“We’re too small for anyone to come after us.”
If you’ve ever said this — or even thought it — you’re not alone. It’s the most common assumption in small practice healthcare, and it’s dangerously wrong.
The Office for Civil Rights (OCR), the HHS agency that enforces HIPAA, doesn’t have a minimum practice size. A solo therapist with 200 patients has the same HIPAA obligations as a hospital system with 200,000. And OCR has proven, repeatedly, that it will enforce against practices of any size.
The Myth: “OCR Only Goes After Big Fish”
This belief persists because the headline-grabbing settlements involve large health systems and insurers: $16 million against Anthem, $5.55 million against Advocate Health Care, $6.85 million against Premera Blue Cross.
But those settlements represent one end of the enforcement spectrum. On the other end, OCR has taken action against:
- A small dermatology practice — $150,000 settlement for failure to conduct a risk analysis and implement security measures
- A small clinic with fewer than 30 employees — $125,000 for a breach affecting just 831 patients, with most of the penalty stemming from having no risk assessment, no policies, and no training documentation
- A dental practice — $10,000 penalty for failure to provide a patient with access to their records within 30 days (a Right of Access violation, not even a breach)
- Individual providers across the country through the Right of Access Initiative, with penalties ranging from $3,500 to $240,000
The Right of Access Initiative alone has produced over 45 enforcement actions since 2019, and many of them targeted solo practitioners and small group practices.
Why Small Practices Are Actually at Higher Risk
Here’s the uncomfortable truth: small practices aren’t just equally at risk — they may be at greater risk for enforcement, for three reasons.
1. You’re More Likely to Have Gaps
Large health systems have compliance departments, legal teams, and dedicated security staff. Small practices have… the office manager. Maybe.
When compliance is nobody’s full-time job, things get missed. The risk assessment never gets done. Policies never get written. Training happens informally (“I told Sarah about HIPAA when she started”) but there’s no documentation. The IT provider handles “security” but nobody can explain what that covers.
These aren’t hypothetical gaps. They’re the exact findings OCR cites in enforcement actions against small practices.
2. Patient Complaints Don’t Scale by Practice Size
Most OCR investigations begin with a complaint. A patient whose records request was denied. An employee who witnessed a privacy violation. A former staff member with a grudge.
Small practices don’t get fewer complaints because they’re small. In fact, the personal nature of small practice relationships can make complaints more likely — a patient who feels wronged by their family doctor is more motivated to act than one who has an issue with a faceless hospital system.
3. You Can’t Absorb the Financial Impact
A $100,000 settlement might be a rounding error for a hospital system. For a three-person physical therapy practice, it’s existential.
And the settlement is only the beginning. The real cost is the corrective action plan, typically one to three years during which you’re under OCR’s microscope, plus legal fees, consultant costs, higher insurance premiums, lost patients, and operational disruption. Small practices have reported total costs of $200,000–$500,000+ once everything is counted.
“But I’ve Never Had a Breach”
Two problems with this logic.
First: HIPAA compliance isn’t just about preventing breaches. It’s a set of ongoing administrative, physical, and technical requirements you must maintain whether or not a breach ever occurs. OCR can, and does, penalize practices for compliance failures when no breach has happened, and complaint-driven investigations often turn up violations that have nothing to do with the original complaint.
Second: You may have had breaches you don’t know about. A staff member accessing records they shouldn’t. An unencrypted laptop left in a car. A fax sent to the wrong number. A former employee whose system access was never terminated. If you don’t have audit logging and regular access reviews, you have no way to know.
What HIPAA Actually Requires of Small Practices
HIPAA’s requirements are “scalable” — the Security Rule explicitly says that covered entities should consider their size, complexity, and capabilities when implementing safeguards. But “scalable” doesn’t mean “optional.” It means you can implement simpler solutions, not that you can skip requirements entirely.
Here’s what every practice, regardless of size, must have:
The Non-Negotiables
- Security Risk Assessment (SRA) — A documented analysis of risks to the confidentiality, integrity, and availability of ePHI (the Security Rule calls it a risk analysis). HIPAA doesn’t fix an interval, but an annual review, plus a fresh one after any significant change such as a new EHR or a move to cloud hosting, is the standard expectation. This is the single most commonly cited deficiency in enforcement actions.
- Written Policies and Procedures — Covering access controls, workstation security, device management, breach notification, sanctions, and more. These must be specific to your practice, not a generic template you downloaded and never read.
- Workforce Training — All employees who handle PHI must receive HIPAA training, and you must document it. Annual refresher training is the standard. New hires should be trained before they access PHI.
- Business Associate Agreements — Signed BAAs with every vendor that creates, receives, maintains, or transmits PHI on your behalf. This includes your EHR vendor, billing company, IT provider, cloud storage, email service, shredding company, and any other vendor with access to patient data.
- Breach Notification Procedures — A documented plan for identifying, investigating, and reporting breaches. Affected individuals must be notified without unreasonable delay and no later than 60 days after discovery. Breaches affecting 500 or more individuals must also be reported to OCR within that same window and, when 500 or more residents of a state or jurisdiction are affected, to prominent local media. Smaller breaches still have to be logged and reported to OCR within 60 days after the end of the calendar year in which they were discovered.
- Access Controls — Unique user IDs for every system user (no shared logins), role-based access, automatic logoff, and a process for terminating access the day an employee leaves.
The “We’ll Get to It Later” Items That OCR Actually Checks
- Audit controls — Can you show who accessed what records and when?
- Encryption — Is ePHI encrypted at rest on every device that holds it, including laptops, phones, and USB drives? Encryption is an “addressable” specification, which means you must implement it or document why an equivalent alternative is reasonable for your practice, not that you may skip it. It also matters after a loss: a lost laptop whose drive was encrypted in line with HHS guidance is not a reportable breach of unsecured PHI, while an unencrypted one is.
- Contingency plan — What happens to patient data if your systems go down?
- Physical safeguards — Are screens positioned away from public view? Is your server in a locked area?
- Device inventory — Do you know every device that stores or can access ePHI?
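The gaps this article keeps returning to (an ex-employee whose access was never removed, a shared front-desk login, an audit trail nobody reads) are exactly what a quarterly access review is meant to surface. The script below is an added example, not code from the original article or from ComplyMD. It reconciles an HR roster against a user export from an EHR and then checks the EHR audit log for activity after a termination date. The roster, user export, audit log lines, usernames, column layout, and the 90-day dormancy threshold are all constructed for illustration; map them onto whatever your own EHR and HR system actually export.

```python
"""Quarterly user-access review for a small practice (added example).

Reconciles an HR roster against an EHR user export and audit log to find:
  * enabled accounts for people who no longer work here
  * accounts with no matching person (shared or orphaned logins)
  * EHR roles that drift from the HR role
  * dormant accounts that should be disabled or justified
  * chart activity after an employee's termination date
All data below is constructed sample data; field names are assumptions.
"""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed HR roster keyed by username; terminated=None means still employed.
HR_ROSTER = {
    "j.alvarez": {"name": "J. Alvarez", "role": "physician", "terminated": None},
    "s.nguyen": {"name": "S. Nguyen", "role": "front desk", "terminated": date(2024, 3, 15)},
    "m.okafor": {"name": "M. Okafor", "role": "biller", "terminated": None},
}

# Constructed EHR user export: username, assigned role, enabled flag, last login.
EHR_USERS = [
    {"user": "j.alvarez", "role": "physician", "enabled": True, "last_login": "2024-06-02T08:14:00"},
    {"user": "s.nguyen", "role": "front desk", "enabled": True, "last_login": "2024-04-01T19:45:00"},
    {"user": "m.okafor", "role": "biller", "enabled": True, "last_login": "2024-01-10T09:00:00"},
    {"user": "frontdesk", "role": "front desk", "enabled": True, "last_login": "2024-06-03T07:58:00"},
]

# Constructed audit log lines in an assumed pipe-delimited format:
# timestamp|user|action|patient_id
AUDIT_LOG = """\
2024-03-14T16:02:11|s.nguyen|VIEW_CHART|P-1001
2024-04-01T19:45:07|s.nguyen|VIEW_CHART|P-1042
2024-04-01T19:47:30|s.nguyen|EXPORT_PDF|P-1042
2024-06-02T08:14:55|j.alvarez|VIEW_CHART|P-1007
2024-06-03T07:58:10|frontdesk|VIEW_CHART|P-1010
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # critical, high, medium, low
    user: str
    detail: str


def parse_audit_log(text):
    """Parse the assumed pipe-delimited audit format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "patient": patient})
    return events


def review_access(roster, users, events, as_of, dormant_days=90):
    """Return the list of findings for one review cycle ending on `as_of`."""
    findings = []
    terminated = {u: r["terminated"] for u, r in roster.items() if r["terminated"]}

    for acct in users:
        u = acct["user"]
        if u not in roster:
            # No person behind the login: either a shared account or one HR never knew about.
            findings.append(Finding("high", u, "no matching person in HR roster (shared or orphaned login)"))
            continue
        person = roster[u]
        if person["terminated"] and acct["enabled"]:
            findings.append(Finding("high", u, f"still enabled; employment ended {person['terminated'].isoformat()}"))
        if acct["role"] != person["role"]:
            findings.append(Finding("medium", u, f"EHR role {acct['role']!r} differs from HR role {person['role']!r}"))
        idle = (as_of - datetime.fromisoformat(acct["last_login"]).date()).days
        if acct["enabled"] and not person["terminated"] and idle > dormant_days:
            findings.append(Finding("low", u, f"no login for {idle} days; disable or document why it stays open"))

    # Any chart access dated after the termination date is a potential breach to investigate.
    for ev in events:
        term = terminated.get(ev["user"])
        if term and ev["ts"].date() > term:
            findings.append(Finding("critical", ev["user"],
                                    f"{ev['action']} on {ev['patient']} at {ev['ts'].isoformat()} "
                                    f"after termination on {term.isoformat()}"))
    return findings


def run_review(as_of=date(2024, 6, 30)):
    """Run the review over the constructed sample data, most severe findings first."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings = review_access(HR_ROSTER, EHR_USERS, parse_audit_log(AUDIT_LOG), as_of)
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in run_review():
        print(f"[{f.severity.upper():8}] {f.user}: {f.detail}")
```

Run on the sample data, the review reports two critical findings (the terminated front-desk employee viewed and exported a chart two weeks after leaving), two high findings (that employee's account is still enabled, and the shared "frontdesk" login has no person behind it), and one low finding for a biller account idle for 172 days. The printed report, dated and signed off, is the kind of access-review evidence OCR asks for; the critical findings are also the trigger for your breach-assessment procedure, because a former employee reading charts is an impermissible disclosure until you can show otherwise.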
The Solo Provider Question
“I’m a solo practitioner. I work alone. Do I really need all of this?”
Yes. A health care provider becomes a HIPAA covered entity by transmitting health information electronically in connection with a standard transaction, such as submitting claims or checking eligibility through a clearinghouse or payer portal, and nearly every practice that bills insurance does. Once you are covered, every piece of ePHI you create, receive, maintain, or transmit falls under the Security Rule, whether it lives in an EHR, a billing system, or your email.
The scale of your compliance program can be simpler. A solo provider’s risk assessment will be shorter than a hospital’s. Your policies can be simpler. But they must exist, they must be documented, and they must be current.
The solo providers who get in trouble aren’t the ones with imperfect compliance programs. They’re the ones with no compliance program at all.
What “Good Enough” Compliance Looks Like for a Small Practice
You don’t need a six-figure compliance budget. You don’t need a full-time compliance officer. You don’t need a 500-page policy manual. Here’s what a defensible compliance program looks like for a small practice:
- A current, thorough SRA that identifies your specific risks and rates them by likelihood and impact
- Policies that match your actual operations — short, clear, and specific to how your practice works
- Annual training with documentation — even if it’s a 30-minute session, document it with dates, topics, and signatures
- BAAs with all vendors — create a vendor inventory and verify every one has a signed agreement
- Basic technical safeguards — encryption, unique logins, automatic logoff, regular backups
- A simple incident response plan — who to call, what to document, when to report
- Regular review — look at your compliance program at least annually and update it when things change
That’s it. Not easy, but not impossible. The practices that get in trouble aren’t the ones with a few gaps in an otherwise genuine program — they’re the ones that never started.
The good faith factor: OCR considers whether a practice made a genuine effort to comply. A practice with a documented compliance program that has some gaps is in a fundamentally different position than a practice with no program at all. “We tried and missed some things” is a defensible position. “We didn’t think it applied to us” is not.
The Cost of Doing Nothing
Let’s do some quick math.
A basic compliance program for a small practice (using a SaaS tool): $1,200–$5,000/year.
The average cost of a HIPAA enforcement action against a small practice: $50,000–$200,000+ in settlements, legal fees, and corrective action costs.
The cost of a single preventable breach (notification, forensics, legal, reputation): $100,000–$500,000+.
You’re not choosing between spending money and not spending money. You’re choosing between spending a little now and potentially spending a lot later. The practices that invest in compliance before they need it are the ones that survive.
Stop Hoping You Won’t Get Noticed
Hope is not a compliance strategy. The practices that avoid enforcement actions aren’t the ones that fly under the radar — they’re the ones that build real compliance programs, even simple ones, and maintain them.
If your current compliance strategy is “we’re too small for anyone to care,” replace it with something that will actually hold up when tested.
Built for practices your size
ComplyMD was designed specifically for small and mid-sized healthcare practices — not enterprise hospital systems. The guided assessment, automated policies, and built-in training tracking give you a complete compliance program without needing a compliance officer on staff.
See where you stand today: 93-Point HIPAA Compliance Checklist →