
HIPAA Security Rule Requirements for Small Medical Practices in 2026

The HIPAA Security Rule does not have a small-practice exemption. It has a scalability clause — which is not the same thing. OCR has made that distinction painfully clear through enforcement actions against practices with as few as one or two providers.

The Security Rule applies to every covered entity

The HIPAA Security Rule (45 CFR Part 164, Subpart C) requires every covered entity (hospitals, health plans, healthcare clearinghouses, and every healthcare provider who transmits health information electronically in connection with a covered transaction), and since the HITECH Act every business associate that creates, receives, maintains, or transmits ePHI on a covered entity's behalf, to implement safeguards protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI).

Section 164.306(b) includes a "flexibility of approach" provision that allows covered entities to consider their size, complexity, capabilities, technical infrastructure, and cost when deciding how to implement safeguards. HHS included this so a two-physician dermatology practice is not held to the same implementation standard as a 500-bed hospital system.

But "reasonable and appropriate" does not mean "optional." OCR has been explicit: every covered entity must address every standard. The flexibility is in how you implement, not whether you implement.

The three categories of safeguards

The Security Rule organizes requirements into three categories. All three apply to small practices.

Administrative safeguards (45 CFR § 164.308)

These are the policies, procedures, and personnel requirements that govern how your practice manages ePHI security. There are 9 standards with 21 implementation specifications. The 9 standards are:

  1. Security Management Process. Conduct a risk analysis, implement a risk management plan, apply sanctions for violations, and review information system activity (logs, access reports, incident tracking). The risk analysis specification alone is cited in the majority of recent OCR enforcement actions.
  2. Assigned Security Responsibility. Designate one person as your Security Officer. In a small practice, this is often the practice owner or office manager. It does not have to be a dedicated role, but it must be a named individual.
  3. Workforce Security. Ensure that employees have appropriate access to ePHI based on their role, that they are vetted before access is granted, and that access is terminated when they leave.
  4. Information Access Management. Implement policies for authorizing, establishing, and modifying access to ePHI, particularly for systems like your EHR and patient portal.
  5. Security Awareness and Training. Train all workforce members on security policies. This includes periodic security reminders and training on malicious software, login monitoring, and password management. Training must be periodic, not one-time.
  6. Security Incident Procedures. Have a process for identifying, responding to, mitigating, and documenting security incidents and their outcomes.
  7. Contingency Plan. Establish a data backup plan, disaster recovery plan, and emergency mode operations plan; assess which applications and data are most critical. Test the plan and revise it.
  8. Evaluation. Periodically evaluate your security measures, both technical and non-technical, to confirm they still meet the Security Rule requirements after operational or environmental changes.
  9. Business Associate Contracts and Other Arrangements. Obtain a written contract from every vendor that handles ePHI for you (EHR host, billing service, IT provider, cloud backup) committing them to safeguard it.

Physical safeguards (45 CFR § 164.310)

Physical safeguards protect the facilities, workstations, and devices that house or access ePHI. The four standards are facility access controls, workstation use, workstation security, and device and media controls (disposal, media re-use, accountability for hardware that moves, and backup before equipment is relocated). For a small practice this means controlling who can enter the rooms where servers and paper-to-digital scanning happen, positioning screens so patients in the hallway cannot read them, and wiping or destroying drives before a retired PC leaves the building.

Technical safeguards (45 CFR § 164.312)

Technical safeguards are the technology-based protections for ePHI. The five standards are access control (unique user identification, an emergency access procedure, automatic logoff, and encryption and decryption), audit controls, integrity (protecting ePHI from improper alteration or destruction), person or entity authentication, and transmission security (integrity controls and encryption for ePHI sent over a network).

What "addressable" actually means

Some implementation specifications are labeled "required" and others "addressable." This is one of the most misunderstood aspects of the Security Rule. Addressable does not mean optional.

If a specification is addressable, you must assess whether it is reasonable and appropriate for your environment. If it is, implement it. If it is not, document why and implement an equivalent alternative measure. If neither is possible, document why. The key word is "document" — OCR expects a written determination, not an assumption.

In practice, most addressable specifications should be implemented by most practices. Encryption, for example, is addressable under the current rules but difficult to justify not implementing given that off-the-shelf encryption is readily available and inexpensive.

Where small practices fail: the enforcement record

More than half of OCR's enforcement actions in 2024 and 2025 cited risk analysis failures — the first specification under the first administrative safeguard. This is not a coincidence. Risk analysis is the foundation of the entire Security Rule, and it is where small practices most consistently fall short.

Common failure patterns include:

How the Security Rule scales for small practices

The flexibility clause does not reduce the number of standards you must address. It adjusts the complexity and cost of your implementation. In practical terms:

What to do now

If you run a small healthcare practice and are not sure where you stand with the Security Rule, start here:

  1. Designate a Security Officer. Pick someone. Write it down. It can be you.
  2. Conduct a risk analysis. Use the free HHS Security Risk Assessment (SRA) Tool if you need structure. Identify where your ePHI lives (EHR, billing system, email, laptops, phones, backups, vendor systems), what threatens it, how likely and how damaging each threat is, and what you are doing about it.
  3. Write policies. You need written policies covering access management, workforce training, incident response, and contingency planning. They do not need to be long. They need to exist.
  4. Train your staff. Document the training. At least annually.
  5. Encrypt everything. Full-disk encryption on all devices, TLS for data in transit, encrypted email for patient communications.
  6. Document everything. Every policy, every risk assessment, every training session, every incident. If you cannot show it to OCR, it did not happen.

How BlackSheep helps small practices

BlackSheep's HIPAA compliance platform is built for practices that do not have a compliance department. It walks you through every Security Rule standard — administrative, physical, and technical — with guided workflows sized for small teams. Risk analysis, policy generation, training tracking, and remediation management in one platform at a price that does not require a hospital budget.

The Security Rule applies to your practice. Make sure you can prove compliance.
