HIPAA compliance can feel overwhelming, especially for small healthcare practices, dental offices, therapy clinics, and the many business associates that handle protected health information (PHI). The regulations are lengthy and the consequences of non-compliance are severe, but the core requirements are more manageable than they appear.
This checklist is designed for small businesses in Maryland, the Baltimore metro area, and the broader DMV region that need a practical, actionable overview of what HIPAA requires from a cybersecurity standpoint in 2026.
Understanding HIPAA's Security Requirements
HIPAA's Security Rule establishes three categories of safeguards that covered entities and business associates must implement: administrative, physical, and technical. While larger health systems have dedicated compliance teams to manage this, small businesses often lack those resources.
The most common HIPAA violations at small organizations come down to a few recurring problems: no documented risk assessment, unencrypted devices, weak access controls, and a lack of employee training. The good news is that each of these is fixable.
Important: HIPAA penalties range from $100 to $50,000 per violation, with an annual maximum of $2,068,000 per violation category. The HHS Office for Civil Rights actively investigates small practices, not just hospitals.
The 10-Point HIPAA Compliance Checklist
1 Conduct a Formal Risk Assessment
This is the single most important requirement and the most frequently cited deficiency in HIPAA audits. You must document a thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI you create, receive, maintain, or transmit. This is not a one-time event. It should be updated annually or whenever significant changes occur in your environment.
2 Implement Access Controls
Every person who accesses ePHI should have a unique user ID. Implement role-based access so that staff only see the data they need for their job function. Use automatic logoff on workstations and have procedures for granting and revoking access when employees join or leave.
3 Encrypt Data at Rest and in Transit
All devices that store or transmit ePHI must use encryption. This includes laptops, desktops, portable drives, email, and any cloud services. If an encrypted laptop is lost or stolen, it is not considered a reportable breach. If an unencrypted one is lost, it is.
4 Deploy Audit Logging and Monitoring
HIPAA requires the ability to record and examine activity in information systems that contain or use ePHI. This means audit logs on your EHR system, file servers, email, and network infrastructure. Logs should be reviewed regularly for unauthorized access attempts. This is where managed SIEM services become invaluable for small practices.
5 Establish a Breach Notification Plan
You need a documented process for identifying, responding to, and reporting breaches. Breaches affecting 500 or more individuals must be reported to HHS within 60 days. Smaller breaches must be logged and reported annually. Your plan should include who is responsible, how affected individuals will be notified, and what steps will be taken to mitigate harm.
6 Train All Workforce Members
Every employee who handles ePHI must receive HIPAA security awareness training. This includes clinical staff, front desk personnel, billing teams, and IT support. Training should cover phishing recognition, password hygiene, proper data handling, and incident reporting. Document the training and require annual refreshers.
7 Execute Business Associate Agreements (BAAs)
Any vendor that creates, receives, maintains, or transmits ePHI on your behalf must sign a BAA. This includes your IT provider, cloud hosting company, email service, billing service, and shredding company. Review your vendor list and ensure every applicable relationship has a current, signed BAA.
8 Secure Physical Access
Workstations that display ePHI should be positioned so screens are not visible to unauthorized individuals. Server rooms and network equipment should be locked. Implement visitor sign-in procedures and ensure disposal of hardware and media follows documented sanitization procedures.
9 Implement Endpoint Protection
Every device that accesses ePHI needs more than basic antivirus. Deploy endpoint detection and response (EDR) software that can identify and contain threats in real time. Ensure operating systems and software are patched promptly, and maintain an inventory of all devices that access your network. Learn more about what EDR is and why it matters.
10 Develop and Test a Contingency Plan
HIPAA requires a data backup plan, a disaster recovery plan, and an emergency mode operation plan. Back up ePHI regularly, store backups securely (encrypted and offsite), and test your ability to restore from backup at least annually. If ransomware hits tomorrow, can you recover?
Common Violations That Catch Small Businesses Off Guard
Based on HHS enforcement actions and breach reports, here are the violations that most frequently affect small healthcare organizations in the Maryland and DMV area:
- No risk assessment on file. This is cited in the majority of enforcement actions. If you do nothing else, complete a risk assessment.
- Lost or stolen unencrypted devices. A single unencrypted laptop left in a car can trigger a breach notification affecting thousands of patients.
- Using personal email for PHI. Staff sending patient information via Gmail or Yahoo is a violation. Use encrypted, HIPAA-compliant email.
- Lack of audit logs. If you cannot demonstrate who accessed what and when, you cannot prove compliance.
- Outdated or missing BAAs. Especially common when practices switch vendors but do not update their agreements.
How a Managed Security Provider Helps with HIPAA
For small healthcare businesses, partnering with a managed security services provider (MSSP) is often the most practical path to compliance. An MSSP like PalisadeOne can handle the technical safeguards that require specialized expertise:
- 24/7 monitoring and logging through a managed SIEM that satisfies the audit control requirement
- Endpoint detection and response deployed and managed across all your devices
- Vulnerability scanning to identify unpatched systems and misconfigurations
- Incident response support so you have expert guidance when a potential breach occurs
- Compliance documentation including evidence collection for risk assessments and audits
This does not replace the need for administrative and organizational measures that your practice must own, but it covers the most technically demanding components and gives you documented evidence of your security posture. Explore our platform to see how we support healthcare organizations, or review our pricing for plans designed for small practices.