CoreFolioHIPAA
How-to

HIPAA compliance without a dedicated compliance officer: a small practice guide

HIPAA requires designated Privacy and Security Officials — not a full-time hire. Here is what the role involves, who typically holds it, and what a defensible documentation baseline looks like.

By CoreFolio


A physician in solo practice, a four-provider dental group, a behavioral health clinic with seven therapists — none of these organizations can realistically justify a dedicated, full-time HIPAA compliance hire. What they can and must do is designate someone to hold the role that the Health Insurance Portability and Accountability Act (HIPAA) actually requires.

That distinction matters more than most small practices realize. The regulation does not require a compliance department, a credentialed officer, or a vendor engagement. It requires a named individual, documented in writing, who is responsible for a specific set of privacy and security obligations. In most small practices, that person is already on the payroll — they just may not know it yet.

What the regulation actually requires

HIPAA creates two separate designation requirements.

The Privacy Official designation comes from the Privacy Rule at 45 CFR § 164.530(a)(1)(i):[1]

A covered entity must designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity.

The Security Official designation comes from the Security Rule's Administrative Safeguards at 45 CFR § 164.308(a)(2):[2]

Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate.

Both designations are required: they are not addressable specifications, and they are not conditional on practice size. Both must be documented in writing.[3] Neither requires a credential, a degree, or a dedicated job title.

The two designations can be held by the same person, and at practices with fewer than twenty employees, they typically are. The HHS Summary of the Security Rule explicitly states that at smaller organizations, the Security Official may be the same person as the Privacy Official.[4]

What the scaling principle does and does not cover

45 CFR § 164.306(b)(2) — the Security Rule's general rules section — allows small practices to consider their size, capabilities, technical infrastructure, and the probability of risk when determining what is "reasonable and appropriate" for their implementation. This scaling principle means a three-person family practice does not need to build an enterprise security operations center.

What the scaling principle does not change:

  • Whether the designations must exist. Both roles must be designated, regardless of practice size.
  • Whether the risk analysis must be conducted. The scaling principle affects how detailed and resource-intensive the analysis needs to be — not whether it must be done.
  • Whether business associate agreements must be signed. Every business associate, meaning any vendor that creates, receives, maintains, or transmits PHI on the practice's behalf, requires a signed BAA regardless of practice size.
  • Whether the Breach Notification Rule applies. Notification obligations do not scale with employee count.
  • Whether training must be documented. Training records are required even in a one-person practice.

The scaling principle is a compliance tool, not an exemption. It helps a small practice calibrate the depth and format of its implementation; it does not reduce the list of things that must be implemented.

The four core responsibilities the designation carries

1. The annual risk analysis

The Security Official is the functional owner of the annual security risk analysis under 45 CFR § 164.308(a)(1)(ii)(A). This is the single most consequential compliance obligation a small practice faces, and the most commonly cited failure in OCR enforcement.

Every enforcement action under OCR's Risk Analysis Initiative, 16 settlements between October 2024 and early 2026, involved a covered entity or business associate that could not produce a current, defensible risk analysis.[5] Settlement amounts ranged from $5,000 to $375,000. The pattern is consistent: an incident triggers an investigation, and the missing or stale risk analysis is what drives the settlement.

For the Security Official in a small practice, this means ensuring the analysis is:

  • Scoped to every system that touches ePHI: the electronic health record (EHR), email, billing platform, cloud backup, portable devices, and any other vendor with ePHI access
  • Structured to identify specific threats and vulnerabilities, not just describe them generally
  • Dated and current — OCR's informal position is that an analysis older than twelve months is presumptively stale
  • Accompanied by a Risk Management Plan under § 164.308(a)(1)(ii)(B) that documents how identified risks will be reduced to a reasonable and appropriate level

2. Privacy policies and procedures

The Privacy Official is responsible for maintaining the practice's written privacy policies under 45 CFR § 164.530(i). These cover how protected health information (PHI) may be used and disclosed, how patient rights are handled, what the Notice of Privacy Practices says, and what the practice does when a privacy complaint arrives.

A small practice does not need a 50-page policy manual. It needs policies that are accurate, implemented, and documented. OCR looks for whether the policies actually reflect how the practice operates — a mismatch between written policy and actual practice is itself a finding.

3. Workforce training

45 CFR § 164.530(b)(1) requires a covered entity to train all workforce members on its privacy policies and procedures "as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity"; the Security Rule adds a separate security awareness and training standard at § 164.308(a)(5). For the Privacy and Security Official in a small practice, this means:

  • Delivering HIPAA awareness training to all staff; the regulation sets no fixed interval, and an annual refresher is the conventional cadence
  • Documenting what was covered, when, and who attended
  • Providing training to new staff within a reasonable period of joining the practice
  • Updating training when policies materially change

The form of training scales to practice size. A documented group discussion with dated sign-in sheet satisfies the requirement for a three-person office. What does not satisfy it is training that happened once at the practice's founding and was never repeated.

4. Breach identification and response

When a security incident or privacy breach occurs, the Privacy and Security Official leads the response. That means conducting the four-factor risk assessment under 45 CFR § 164.402 to determine whether the incident is a reportable breach of unsecured PHI under 45 CFR §§ 164.400–414 and, if it is, ensuring that affected individuals are notified without unreasonable delay and no later than 60 calendar days after discovery, and that HHS is notified on the applicable schedule: together with individual notice for breaches affecting 500 or more individuals, and within 60 days after the end of the calendar year for smaller breaches.

In a small practice, this is typically a low-frequency responsibility. But the response window is fixed regardless of staff size, and the documentation requirements apply regardless of how small the practice is.

The documentation baseline

"What do I actually need to have on file?"

At minimum, a defensible small practice has the following documents:

Each entry below names the document, its regulatory anchor, and what it needs to say:

  • Privacy Official designation (§ 164.530(a)(1)(i), (a)(2), (j)): named individual, date of designation, responsible for privacy policies
  • Security Official designation (§ 164.308(a)(2)): named individual, date of designation, responsible for security policies
  • Risk Analysis Report (§ 164.308(a)(1)(ii)(A)): scoped to all ePHI systems; threats, vulnerabilities, likelihood, impact, risk levels; dated; methodology documented
  • Risk Management Plan (§ 164.308(a)(1)(ii)(B)): maps identified risks to remediation steps, responsible parties, timelines
  • Privacy policies and procedures (§ 164.530(i)): written; covers uses and disclosures, patient rights, NPP, sanctions, complaints
  • Security policies and procedures (§§ 164.308–164.316): written; covers administrative, physical, and technical safeguards
  • Training records (§ 164.530(b)(2)(ii)): dated; names workforce members trained; describes content covered
  • BAA inventory (§ 164.308(b)(1)): lists all vendors with ePHI access; confirms a signed BAA exists for each
  • Breach log (§§ 164.408(c), 164.414): documents all incidents; outcome of the four-factor assessment; notification records

The documentation requirements are real. A practice that has done the work but cannot produce the documentation when OCR asks is in the same position as a practice that has not done the work.

Common failure patterns OCR finds in small practices

The informal understanding. The practice owner is "generally aware" of HIPAA requirements but has never formally designated themselves. If an investigation opens, there is no written record of who was responsible for what — which means OCR's investigators write their own conclusions.

The one-time project. The practice hired a consultant in 2019 to produce a risk analysis. The report is in a drawer somewhere. Nothing has been updated since. Under OCR's informal position that an analysis older than twelve months is presumptively stale, a 2019 report is no better than no report once an investigation opens.

The EHR assumption. The practice assumes its EHR vendor handles HIPAA compliance. An EHR vendor is a business associate — it handles its portion of the ePHI environment, covered by the BAA it signs. It cannot conduct the covered entity's risk analysis because it cannot see most of the practice's ePHI systems. The obligation runs to the covered entity.

The undocumented training. Staff received HIPAA training. Someone remembers it. There is no sign-in sheet, no agenda, no record of what was covered. Documentation is the requirement; the underlying training, undocumented, provides no protection in an investigation.

Where to start

If your practice has no formal designations and no current risk analysis, the sequence that makes the most sense is:

  1. Write the designation. A dated, signed document naming the Privacy Official and Security Official takes fifteen minutes and closes an enforcement gap that OCR has cited in multiple resolved cases.
  2. Inventory ePHI locations. Before you can analyze risk, you need to know where ePHI lives. Write down every system: EHR, email, billing, imaging, backup, portable devices, vendor portals.
  3. Set a date for the risk analysis. The analysis itself is a project — it requires focused time, not a slot between patients. Block three to four hours and treat it as a clinic-closed priority.
  4. Audit BAA coverage. Pull the vendor list from the ePHI inventory and confirm a signed BAA exists for each. Missing BAAs are among the most consistently cited findings in investigations.
  5. Check training records. Confirm when training last occurred and that documentation exists. If the last training was more than twelve months ago, schedule the next one.

Each of these steps is preparatory work — none of them completes the full compliance program. The risk analysis in particular requires the time and structure to do it accurately. But they move the practice from an undocumented starting point to a documented one, which is the first meaningful distinction OCR draws.
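As an added illustration of those five steps (this is example code written for this page, not code from CoreFolio or from the article), the check below takes the kind of evidence inventory the steps produce and reports the gaps an OCR investigator would ask about: missing designations, a risk analysis or training record older than twelve months, ePHI vendors without a signed BAA, and BAAs for vendors the inventory never mentions. Every name, vendor, and date in it is constructed sample data, and modelling "older than twelve months" as 365 days is an assumption.

```python
"""Documentation-gap check for a small practice's HIPAA evidence.

Added example for this article, not code from CoreFolio or the page.
All vendors, names and dates are constructed sample data; the twelve-month
staleness window is modelled as 365 days (an assumption).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

STALE_AFTER = timedelta(days=365)   # assumption: "older than twelve months"
SAMPLE_TODAY = date(2026, 6, 2)     # fixed "today" so the sample run is deterministic


@dataclass(frozen=True)
class System:
    name: str               # where ePHI lives: EHR, email, billing, backup, device
    vendor: Optional[str]   # None when the practice runs the system itself
    holds_ephi: bool


@dataclass(frozen=True)
class BAA:
    vendor: str
    signed_on: Optional[date]   # None: a draft is on file but nobody signed it


@dataclass
class Evidence:
    privacy_official: Optional[str]
    security_official: Optional[str]
    risk_analysis_date: Optional[date]
    last_training_date: Optional[date]
    systems: list
    baas: list


def _stale(label: str, when: Optional[date], today: date) -> list:
    """One finding if the dated item is missing or older than the window."""
    if when is None:
        return [f"no {label} on file"]
    if today - when > STALE_AFTER:
        return [f"{label} dated {when.isoformat()} is older than twelve months"]
    return []


def find_gaps(ev: Evidence, today: date) -> list:
    """Return human-readable findings; an empty list means no gap was detected."""
    gaps = []
    if not ev.privacy_official:
        gaps.append("no written Privacy Official designation (45 CFR 164.530(a))")
    if not ev.security_official:
        gaps.append("no written Security Official designation (45 CFR 164.308(a)(2))")
    gaps += _stale("risk analysis", ev.risk_analysis_date, today)
    gaps += _stale("workforce training record", ev.last_training_date, today)

    # BAA coverage: every vendor behind an ePHI system needs a *signed* BAA.
    signed = {b.vendor for b in ev.baas if b.signed_on is not None}
    unsigned = {b.vendor for b in ev.baas if b.signed_on is None}
    inventoried = set()
    for s in ev.systems:
        if not s.holds_ephi or s.vendor is None:
            continue                      # no vendor, or no ePHI: no BAA needed
        inventoried.add(s.vendor)
        if s.vendor in signed:
            continue
        if s.vendor in unsigned:
            gaps.append(f"BAA with {s.vendor} ({s.name}) is on file but unsigned")
        else:
            gaps.append(f"no BAA with {s.vendor} ({s.name})")

    # The reverse mismatch matters too: a BAA for a vendor the inventory never
    # mentions usually means the ePHI inventory itself is incomplete.
    for vendor in sorted((signed | unsigned) - inventoried):
        gaps.append(f"BAA with {vendor} but no ePHI system lists that vendor; inventory may be incomplete")
    return gaps


def sample_evidence() -> Evidence:
    """Constructed sample: a practice that did the 'one-time project' in 2019."""
    return Evidence(
        privacy_official="Dr. A. Example",   # hypothetical name
        security_official=None,              # never written down
        risk_analysis_date=date(2019, 3, 4),
        last_training_date=date(2025, 11, 12),
        systems=[
            System("EHR", "ExampleEHR", True),
            System("email", "ExampleMail", True),
            System("billing", "ExampleBilling", True),
            System("cloud backup", "ExampleBackup", True),
            System("front-desk laptop", None, True),      # in scope, no vendor
            System("website host", "ExampleWeb", False),  # no ePHI, no BAA needed
        ],
        baas=[
            BAA("ExampleEHR", date(2023, 1, 9)),
            BAA("ExampleMail", None),                   # draft never countersigned
            BAA("ExampleShredding", date(2024, 6, 1)),  # vendor absent from inventory
        ],
    )


def sample_gaps() -> list:
    """Run the check against the constructed sample as of SAMPLE_TODAY."""
    return find_gaps(sample_evidence(), SAMPLE_TODAY)


if __name__ == "__main__":
    for finding in sample_gaps():
        print("-", finding)
```

Run against the sample, the check reports six findings: the undocumented Security Official, the 2019 risk analysis, an unsigned BAA for email, no BAA at all for billing and cloud backup, and a shredding vendor with a BAA but no inventory entry. The training record from late 2025 is inside the window and is not flagged. The last finding is the one practices most often miss: a BAA nobody can tie to an inventoried system is evidence that step 2 was not finished.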

Sources

Sources current as of June 2, 2026. This article is educational and does not constitute legal advice.

Footnotes

  1. 45 CFR § 164.530(a)(1)(i). Full text via the Legal Information Institute, Cornell Law School: https://www.law.cornell.edu/cfr/text/45/164.530. Last verified June 2, 2026.

  2. 45 CFR § 164.308(a)(2). Full text via the Legal Information Institute, Cornell Law School: https://www.law.cornell.edu/cfr/text/45/164.308. Last verified June 2, 2026.

  3. 45 CFR § 164.530(a)(2) (documentation of personnel designations); § 164.530(j) (general documentation requirements, six-year retention period).

  4. U.S. Department of Health and Human Services, Office for Civil Rights, Summary of the HIPAA Security Rule. Notes that the Security Official "may be the same person as the Privacy Officer" at smaller organizations. https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html.

  5. U.S. Department of Health and Human Services, Office for Civil Rights. Resolution agreements under the Risk Analysis Initiative, October 2024–June 2026. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/