practices that build that record themselves, and others that rely on a compliance software which provides training as part of the program.

Vendor and Business Associate Oversight

Very few small practices handle every function touching patient data in-house. Billing services, scheduling platforms, cloud storage, answering services, IT support contractors. Each of these vendors introduces a new risk. Vendors typically hold data for many practices at once, so when something goes wrong on their end, it tends to be why a small practice’s breach traces back to a vendor rather than its own systems. What is critical to remember is that it is the Covered Entity who is ultimately responsible for its PHI. That means it is the practice’s responsibility to ensure vendors are vetted and following the same HIPAA obligations as the practice itself.

That may seem like a lot for a small practice to attempt to manage, so HIPAA’s answer is the HIPAA Business Associate Agreement (BAA). The BAA is a signed agreement with any vendor that creates, receives, maintains, or transmits patient data on the practice’s behalf, and is required before the relationship begins. Skip it, and the practice is carrying legal exposure the agreement is meant to place on the vendor instead. A missing or outdated agreement is a documentation gap regardless of if a breach ever occurs.

Start with a full inventory of every vendor or tool that touches patient data. Think beyond just EMR or practice management software, answering services, shedding services, and text messaging platforms are a few examples practices tend to miss in an informal review. Not all vendors will meet the criteria requiring a BAA, but those that do and refuse to provide or sign one should be a major red flag.

Keeping the Program Current

Risk is never fully eliminated. Federal regulations change, state laws get published, staff turns over, vendors change, new systems get adopted. A compliance program very quickly becomes outdated and if not maintained, becomes a major lift each time someone remembers to update it.

Keeping it current means three things in practice.

  • Check for federal rule updates or new state legislation that impacts healthcare or privacy concerns.
  • Review the risk analysis, policies, and training records.
  • Build a routine schedule as a reminder to conduct that review.

Keeping up with regulation changes and scheduled reviews and updates can be a lot for a Practice Administrator on top of other responsibilities. For that reason, many small practices turn to software built specifically for HIPAA compliance management to help carry part of this load automatically, updating policies and regulatory requirements as they change and flagging when the Practice Administrator needs to act.

Responding to an Investigation or Breach

When the Office for Civil Rights investigates a complaint or a breach, the review centers on what the practice can produce. A Practice Administrator who can produce a current Security Risk Analysis, signed policies, training records, and a documented breach assessment demonstrates a functioning program to the investigator. A practice without that documentation faces a harder investigation, regardless of how sound its daily operations actually were.

This is the payoff of everything above. The risk analysis, the policies, the training records, the agreements. Each one exists so that on the day it matters most, the practice has something to show.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist