HIPAA for Non-Medical Small Businesses: A Complete Guide
Not in healthcare? You may still owe HIPAA compliance. Learn how non-medical SMBs can meet requirements, avoid fines, and protect client data.
Understanding HIPAA for non-medical SMB owners starts with a number that might surprise you: roughly 55% of current HIPAA enforcement actions target small vendors and practices — not the large hospital networks most people picture. If your business provides IT support, billing services, cloud storage, or software to a doctor’s office, clinic, or insurer, you may already be on the hook for federal compliance requirements you never signed up for.
The tricky part is that HIPAA’s reach extends well beyond stethoscopes and patient charts. Thousands of small businesses handle Protected Health Information (PHI) every day without realizing it — and without the policies, safeguards, or contracts the law demands.
This guide is built for small business owners who want straight answers. We’ll cover whether HIPAA applies to you, which rules matter most, how to conduct a risk assessment, what policies you need, how to manage vendors, and what to do if something goes wrong. By the end, you’ll have a clear action plan — not a stack of unanswered questions.

What Is HIPAA and Does It Apply to Your SMB?
HIPAA — the Health Insurance Portability and Accountability Act — was signed into law in 1996. Its original goal was to protect patients’ health information while making it easier to transfer insurance coverage between jobs. Over time, it evolved into a comprehensive federal framework that governs how health data is used, stored, and shared across an entire ecosystem of organizations.
Here’s where it gets relevant for non-medical businesses: HIPAA draws a clear line between two categories of organizations.
Covered entities are the obvious players — healthcare providers who submit electronic billing, health insurers, and healthcare clearinghouses. Your local doctor’s office and a major insurance carrier are both covered entities.
Business associates (BAs) are companies that work with covered entities and, in doing so, touch PHI. If your business creates, receives, maintains, or transmits PHI on behalf of a covered entity — even indirectly — you qualify as a business associate under the law.
PHI is broader than most people expect. It includes any information that could be used to identify a patient in connection with their health. Common examples are:
- Full names paired with medical conditions or treatment history
- Medical record numbers and billing codes
- Insurance ID numbers
- Dates of service or admission
- Email addresses and phone numbers tied to health data
You don’t need to read patient charts to handle PHI. Non-medical SMBs that frequently fall under HIPAA include:
- IT vendors who manage networks or servers for medical practices
- SaaS providers offering practice management or telehealth software
- Medical billing companies processing claims and payments
- Cloud storage and hosting firms storing health records or backups
- HR and payroll platforms serving healthcare employers with employee health data
- Accountants and legal firms handling healthcare client finances involving PHI
If your business falls into any of these categories and you serve healthcare clients, HIPAA almost certainly applies to you. The right first move is to confirm your status before assuming otherwise.
The Three Core HIPAA Rules Non-Medical SMBs Must Know
HIPAA for non-medical SMB compliance centers on three interconnected rules. Each one carries its own requirements and its own risks if ignored.
The Privacy Rule
The Privacy Rule sets the standards for how PHI can be used and disclosed. The governing principle is the minimum necessary standard — you should only access, use, or share the minimum amount of PHI required to do your job. Casual access to data outside your role, even internally, is a violation.
For non-medical SMBs, this means limiting who on your team sees PHI, building data-handling procedures around least-privilege principles, and ensuring any disclosures to third parties are documented and authorized.
The Security Rule
The Security Rule applies specifically to electronic PHI (ePHI) — any PHI stored, processed, or transmitted digitally. It requires three categories of safeguards:
- Administrative safeguards: Policies, procedures, workforce training, and assigned compliance roles
- Physical safeguards: Controls over who can physically access servers, workstations, and devices storing ePHI
- Technical safeguards: Encryption, role-based access controls, multi-factor authentication (MFA), and audit logs
The Security Rule includes an important built-in flexibility: the law doesn’t mandate one-size-fits-all controls. Smaller businesses can scale their safeguards to match their size and risk profile. But — and this is critical — you must be able to justify every decision you make in writing. “We’re too small” is not a compliant justification for skipping a safeguard.
The Breach Notification Rule
The Breach Notification Rule tells you what to do when something goes wrong. If a breach of unsecured PHI occurs, the timelines are strict:
- Notify affected individuals within 60 days of discovering the breach
- Notify the HHS Office for Civil Rights (OCR) — immediately for breaches affecting 500 or more individuals, or annually for smaller breaches
- Notify prominent local media outlets for breaches affecting 500 or more individuals in a specific state
Business associates must also notify their covered entity clients without unreasonable delay — and no later than 60 days after discovering a breach.
How to Conduct a Security Risk Assessment (SRA)
The Security Risk Assessment (SRA) is not optional — it is the mandatory foundation of HIPAA compliance. The HHS Security Rule guidance explicitly requires organizations to conduct an accurate and thorough assessment of potential risks to ePHI. Everything else you build depends on what the SRA reveals.
Here’s how to approach it step by step.
Step 1: Inventory Your PHI Flows
Start by mapping where PHI enters your organization, where it lives, and where it goes. Include every system, application, device, and third party involved. Cloud drives, email accounts, laptops, mobile phones, and backup systems all count. You can’t protect data you don’t know you have.
Step 2: Identify Threats and Vulnerabilities
For each PHI touchpoint, ask: what could go wrong here? Common threats for non-medical SMBs include phishing attacks, ransomware, unauthorized employee access, unsecured remote connections, and lost or stolen devices. Vulnerabilities are the gaps that make those threats possible — weak passwords, unpatched software, missing encryption.
Step 3: Rank Risks by Likelihood and Impact
Not every risk carries equal weight. Score each identified risk based on how likely it is to occur and how severe the damage would be if it did. This ranking tells you where to focus first.
Step 4: Build a Remediation Roadmap
Turn your ranked risk list into a structured action plan. Assign a responsible owner to each item, set realistic timelines, and prioritize quick wins that deliver meaningful protection fast. Strong starting points include:
- Enabling full-disk encryption on all devices that store ePHI
- Enforcing MFA on every system touching ePHI
- Configuring automatic logoff on workstations
- Switching to a HIPAA-compliant encrypted email service
Conduct your first SRA before you begin handling ePHI. After that, repeat the process annually. You should also run a reassessment whenever a significant operational change occurs — adopting new software, migrating to the cloud, onboarding new vendors, or expanding your remote workforce. Document every SRA and keep records for at least six years.
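The four steps above fit naturally into a small risk register. The following is an added example, not code from the article, that carries the procedure through end to end: each PHI touchpoint is recorded with its threat and vulnerability (Steps 1 and 2), scored as likelihood times impact on a 1 to 5 scale (Step 3), ranked, and scheduled into a dated remediation roadmap with quick wins first (Step 4). The scoring bands, the effort rating used to identify quick wins, the owner names and all risk entries are constructed assumptions for illustration, not findings from any real assessment.

```python
"""Added example: a minimal Security Risk Assessment register.
Risk entries, owners, effort figures and scoring bands are constructed
sample data for illustration; none of it comes from a real assessment."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass
class Risk:
    touchpoint: str        # Step 1: where PHI enters, lives or leaves
    threat: str            # Step 2: what could go wrong at this touchpoint
    vulnerability: str     # Step 2: the gap that makes the threat possible
    likelihood: int        # Step 3: 1 (rare) .. 5 (almost certain)
    impact: int            # Step 3: 1 (negligible) .. 5 (severe)
    effort_days: int       # assumption: rough remediation effort, used to spot quick wins
    owner: str = "unassigned"
    remediation: str = ""
    due: Optional[date] = None

    @property
    def score(self) -> int:
        """Likelihood x impact; rejects values outside the 1..5 scale."""
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and impact must be between 1 and 5")
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        """Banding is an assumption for this example, not an HHS-prescribed scale."""
        if self.score >= 15:
            return "high"
        if self.score >= 8:
            return "medium"
        return "low"


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Highest score first; among equal scores, the cheaper fix first."""
    return sorted(risks, key=lambda r: (-r.score, r.effort_days))


def build_roadmap(risks: List[Risk], start: date, quick_win_days: int = 5) -> List[Risk]:
    """Step 4: turn the ranked list into a dated plan.

    Medium and high risks that can be closed within `quick_win_days` are
    scheduled before everything else; remaining items follow in rank order.
    Due dates are assigned back to back from `start`.
    """
    ranked = rank_risks(risks)
    quick_wins = [r for r in ranked if r.level != "low" and r.effort_days <= quick_win_days]
    remainder = [r for r in ranked if r not in quick_wins]
    cursor = start
    plan = []
    for risk in quick_wins + remainder:
        risk.due = cursor + timedelta(days=risk.effort_days)
        cursor = risk.due
        plan.append(risk)
    return plan


def sample_register() -> List[Risk]:
    """Constructed entries that mirror the starting points listed above."""
    return [
        Risk("Staff laptops", "Theft or loss of device", "No full-disk encryption",
             likelihood=3, impact=5, effort_days=2, owner="IT lead",
             remediation="Enable full-disk encryption on every laptop storing ePHI"),
        Risk("Cloud backup console", "Ransomware via admin account takeover", "No MFA on admin logins",
             likelihood=4, impact=5, effort_days=3, owner="Security Officer",
             remediation="Enforce MFA on the backup console"),
        Risk("Email", "PHI read in transit", "Standard email without encryption or BAA",
             likelihood=3, impact=4, effort_days=10, owner="Operations",
             remediation="Move PHI messaging to a HIPAA-compliant encrypted email service"),
        Risk("Front-office workstations", "Unattended session used by a passer-by", "No automatic logoff",
             likelihood=2, impact=2, effort_days=1, owner="IT lead",
             remediation="Configure automatic logoff after inactivity"),
    ]


if __name__ == "__main__":
    for r in build_roadmap(sample_register(), start=date(2024, 1, 8)):
        print(f"{r.due}  {r.level:6}  score={r.score:2}  {r.owner:16}  {r.remediation}")
```

Keeping the register as structured data rather than a spreadsheet makes the annual re-run and the "significant change" reassessments mechanical: add or re-score entries, rebuild the roadmap, and archive the output alongside the rest of your six-year documentation.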
Policies, Documentation, and Safeguard Requirements
Written policies are the backbone of HIPAA compliance. An auditor from the OCR won’t just ask what you do — they’ll ask to see proof. If it isn’t documented, it doesn’t count.
Every non-medical SMB handling PHI needs written policies covering at minimum:
- Access management: Who is authorized to access which PHI and under what circumstances
- Encryption: Standards for protecting ePHI both at rest (stored) and in transit (transmitted)
- Mobile device and BYOD rules: Requirements for personal devices used to access ePHI
- Contingency planning: Data backup procedures, disaster recovery, and emergency access protocols
- Incident response: Steps to detect, contain, assess, and report potential breaches
- Vendor management: How you vet and monitor third parties who may access PHI
Even if your team is small, HIPAA requires you to designate a Privacy Officer (responsible for PHI use and disclosure policies) and a Security Officer (responsible for ePHI safeguards and the SRA). In a small business, one person can fill both roles — but the responsibilities must be clearly assigned and documented.
All HIPAA-related documentation must be retained for a minimum of six years from the date of creation or the date it was last in effect, whichever is later.
Use this checklist to track your core technical safeguards:
- Full-disk encryption on all devices storing ePHI
- MFA enabled on all accounts accessing ePHI
- Role-based access control (RBAC) so each user accesses only what they need
- Secure, HIPAA-compliant email for any messages containing PHI
- Automatic logoff after a set period of inactivity
- Audit logs recording who accessed ePHI, when, and what actions they took
For more foundational guidance on building your small business compliance infrastructure, see our guide on small business data security basics.
Vendor and Business Associate Agreement (BAA) Management
One of the most overlooked HIPAA requirements for non-medical SMBs involves the vendors you rely on every day. Any vendor that accesses, stores, or transmits PHI on your behalf must sign a Business Associate Agreement (BAA) before they ever receive a byte of that data. No exceptions.
A BAA is a legally binding contract that defines how the vendor will protect PHI, what they’ll do in the event of a breach, and what your rights are if they fail to comply. Signing one doesn’t transfer your liability — it establishes shared accountability.
Before signing a BAA — or allowing any vendor access — conduct due diligence:
- Ask for documentation of their HIPAA compliance program
- Look for third-party certifications like SOC 2 Type II or HITRUST
- Review their breach history and how past incidents were handled
- Confirm their data storage locations and encryption standards
BAAs also need to flow downstream. If your subcontractors touch PHI — even indirectly — they must sign BAAs with you. Your liability does not end at the first tier of your vendor chain. If a subcontractor you hired causes a breach, you bear responsibility for failing to secure the right agreements.
Practical steps for ongoing vendor management:
- Maintain a vendor inventory that identifies every third party with PHI access
- Use only HIPAA-compliant platforms for cloud storage, email, and communication (standard Gmail and Dropbox do not qualify without a signed BAA)
- Review all BAAs annually to confirm they still reflect current services and meet updated requirements
- Terminate access immediately when a vendor relationship ends
Workforce Training and Access Controls
Your technology safeguards are only as strong as the people using them. HIPAA requires that every employee who accesses PHI receive formal compliance training — at onboarding and at least once per year after that. This isn’t a suggestion. Training records must be documented and retained.
Effective training covers:
- What PHI is and how to recognize it
- How to handle, store, and transmit PHI according to company policy
- How to identify phishing attempts and social engineering tactics
- Steps to take when a potential breach is suspected
- Consequences of non-compliance — both for the company and the individual
Pair training with strong access controls. Role-based access control (RBAC) ensures that employees can only see the PHI required to perform their specific job. A billing coordinator doesn’t need access to clinical notes. A help desk technician doesn’t need access to patient financial records. Limit access by design, not as an afterthought.
For remote and BYOD environments, the risks multiply. Enforce MFA across every system that stores or transmits ePHI. Require device encryption on personal devices used for work. Consider a Mobile Device Management (MDM) solution that lets you remotely wipe a lost or stolen device.
Audit logs are your compliance safety net. Configure your systems to record who accessed what data, when, and what they did with it. Review these logs regularly. In the event of an incident or audit, your logs tell the story — and demonstrate that you were paying attention. Learn more about access management frameworks in our overview of small business cybersecurity policies.
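Reviewing logs "regularly" only works if the review is repeatable, so here is an added example, not code from the article, that checks constructed audit-log lines against a role-based access policy of the kind described above. It flags a role reading a record type outside its job (the minimum necessary standard), access outside business hours, bulk exports, and lines the reviewer cannot parse, since an unreadable log cannot demonstrate anything to an auditor. The JSON-lines format, the role-to-record permissions, the business-hours window and every log entry are assumptions constructed for illustration.

```python
"""Added example: a repeatable audit-log review against an RBAC policy.
Log format, roles, permissions, hours window and every log line are
constructed assumptions for illustration, not a real system's data."""
import json
from datetime import datetime
from typing import Dict, List, Tuple

# Assumed minimum-necessary policy: which ePHI record types each role may touch.
ROLE_PERMISSIONS: Dict[str, set] = {
    "billing_coordinator": {"claim", "invoice", "insurance_id"},
    "helpdesk_tech": {"account", "device"},
    "clinician": {"clinical_note", "claim"},
}

# Assumed normal working hours (07:00 to 19:59 local time).
BUSINESS_HOURS = range(7, 20)

# Constructed sample log in an assumed JSON-lines format; the last line is
# deliberately malformed to show how the review treats unreadable records.
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:12:05", "user": "ana", "role": "billing_coordinator", "record": "claim", "patient": "P-1001", "action": "read"}
{"ts": "2024-03-04T09:13:40", "user": "ana", "role": "billing_coordinator", "record": "clinical_note", "patient": "P-1001", "action": "read"}
{"ts": "2024-03-04T22:47:11", "user": "raj", "role": "helpdesk_tech", "record": "account", "patient": "P-2002", "action": "reset_password"}
{"ts": "2024-03-04T14:02:19", "user": "raj", "role": "helpdesk_tech", "record": "invoice", "patient": "P-3003", "action": "export"}
{"ts": "2024-03-04T10:30:00", "user": "lee", "role": "clinician", "record": "clinical_note", "patient": "P-1001", "action": "update"}
{"ts": "not-a-timestamp", "user": "svc", "role": "clinician", "record": "claim", "patient": "P-4004", "action": "read"}
"""

Finding = Tuple[str, str]  # (kind, human-readable detail)


def parse_log(text: str) -> List[dict]:
    """Parse JSON lines; a line that cannot be parsed is kept as an error record."""
    events = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
            event["ts"] = datetime.fromisoformat(event["ts"])
            for key in ("user", "role", "record", "patient", "action"):
                event[key]  # raise KeyError if a required field is missing
        except (ValueError, KeyError) as exc:
            events.append({"error": f"line {number}: {exc}"})
            continue
        events.append(event)
    return events


def review(events: List[dict]) -> List[Finding]:
    """Apply the review rules to each event and collect findings in log order."""
    findings: List[Finding] = []
    for e in events:
        if "error" in e:
            findings.append(("unparseable", e["error"]))
            continue
        who = f'{e["user"]} ({e["role"]})'
        allowed = ROLE_PERMISSIONS.get(e["role"], set())
        if e["record"] not in allowed:
            # Minimum necessary: this role has no business reading this record type.
            findings.append(("role_violation", f'{who} accessed {e["record"]} for {e["patient"]}'))
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("after_hours", f'{who} acted at {e["ts"].isoformat()}'))
        if e["action"] == "export":
            # Exports move PHI out of the system and deserve a second look every time.
            findings.append(("bulk_export", f'{who} exported {e["record"]} for {e["patient"]}'))
    return findings


def run_review(text: str = SAMPLE_LOG) -> List[Finding]:
    return review(parse_log(text))


if __name__ == "__main__":
    for kind, detail in run_review():
        print(f"{kind:15} {detail}")
```

Each finding is a question for the Security Officer rather than a verdict: a role violation may be a misassigned permission, a stale role, or genuine snooping, and the written record of how each one was investigated is exactly the evidence an OCR reviewer asks for.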
Incident Response and Breach Notification
No security program is perfect. The organizations that weather breaches best are the ones that had a plan before anything went wrong. HIPAA requires a documented incident response plan — and the time to write it is not after a breach is discovered.
Your plan should address four core phases:
- Detection: How will you identify that an incident has occurred? What systems generate alerts?
- Containment: What immediate steps limit further exposure? Who is authorized to act?
- Assessment: Does the incident meet the legal definition of a breach? Was PHI actually accessed or acquired by an unauthorized party?
- Notification: Who needs to be notified, and by when?
Notification timelines under the Breach Notification Rule are firm. For breaches affecting 500 or more individuals:
- Notify affected individuals within 60 days of discovery
- Report to the HHS OCR within the same 60-day window
- Notify prominent media outlets in affected states
For breaches affecting fewer than 500 individuals, you still notify affected individuals within 60 days, but you may report to HHS annually rather than immediately.
As a business associate, you must also notify the covered entity you work with without unreasonable delay — and in no case later than 60 days after discovery. Your healthcare client then carries the obligation to notify their patients.
After any incident — even one that doesn’t meet the breach threshold — conduct a root-cause analysis. Update your SRA and policies to close the gap that allowed the incident to occur. Document everything: what happened, when you discovered it, what you did, and what you changed. Thorough records are your strongest defense in an OCR investigation.
Common HIPAA Mistakes Non-Medical SMBs Make
Most HIPAA violations by non-medical SMBs don’t come from malicious intent — they come from avoidable oversights. Knowing what trips other businesses up puts you ahead of the curve.
Assuming HIPAA doesn’t apply. “We’re not in healthcare” is the most dangerous assumption a BA can make. If your business touches PHI on behalf of a covered entity, the law applies — full stop. Ignorance is not a defense the OCR accepts.
Skipping or delaying the SRA. Many small businesses treat the SRA as a future task rather than an immediate requirement. There is no compliant path that doesn’t run through a completed, documented risk assessment.
Missing BAAs with vendors and subcontractors. Signing a BAA with your direct healthcare client but forgetting to secure one with the cloud provider hosting that client’s data is a compliance gap the OCR routinely finds. Every link in the chain needs a signed agreement.
Ignoring remote work and BYOD risks. The shift to distributed work expanded the attack surface for most businesses dramatically. Unmanaged personal devices, unsecured home networks, and informal file-sharing habits all create PHI exposure that on-site security controls can’t address.
Inconsistent or missing documentation. Compliance that exists in practice but not on paper offers no protection during an audit. Train your team not just on what to do, but on how to record that they did it. For a broader look at building solid compliance documentation habits, visit the SBA’s guide to staying legally compliant.
Key Takeaways
- HIPAA for non-medical SMB owners applies to any business that creates, receives, maintains, or transmits PHI on behalf of a healthcare covered entity — making you a Business Associate with full compliance obligations.
- The three rules you must follow are the Privacy Rule, the Security Rule, and the Breach Notification Rule — each with distinct requirements around PHI handling, ePHI safeguards, and breach reporting timelines.
- A Security Risk Assessment is your mandatory starting point. Conduct one before handling ePHI, repeat it annually, and document every finding and action taken.
- Execute a Business Associate Agreement with every vendor that touches PHI — and require those vendors to do the same with their subcontractors.
- Designate a Privacy Officer and Security Officer, implement RBAC and MFA, train your entire workforce annually, and maintain all documentation for a minimum of six years.
- Build an incident response plan before you need it. Know your notification timelines and conduct a root-cause analysis