Providers in small office practices often assume they don't need to worry about HIPAA investigations because they are too small for the government to notice. That assumption is wrong, and it can get a practice into serious trouble.

OCR (the HHS Office for Civil Rights), the agency responsible for enforcing HIPAA, pursues enforcement against covered entities and business associates of every size. Where the administrative, technical and physical safeguards needed to protect the privacy and security of protected health information (PHI) are not in place and followed, OCR has imposed civil penalties, and it refers cases that may involve knowing violations to the Department of Justice for criminal prosecution.

In fact, private practices are the MOST common type of covered entity that OCR has required to take corrective action to achieve HIPAA compliance.

OCR investigates complaints, follows up on breach reports, and also conducts compliance audits that can select a practice without any complaint having been filed. If OCR determines that a violation exists, the covered entity or business associate may be required to do one or more of the following:

  • Implement a voluntary compliance plan – a plan under which you correct the identified problems and monitor your own compliance against the HIPAA requirements.
  • Enter into a resolution agreement – a settlement with a corrective action plan under which OCR monitors your compliance, typically for up to 3 years.
  • Pay civil money penalties, or face criminal penalties if the matter is referred to the Department of Justice. These are reserved for the most serious violations, but they have been imposed on small practices as well. In setting the amount, OCR considers how long the violation went on, how many people were affected, the nature and sensitivity of the PHI exposed, the organization's overall efforts to comply with HIPAA, and its willingness to cooperate with the investigation.


ALL practices, regardless of size, must have a HIPAA compliance plan in place and must conduct a risk analysis, reviewed at least annually, to identify the gaps between what HIPAA requires and what you actually do. The review must document how you are addressing each gap you have identified, or why you have chosen not to address it, and that decision must be a documented risk judgment, not an oversight.

Be sure to create or review your plan TODAY so you can be compliant with HIPAA – it's the law!