Free Assessment: HIPAA Compliance Quick-Check for Small Practices

Answer 41 questions across 6 compliance areas. Get a scored assessment with prioritized, actionable recommendations -- in under 5 minutes.

Section 1 of 6: Administrative Safeguards

Policies, procedures, and workforce management

1. Does your practice have a designated HIPAA Privacy Officer? (Critical)
2. Does your practice have a designated HIPAA Security Officer? (Critical)
3. Do all workforce members (staff, contractors, volunteers) receive HIPAA training upon hire? (Critical)
4. Is HIPAA training refreshed at least annually for all workforce members?
5. Do you have written HIPAA policies and procedures that staff can access? (Critical)
6. Do you have a documented sanction policy for HIPAA violations by workforce members?
7. Do you perform a formal risk assessment at least annually? (Critical)
8. Do you have a process for terminating access to PHI when an employee leaves? (Critical)
9. Do you maintain a log of who has been granted access to systems containing PHI?

HIPAA Compliance for Small Medical Practices

Small practices are subject to the same HIPAA rules as large health systems, but usually without dedicated compliance staff. The Security Rule does allow safeguards to be scaled to the size, complexity, and resources of the organization (45 CFR 164.306(b)), but the obligation to assess risk, document decisions, and implement appropriate protections applies regardless of size. Here is what you need to know.

What does HIPAA require?

HIPAA requires covered entities (including medical practices of all sizes) to implement administrative, physical, and technical safeguards to protect protected health information (PHI). This includes written policies, workforce training, access controls, business associate agreements, and breach notification procedures. Encryption of electronic PHI is an "addressable" specification under the Security Rule: it must be implemented where reasonable and appropriate, and if it is not, the reason and any equivalent alternative measure must be documented.

What are the penalties?

Civil penalties are tiered by level of culpability, from a minimum of $141 per violation at the lowest tier up to an annual cap of $2,134,831 for all violations of an identical provision (2024 inflation-adjusted figures, which HHS updates periodically). The HHS Office for Civil Rights (OCR) has brought enforcement actions against small practices as well as large health systems. A single breach investigation can result in penalties, corrective action plans, and monitoring lasting years.

Common gaps in small practices

  • No formal risk assessment conducted
  • Missing or expired Business Associate Agreements
  • No documented HIPAA policies and procedures
  • Unencrypted emails containing PHI
  • Shared login credentials among staff
  • No incident response plan

The risk assessment requirement

A HIPAA risk analysis is required by the Security Rule (45 CFR 164.308(a)(1)(ii)(A)), and it must be paired with risk management (164.308(a)(1)(ii)(B)): the identified risks have to be reduced to a reasonable and appropriate level, and both the analysis and the resulting decisions must be documented. The assessment must identify potential threats and vulnerabilities to ePHI, inventory current safeguards, determine the likelihood and impact of each threat, and assign risk levels. The rule does not set a fixed frequency; annual review, plus reassessment after significant changes (new EHR, new vendor, office move), is the generally accepted practice. HHS offers a free Security Risk Assessment (SRA) Tool designed for small and medium-sized practices.

Frequently Asked Questions

Is this quiz a substitute for a formal HIPAA risk assessment?
No. This quiz is an educational self-assessment tool to help small practices identify potential compliance gaps. A formal HIPAA risk assessment (required by the Security Rule) is a more thorough process that should be conducted annually and documented. The HHS provides a free Security Risk Assessment Tool at healthit.gov for small practices.
Who needs to be HIPAA compliant?
HIPAA applies to "covered entities" (health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with a standard transaction such as a claim) and their "business associates" (vendors who create, receive, maintain, or transmit PHI on their behalf). If you are a medical practice that bills insurance electronically, you are a covered entity.
Do solo practitioners need to comply with HIPAA?
Yes. HIPAA applies regardless of practice size. Solo practitioners who transmit any health information electronically (including electronic claims) are covered entities and must comply with all applicable HIPAA rules, including the Privacy Rule, Security Rule, and Breach Notification Rule.
How does prior authorization relate to HIPAA compliance?
Prior authorization involves transmitting PHI between your practice and insurance companies. Ensuring that PA workflows are conducted through HIPAA-compliant channels (encrypted transmissions, audit-logged systems, proper access controls) is part of your overall compliance obligation. Any vendor that handles PHI in a PA workflow is a business associate, so a signed Business Associate Agreement is required before PHI is shared with it; there is no official HIPAA certification for software, so ask vendors for their BAA and security documentation. Greenlight Medical's PA automation platform is designed to be HIPAA-compliant.
How often should we review our HIPAA compliance?
At minimum, conduct a formal risk assessment annually. Additionally, review policies whenever there are significant changes (new EHR system, new vendors, office relocation, staffing changes). HIPAA training should be refreshed annually for all workforce members.