What is HIPAA? A Plain-English Guide for Small Healthcare Practices
Published May 1, 2026
HIPAA — the Health Insurance Portability and Accountability Act of 1996 — is the federal law that governs how US healthcare providers handle patient health information. If you're a small healthcare practice in the United States, HIPAA applies to you the same way it applies to a 500-bed hospital, and the federal government enforces it through the HHS Office for Civil Rights (OCR). Here's what HIPAA actually requires, in plain English.
Who HIPAA applies to
HIPAA applies to two categories of entities: covered entities and business associates. Covered entities are health plans (insurers), healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with a HIPAA standard transaction such as a claim or eligibility check (45 CFR § 160.103). A solo dentist who electronically submits insurance claims is a covered entity. A 200-person hospital is a covered entity. A cash-only therapist who never transmits anything electronically in connection with a standard transaction may not be, but the threshold is low enough that most small practices are covered.
Business associates are anyone who creates, receives, maintains, or transmits protected health information (PHI) on behalf of a covered entity. Your EHR vendor, your billing service, your dental lab, your telehealth platform — these are all business associates.
The three rules that matter
HIPAA is structured around three federal rules:
The Privacy Rule (45 CFR Part 164 Subpart E) governs the use and disclosure of PHI. It tells you when you can share patient information, when you need written authorization, and what rights patients have to access and amend their records.
The Security Rule (45 CFR Part 164 Subpart C) covers electronic PHI specifically. It requires administrative, physical, and technical safeguards — encryption, access controls, audit logs, training, risk assessments.
The Breach Notification Rule (45 CFR Part 164 Subpart D) sets out what you must do after a breach of unsecured PHI: notify affected individuals without unreasonable delay and no later than 60 calendar days after you discover the breach (§ 164.404); notify HHS, at the same time for breaches affecting 500 or more individuals and within 60 days after the end of the calendar year for smaller ones (§ 164.408); and notify prominent media outlets when a breach affects more than 500 residents of a state or jurisdiction (§ 164.406). Business associates must report breaches to the covered entity (§ 164.410). PHI that was encrypted in line with HHS guidance is not "unsecured," so losing a properly encrypted laptop is generally not a reportable breach.
What you actually have to do
A small practice's HIPAA compliance program comes down to documentation and a few operational practices:
Documentation: a written Notice of Privacy Practices (45 CFR § 164.520), a Security Risk Assessment, formally the "risk analysis" (45 CFR § 164.308(a)(1)(ii)(A)), a Privacy Officer and Security Officer designation (45 CFR § 164.530(a)(1) and § 164.308(a)(2)), Business Associate Agreements with every vendor who handles PHI (45 CFR § 164.308(b)(1), with required contract terms at § 164.504(e)), training records for every workforce member (45 CFR § 164.308(a)(5) and § 164.530(b)), and written security incident and breach response procedures (45 CFR § 164.308(a)(6)).
Operational practices: workforce training, access controls (unique user IDs, automatic logoff, 45 CFR § 164.312(a)), audit controls that record who accessed ePHI and when (§ 164.312(b)), encryption of ePHI at rest and in transit, breach response, and regular policy reviews. Note that encryption is an "addressable" specification (§ 164.312(a)(2)(iv) and (e)(2)(ii)): you must either implement it or document why an equivalent alternative is reasonable. In practice, implement it anyway, because encrypted data is what keeps a lost device from becoming a reportable breach.
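The audit-control requirement above is easy to "meet" with a log that any administrator can quietly edit, which defeats the point during a breach investigation. The following is an added example, not code from the original page or from TrackHIPAA, of a tamper-evident access log: each entry carries a keyed hash (HMAC) over its own fields plus the previous entry's tag, so editing, deleting, or reordering an entry breaks the chain. The key name DEMO_KEY, the sample events, and the function names are constructed for illustration; a real deployment keeps the key in a KMS/HSM that application accounts cannot read.

```python
"""Tamper-evident audit log for ePHI access events (added example, Python stdlib only)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed demo key. In production this lives in a KMS/HSM and is never
# reachable by the accounts whose activity the log records; otherwise an
# insider with write access could simply recompute the chain.
DEMO_KEY = b"demo-audit-log-key-do-not-use-in-production"

# Tag used as the "previous" value for the very first entry.
GENESIS = "0" * 64


def _canonical(entry: dict) -> bytes:
    # Deterministic serialization so the same entry always hashes the same.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_event(log: List[dict], actor: str, action: str, patient_id: str,
                 key: bytes = DEMO_KEY, when: Optional[str] = None) -> dict:
    """Append one access event, chaining it to the previous entry's MAC.

    The log itself contains patient identifiers and is therefore ePHI:
    restrict read access to it the same way you restrict the chart.
    """
    prev = log[-1]["mac"] if log else GENESIS
    entry = {
        "seq": len(log),
        "ts": when or datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "actor": actor,
        "action": action,
        "patient_id": patient_id,
        "prev": prev,
    }
    entry["mac"] = hmac.new(key, _canonical(entry), hashlib.sha256).hexdigest()
    log.append(entry)
    return entry


def verify_log(log: List[dict], key: bytes = DEMO_KEY) -> Tuple[bool, Optional[int]]:
    """Walk the chain; return (True, None) if intact, else (False, first bad index)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        # A deleted or reordered entry shows up as a sequence/prev mismatch.
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i
        # An edited field shows up as a MAC mismatch.
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("mac", "")):
            return False, i
        prev = entry["mac"]
    return True, None


def demo() -> dict:
    """Constructed scenario: an intact log, an edited entry, and a deleted entry."""
    log: List[dict] = []
    append_event(log, "dr.smith", "view_chart", "P-1001", when="2026-05-01T09:00:00+00:00")
    append_event(log, "billing.bot", "export_claim", "P-1001", when="2026-05-01T09:05:00+00:00")
    append_event(log, "nurse.lee", "view_chart", "P-2002", when="2026-05-01T09:10:00+00:00")
    intact = verify_log(log)

    # Case 1: someone rewrites who looked at the record.
    tampered = [dict(e) for e in log]
    tampered[0]["actor"] = "someone.else"
    edited = verify_log(tampered)

    # Case 2: the export event is silently removed.
    deleted = log[:1] + log[2:]
    gap = verify_log(deleted)

    return {"intact": intact, "edited": edited, "deleted": gap}


if __name__ == "__main__":
    print(demo())  # intact -> (True, None); edited -> (False, 0); deleted -> (False, 1)
```

A plain SHA-256 hash chain would catch accidental corruption but not a deliberate rewrite, since the attacker can recompute every hash; the HMAC key held outside the application is what makes the chain evidence rather than decoration. Ship the tags (or a periodic anchor of the latest tag) to a system the EHR administrators cannot write to, and run verify_log as part of your incident response procedure.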
Penalties and enforcement
HIPAA penalties are tiered by culpability (45 CFR § 160.404), and the dollar amounts are adjusted for inflation each year (the current figures are published at 45 CFR § 102.3, so check there rather than relying on any article's numbers). The lowest tier, violations the covered entity did not know about and, with reasonable diligence, would not have known about, starts at $137 per violation. The highest tier, willful neglect not corrected within 30 days of discovery, starts at $68,928 per violation, and the annual cap for all violations of an identical provision is on the order of $2.1 million per calendar year.
OCR enforcement disproportionately targets small practices. According to HHS published settlement data, 55% of resolution agreements have involved practices smaller than 50 employees. The most common citation is the missing Security Risk Assessment.
Where to start
If you're a small practice with no HIPAA program in place, the order of operations is: (1) complete a Security Risk Assessment, (2) generate written policies covering each Privacy Rule and Security Rule requirement, (3) execute Business Associate Agreements with every vendor that touches PHI, (4) train your workforce and document the training, (5) set up a breach response procedure. TrackHIPAA does all five for $49/month.
Key takeaways
- HIPAA applies to virtually every US healthcare practice that electronically transmits patient information in connection with a standard transaction such as a claim
- Three rules: Privacy, Security, Breach Notification — covered in 45 CFR Part 164
- 55% of OCR enforcement actions hit practices smaller than 50 employees
- The Security Risk Assessment is the #1 most-cited missing document in audits
- Penalties start at $137 per violation, willful neglect tier starts at $68K