HIPAA for solo practitioners: the parts you actually need to understand
HIPAA is a big, scary-sounding law. For a one-person therapy practice, a solo chiropractor, or a small clinic, the parts that actually matter are a manageable set. This article walks through those parts in plain English.
HIPAA is a sprawling body of US federal regulations covering how healthcare-related personal information is handled. The full text is intimidating, and most of the available guidance is written for large hospital systems. If you are a solo clinician or a very small practice, that guidance is overkill in some places and under-specified in others.
This article is a translation — the working parts of HIPAA most relevant to a solo practitioner, stated plainly. It is not legal advice. It will not make you HIPAA-compliant on its own. But it will give you a mental model that makes the more detailed guidance comprehensible.
Is HIPAA actually your problem?
HIPAA covers Covered Entities and Business Associates.
- Covered Entity (CE): healthcare providers that transmit health information electronically (for billing, for example, which almost all modern practices do), health plans, and healthcare clearinghouses. If you bill insurance electronically, you are almost certainly a CE.
- Business Associate (BA): a person or company that handles protected health information on behalf of a CE. Your cloud storage provider, your practice-management software, your email provider (if you email PHI) — all potentially BAs.
If you’re a solo clinician accepting insurance, you’re a CE. If you’re a cash-only therapist who never bills insurance and never transmits electronic transactions, the HIPAA picture is different — but if you’re on a practice-management platform that supports insurance, you’re probably still within scope.
The three rules that matter
HIPAA has many parts, but for operational purposes you care about three:
- Privacy Rule — what PHI is, what you can do with it, what patients are entitled to.
- Security Rule — specifically how you protect electronic PHI (ePHI).
- Breach Notification Rule — what you do if ePHI is exposed.
The Privacy Rule, in one paragraph
PHI is any health information that can be tied to a specific person — name, date of birth, diagnosis, treatment notes, billing information, appointment dates, anything. You can use and disclose PHI for treatment, payment, and operations (TPO) without patient authorization. For other uses — research, marketing, non-TPO disclosure to third parties — you need written authorization. Patients have rights to access their records, to request amendments, and to know who has had their records disclosed (with some exceptions).
The Security Rule, practically
The Security Rule is the part most relevant to this site. It organizes controls into three families, each with “required” and “addressable” implementation specifications. “Addressable” does not mean “optional”; it means “you must document why you did (or did not) implement this specific control”.
The required and addressable controls that affect a solo practitioner’s technical setup include:
Administrative safeguards
- Security management process — a documented risk analysis and risk management plan. At the solo-practice scale, this can be a written document of a few pages.
- Workforce security — even for a solo practice, documented policies about who (including yourself) has access to what.
- Information access management — a basis for granting access to ePHI.
- Security awareness and training — documented training for anyone with access. Yes, this includes you.
- Contingency plan — a data backup plan and a disaster recovery plan.
- Business associate contracts — written Business Associate Agreements (BAA) with every BA that touches PHI.
Physical safeguards
- Facility access controls — lock the office; limit access to paper records.
- Workstation use / security — policies about where and how devices are used; screen privacy; locked when unattended.
- Device and media controls — how you dispose of drives and paper records (this is where retiring old devices becomes a HIPAA issue).
Technical safeguards
- Access control — unique user identification, automatic logoff, encryption where reasonable.
- Audit controls — logs of who accessed what.
- Integrity — controls to prevent unauthorized modification.
- Person or entity authentication — verifying the identity of anyone accessing ePHI.
- Transmission security — integrity and encryption for transmitted ePHI.
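The audit-control safeguard above says you must keep records of who accessed ePHI and actually look at them, but it says nothing about format. The script below is an added example, not code from this article or from any practice-management vendor: it assumes a hypothetical CSV export with the columns timestamp,user,patient_id,action, checks each entry against a documented access roster (the "information access management" decision) and against your working hours, and also reports how many days the export covers so you can tell whether logging is on and retained. The log lines are constructed sample data.

```python
"""Added example: review a practice-management access log against a documented roster."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample export in a hypothetical CSV format (not a real vendor's).
SAMPLE_LOG = """timestamp,user,patient_id,action
2024-03-04T09:12:00,dr.lee,P-1001,view_note
2024-03-04T09:40:00,dr.lee,P-1002,edit_note
2024-03-04T23:55:00,dr.lee,P-1003,view_note
2024-03-05T10:05:00,billing-temp,P-1001,view_billing
2024-03-05T10:06:00,billing-temp,P-1001,export_records
2024-03-06T11:00:00,dr.lee,P-1001,view_note
"""

# The written access roster: each user and the actions they have been granted.
# For a solo practice this may be one line; it still has to exist in writing.
ACCESS_ROSTER = {
    "dr.lee": {"view_note", "edit_note", "view_billing"},
}
# Documented working hours; access outside them is not forbidden, just reviewed.
WORK_HOURS = (time(7, 0), time(20, 0))


@dataclass(frozen=True)
class Finding:
    line: int        # line number in the export, so the entry can be located
    user: str
    patient_id: str
    reason: str


def parse_log(text):
    """Parse the export; timestamps become datetimes, line numbers are kept."""
    rows = []
    for n, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        row["line"] = n
        rows.append(row)
    return rows


def review(rows, roster=ACCESS_ROSTER, hours=WORK_HOURS):
    """Return one Finding per entry that needs a human look."""
    findings = []
    for r in rows:
        allowed = roster.get(r["user"])
        if allowed is None:
            findings.append(Finding(r["line"], r["user"], r["patient_id"],
                                    "user not on access roster"))
            continue
        if r["action"] not in allowed:
            findings.append(Finding(r["line"], r["user"], r["patient_id"],
                                    f"action {r['action']} not granted to user"))
        t = r["timestamp"].time()
        if not (hours[0] <= t <= hours[1]):
            findings.append(Finding(r["line"], r["user"], r["patient_id"],
                                    "access outside documented working hours"))
    return findings


def coverage_days(rows):
    """Days spanned by the export; a gap or a tiny span suggests logging is off or purged."""
    stamps = [r["timestamp"] for r in rows]
    return (max(stamps) - min(stamps)).days


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print(f"export covers {coverage_days(rows)} day(s), {len(rows)} entries")
    for f in review(rows):
        print(f"line {f.line}: {f.user} on {f.patient_id}: {f.reason}")
```

Run against the constructed log it reports three entries: one late-night access by the clinician, and two by a user who is not on the roster at all. The point of the roster dictionary is that the review compares the log to something you wrote down in advance, which is exactly the documentation an auditor asks for.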
The Breach Notification Rule
If unsecured PHI is exposed, you have to notify:
- The affected individuals, without unreasonable delay and within 60 days of discovery.
- HHS, either immediately (for breaches affecting 500+ people) or annually (for smaller breaches).
- Prominent media outlets, for breaches in a state/jurisdiction affecting 500+ residents of that jurisdiction.
“Secured” (so a disclosure is not reportable) generally means “encrypted per HHS guidance” or otherwise destroyed. This is why encryption of ePHI is so consistently recommended — it changes the math on breach notification.
The practical checklist
For a solo practice, a workable setup:
- Get BAAs in writing with every vendor that handles PHI — your EHR, your practice-management software, your cloud storage, your email provider (if email contains PHI), your backup service. Most major vendors have standard BAAs available; you may need to email their compliance team. A vendor that won’t sign a BAA cannot be used for PHI.
- Turn on encryption everywhere ePHI lives: full-disk encryption on laptops, phones, and external drives; encrypted backups; encrypted transmission.
- Use unique credentials for every user (including yourself); a password manager; phishing-resistant MFA on anything touching ePHI.
- Separate home and work devices where possible, or at least use separate user accounts.
- Document a basic risk analysis, a security policy, a contingency plan, and a training record for yourself. At the solo-practice scale, these are short documents — but they must exist in writing.
- Log access. Most practice-management systems do this automatically; make sure logging is on and retained.
- Dispose of drives and paper securely. Use cryptographic erasure for digital media; cross-cut shred for paper.
- Practice restores. Your contingency plan needs to work. A quarterly test-restore is the minimum.
- Stay up to date. HHS publishes guidance regularly; NIST SP 800-66 Rev. 2 is the most practice-friendly interpretation.
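The "practice restores" item is the one most often skipped, because a backup that has never been restored is only a hope. The script below is an added example and not the article's or any backup vendor's code: it builds a constructed sample data directory in a temporary folder, archives it with a SHA-256 manifest taken at backup time, restores the archive somewhere else, verifies every file against the manifest, and appends a dated JSON record you can keep with the contingency-plan paperwork. It also shows what a failed test looks like by tampering with one restored file. With a real backup service you would replace the archive with the service's own restore output; everything else stays the same.

```python
"""Added example: a scripted test-restore with integrity verification and a dated record."""
import hashlib
import json
import tarfile
import tempfile
from datetime import date
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(source: Path, archive: Path) -> dict:
    """Archive a directory; return {relative_path: sha256} recorded at backup time."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                rel = p.relative_to(source).as_posix()
                manifest[rel] = sha256_of(p)
                tar.add(p, arcname=rel)
    return manifest


def restore(archive: Path, restore_dir: Path) -> None:
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        # Use the safe extraction filter where this Python provides it.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(restore_dir, **kwargs)


def verify(manifest: dict, restore_dir: Path) -> dict:
    """Compare the restored tree against the backup-time manifest."""
    mismatched, missing, verified = [], [], 0
    for rel, expected in manifest.items():
        target = restore_dir / rel
        if not target.is_file():
            missing.append(rel)
        elif sha256_of(target) != expected:
            mismatched.append(rel)
        else:
            verified += 1
    return {
        "date": date.today().isoformat(),
        "verified": verified,
        "mismatched": mismatched,
        "missing": missing,
        "passed": not mismatched and not missing,
    }


def record(report: dict, log_path: Path) -> None:
    """Append the result as one JSON line: this is the evidence for the contingency plan."""
    with log_path.open("a") as f:
        f.write(json.dumps(report) + "\n")


def run_demo() -> tuple:
    """Build a constructed sample backup, then run one clean and one tampered restore test."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "practice-data"          # constructed stand-in for real practice data
        (source / "notes").mkdir(parents=True)
        (source / "notes" / "2024-03-04.txt").write_text("constructed sample note\n")
        (source / "schedule.csv").write_text("date,patient\n2024-03-04,P-1001\n")
        archive = tmp / "backup.tar.gz"
        manifest = make_backup(source, archive)

        restore(archive, tmp / "restore-1")
        good = verify(manifest, tmp / "restore-1")

        restore(archive, tmp / "restore-2")
        (tmp / "restore-2" / "schedule.csv").write_text("corrupted\n")  # simulate a bad restore
        bad = verify(manifest, tmp / "restore-2")

        record(good, tmp / "restore-tests.jsonl")
        record(bad, tmp / "restore-tests.jsonl")
        return good, bad


if __name__ == "__main__":
    good, bad = run_demo()
    print("clean restore:", good)
    print("tampered restore:", bad)
```

The manifest is what turns "the restore finished" into "the restore is correct"; without it a silently corrupted backup passes every test. Keep the JSON record lines outside the backup set they describe, so the evidence survives the failure it is meant to document.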
The BAA question, in more depth
The BAA is one of the most frequently misunderstood parts of HIPAA. In short:
- A BAA is a legal contract in which the business associate agrees to protect PHI in the same way the covered entity would, with specific liabilities for breaches.
- Major cloud providers (Google Workspace, Microsoft 365, AWS, Zoom) offer BAAs — but often only on specific, more expensive plans. The consumer free tier of Google Drive does not include a BAA; Google Workspace Business Standard (paid) does.
- A BAA often restricts you to specific services within the provider’s portfolio. Google’s BAA doesn’t cover YouTube, for example. Read the scope.
- Without a BAA, using a vendor for PHI is itself a HIPAA violation — regardless of how secure the vendor is.
What this article does not cover
- State-specific requirements. Many US states have additional health-information privacy laws stricter than HIPAA. California (CMIA, CCPA), New York (SHIELD Act), Texas (Medical Records Privacy Act), and others add obligations.
- The mechanics of Notice of Privacy Practices and patient authorization forms.
- 42 CFR Part 2, which applies additionally to substance-use disorder treatment records.
- International patients / cross-border data issues.
Those parts are where a healthcare attorney or an experienced compliance consultant is genuinely worth the money. The technical hygiene — encryption, access control, backups, BAAs with every vendor — you can and should handle yourself before you even pick up the phone to a consultant. It’s the foundation everything else sits on.