HIPAA Compliance for Small Medical & Dental Practices (Without an IT Team)
What small medical and dental practices need for HIPAA compliance without an IT team: the required Security Risk Analysis, BAAs, MFA, and ransomware defense.
A twelve-person dental office and a thousand-bed hospital are held to the same HIPAA Security Rule. The hospital has a compliance department, a CISO, and an IT team. The dental office has a practice manager, an outsourced computer-repair guy, and a dentist who hasn't thought about a "risk analysis" since the software was installed.
That gap is exactly why small practices are now the ones showing up in breach reports. This guide covers what HIPAA actually requires of a small medical or dental practice, the one document regulators ask for first, and how to run a real compliance program when you have no IT department.
The short answer
If your practice creates, receives, or stores protected health information (PHI) electronically — and every practice with a computer does — you're a covered entity under HIPAA. That obligates you to the HIPAA Security Rule, whose very first requirement is a documented Security Risk Analysis (SRA). Most small-practice enforcement actions and Medicare clawbacks trace back to a missing, stale, or box-checking SRA.
The rest of compliance is a manageable set of controls — MFA, encryption, backups, vendor agreements, training. The hard part isn't knowing what to do; it's owning and maintaining the program year-round without an IT team.
Why small practices are targeted
Healthcare has the highest average data-breach cost of any industry — well into eight figures for large organizations — and attackers have learned that small practices hold the same valuable data with a fraction of the defenses:
- Ransomware that stops care. Encrypt a practice's server and you don't just steal data — you halt scheduling, charting, and billing. Practices under that pressure pay.
- PHI is durable and valuable. A medical record can't be cancelled like a credit card. It contains identity, insurance, and payment data in one place.
- Phishing and email fraud. Front-desk staff process a high volume of outside email — insurance, referrals, patients — which makes a practice an easy phishing and business-email-compromise target.
None of these require a sophisticated attacker. They require an unpatched server, a reused password, or one staff member clicking a convincing invoice. Small practices are exposed on exactly those fronts.
What HIPAA actually requires
The Security Risk Analysis (start here)
The HIPAA Security Rule requires every covered entity to conduct an accurate, thorough risk analysis of the potential risks to electronic PHI — and to do it on an ongoing basis, not once. It is the single most-cited failing in HHS Office for Civil Rights (OCR) settlements with small providers.
An SRA is not an antivirus scan or a vendor's checklist. It's a documented assessment of where ePHI lives (server, laptops, practice-management software, email, cloud backups, personal phones), how it could be exposed, and what you're doing about each risk. HHS even publishes a free SRA Tool — though most small practices need help turning its output into an actual remediation plan.
If a Medicare incentive program (MIPS Promoting Interoperability) applies to your practice, you attest each year that you completed an SRA. Attesting without a real one is how a routine audit turns into a repayment demand.
The safeguards
Beyond the risk analysis, the Security Rule requires administrative, physical, and technical safeguards. For a small practice, the ones that matter most in practice:
| Safeguard | What it looks like in a small practice |
|---|---|
| Access controls | Unique logins per staff member; no shared "front desk" account; access removed at termination |
| Multi-factor authentication | On email, remote access, and any cloud-based practice software |
| Encryption | Full-disk encryption on every laptop and device that touches PHI; encrypted backups |
| Audit controls | Logging of who accessed which records |
| Backup & disaster recovery | Tested backups that survive ransomware, so you can restore in hours |
| Workforce training | Regular security-awareness training, documented |
| Physical safeguards | Screens not visible to patients; devices and media secured |
Business Associate Agreements (the quiet gap)
If a vendor touches your PHI — cloud hosting, off-site backup, email, IT support, billing, some practice-management platforms — HIPAA requires a signed Business Associate Agreement (BAA) with them. Many small practices have none, or have them with only one or two vendors. In a breach investigation, missing BAAs are low-hanging evidence of non-compliance.
Breach notification
Under the Breach Notification Rule, a breach of unsecured PHI must be reported to affected individuals and to HHS. Breaches affecting 500 or more people must be reported within 60 days and are published on the public OCR breach portal — the so-called "Wall of Shame." Encryption is your best protection here: properly encrypted data that's lost or stolen may not count as a reportable breach at all.
The good news: it's one program, maintained
The controls above aren't twelve separate projects. They're one security program:
- Do the SRA — know where PHI is and where you're exposed.
