Question 1

What is HIPAA?

Accepted Answer

HIPAA is the Health Insurance Portability and Accountability Act of 1996, a US federal law that sets national standards for protecting individually identifiable health information. The HIPAA Privacy Rule (45 CFR Part 164, Subpart E) governs how protected health information (PHI) can be used and disclosed. The HIPAA Security Rule (45 CFR Part 164, Subpart C) requires covered entities and business associates to implement administrative, physical, and technical safeguards for electronic PHI. The HIPAA Breach Notification Rule (45 CFR 164.400-414) requires notification to affected individuals, HHS, and sometimes media after a breach of unsecured PHI. HIPAA is enforced by the HHS Office for Civil Rights (OCR).

Question 2

Who is a HIPAA covered entity?

Accepted Answer

Under 45 CFR 160.103, a covered entity is one of three things: a health plan (insurance, HMO, Medicare, Medicaid), a health care clearinghouse (entities that process health information from one format to another), or a health care provider who transmits any health information electronically in connection with a transaction for which HHS has adopted a standard (such as claims, eligibility verification, or referrals). Most physician practices, dental offices, mental health providers, chiropractors, and hospitals qualify as covered entities the moment they bill electronically. Cash-only providers who never transmit electronic transactions may technically fall outside HIPAA, but state laws often impose similar duties.

Question 3

Do small practices need a HIPAA Risk Analysis?

Accepted Answer

Yes. The HIPAA Security Rule at 45 CFR 164.308(a)(1)(ii)(A) requires every covered entity and business associate, regardless of size, to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI. Solo practitioners and small practices are not exempt. OCR resolution agreements repeatedly cite the absence of a current, written Risk Analysis as a root-cause finding. The analysis should be documented, updated when circumstances change, and tied to a Risk Management plan under 45 CFR 164.308(a)(1)(ii)(B). North Privacy Advisors performs Risk Analysis engagements scoped for solo and small practices.

Question 4

What does OCR enforce most often?

Accepted Answer

According to OCR enforcement summaries, the most frequently cited issues in HIPAA resolution agreements include: failure to conduct an accurate and thorough Risk Analysis under 45 CFR 164.308(a)(1)(ii)(A); failure to implement Risk Management measures; impermissible uses and disclosures of PHI under the Privacy Rule; lack of an executed Business Associate Agreement before sharing PHI with a vendor; failure to provide timely access to medical records under the Right of Access (45 CFR 164.524); and inadequate workforce training. The Right of Access Initiative alone has produced more than 45 enforcement actions since 2019.

Question 5

What is a Business Associate Agreement?

Accepted Answer

A Business Associate Agreement (BAA) is a written contract required under 45 CFR 164.502(e) and 45 CFR 164.504(e) before a covered entity shares PHI with a vendor that creates, receives, maintains, or transmits PHI on its behalf. The BAA must contain specific provisions: permitted uses and disclosures, safeguard requirements, breach notification obligations, subcontractor flow-down requirements, and termination rights. Without an executed BAA, the disclosure of PHI to the vendor is itself a HIPAA violation, separate from any breach the vendor might cause. Common business associates include cloud hosting, email providers, billing companies, IT support, and transcription services.

Question 6

How much do HIPAA fines cost?

Accepted Answer

HIPAA civil monetary penalties are tiered by culpability under 45 CFR 160.404 and adjusted annually for inflation. As of the most recent HHS adjustment, the four tiers range from roughly $137 per violation at the lowest tier (no knowledge) up to roughly $68,928 per violation at the highest tier (willful neglect, not corrected), with an annual cap per identical violation in the low millions. OCR can also impose corrective action plans lasting several years. Smaller resolution agreements with solo and small practices frequently land in the $25,000 to $250,000 range, plus the cost of the corrective action plan. Check the current HHS penalty schedule for exact figures.

HIPAA Compliance Guidance for Small Healthcare Practices

All articles in this topic

Top 5 Reasons OCR Fines Small Healthcare Practices in 2026

Drata vs Fractional Privacy Officer: Which Does Your Healthcare Practice Need?

Cyber Insurance Renewal: The HIPAA Attestation Trap for Texas Practices

First 72 Hours After an OCR Investigation Letter: What Healthcare Practices Should Do

Why a HIPAA Compliance Seal Will Not Save You in an OCR Investigation

Compliancy Group Review: What the ADA Endorsement Does and Does Not Cover

The HIPAA Risk Analysis OCR Actually Wants to See

Accountable HQ Says No Consultants Needed. Here Is Where That Breaks Down.

HIPAA Compliance for Solo Practitioners in Texas

Why Your IT Provider's BAA Does Not Make Your Practice HIPAA Compliant

Medcurity vs Patient Protect vs a Real HIPAA Risk Analysis: Honest Comparison

What Your HIPAA Software Cannot Do: 7 Gaps Every Practice Owner Should Audit

Compliancy Group vs Human HIPAA Consultant: Decision Guide

What the SECURE Data Act Means for Small Healthcare Practices