If you run a small medical practice in Northern Virginia or Washington DC — a family medicine clinic, a specialist office, a dental practice, or a mental health group — HIPAA compliance may feel like a problem for larger organizations. It isn't. The Office for Civil Rights enforces the same rules regardless of practice size, and 2026 brings the most significant update to the HIPAA Security Rule since 2013. If your practice hasn't reviewed its compliance program recently, now is the time.
This guide breaks down exactly what your practice needs to have in place, what changed in 2026, and what to do first if you're starting from scratch.
What Changed in 2026
The 2026 HIPAA Security Rule update is the biggest regulatory change in over a decade. Several protections that were previously "addressable" — meaning practices could choose alternative approaches — are now mandatory. Here is what changed and what it means for your practice:
- Encryption is now required. All electronic protected health information (ePHI) must be encrypted both at rest and in transit. There is no longer an option to skip encryption by documenting a reason for not using it.
- Multi-factor authentication is mandatory. Every system that accesses ePHI must require MFA. This includes your EHR, billing platform, patient portal, and any cloud storage that holds patient data.
- Technology asset inventories are required. You must maintain a written, current inventory of every device and system that creates, receives, stores, or transmits ePHI, along with a network map showing how data flows.
- Vulnerability scanning every six months. Practices must now conduct formal vulnerability scans of ePHI systems twice per year.
- Annual penetration testing. At least once per year, your systems must be tested to identify exploitable weaknesses before an attacker does.
- 72-hour system restoration. In the event of an incident, your practice must be able to restore critical systems within 72 hours.
Important: The OCR is launching its first formal audit program since 2017 this year. Small practices in Northern Virginia and across the country should expect increased scrutiny. An unannounced audit without a documented compliance program can result in immediate fines.
The Core HIPAA Compliance Checklist
Use this checklist to assess where your practice stands today. These are the areas OCR auditors examine first.
1. Security Risk Analysis
The Security Risk Analysis (SRA) is the single most important compliance requirement — and the most commonly cited deficiency in enforcement actions. Every covered entity must conduct one, regardless of size. It identifies where ePHI lives in your systems, how it flows, what threats exist, and what gaps need to be closed.
- Conducted a formal Security Risk Analysis within the last 12 months
- Documented findings in a written report (not just verbal notes)
- Created and are following a remediation plan based on SRA findings
- Updated the SRA after adding new systems, vendors, or locations
2. Administrative Safeguards
These are the policies, procedures, and workforce requirements that govern how your practice manages ePHI.
- Designated a HIPAA Privacy Officer and Security Officer (can be the same person in small practices)
- Written policies covering access management, workforce sanctions, and incident response
- All staff trained on HIPAA at hire and annually — with documented completion records
- Workforce access limited to minimum necessary ePHI for each role
- Procedures for responding to and documenting security incidents
3. Technical Safeguards
This is where most small practices are exposed. Technical safeguards cover the IT systems and controls that protect ePHI.
- All ePHI encrypted at rest and in transit (required under 2026 rule)
- Multi-factor authentication enabled on all systems accessing ePHI
- Audit logs enabled — every access to ePHI is recorded automatically
- Automatic session timeouts on workstations and portals
- Technology asset inventory documented and current
- Vulnerability scans completed within the last 6 months
4. Physical Safeguards
Physical safeguards protect the spaces and devices where ePHI exists.
- Workstations positioned so patient screens cannot be seen from waiting areas
- Server room or data closet is locked with access controls
- Policies for disposal of devices — hard drives wiped or destroyed before disposal
- Policies for lost or stolen mobile devices that access ePHI
5. Business Associate Agreements
Every vendor that touches your patient data must sign a Business Associate Agreement (BAA) before it accesses any ePHI. This is a frequent gap in small practices — especially with vendors that have been working with the practice for years without one on file.
Common BAA gaps: EHR vendors, medical billing companies, cloud storage providers, IT support firms, answering services, email encryption tools, and even shredding companies all require BAAs. Audit your vendor list now.
- Current, signed BAA on file for every vendor that accesses ePHI
- BAAs reviewed and updated when vendor contracts renew or change
- Vendor inventory maintained with BAA status tracked
6. Breach Notification Plan
If a breach of unsecured ePHI occurs, HIPAA requires specific notifications within defined timeframes. Many enforcement fines stem not from the breach itself but from late or incorrect notifications.
- Written breach response procedure in place
- Staff know how to recognize and immediately report potential breaches
- Breach log maintained — even for small incidents that don't require external notification
- Individuals notified within 60 days of breach discovery
- HHS/OCR notified annually of breaches affecting fewer than 500 individuals
Where Small Practices in Northern Virginia Are Most Exposed
Working with healthcare practices across Northern Virginia and the Washington DC area, we see the same gaps repeatedly. The most common are missing Business Associate Agreements with IT vendors, outdated or undocumented Security Risk Analyses, no multi-factor authentication on the EHR, and staff who received HIPAA training at hire but never again.
The 2026 changes make the IT component especially critical. Encryption and MFA are no longer optional — and most small practices haven't verified whether their current IT setup actually meets these requirements. Assuming your EHR vendor handles all of this is the most common and costly mistake we see.
Quick test: Ask your current IT provider to show you your encryption documentation, your MFA configuration for ePHI systems, and the last vulnerability scan report. If they can't produce all three within 24 hours, your practice has a compliance gap.
What to Do First
If your practice hasn't conducted a Security Risk Analysis in the last 12 months, start there. It is the foundation of everything else. Document your findings, create a remediation plan, and work through it systematically.
For practices in Northern Virginia and Washington DC, JPert INC provides HIPAA-aligned managed IT services specifically designed for healthcare organizations. We handle the technical safeguards — encryption, MFA, vulnerability scanning, audit logging, asset inventory — and document everything in a format OCR auditors expect to see. We also sign Business Associate Agreements as your IT partner, which is a requirement your current provider should already have offered.
A free IT and security assessment is the fastest way to understand exactly where your practice stands before an auditor does.