HIPAA can feel overwhelming for a small practice. It isn't — not if you focus on the parts that actually prevent breaches. Most small-practice HIPAA incidents come from the same small set of failures.
The five things that matter most
- MFA on every account that touches PHI
- Encrypted laptops and mobile devices
- Secure email for PHI-containing communications
- A tested backup you could actually restore from
- A breach response plan you've rehearsed at least once
That's it. Those five controls will stop 80% of the incidents we've seen in small-practice environments.
Why MFA beats almost everything else
The single most common breach vector for small practices is a phished or reused password on a webmail account. MFA defeats this for the large majority of attacks. An authenticator app is fine; SMS codes are better than nothing but the weakest form; phishing-resistant options (FIDO2 security keys or passkeys) are the only kind that holds up when a phishing page relays the code to the real login in real time. If you do nothing else on this list, do this.
Encryption isn't optional
HIPAA has a safe harbor: the breach notification rule only covers "unsecured" PHI, and PHI that was encrypted according to HHS guidance is not unsecured. A lost or stolen laptop whose disk was encrypted is therefore not a reportable breach, provided the key was not lost with it (a device left powered on and unlocked, or a recovery key taped to the lid, forfeits the safe harbor). Every laptop, tablet, and phone that touches PHI should be encrypted, and you should keep a record (recovery keys escrowed, encryption status logged) so you can prove it was encrypted on the day it went missing. macOS FileVault is included on every Mac; BitLocker is included with Windows Pro, Enterprise, and Education (Windows Home offers only the simpler "Device encryption" on supported hardware). Use them.
Secure email — the specifics
Plain SMTP email is not secure for PHI. You need either an email platform that will sign a business associate agreement (BAA) with you and is configured for encryption (Paubox, Virtru, or Microsoft 365 with the BAA in place plus the right licensing and configuration) or a secure portal for PHI exchange. Your regular email with 'confidential' in the subject line isn't enough, and a vendor that won't sign a BAA isn't "HIPAA-compliant" no matter what its marketing says.
Backups you haven't tested aren't backups
The second most common breach we see is practices that had backups but couldn't restore from them during a ransomware incident: the backup drive was plugged in and got encrypted along with everything else, or the restore had never been tried and failed on the day it mattered. Keep at least one copy that a compromised workstation cannot reach (offline, or on immutable cloud storage), restore from it to a clean machine quarterly, compare what came back against what you expected, and document the result. If you haven't tested it, you have a dream, not a backup.
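A restore drill can be scripted so that it actually gets run every quarter and leaves a record. The following is an added example, not code from the original article or from any product it names; it assumes backups are plain tar archives and that the data to protect lives in one directory tree (both assumptions, chosen to keep the example self-contained). It hashes every file in the live tree, restores the archive into a scratch directory, compares the two sets of hashes, and appends a dated pass/fail line to a drill log. The demo at the bottom runs it on a small constructed sample tree and then corrupts the archive to confirm the drill notices.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): a scripted backup restore drill.
# Assumptions: backups are tar archives; data lives under one directory tree.
set -eu

hash_tree() {
  # Print "<sha256>  <relative path>" for every regular file under $1, in a
  # stable order, so two trees can be compared as plain text.
  (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
    if command -v sha256sum >/dev/null 2>&1; then
      printf '%s  %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$f"
    else
      printf '%s  %s\n' "$(shasum -a 256 "$f" | cut -d' ' -f1)" "$f"
    fi
  done)
}

make_backup() {
  # $1 = source directory, $2 = archive path to write.
  tar -C "$1" -cf "$2" .
}

verify_restore() {
  # $1 = live source directory, $2 = archive. Restores the archive into a
  # fresh scratch directory (never over the live data) and compares hashes.
  # Returns 0 only if every file came back byte-identical.
  src="$1"; archive="$2"
  scratch="$(mktemp -d)"
  if ! tar -C "$scratch" -xf "$archive" 2>/dev/null; then
    echo "RESTORE FAILED: archive would not extract" >&2
    rm -rf "$scratch"
    return 1
  fi
  expected="$(hash_tree "$src")"
  actual="$(hash_tree "$scratch")"
  rm -rf "$scratch"
  if [ "$expected" = "$actual" ]; then
    return 0
  fi
  printf 'RESTORE MISMATCH\n--- expected\n%s\n--- restored\n%s\n' "$expected" "$actual" >&2
  return 1
}

log_result() {
  # $1 = log file, $2 = 1 for pass / 0 for fail. This is the "document the
  # result" step: one dated line per drill, appended, never overwritten.
  if [ "$2" = 1 ]; then status=PASS; else status=FAIL; fi
  printf '%s restore-drill %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$status" >> "$1"
}

demo_drill() {
  # Constructed sample data (not real PHI): two small files in a temp tree.
  src="$(mktemp -d)"; archive="$(mktemp)"; log="$(mktemp)"
  mkdir -p "$src/charts"
  printf 'record_id,visit_date\n1001,2024-01-09\n' > "$src/charts/visits.csv"
  printf 'scheduler config v2\n' > "$src/config.txt"
  make_backup "$src" "$archive"
  ok=0
  verify_restore "$src" "$archive" && ok=1
  log_result "$log" "$ok"
  # Now simulate a silently corrupted backup and confirm the drill catches it.
  printf 'not a tar archive' > "$archive"
  caught=0
  verify_restore "$src" "$archive" 2>/dev/null || caught=1
  log_result "$log" "$((1 - caught))"
  lines="$(wc -l < "$log")"
  rm -rf "$src" "$archive" "$log"
  [ "$ok" = 1 ] && [ "$caught" = 1 ] && [ "$lines" -eq 2 ]
}

demo_drill && echo "restore drill: good archive restored, corrupt archive detected"
```

Point the functions at the real data directory and the real archive, run it from a machine that is not the one the backups were taken on, and keep the log file with your other HIPAA documentation; the log is what shows an auditor (or your insurer) that the quarterly test actually happened.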
Breach response isn't a 2 a.m. improv exercise
HIPAA requires that affected individuals be notified without unreasonable delay and in no case later than 60 calendar days after the breach is discovered, and "discovered" means the day you knew or reasonably should have known, not the day you finished investigating. Sixty days is the ceiling, not the target, and weekends count. Having a written IR plan (who you call, what you preserve, when you notify) means you're not making decisions under pressure with a timer running.
What this looks like in practice
For most small practices, implementing these five controls takes one week of focused work and a modest ongoing investment. It's the highest-leverage security spend in the business. It also makes your cyber insurance premium meaningfully cheaper.
The rest of HIPAA — the policies, the documentation, the annual reviews — matters too. But if your core controls are weak, no amount of binder-filling will save you when something goes wrong.
Talk through your situation.
The articles cover the general shape. Your specific situation deserves a real conversation.
