For One-Person Practices Across Specialties

HIPAA Compliance for Solo Practitioners

If you're a solo dentist, therapist, chiropractor, NP, or physician — you're a covered entity, and OCR audits you the same as a 50-person clinic. Built for the realities of running a one-person practice without an IT department.

No signup required for the quiz. See your compliance score in 2 minutes.

What OCR Audits in Solo Practices

Why solo practitioners face unique HIPAA risk

OCR doesn't size-discriminate

55% of HHS enforcement actions land on practices smaller than 50 employees. The agency views solo practices as more likely to have gaps, not less. Being small is not a defense: under 45 CFR § 160.404, a violation due to willful neglect that is not corrected within 30 days carries a minimum penalty of $50,000 per violation (before inflation adjustment).

You wear every compliance hat

In a solo practice you are the Privacy Officer (45 CFR § 164.530(a)(1)), the Security Officer (45 CFR § 164.308(a)(2)), and the workforce member doing the actual training. You also have to document each of those roles separately — TrackHIPAA generates the designation letters automatically.

Personal devices are a compliance trap

Most solo practitioners use one laptop for everything: clinical work, billing, personal email, kids' homework. That laptop holds ePHI and falls under the Security Rule. Encryption, access controls, and acceptable-use policy all apply.

Outsourced services compound the risk

Solo practices outsource everything: billing, EHR hosting, scheduling, transcription, virtual receptionist. Every vendor that creates, receives, maintains, or transmits PHI on your behalf is a Business Associate, and you need a signed BAA with each one (45 CFR § 164.308(b) and § 164.502(e)). Most solo practitioners signed up for these services years ago without ever executing BAAs, and the audit exposure grows with every vendor you add.

Built For You

What TrackHIPAA does for solo practitioners

Auto-generated Privacy + Security Officer designations

TrackHIPAA generates the formal written designation letters for both roles, signed by you — the foundation document any OCR auditor asks for first.

Single-user SRA wizard

Security Risk Assessment optimized for one-person practices — fewer questions, focused on the assets a solo practitioner actually has (one or two devices, a couple of cloud services).

Personal-device policy

Written policy for using personal devices in a solo practice — encryption, screen lock, separation of personal and clinical data, lost-device procedure.

Outsourced vendor inventory

Tracking sheet for every outsourced service (billing, EHR, scheduling, virtual receptionist) with BAA status, encryption verification, and renewal date.

Up to 5 users — for when you grow

Your $49 plan already includes 5 users, so when you hire a part-time MA or front desk staff, you don't need to upgrade.

Policies Included

Documents customized for solo practitioners

Each policy is generated from your practice profile (state, size, systems used) and signed off by you as Privacy Officer.

  • Notice of Privacy Practices
  • Privacy Officer Designation Letter
  • Security Officer Designation Letter
  • Security Risk Assessment (solo)
  • Personal Device & Workstation Policy
  • Outsourced Vendor Inventory & BAA Log
  • Self-Training Acknowledgment

Plus 25+ additional policies covering every HIPAA requirement — full list on the pricing page.

Frequently Asked

Solo Practitioner-specific questions

Am I actually subject to HIPAA as a solo practitioner?

Almost certainly yes. Under 45 CFR § 160.103 you are a covered entity if you transmit health information electronically in connection with any HIPAA standard transaction: claims, eligibility inquiries, referral certification and authorization, claim status, or payment and remittance advice. Using a billing service or clearinghouse that submits electronically on your behalf counts as you transmitting. The only solo practitioners outside HIPAA are those running entirely paper-based or cash-only practices that never conduct any of those transactions electronically, directly or through a vendor.

Who is my Privacy Officer if I'm the only person?

You are. 45 CFR § 164.530(a)(1) requires a designated Privacy Officer but doesn't require that it be a separate person from the practitioner. TrackHIPAA generates a formal designation letter that you sign; it's the foundational compliance document.

I use one laptop for everything. Is that a HIPAA problem?

Yes, unless it's properly configured. The laptop holds ePHI, so the Security Rule applies to it. At minimum you need full-disk encryption (BitLocker on Windows, FileVault on Mac), a screen lock with a short idle timeout that requires a password to resume, a separate login account for clinical work rather than the shared family account, and a written acceptable-use policy. Encryption matters twice over: it is an addressable Security Rule safeguard (45 CFR § 164.312(a)(2)(iv)), and a lost laptop whose disk was encrypted in line with HHS guidance (NIST SP 800-111) holds secured PHI, so the loss is not a reportable breach. TrackHIPAA generates the policy and gives you a checklist for the technical setup.
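As an added example (not TrackHIPAA's checklist and not code from this page), here is a small read-only script that verifies the two technical controls named above on the laptop it runs on: full-disk encryption and a screen lock with a short timeout. It parses the output of real OS tools (`fdesetup status` and `defaults` on macOS; `manage-bde -status` and `reg query` on Windows, where `manage-bde` must run from an elevated prompt). The 15-minute limit, the sample tool output embedded for demonstration, and the wording assumed for `sysadminctl -screenLock status` are assumptions, not HIPAA requirements or guaranteed OS behavior.

```python
"""Read-only laptop checklist for a solo practice: full-disk encryption and
screen lock. Illustrative code, not TrackHIPAA's checklist. Sample tool output
below is constructed for demonstration; run_checklist() queries the real tools."""
import platform
import re
import subprocess

MAX_LOCK_SECONDS = 15 * 60  # assumption: a "short" idle timeout; HIPAA sets no number

# Constructed sample output, in the layout the real tools print.
SAMPLE_FDESETUP_ON = "FileVault is On.\n"
SAMPLE_MANAGE_BDE_ON = """Volume C: [Windows]
[OS Volume]

    Size:                 237.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
"""
SAMPLE_MANAGE_BDE_OFF = SAMPLE_MANAGE_BDE_ON.replace(
    "Fully Encrypted", "Fully Decrypted").replace("Protection On", "Protection Off")
SAMPLE_REG = """HKEY_CURRENT_USER\\Control Panel\\Desktop
    ScreenSaveActive     REG_SZ    1
    ScreenSaveTimeOut    REG_SZ    600
    ScreenSaverIsSecure  REG_SZ    1
"""


def filevault_on(fdesetup_output: str) -> bool:
    """macOS: `fdesetup status` prints 'FileVault is On.' or 'FileVault is Off.'"""
    return re.search(r"^FileVault is On\.", fdesetup_output, re.M) is not None


def bitlocker_protected(manage_bde_output: str) -> bool:
    """Windows: `manage-bde -status C:`. Encryption still in progress, or with
    protection suspended, does not count as protected."""
    def field(name: str) -> str:
        m = re.search(rf"{name}:\s*(.+?)\s*$", manage_bde_output, re.M)
        return m.group(1) if m else ""
    return (field("Protection Status") == "Protection On"
            and field("Conversion Status") == "Fully Encrypted")


def lock_timeout_ok(seconds: int, limit: int = MAX_LOCK_SECONDS) -> bool:
    """0 means 'never' on both platforms, so it fails like any over-long value."""
    return 0 < seconds <= limit


def windows_screensaver(reg_output: str):
    """Parse `reg query "HKCU\\Control Panel\\Desktop"`: timeout in seconds and
    whether the screen saver demands a password on resume. Missing keys read as
    0 / False, i.e. not configured."""
    t = re.search(r"ScreenSaveTimeOut\s+REG_SZ\s+(\d+)", reg_output)
    s = re.search(r"ScreenSaverIsSecure\s+REG_SZ\s+(\d+)", reg_output)
    return (int(t.group(1)) if t else 0, bool(s and s.group(1) == "1"))


def evaluate(os_name: str, fde_output: str, lock_seconds: int, password_on_resume: bool) -> dict:
    """Pure evaluation step, so it can be checked without touching the OS."""
    encrypted = filevault_on(fde_output) if os_name == "Darwin" else bitlocker_protected(fde_output)
    return {
        "full_disk_encryption": encrypted,
        "screen_lock_timeout": lock_timeout_ok(lock_seconds),
        "password_on_resume": password_on_resume,
    }


def _run(cmd) -> str:
    """Capture stdout and stderr together (sysadminctl reports on stderr)."""
    try:
        return subprocess.run(cmd, stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                              text=True, check=False).stdout
    except OSError:
        return ""


def run_checklist() -> dict:
    """Gather the live values on this machine (macOS or Windows) and evaluate them."""
    os_name = platform.system()
    if os_name == "Darwin":
        fde = _run(["fdesetup", "status"])
        idle = _run(["defaults", "-currentHost", "read", "com.apple.screensaver", "idleTime"]).strip()
        # Assumption about wording: `sysadminctl -screenLock status` contains
        # "screenLock is off" when no password is required after the screen saver.
        secure = "screenLock is off" not in _run(["sysadminctl", "-screenLock", "status"])
        return evaluate(os_name, fde, int(idle) if idle.isdigit() else 0, secure)
    if os_name == "Windows":
        fde = _run(["manage-bde", "-status", "C:"])  # needs an elevated prompt
        secs, secure = windows_screensaver(_run(["reg", "query", r"HKCU\Control Panel\Desktop"]))
        return evaluate(os_name, fde, secs, secure)
    raise RuntimeError(f"no checks defined for {os_name}")


if __name__ == "__main__":
    print("sample (constructed):", evaluate("Windows", SAMPLE_MANAGE_BDE_OFF, 600, True))
    if platform.system() in ("Darwin", "Windows"):
        print("this machine:", run_checklist())
```

Any `False` in the result is a gap to fix before the laptop touches patient data; an unreadable or missing setting is deliberately scored as a failure rather than a pass, so the script errs toward flagging a laptop that has never been configured.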

See all 14 general FAQs →

Get audit-ready in 2 minutes

Take the free 15-question compliance quiz tailored to solo practitioners. See your score, identify gaps, no signup required.