Compliance · 12 min read

HIPAA Compliance Checklist for Small Medical Practices: 2026 Requirements

A practical HIPAA compliance checklist for small medical practices, clinics, and physician offices. Covers all Privacy Rule, Security Rule, and Breach Notification requirements.

Smith Network Solutions

IT Services Expert

Running a small medical practice means wearing many hats—and HIPAA compliance officer is one of them. Whether you're a solo practitioner, small clinic, or physician group, you're held to the same HIPAA standards as large hospital systems. This comprehensive checklist will help you ensure your practice meets all current requirements and prepares for upcoming 2026 changes.

Administrative Safeguards Checklist

Security Management Process

  • Risk Analysis: Conduct and document a comprehensive risk analysis at least annually
  • Risk Management: Implement security measures to reduce identified risks to reasonable levels
  • Sanction Policy: Have a written policy for disciplining employees who violate HIPAA
  • Information System Activity Review: Regularly review system logs, access reports, and security incidents

Workforce Security

  • Authorization: Ensure only authorized personnel can access ePHI
  • Workforce Clearance: Implement background checks for employees with ePHI access
  • Termination Procedures: Have documented procedures for revoking access when employees leave

Information Access Management

  • Access Authorization: Document who has access to what ePHI and why
  • Access Modification: Have procedures for changing access when job roles change
  • Minimum Necessary: Limit access to the minimum ePHI needed for each job function

Security Awareness Training

  • Training Program: Provide HIPAA security training to all employees
  • Security Reminders: Send periodic security updates and reminders
  • Password Management: Train staff on creating and protecting strong passwords
  • Malware Protection: Train staff to recognize and report suspicious emails and links

Contingency Planning

  • Data Backup Plan: Maintain retrievable exact copies of ePHI
  • Disaster Recovery Plan: Document procedures to restore systems after an emergency
  • Emergency Mode Operation: Have procedures to continue critical operations during emergencies
  • Testing: Test backup and recovery procedures regularly (the new rule requires 72-hour recovery capability)

Physical Safeguards Checklist

Facility Access Controls

  • Contingency Operations: Procedures for facility access during emergencies
  • Facility Security Plan: Document physical security measures (locks, alarms, cameras)
  • Access Control: Control and validate access to areas with ePHI systems
  • Maintenance Records: Document repairs and modifications to security components

Workstation Use and Security

  • Workstation Policies: Document proper use of computers accessing ePHI
  • Screen Positioning: Position monitors away from public view
  • Automatic Logoff: Enable automatic screen lock after inactivity
  • Physical Access: Restrict physical access to workstations with ePHI

Device and Media Controls

  • Disposal: Secure procedures for disposing of devices containing ePHI
  • Media Re-use: Procedures to remove ePHI before re-using media
  • Accountability: Track all devices and media containing ePHI
  • Data Backup: Backup ePHI before moving equipment

Technical Safeguards Checklist

Access Controls

  • Unique User IDs: Every user has their own login credentials
  • Emergency Access: Procedures for accessing ePHI in emergencies
  • Automatic Logoff: Systems automatically log off after inactivity
  • Encryption: Encrypt ePHI at rest and in transit (becoming mandatory in 2026)

Audit Controls

  • Audit Logs: Implement systems that record access to ePHI
  • Log Review: Regularly review audit logs for unauthorized access
  • Log Retention: Retain logs for at least six years

Integrity Controls

  • Data Integrity: Implement measures to prevent improper ePHI alteration
  • Authentication: Verify that ePHI hasn't been altered or destroyed improperly

Transmission Security

  • Encryption: Encrypt ePHI when transmitting over networks
  • Integrity Controls: Ensure ePHI isn't modified during transmission

Authentication

  • Person Authentication: Verify the identity of anyone accessing ePHI
  • Multi-Factor Authentication: Implement MFA for all ePHI access (becoming mandatory in 2026)

Privacy Rule Checklist

Notice of Privacy Practices (NPP)

  • Current NPP: Maintain an up-to-date Notice of Privacy Practices
  • NPP Updates: Update NPP by February 16, 2026 to reflect recent rule changes
  • Distribution: Provide NPP to all patients and obtain acknowledgment
  • Posting: Post NPP in your facility and on your website

Patient Rights

  • Access: Patients can access and obtain copies of their records
  • Amendment: Patients can request amendments to their records
  • Accounting of Disclosures: Provide accounting of PHI disclosures upon request
  • Restrictions: Honor patient requests to restrict certain disclosures

Minimum Necessary Standard

  • Policies: Limit PHI use and disclosure to minimum necessary
  • Role-Based Access: Define access by job function
  • Requests: Request only minimum necessary PHI from others

Breach Notification Checklist

  • Breach Response Plan: Documented procedures for responding to breaches
  • Risk Assessment: Process to assess whether a breach requires notification
  • Individual Notification: Notify affected individuals within 60 days
  • HHS Notification: Report breaches affecting 500+ individuals within 60 days
  • Media Notification: Notify media for breaches affecting 500+ individuals in a state
  • Annual Reporting: Report smaller breaches to HHS annually
  • Documentation: Document all breaches and response actions

Business Associate Requirements

  • Identify BAs: List all vendors with access to PHI
  • BAA in Place: Have signed Business Associate Agreements with all BAs
  • Annual Verification: Verify BA compliance annually (new requirement)
  • Due Diligence: Assess BA security practices before engagement

Documentation Requirements

  • Policies and Procedures: All HIPAA policies in writing
  • Training Records: Document all employee training
  • Risk Assessments: Retain risk analysis documentation
  • Incident Reports: Document all security incidents
  • Retention: Keep all documentation for six years

Get Help with HIPAA Compliance

This checklist covers the major HIPAA requirements, but compliance is an ongoing process, not a one-time project. Smith Network Solutions helps small medical practices throughout Atlanta implement and maintain HIPAA compliance with practical IT solutions designed for healthcare.

Contact us today for a free HIPAA compliance assessment.

Topics

#HIPAA #healthcare #medical practice #compliance checklist #small practice #physician office