- Fix the access basics — unique logins, MFA, prompt offboarding.
- Encrypt everything — laptops, backups, devices.
- Harden email — filtering, DMARC and phishing defense so no one can spoof the practice or trick the front desk.
- Make backups ransomware-proof — tested, isolated, quick to restore.
- Collect your BAAs — one signed agreement per vendor that touches PHI.
- Train staff and write it down — annual training and the policies HIPAA expects.
- Keep it current — the SRA and controls get reviewed as the practice changes.
Build it once, keep it running, and you satisfy HIPAA's requirements and can attest to MIPS honestly.
The "no IT team" problem
Here's where small practices get stuck. Every item above needs someone who understands both HIPAA and modern security tooling, is available all year, and actually maintains the program instead of filing an SRA in a drawer. A dentist or physician-owner does not have time to be that person, and a solo practice can't justify a full-time IT security hire.
| Approach | Reality for a small practice |
|---|---|
| Break-fix IT vendor | Fixes broken computers; rarely owns HIPAA compliance or the SRA |
| DIY with the HHS tool | Free, but you still have to interpret findings and implement fixes |
| Hire internally | $120K+ and hard to recruit; overkill for a small practice |
| Managed provider | A team runs the SRA, the controls, and the documentation year-round — HIPAA coverage without headcount |
That last row is the model PlatOps was built for: security and compliance for organizations without an internal IT team — an entire ops team, without the headcount, for 50–70% less than hiring one in-house.
Where to start
For a practice, the right first step isn't a big retainer — it's a HIPAA Security Risk Analysis that tells you exactly where you stand. It's the document HIPAA requires first, it's what an OCR investigator or MIPS auditor asks for, and its findings become the roadmap for everything else.
The fastest way to get one is a fixed-scope engagement: our HIPAA Risk Analysis Sprint delivers a real SRA, closes the fast-win controls (MFA, encryption, policies), and hands you an OCR- and MIPS-ready roadmap in 30 days for a fixed $5,000 — no open-ended retainer. If you'd rather start smaller, a free assessment maps your practice's PHI and gaps against the HIPAA Security Rule at no cost, or book a strategy call to talk through your specific risk — from ransomware exposure to missing BAAs — first.
A practical first-90-days checklist
Even before a formal engagement, these close the gaps behind most small-practice breaches:
- Confirm you have a current, documented Security Risk Analysis — not one from five years ago.
- Turn on MFA for email, remote access, and cloud practice software.
- Verify backups exist and have been test-restored, and that at least one copy is isolated from ransomware.
- Encrypt every laptop and device that touches PHI.
- Collect a signed BAA from every vendor handling PHI.
- Run one security-awareness session with front-office staff on phishing and wire fraud.
What to do next
Small practices don't get breached because HIPAA is impossible. They get breached because no one owns the program, the risk analysis never gets done or updated, and "we're too small for anyone to bother with" holds right up until the ransomware note appears.
You have a clear legal obligation, a valuable data set, and no internal team to carry it. Start with the one thing HIPAA asks for first and everything else follows from.
Start with the HIPAA Risk Analysis Sprint to get your required SRA done right in 30 days — or get a free assessment if you'd rather begin with a no-cost gap check, or book a strategy call before your next audit or attestation. For the wider picture on running a practice without in-house IT, see our guide to IT and security for businesses without an IT team and our healthcare practice.
Put this into practice
Get a free assessment of your current security and infrastructure posture, or check your email security in 30 seconds.
Related Articles
HIPAA Compliance Checklist for SaaS Companies
Does your SaaS product touch protected health information? This checklist covers BAAs, technical safeguards, cloud provider requirements, and what violations actually cost.
AWS vs GCP vs Azure: Which is Best for HIPAA?
Comparing AWS, GCP, and Azure for HIPAA compliance: BAA availability, eligible services, real costs, and which cloud platform fits your company size.
Cybersecurity & Compliance for Accounting Firms: WISP, FTC Safeguards & SOC 2
IT security and compliance for accounting firms without an IT team: the FTC Safeguards Rule, the IRS WISP requirement, and SOC 2, explained plainly.
Get articles like this in your inbox
Practical security, infrastructure, and DevOps insights for teams in regulated industries. Published weekly.