PUBLISHED ON 2026-02-15

HIPAA Compliance Checklist for Small Businesses (2026)


If your business handles Protected Health Information (PHI) as a covered entity (a healthcare provider, health plan, or clearinghouse) or as a business associate working on a covered entity's behalf (a health app vendor, a dental office's billing service, a SaaS company processing medical data), you must comply with HIPAA. A consumer health app that never handles data for a covered entity generally falls outside HIPAA, although the FTC's Health Breach Notification Rule may still apply to it. Civil penalties are tiered by culpability: the statutory amounts run from $100 to $50,000 per violation with an annual cap of $1.5 million per provision, and HHS adjusts them for inflation each year, so the figures in force today are higher.

Here's a practical checklist to help small businesses achieve and maintain HIPAA compliance.

Part 1: Administrative Safeguards

  • Designate a Privacy Officer responsible for developing and implementing privacy policies
  • Designate a Security Officer responsible for developing and implementing security policies
  • Conduct a Risk Assessment — identify where PHI is stored, transmitted, and processed
  • Develop Written Policies and Procedures covering all aspects of PHI handling
  • Train All Employees on HIPAA requirements within a reasonable period after hiring (many organizations set 30 days), whenever policies change, and annually thereafter; keep the records that prove the training took place
  • Implement Sanctions Policy for employees who violate HIPAA procedures
  • Create a Contingency Plan for data backup, disaster recovery, and emergency mode operations
  • Sign Business Associate Agreements (BAAs) with every vendor that creates, receives, maintains, or transmits PHI on your behalf (cloud hosting, billing, scheduling, email)

Part 2: Physical Safeguards

  • Control facility access — limit physical access to areas where PHI is stored
  • Secure workstations — position screens away from public view, use privacy filters
  • Device security — encrypt all portable devices (laptops, phones, USB drives)
  • Proper disposal — shred physical documents, securely wipe electronic media

Part 3: Technical Safeguards

  • Access controls — unique user IDs (no shared logins), role-based access so each user sees only the PHI their job requires, and automatic logoff after inactivity
  • Encryption — encrypt PHI at rest (AES-256) and in transit (TLS 1.2 or newer, with older protocol versions disabled). Encryption is an "addressable" specification, so you may skip it only with a documented, risk-based justification. Data encrypted per HHS guidance is not "unsecured PHI", so losing a laptop whose disk is encrypted and whose key was not exposed is generally not a reportable breach.
  • Audit controls — log every access to systems containing PHI (who, which record, when, from where) and protect the logs themselves from deletion and alteration
  • Integrity controls — implement mechanisms (checksums, authenticated encryption, digital signatures) to detect unauthorized alteration or destruction of PHI
  • Transmission security — use encrypted email and secure file transfer protocols (SFTP, HTTPS), never plain FTP or unencrypted attachments
  • Multi-factor authentication (MFA) — enable it for every account that can reach PHI; the current rule does not name MFA explicitly, but it is the expected outcome of a risk analysis, and the January 2025 proposed Security Rule update would make it mandatory
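Three of the technical safeguards above (encryption at rest, audit controls, integrity controls) can be shown in code. The following Go program is an added example written for this checklist, not code from the page or from any HIPAA tooling. It seals one PHI record with AES-256-GCM, binding the record ID as associated data so a ciphertext cannot be swapped between patients; keeps an HMAC-chained audit log in which editing or deleting any entry breaks every entry after it; and pins a TLS minimum version for PHI in transit. The keys, the record, and the user names are constructed sample values; in a real deployment the keys come from a KMS or HSM and the log is written to append-only storage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"encoding/hex"
	"errors"
	"fmt"
)

// encryptPHI seals one PHI record with AES-256-GCM. The record ID is bound
// as additional authenticated data, so a ciphertext moved to another
// record fails to decrypt. Output layout: nonce || ciphertext || tag.
func encryptPHI(key, recordID, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 needs a 32-byte key, got %d bytes", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, recordID), nil
}

// decryptPHI reverses encryptPHI and fails closed on any tampering with
// the ciphertext, the tag, or the record ID it was bound to.
func decryptPHI(key, recordID, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, recordID)
}

// AuditEntry records one access to PHI. Each entry's MAC covers its own
// fields plus the previous entry's MAC, so removing or editing an entry
// invalidates the rest of the chain.
type AuditEntry struct {
	Timestamp, User, RecordID, Action string
	PrevMAC, MAC                      string
}

func entryMAC(logKey []byte, e AuditEntry) string {
	m := hmac.New(sha256.New, logKey)
	fmt.Fprintf(m, "%s|%s|%s|%s|%s", e.Timestamp, e.User, e.RecordID, e.Action, e.PrevMAC)
	return hex.EncodeToString(m.Sum(nil))
}

// appendAudit adds one chained entry to the log and returns the new log.
func appendAudit(logKey []byte, log []AuditEntry, ts, user, recordID, action string) []AuditEntry {
	e := AuditEntry{Timestamp: ts, User: user, RecordID: recordID, Action: action}
	if n := len(log); n > 0 {
		e.PrevMAC = log[n-1].MAC
	}
	e.MAC = entryMAC(logKey, e)
	return append(log, e)
}

// verifyAudit returns the index of the first entry whose chain link or MAC
// does not check out, or -1 if the whole log is intact.
func verifyAudit(logKey []byte, log []AuditEntry) int {
	prev := ""
	for i, e := range log {
		if e.PrevMAC != prev || !hmac.Equal([]byte(e.MAC), []byte(entryMAC(logKey, e))) {
			return i
		}
		prev = e.MAC
	}
	return -1
}

// phiTLSConfig refuses anything below TLS 1.2 for PHI in transit.
func phiTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

func main() {
	// Constructed sample keys and record; real keys belong in a KMS/HSM.
	dataKey, logKey := make([]byte, 32), make([]byte, 32)
	rand.Read(dataKey)
	rand.Read(logKey)
	recordID := []byte("patient-0001")
	sealed, _ := encryptPHI(dataKey, recordID, []byte(`{"dob":"1980-01-01","dx":"J45"}`))
	_, err := decryptPHI(dataKey, []byte("patient-0002"), sealed)
	fmt.Println("ciphertext moved to another record rejected:", err != nil)

	var log []AuditEntry
	log = appendAudit(logKey, log, "2026-02-15T09:00:00Z", "dr.smith", string(recordID), "read")
	log = appendAudit(logKey, log, "2026-02-15T09:05:00Z", "billing", string(recordID), "read")
	fmt.Println("audit chain intact:", verifyAudit(logKey, log) == -1)
	log[0].User = "nobody" // simulate an insider editing the log
	fmt.Println("first tampered entry:", verifyAudit(logKey, log))
}
```

The audit chain here detects tampering but cannot prevent it; pair it with write-once storage or forwarding to a log collector the application cannot modify, which is what "protect the logs themselves" in the checklist means in practice.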

Part 4: Breach Notification Requirements

  • Individual notification — notify affected individuals without unreasonable delay, and no later than 60 days after discovering a breach of unsecured PHI
  • HHS notification — report breaches affecting 500 or more individuals to HHS at the same time as the individual notices (within 60 days); breaches affecting fewer than 500 must also be reported to HHS, annually, within 60 days after the end of the calendar year in which they were discovered
  • Media notification — notify prominent media outlets if 500 or more residents of a state or jurisdiction are affected
  • Breach log — maintain a log of every breach, including those affecting fewer than 500 individuals, together with the risk assessment you used to decide whether notification was required; a business associate must notify the covered entity within 60 days of discovery

Part 5: Documentation

  • Notice of Privacy Practices (NPP) — provide patients with a clear notice explaining their rights
  • Written policies — retain all HIPAA policies, procedures, and other required documentation for at least 6 years from creation or from the date they were last in effect, whichever is later
  • Training records — document all employee training sessions
  • Risk assessment reports — update at least annually and after any significant change (new system, new vendor, office move, security incident)

Common HIPAA Mistakes Small Businesses Make

  1. Using personal or consumer email to send PHI (free Gmail, Yahoo, etc. come with no BAA and are not HIPAA-compliant; a business suite such as Google Workspace can be, once a BAA is signed and the service is configured accordingly)
  2. No BAAs with vendors — using cloud storage, billing software, or scheduling tools without a signed BAA
  3. Assuming "small" means "exempt" — HIPAA applies regardless of business size
  4. Skipping the risk assessment — the failure most often cited in OCR audits and enforcement actions
  5. No employee training documentation — training happened but wasn't recorded

Generate Your HIPAA Notice

One of the most important HIPAA documents is the Notice of Privacy Practices. Our HIPAA Notice Generator creates a compliant notice covering all required sections under 45 CFR § 164.520. It's free and takes under 5 minutes.

Generate your HIPAA Notice now →