HIPAA Compliance for Solo Practitioners: Everything You Need in One Afternoon

GRC & Compliance · May 11, 2026

If you're a solo therapist, chiropractor, or independent healthcare provider, HIPAA feels designed for hospitals — not for a practice of one. The language is dense, the guidance is written for compliance officers, and every vendor who wants to sell you something makes it sound impossibly complex.

It's not. Let me walk you through what HIPAA compliance for a solo practitioner actually requires in 2026.

The basics: who HIPAA applies to

HIPAA applies to covered entities — healthcare providers who transmit health information electronically. If you bill insurance, schedule appointments via a patient portal, or communicate with patients via email about their care, you are a covered entity. There is no minimum patient count.

The three rules that matter most:

  • The Privacy Rule: Governs how you use and disclose Protected Health Information (PHI)
  • The Security Rule: Governs how you protect electronic PHI (ePHI)
  • The Breach Notification Rule: Governs what you do when something goes wrong

What Protected Health Information actually means

PHI is any information that can identify a patient and relates to their health, healthcare, or payment for healthcare. This includes names, addresses, phone numbers, email addresses, dates of service, diagnoses, treatment notes, billing records, and photographs.

The four things every solo practice must have

  1. A Privacy Policy and Notice of Privacy Practices. Required disclosure, not optional.
  2. A Security Risk Assessment. The HIPAA Security Rule requires you to assess risks to your ePHI. The OCR provides a free Security Risk Assessment tool at healthit.gov.
  3. Business Associate Agreements (BAAs). Any vendor who handles your ePHI must sign a BAA. This includes your EHR vendor, billing service, email provider, telehealth platform, and cloud storage provider.
  4. A Breach Response Plan. If something goes wrong, you need a documented process. HIPAA requires notification of affected patients within 60 days.

The most common violations in solo practices

Texting patient information on a personal phone without encryption. Using a personal Gmail without a BAA. Sharing login credentials with a part-time assistant. Leaving a laptop unattended and unlocked. The OCR has levied fines against solo practitioners. A $10,000 fine for a solo practice is not a rounding error.

Where to spend your energy

  1. Complete the Security Risk Assessment.
  2. Execute BAAs with every vendor who touches your ePHI.
  3. Draft your Notice of Privacy Practices.
  4. Document employee training.
  5. Create a simple incident response checklist.

You don't need a compliance officer. You need about four hours of focused work — or a platform like Scarlet Risk that generates HIPAA-aligned policies and a risk assessment in minutes.