HIPAA basics for small teams.
You don't need a compliance department to run a HIPAA-aware practice. Five controls handle most of what regulators actually care about.
HIPAA is often talked about as if it requires a compliance department. For a small dental, medical, or allied practice, most of what regulators actually care about boils down to five practical controls you can implement this quarter.
What regulators actually check
When a small practice gets a HIPAA inquiry — often after a breach, a terminated employee complaint, or a patient complaint — the auditors want to see the same things every time. Who has access. How access is controlled. How data is encrypted. What happens when someone leaves. Whether you have a Business Associate Agreement with every vendor that touches patient data.
Where small practices actually get burned
“A four-provider dental office faxed a set of records to the wrong fax number.”
Red flag: No encryption, no logs of who sent what. One patient complaint turned into a full OCR inquiry. Fines plus remediation cost over $40K.
“A small medical group fired a billing employee who kept VPN access for six weeks afterward.”
Red flag: No offboarding checklist. The employee downloaded patient lists before the access was finally revoked.
The five controls that cover 80% of it
- MFA on every account that can reach patient data — EHR, email, billing systems.
- Full-disk encryption on every laptop and mobile device used for work.
- A signed Business Associate Agreement with every vendor — EHR, IT, cloud storage, fax, billing.
- A written, followed offboarding checklist that revokes access on day zero.
- Annual security awareness training with a signed acknowledgment on file.
We do HIPAA for small practices.
If any of this feels like a lift, we run compliance-as-a-service for dental and medical offices across the region. One call and we'll tell you where you stand.
1. Make a list of every vendor that touches patient data. Confirm you have a BAA with each.
2. Turn on MFA for EHR, email, and billing today if you haven't.
3. Verify full-disk encryption is on for every laptop — BitLocker on Windows, FileVault on Mac.
4. Write a one-page offboarding checklist and make the office manager the owner.
5. Schedule annual security awareness training and keep the signed roster in a safe place.
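A per-laptop check for the Windows half of step 3, added here as an example (it is not part of the original article). It uses only the built-in BitLocker and Storage PowerShell modules, changes nothing, and writes a dated report you can keep as evidence of how data is encrypted; the report path is an assumption you can change.

```powershell
# Added example: verify BitLocker status on a Windows laptop.
# Run in an elevated PowerShell; read-only (Get-BitLockerVolume / Get-Volume only).
$reportPath = "C:\HIPAA-evidence\bitlocker-$($env:COMPUTERNAME)-$(Get-Date -Format yyyyMMdd).csv"  # assumed location

$findings = foreach ($v in Get-BitLockerVolume) {
    # Removable media also show up as 'Data' volumes; only fixed drives are in scope here.
    $letter = $v.MountPoint.TrimEnd(':')
    $drive  = Get-Volume -DriveLetter $letter -ErrorAction SilentlyContinue
    if ($drive -and $drive.DriveType -ne 'Fixed') { continue }

    $protectors = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '

    # "Compliant" means the volume is fully encrypted AND protection is actually on.
    # A volume can be encrypted with protection suspended (e.g. after a firmware update),
    # which auditors treat the same as unencrypted.
    $ok = ($v.ProtectionStatus -eq 'On') -and ($v.VolumeStatus -eq 'FullyEncrypted')

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Volume        = $v.MountPoint
        Type          = $v.VolumeType          # OperatingSystem or Data
        Protection    = $v.ProtectionStatus    # On / Off
        Status        = $v.VolumeStatus        # FullyEncrypted, EncryptionInProgress, FullyDecrypted ...
        PercentDone   = $v.EncryptionPercentage
        KeyProtectors = $protectors            # e.g. Tpm, RecoveryPassword
        Compliant     = $ok
        Checked       = (Get-Date).ToString('s')
    }
}

$findings | Format-Table -AutoSize
New-Item -ItemType Directory -Path (Split-Path $reportPath) -Force | Out-Null
$findings | Export-Csv -Path $reportPath -NoTypeInformation

# Non-zero exit so the check can run from a login script or RMM tool and fail loudly.
if ($findings | Where-Object { -not $_.Compliant }) {
    Write-Warning "One or more fixed volumes are not fully protected by BitLocker. See $reportPath"
    exit 1
}
"All fixed volumes on $($env:COMPUTERNAME) are encrypted with protection on."
```

A volume that reports `KeyProtectors` without `RecoveryPassword` has no stored recovery key, which is the next thing to fix; the macOS equivalent is `fdesetup status` on each Mac.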
Want help securing your business?
Schedule a quick security review with our team. 15 minutes, no sales pressure — walk away knowing exactly where your gaps are.