Many solo therapists and private-practice clinicians assume HIPAA only applies to big clinics. In reality, if you see patients and handle PHI—even as a one-person practice—you are a covered entity under HIPAA.
1) You still need a Privacy & Security Officer (even if it’s you)
HIPAA requires every covered entity to designate someone responsible for privacy and security policies. In a solo practice, that’s usually you. The good news: you can formalize this in writing and use templates instead of drafting everything from scratch.
2) A formal risk analysis is required
It’s not optional. A risk analysis identifies where PHI could be exposed—lost laptops, weak passwords, unencrypted backups, or unauthorized access in your office. Document your findings and the steps you’ll take to address them.
3) Your vendors must sign BAAs
If a vendor can access PHI—EHR, telehealth platform, billing service, cloud storage—you need a signed Business Associate Agreement (BAA) with that vendor. Without one, you remain responsible for any mishandling of your patients’ data on their side.
4) You need a breach notification plan
Accidents happen. A written breach policy spells out who you’ll notify (patients and HHS), how quickly, and what steps you’ll take to contain the issue. Having this in place before something goes wrong makes a stressful situation manageable.
5) Physical safeguards still matter
Not all PHI is digital. Lock file cabinets, control access to rooms where devices are stored, and clear printed materials from desks at the end of the day.
If this feels like a lot, you’re not alone. We built resources specifically for solo providers: