HIPAA compliance intimidates most small business owners. The regulation is dense, the jargon is technical, and the consequences of non-compliance are severe. But the core requirements are more manageable than they appear — if you approach them systematically. This guide strips away the complexity and tells you exactly what you need to have in place.
Who Actually Needs to Comply with HIPAA
Covered Entities: healthcare providers, health plans, and healthcare clearinghouses that transmit protected health information (PHI) electronically. Business Associates: any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity. This is broader than most small businesses realize and includes medical transcription services, cloud hosting providers storing medical records, IT support companies with access to systems containing PHI, and marketing companies working with patient data. If your business is a business associate, you are directly subject to HIPAA requirements.
The Administrative Safeguards You Must Have
- Designate a Security Officer responsible for developing and implementing security policies.
- Conduct and document a formal Risk Analysis identifying all ePHI in your environment, threats to that ePHI, and your existing safeguards.
- Create a Risk Management Plan to implement security measures reducing identified risks.
- Provide Security Awareness Training to all workforce members, and document who was trained, when, and on what topics.
- Create a Sanction Policy defining consequences for employees who violate HIPAA policies.
- Maintain formal procedures for granting and revoking access to ePHI.
The Technical Safeguards You Must Have
- Access Controls: technical mechanisms allowing only authorized users to access ePHI systems, including unique user IDs and automatic logoff.
- Audit Controls: mechanisms that record and examine activity in systems containing ePHI, so that you can determine who accessed what data, and when.
- Integrity Controls: measures to ensure ePHI is not improperly altered or destroyed.
- Transmission Security: encryption of ePHI transmitted over electronic networks, using TLS 1.2 or later for data in transit and AES-256 for data at rest.
Business Associate Agreements (BAAs)
Every vendor, contractor, or service provider with access to ePHI must sign a Business Associate Agreement with you. This includes your cloud hosting provider, email provider, backup service, and any software vendor whose product stores ePHI. Google, Microsoft, AWS, and Dropbox Business all offer signed BAAs for healthcare customers. Do not use any service for ePHI storage or processing without a signed BAA in place.
HIPAA Documentation Checklist
- Security Officer designated and documented.
- Risk Analysis completed and documented.
- Risk Management Plan in place.
- Privacy and Security Policies written and distributed.
- Security Awareness Training conducted and documented for all employees.
- Sanction Policy documented.
- BAAs signed with all business associates.
- Incident Response Plan in place.
- Technical access controls, audit logging, and encryption in place.
Not sure where your HIPAA compliance gaps are? A Compliance Gap Analysis provides a 12-category HIPAA readiness scorecard with priority action items — delivered in 48 hours for $27.
