
HIPAA Compliance Checklist for Small Businesses (2026)

Think HIPAA only applies to hospitals? Think again. If your small business touches patient data in any way — even through a SaaS tool, a billing app, or an HR platform — you may be required to comply. Here's everything you need to know.

By ComplyZen Team · March 10, 2026 · Updated March 15, 2026

If you run a small business that handles health-related data in any capacity, HIPAA compliance isn't optional — it's the law. And in 2026, enforcement is at an all-time high.

The HHS Office for Civil Rights (OCR) broke records in 2025 with 19 enforcement actions totaling over $8 million in fines. Small businesses and their vendors — known as Business Associates — are increasingly in the crosshairs.

  • 19 OCR enforcement actions in 2025
  • $8M+ in total fines issued
  • 42M individuals affected by breaches

Who Needs to Comply With HIPAA?

HIPAA applies to two categories of organizations:

Covered Entities — healthcare providers who transmit health information electronically. This includes doctors, clinics, hospitals, pharmacies, health plans, dental offices, and psychologists.

Business Associates — any company that handles Protected Health Information (PHI) on behalf of a covered entity. This is where most small businesses get caught off guard. Business associates include:

  • Cloud hosting providers storing healthcare data
  • Billing and claims processing companies
  • IT service providers with access to healthcare systems
  • Email marketing platforms used by healthcare companies
  • Accounting firms handling healthcare clients
  • SaaS tools that process patient data

If your software, service, or product touches patient data at any point, you're almost certainly a Business Associate. You need a signed Business Associate Agreement (BAA) and must comply with HIPAA's Security Rule and Breach Notification Rule.

Step 1: Appoint a Privacy and Security Officer

HIPAA requires you to designate someone responsible for your compliance program. In a small business, one person can fill both the Privacy Officer and Security Officer roles. This person doesn't need a special certification — they need authority to implement policies and the time to manage the program.

Their responsibilities include:

  • Developing and enforcing HIPAA policies
  • Conducting risk assessments
  • Managing employee training
  • Responding to data breaches
  • Serving as the point of contact for the HHS Office for Civil Rights

Step 2: Conduct a Risk Assessment

This is the single most important step in HIPAA compliance — and the one that most small businesses skip. A risk assessment identifies:

  • Where PHI lives in your organization
  • Who has access to it
  • What threats exist
  • What safeguards are in place

Not having a documented risk assessment is the #1 reason businesses receive HIPAA fines. If OCR investigates, this is the first thing they ask for.

The Security Rule explicitly requires a "thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic PHI." This isn't a one-time task — you need to conduct risk assessments regularly, especially when systems change.

Not sure where to start with your risk assessment? ComplyZen's AI walks you through it — identifying your specific risks and generating a prioritized action plan in minutes.


Step 3: Implement Administrative Safeguards

Administrative safeguards are the policies and procedures that govern how your team handles PHI:

Workforce training — every employee who may encounter PHI must receive HIPAA training upon hire and annually thereafter. Document the training with signed acknowledgments.

Access management — implement the Minimum Necessary Standard. Only give employees access to the PHI they need for their specific job function. Review access permissions regularly.

Incident response procedures — create a written plan for responding to potential data breaches. Define who is notified, how the breach is contained, and how affected individuals are informed.

Sanction policy — document consequences for employees who violate HIPAA policies.

Contingency plan — create backup and disaster recovery procedures for systems containing PHI.

Step 4: Implement Physical Safeguards

Physical safeguards control who can physically access areas where PHI is stored or processed:

  • Lock offices and server rooms
  • Implement visitor sign-in procedures
  • Secure workstations (screen locks, automatic logoff)
  • Properly dispose of devices that contained PHI
  • Control physical access to areas where PHI is discussed

If employees work remotely, your physical safeguards must extend to home offices. Define rules about where employees can access PHI and how they must secure their home workspace.

Step 5: Implement Technical Safeguards

Technical safeguards are the hardware and software protections for electronic PHI (ePHI). The Security Rule requires:

Access controls — unique user IDs for every person who accesses ePHI, automatic session timeouts, and emergency access procedures.

Audit controls — systems that record and examine activity in systems containing ePHI. You need to know who accessed what data and when.

Integrity controls — mechanisms to ensure ePHI hasn't been improperly altered or destroyed.

Transmission security — encrypt ePHI when transmitting over networks. Use TLS for email, HTTPS for web applications, and encrypted VPNs for remote access.

Encryption at rest — while HIPAA describes encryption as "addressable" rather than "required," choosing not to encrypt is extremely risky. If unencrypted ePHI is breached, you must report it. If encrypted ePHI is breached, you may be exempt from breach notification.
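The safeguards in this step, shown together as an added Python example that is not ComplyZen's code or any product's: a unique-user-ID session check with automatic logoff, a per-role minimum-necessary field list, and an HMAC-chained audit log whose verification fails if an entry is edited, deleted or reordered. The timeout value, the role-to-field map and the patient record are assumptions constructed for the example.

```python
import hashlib
import hmac
import json
# Constructed example (not ComplyZen's code) of the safeguards named above: unique user
# IDs with automatic logoff, a per-role "minimum necessary" field list, and an HMAC-chained
# audit trail (assumed timeout and role map) that exposes edited, deleted or reordered entries.
SESSION_TIMEOUT_SECONDS = 15 * 60
ROLE_FIELDS = {"billing": {"patient_id", "insurance_id"},
               "clinician": {"patient_id", "insurance_id", "diagnosis"}}

class EphiStore:
    def __init__(self, audit_key: bytes, records: dict):
        self._key = audit_key          # audit-log MAC key; store it apart from the app DB
        self._records = dict(records)  # patient_id -> fields (constructed sample data)
        self._sessions = {}            # user_id -> time of last activity
        self.audit_log = []            # chained entries, each carrying its own MAC
        self._prev = "0" * 64          # chain anchor for the first entry

    def _audit(self, now, user, action, patient, fields, outcome):
        entry = {"ts": now, "user": user, "action": action, "patient": patient,
                 "fields": sorted(fields), "outcome": outcome, "prev": self._prev}
        body = json.dumps(entry, sort_keys=True).encode()
        entry["mac"] = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        self._prev = entry["mac"]
        self.audit_log.append(entry)

    def login(self, user, now):
        self._sessions[user] = now

    def read(self, now, user, role, patient, fields):
        last = self._sessions.get(user)
        if last is None or now - last > SESSION_TIMEOUT_SECONDS:  # automatic logoff
            self._audit(now, user, "read", patient, fields, "denied:session")
            raise PermissionError("no active session; log in again")
        if not set(fields) <= ROLE_FIELDS.get(role, set()):
            self._audit(now, user, "read", patient, fields, "denied:minimum-necessary")
            raise PermissionError("request exceeds the fields permitted for this role")
        self._sessions[user] = now
        self._audit(now, user, "read", patient, fields, "ok")
        return {f: self._records.get(patient, {}).get(f) for f in fields}

    def verify_audit_log(self):
        prev = "0" * 64
        for e in self.audit_log:
            body = {k: v for k, v in e.items() if k != "mac"}
            mac = hmac.new(self._key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
            if body["prev"] != prev or not hmac.compare_digest(mac, e["mac"]):
                return False
            prev = e["mac"]
        return True
```

In a real deployment the MAC key lives in a separate secrets store and the log is forwarded to a system the application account cannot write to, so that a compromised application cannot re-sign its own history.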

Step 6: Execute Business Associate Agreements

Before sharing PHI with any vendor, you must have a signed Business Associate Agreement (BAA). This contract:

  • Defines what the vendor can do with PHI
  • Requires them to implement safeguards
  • Obligates them to report breaches
  • Allows you to terminate the relationship for violations

Common vendors that need BAAs include cloud storage providers (AWS, Google Cloud, Azure), email services, EHR systems, billing platforms, shredding companies, and IT support providers.

Step 7: Prepare for Breach Notification

Despite best efforts, breaches happen. HIPAA requires you to:

  • Notify affected individuals within 60 days of discovering a breach
  • Notify HHS — immediately if 500+ people are affected, or annually for smaller breaches
  • Notify local media if 500+ people in a single jurisdiction are affected
  • Document every breach, no matter how small, in a breach log

Step 8: Document Everything

HIPAA requires you to retain compliance documentation for six years. This includes all policies and procedures, risk assessments, training records, BAAs, breach logs, incident response records, and system access logs.

Documentation is your defense. If OCR investigates and you can show a documented, good-faith compliance program, you're far less likely to receive a significant fine.

Common HIPAA Mistakes Small Businesses Make

Based on OCR enforcement data, these are the most frequent violations:

  1. Not conducting a risk assessment (the #1 reason for fines)
  2. Failing to have BAAs with vendors
  3. Insufficient access controls — too many people with access to PHI
  4. Lack of employee training
  5. Not encrypting ePHI on mobile devices
  6. Responding too slowly to breaches

Don't let a preventable gap turn into a six-figure fine. ComplyZen identifies exactly which HIPAA requirements apply to your business, generates customized policies, and gives you a prioritized action plan — all for less than the cost of one hour with a healthcare attorney.


Frequently asked questions

Does HIPAA apply to my small business?

If your business creates, receives, stores, or transmits Protected Health Information (PHI) — even indirectly as a service provider to healthcare companies — HIPAA likely applies. This includes IT companies, billing services, cloud storage providers, and any business that handles patient data on behalf of healthcare providers.

What are the penalties for HIPAA violations?

HIPAA violation fines range from $137 per violation for unknowing violations up to $2,067,813 per violation for willful neglect. Criminal penalties can include fines up to $250,000 and imprisonment up to 10 years. In 2025, the HHS Office for Civil Rights issued over $8 million in fines across 19 settlements.

How much does HIPAA compliance cost for a small business?

For a small business, HIPAA compliance typically costs between $5,000 and $50,000 depending on complexity. This includes risk assessments, policy development, employee training, and technical safeguards. Using an AI-powered tool like ComplyZen can reduce this to under $600/year.

Do I need a HIPAA compliance officer?

Yes. HIPAA requires every covered entity and business associate to designate a Privacy Officer and a Security Officer. In small businesses, one person can fill both roles. This person is responsible for developing policies, training staff, and managing compliance.

Check your HIPAA compliance in 2 minutes

Our AI analyzes your business type, data handling, and operations to tell you exactly which HIPAA requirements apply to you.
