If you run a small or solo practice, HIPAA can feel like one more thing on your plate. You might assume enforcement only affects large hospitals or insurers, but that assumption needs to change. Regulators are paying close attention to smaller practices, too.
Enforcement is up across the board, with small practices now firmly in scope. The message from OCR is clear: all healthcare providers, including solo practitioners, must meet the same security standards.
In October 2024, OCR launched a new "risk analysis initiative" specifically designed to audit whether practices are assessing their security risks, one of the most common areas where practices stumble. Combined with proposed Security Rule updates, the regulatory landscape is shifting toward stricter compliance requirements and enforcement.
The good news?
A few simple steps can protect your clients' data and your peace of mind. You don't have to become an IT expert overnight, but regulators do expect you to take concrete steps to protect client information.
This guide will show you exactly what these enforcement trends mean for your practice, what changes are coming, and how simple tools like Hushmail can help you meet key safeguards without overwhelming your existing workflow.
TL;DR: Risk analysis has always been required under HIPAA, but OCR is now enforcing the requirement more strictly. New audits focus on whether small practices are conducting, documenting, and updating their risk assessments. A simple annual review and clear documentation can keep your practice compliant and stress-free.
Last year wasn't kind to healthcare practices that ignored HIPAA requirements. OCR closed 22 enforcement actions with penalties in 2024, collecting $9.9 million, making it the second-highest year in the agency's history.
The good news? Most penalties stem from missing simple, preventable steps, such as not encrypting email or skipping annual risk assessments. You don't need a massive IT department to avoid these fines. You just need to understand what OCR is looking for to show compliance.
👉 Learn more: How to do your HIPAA risk assessment (with template)
Since launching the Risk Analysis Initiative in October 2024, OCR has settled eight enforcement actions, collecting nearly $900,000. While many of these investigations began before the launch of the Initiative, the settlements underscore that failing to conduct and document a risk analysis adequately can lead to enforcement action.
This focused effort is part of a broader trend. OCR has been increasing its oversight of HIPAA through initiatives such as the Right of Access Initiative, which enforces patients' rights to obtain copies of their records, and the newer Risk Analysis Initiative, which focuses on preventing data breaches. Size doesn't grant immunity. Even small practices are on the radar.
Let's be clear about who's getting fined. These aren't just massive hospital systems. They're practices just like yours.
In 2020, Dr. Steven Porter, a solo gastroenterologist, was fined $100,000 and entered a 2-year corrective action plan for failing to conduct a risk analysis. This remains one of the clearest examples of how missing basic documentation can lead to severe penalties for a single-provider practice.
More recent cases show the same pattern:
💡 What do these cases have in common? Every practice failed to conduct a proper risk analysis and document the results before the incident.
These numbers might feel overwhelming, but remember: every practice that got fined was missing basic protections that you can implement this week. You don't need to be perfect; you need to show you're trying.
Beyond the financial penalty, here's what really happens when OCR issues a fine and you are required to enter into a corrective action plan:
“The financial penalty is just the beginning. What really impacts small practices is the ongoing oversight and documentation burden. I've seen solo practitioners spend 10-15 hours per quarter just on compliance reporting for years after a settlement. That's time they could have spent with clients.”
Margaret Hales, J.D., CEO of ET&C Group LLC and The HIPAA E-Tool
When OCR says they expect an "accurate and thorough assessment of potential risks and vulnerabilities," here is what that means in practice, and what you actually need to document:
| 📄 What to document? | 💡 What this means in practice |
|---|---|
| 1. Where your client data lives | Every computer, phone, tablet, email account, cloud storage service, and even that old fax machine with a hard drive. If it touches client information, list it. |
| 2. What could go wrong | For each place where data lives, write down the threats. Could someone steal that laptop? Could an employee accidentally email client info to the wrong person? |
| 3. What protection you have now | Document your current safeguards. Do you use passwords? Is your email encrypted? Do you lock your office? |
| 4. How likely and serious each risk is | You don't need complex math here. Just rate risks as low, medium, or high based on probability and impact. |
| 5. Your plan to manage the risks | Write down what you will do to reduce each risk. This could include enabling encryption, adding MFA, updating policies, or choosing HIPAA-compliant tools. |
| 6. Written documentation of all this | OCR wants to see that you've thought this through. A few pages of clear documentation beat nothing every time. |
| 7. Regular updates | Review and update annually, or whenever you make significant changes, such as adding new software or staff. |
There's a lot of confusion about what counts as a proper risk analysis. Some practices think downloading a template and filling in a few blanks is enough. Others assume they need to hire expensive consultants to create a complex document.
The truth is somewhere in between. A risk analysis doesn't need to be complicated, but it does need to be real. Here's what separates a compliant risk analysis from one that will get you in trouble:
| A risk analysis is NOT: | What it IS: |
|---|---|
| ❌ A checkbox exercise or a generic template | ✅ Your specific risk assessment based on your actual practice |
| ❌ The same as a HIPAA compliance gap assessment | ✅ Understanding what could go wrong (not just what rules you follow) |
| ❌ A one-time activity | ✅ An ongoing process that is reviewed and updated regularly |
| ❌ Optional for small practices | ✅ Required for every covered entity, regardless of size |
How you document your risk assessment matters just as much as doing it. OCR auditors know the difference between a hastily completed template and a thoughtful assessment of your actual practice.
Here's what separates adequate documentation from the kind that raises red flags:
| What it's NOT | What it IS |
|---|---|
| ❌ A generic template you found online | ✅ Practice-specific documentation with your actual systems and workflows |
| ❌ Just documenting your EHR system | ✅ Documenting ALL systems touching ePHI |
| ❌ Something you can discard after a year | ✅ Retained for at least 6 years (OCR can request old analyses) |
| ❌ A document you create once and forget | ✅ Regular reviews and updates with dates to prove ongoing compliance |
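The seven documentation items above, together with the dated-review and six-year retention points in this table, can be kept as one small, practice-specific risk register. The following Python script is an added illustration of that idea; it is not Hushmail's code, not the HHS Security Risk Assessment Tool, and not an OCR-prescribed scoring method. The low/medium/high thresholds and the sample register entries are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# The guide's qualitative ratings, mapped to numbers only so entries can be
# combined and sorted. The score thresholds are an assumption for this example.
LEVELS = {"low": 1, "medium": 2, "high": 3}
ANNUAL_REVIEW = timedelta(days=365)   # item 7: review at least annually
RETENTION_YEARS = 6                   # keep old analyses at least 6 years


@dataclass
class Risk:
    asset: str                                      # 1. where client data lives
    threat: str                                     # 2. what could go wrong
    safeguards: list = field(default_factory=list)  # 3. protection you have now
    likelihood: str = "medium"                      # 4. how likely ...
    impact: str = "medium"                          #    ... and how serious
    plan: str = ""                                  # 5. what you will do about it


def risk_score(risk: Risk) -> int:
    """Likelihood x impact on a 1..9 scale; no complex math needed."""
    return LEVELS[risk.likelihood] * LEVELS[risk.impact]


def risk_level(risk: Risk) -> str:
    """Collapse the score back to low / medium / high (assumed thresholds)."""
    score = risk_score(risk)
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def prioritized(register: list) -> list:
    """Highest-scoring risks first, so the plan addresses them first."""
    return sorted(register, key=risk_score, reverse=True)


def review_findings(register: list, last_reviewed: str, today: str) -> list:
    """Gaps an auditor would notice: undocumented safeguards, unmanaged
    medium/high risks, and a review older than one year. Dates are ISO strings."""
    findings = []
    for risk in register:
        if not risk.safeguards:
            findings.append(f"{risk.asset}: no current safeguard documented")
        if risk_level(risk) != "low" and not risk.plan:
            findings.append(f"{risk.asset}: {risk_level(risk)} risk with no management plan")
    if date.fromisoformat(today) - date.fromisoformat(last_reviewed) > ANNUAL_REVIEW:
        findings.append(f"annual review overdue (last reviewed {last_reviewed})")
    return findings


def retain_until(analysis_date: str) -> str:
    """Earliest date an analysis dated `analysis_date` may be discarded."""
    d = date.fromisoformat(analysis_date)
    try:
        return d.replace(year=d.year + RETENTION_YEARS).isoformat()
    except ValueError:                      # 29 February in a non-leap target year
        return d.replace(year=d.year + RETENTION_YEARS, day=28).isoformat()


# Constructed sample register for a small practice (not real data).
SAMPLE_REGISTER = [
    Risk("office laptop", "stolen from a car", ["login password"], "medium", "high",
         plan="enable full-disk encryption; keep the laptop out of vehicles"),
    Risk("practice email account", "client info sent to the wrong recipient",
         [], "high", "high"),
    Risk("old fax machine with hard drive", "disposed of without wiping",
         ["locked office"], "low", "medium"),
]

if __name__ == "__main__":
    for risk in prioritized(SAMPLE_REGISTER):
        print(f"[{risk_level(risk):6}] {risk.asset}: {risk.threat}")
    for finding in review_findings(SAMPLE_REGISTER, "2024-03-01", "2025-06-01"):
        print("finding:", finding)
    print("retain the 2025-06-01 analysis until", retain_until("2025-06-01"))
```

Run on the sample register, the script ranks the unencrypted email account first, flags it for having neither a documented safeguard nor a management plan, and reports that a review dated 2024-03-01 is overdue as of 2025-06-01. The dated findings list is the kind of artifact that shows an ongoing process rather than a one-time template.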
“Most small practices overthink the risk analysis process. You don't need a 50-page report or expensive consultants. OCR wants to see that you understand where your client data lives, what could threaten it, and what you're doing to protect it. A thorough 5-10 page document that's specific to your practice is far more valuable than a generic 100-page template.”
Margaret Hales, J.D., CEO of ET&C Group LLC and The HIPAA E-Tool
Instead of dwelling on failures, let's focus on what successful practices do right:
You can do this without hiring anyone. Set aside a little time each week, and you'll be compliant before you know it.
By the end of Week 1, you should have a simple, written list of your systems, the risks, and your current safeguards.
💡 Tip: You can use the free HHS Security Risk Assessment Tool, explore the HIPAA E-Tool for an easy-to-use, practical paid alternative, or follow Hushmail's step-by-step guide to completing a HIPAA risk assessment.
💡 For email safeguards, this is where Hushmail comes in.
Most small practices start with email encryption because it's an easy safeguard to implement. You can set up encrypted email the same day, addressing one of the most common vulnerabilities that OCR finds.
Learn more: HIPAA technical safeguards explained for your small practice
👉 Recommended reading: HIPAA documentation requirements for small healthcare practices made simple
Email remains one of the biggest security gaps in healthcare. Most breaches involve email compromise, and OCR investigates email encryption in every audit. While encryption is an addressable safeguard, not a required one, practices without it face much higher scrutiny and risk.
Hushmail provides three essential safeguards that address the most common email-related violations:
💡 These safeguards provided by Hushmail alone would have prevented or significantly reduced roughly 60% of the small practice fines we've discussed. Email breaches, unsecured client communications, and authentication failures are entirely preventable with the right tools and security measures.
Hushmail also includes a signed BAA with all healthcare plans, requires no complex IT configuration, and works with your existing email workflow. At a fraction of the cost of a single OCR fine, it's protection you can implement today.
In December 2024, OCR, the HHS division that enforces HIPAA, proposed major Security Rule updates. The proposed changes include mandatory annual Security Rule compliance assessments, required encryption across all systems, vulnerability scans every six months, and annual penetration tests.
If you've followed the steps above, you're already well on the way to being prepared for these updates. This is the perfect time to get ahead: small steps now will save stress later when the new rules take effect.
If reading about fines and enforcement makes you anxious, you're not alone. Most small practice owners feel overwhelmed by HIPAA requirements. The good news is that compliance doesn't require perfection. It requires showing you're making a genuine effort to protect client information.
Here are 3 actions to take today:
The reality: 22 practices paid fines in 2024, and OCR's Risk Analysis Initiative is currently investigating small practices.
But you have an advantage. You can implement changes in days, not months.
Take the first step toward simpler compliance. Start with encrypted email to protect client information, then add safeguards one at a time. You're not too small to be fined, but you're exactly the right size to get compliant quickly.
Learn how Hushmail for Healthcare helps small practices stay compliant with confidence:
Reviewed by: Margaret Hales, J.D., CEO of ET&C Group LLC and The HIPAA E-Tool, and Steven O. Youngman, VP of Legal and Compliance, Hushmail.