
What HIPAA compliance actually requires for small practices

April 2026

Most small healthcare practices know they are supposed to be HIPAA compliant. Few know what that actually means in practice. This is a plain walkthrough of what the HIPAA Security Rule requires, what OCR looks for in an audit, and where most small practices fall short.

The Security Risk Assessment

The HIPAA Security Rule (45 CFR 164.308(a)(1)) requires every covered entity to conduct and document a security risk assessment. This is the single most commonly cited deficiency in OCR enforcement actions. In OCR's Phase 2 audit program (2016 to 2017, the most recent completed audit cycle), 86% of audited covered entities failed to meet this requirement. The numbers have not improved meaningfully since. OCR launched a dedicated Risk Analysis Initiative in October 2024 specifically targeting practices that lack this documentation.

A risk assessment is not a checklist. It is a documented analysis of every risk to electronic protected health information in your environment: systems, devices, staff practices, physical access, vendor relationships, and policies. The deliverable is a written document that identifies risks, rates their severity, and describes what you are doing about each one.

Three safeguard categories

The Security Rule organizes requirements into three categories. All three apply to every covered entity regardless of size.

Administrative safeguards (164.308): risk analysis, workforce security, access management, security awareness training, incident response procedures, contingency planning, and Business Associate Agreement (BAA) compliance. This is where most practices have the biggest gaps, because it requires written policies and documented procedures.

Physical safeguards (164.310): facility access controls, workstation use and security, device disposal. Can patients see monitors from the waiting room? Is the server room locked? Are old hard drives destroyed properly?

Technical safeguards (164.312): access controls, audit logging, data integrity, authentication, and transmission security. This covers encryption, unique user IDs, automatic logoff, and how electronic health information moves between systems.

What OCR looks for

In an audit or investigation, OCR asks for two things first: your documented risk assessment and your risk management plan. The risk assessment identifies the problems. The risk management plan describes what you are doing about them and when.

OCR does not expect everything to be fixed overnight. It expects a documented plan and reasonable progress. A practice with a thorough assessment and an active remediation plan is in a far stronger position than a practice with no documentation at all.

Where small practices typically fall short

No documented risk assessment. No signed Business Associate Agreements with vendors. Shared logins across staff. No encryption policy. No formal training program. No incident response plan. No audit logging. These are the findings that show up repeatedly in OCR enforcement actions against small practices.

Most of these are documentation and configuration problems, not expensive infrastructure problems. They are fixable.

Enforcement context

OCR enforcement activity through 2025 has been dominated by risk analysis failures. Civil penalties are tiered by negligence level under 45 CFR 160.404 and adjusted annually for inflation; the current tier minimums and annual caps are published by HHS each year and are worth checking against the most recent Federal Register notice before relying on a specific figure.

What is changing

HHS has proposed updates to the Security Rule that would eliminate the distinction between "addressable" and "required" implementation specifications. Under the current rule, a practice can document why encryption is not "reasonable and appropriate" for its environment and skip it. Under the proposed rule, encryption of ePHI at rest and in transit would be required, as would multi-factor authentication for systems that access ePHI. The NPRM also proposes regular penetration testing and vulnerability scanning requirements and faster incident notification timelines.

As of April 2026, these changes are still in the proposed rule stage. HHS has not announced a final rule publication date or compliance timeline. Practices that start the underlying work (risk analysis, policy documentation, MFA, encryption review) now will be positioned for any likely outcome, including the current rule staying in force.

Compliance readiness work is available on request for healthcare practices.
