HIPAA requirements for solo and small practices: what applies and what is scaled

HIPAA has no size exemption. A solo practitioner is a covered entity subject to the same Privacy Rule, Security Rule, and Breach Notification Rule as a large health system. Here is what that means in practice, what is scaled to size, and what is not.

By CoreFolio

When small and solo practices look at HIPAA compliance requirements, the list of obligations can appear designed for hospital systems with compliance departments, IT staff, and legal counsel. The instinct to treat it as inapplicable is understandable but wrong.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains no employee-count threshold, no revenue floor, and no solo practitioner carve-out. A physician in private solo practice who submits claims electronically is a covered entity subject to the same rules — Privacy, Security, and Breach Notification — as a 500-bed hospital.

What the HIPAA Security Rule does provide is a scaling principle that allows small practices to meet the same requirements with proportionately sized solutions. That scaling principle has limits, and understanding where it applies is as important as knowing that it exists.

The scaling principle and its limits

45 CFR § 164.306(b)(2) — the general security rule — permits covered entities to consider the following factors when determining what is “reasonable and appropriate” for their specific implementation:

  • The size, complexity, and capabilities of the covered entity
  • The covered entity’s technical infrastructure, hardware, and software security capabilities
  • The costs of security measures
  • The probability and criticality of potential risks to ePHI

For a solo practitioner with one workstation, one EHR, and no IT staff, this means:

  • The risk analysis can be shorter and more focused than what a health system produces — but it still must be conducted, documented, and current
  • Technical safeguards must be implemented, but they can use the security features already built into the EHR and operating system — not enterprise security software
  • Training documentation can be as simple as a dated log of what was reviewed — not an LMS with formal assessments

What the scaling principle does not change:

  • Whether the risk analysis must be conducted — it must
  • Whether the Security Official must be designated — they must
  • Whether business associate agreements must be executed — they must
  • Whether the Breach Notification Rule applies — it does
  • Whether patient right of access requests must be honored within 30 days — they must

The Privacy Rule obligations for a solo practice

The Privacy Rule (45 CFR §§ 164.500–164.534) governs how PHI may be used and disclosed. Key obligations that apply fully regardless of practice size:

Notice of Privacy Practices (Required): A covered health care provider must have a written Notice of Privacy Practices (NPP) that describes how PHI is used and disclosed and patients’ rights regarding their information. The NPP must be provided to patients at their first service delivery and posted in the office and on the practice website if one exists.

Privacy Official designation (Required): The practice must designate a Privacy Official who is responsible for its privacy policies and procedures. For a solo practitioner, this is typically the physician. The designation must be in writing.

Minimum necessary standard: When using or disclosing PHI, covered entities must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose. This applies to disclosures to insurers, referral summaries, and responses to information requests.

Right of access: Patients have the right to inspect and receive a copy of their records within 30 days of request (extendable to 60 days with written notice). OCR has brought more than 54 enforcement actions against covered entities that denied or delayed records access — several involving solo or small practices.

Patient authorization for disclosures: Most disclosures outside treatment, payment, and health care operations require written patient authorization. Disclosures to employers, family members, attorneys, and marketers without authorization are among the most common sources of patient complaints.


The Security Rule obligations for a solo practice

The Security Rule (45 CFR §§ 164.302–164.318) applies to ePHI — electronic PHI. For a solo practitioner, the primary ePHI locations are typically the EHR, email, billing system, and any portable devices.

Risk analysis (Required): The practice must conduct an accurate and thorough assessment of the potential risks to ePHI. For a solo practice, this means systematically reviewing every system that touches ePHI — the EHR, email platform, cloud backup, payment processor — identifying the risks to each, and documenting the assessment.

The risk analysis is the most commonly cited finding in OCR enforcement actions. Practices that cannot produce a current, written risk analysis are in an indefensible position regardless of how good their actual security is.

Security Official (Required): The solo practitioner or owner designates themselves. The written designation and a brief description of the role are sufficient.

Workforce training: Training records are required even in a one-person practice. Document what was reviewed, when, and by whom. A dated note in a binder is sufficient for a solo practitioner.

Business associate agreements (Required): Every vendor with access to ePHI requires a signed BAA. For a solo practice, this typically includes: the EHR vendor, the billing service (if external), the cloud backup service, the IT support provider, and the email platform (if it can access ePHI).

Sanction policy (Required): Even in a solo practice with no other staff, a written sanction policy is required. For a solo practitioner, this addresses what happens if the practitioner delegates work to temporary staff, students, or contractors who violate policies.


The Breach Notification Rule for a solo practice

Breach notification obligations apply fully to solo practices. If a breach of unsecured PHI occurs — a stolen laptop, a misdirected fax, a ransomware attack — the solo practitioner must:

  1. Conduct the four-factor risk assessment to determine if notification is required
  2. Notify affected individuals within 60 days if notification is required
  3. Report to HHS: for breaches affecting 500 or more, within 60 days; for breaches affecting fewer than 500, in the annual log submitted within 60 days after year-end
  4. Notify media for breaches of 500 or more in a state or jurisdiction

A solo practice whose one laptop, containing unencrypted patient records, is stolen from an unattended car has experienced a reportable breach of unsecured PHI. The notification obligations do not scale with practice size. The practical corollary is that full-disk encryption of every device holding ePHI, applied in a way that is consistent with HHS guidance on rendering PHI unusable, unreadable, or indecipherable to unauthorized persons, is the one control that can move a lost or stolen device out of the "unsecured PHI" category altogether.


Common shortcuts that create disproportionate liability

The verbal understanding: A solo practitioner assumes that an IT vendor who “already knows about HIPAA” does not need a formal BAA. The absence of a signed BAA is a violation regardless of the vendor’s awareness or intentions.

The one-time training: Training happened at the time the practice was established and was never repeated or documented. OCR expects training records demonstrating that workforce members — including the practitioner themselves — receive regular security awareness training.

The informal risk assessment: A mental note that “we don’t really have that many patients so we’re probably fine” is not a risk analysis under 45 CFR § 164.308(a)(1)(ii)(A). The requirement is for a written, documented assessment.

The assumption that the EHR handles it: EHR vendors handle some security controls, and most provide BAAs. But the covered entity’s Security Rule obligations extend to every system that touches ePHI — not only the EHR. Email, cloud backup, patient portals, and ancillary scheduling systems all require separate analysis.


A practical starting point

For a solo practitioner beginning HIPAA compliance work:

  1. Confirm covered-entity status using the CMS decision tool
  2. Designate yourself as both Privacy Official and Security Official in writing
  3. Inventory every system that touches ePHI: EHR, email, billing, backup, portable devices
  4. Execute BAAs with every vendor on that list
  5. Conduct and document the risk analysis
  6. Develop and document a risk management plan
  7. Draft a one-page Notice of Privacy Practices for patients
  8. Set a calendar reminder to update the risk analysis annually and after any major system change

The obligation is real. The implementation, for a one-person practice, is proportionately manageable — provided it is documented.


Sources: 45 CFR § 160.103 (covered entity definitions); 45 CFR § 164.306(b)(2) (reasonable and appropriate, scaling factors); 45 CFR § 164.308(a)(1)(ii)(A) (risk analysis); 45 CFR § 164.308(a)(2) (security official); 45 CFR § 164.524 (patient right of access); 45 CFR § 164.530(a) (privacy official); 45 CFR §§ 164.400–414 (Breach Notification Rule); HHS “Covered Entities and Business Associates,” hhs.gov/hipaa/for-professionals/covered-entities; CMS Covered Entity Decision Tool. Last verified May 20, 2026.