HIPAA compliance is one of those topics that makes solo docs' eyes glaze over, which is exactly why it's important to talk about in plain language. The regulations were written for hospital systems with dedicated compliance officers. But the penalties apply to you just as much as they apply to Johns Hopkins, and a breach at a solo practice can be financially devastating in ways that a large system can absorb.

Here's the practical, non-theoretical guide to HIPAA security that I wish someone had given me when I started my practice. Everything I recommend here costs less than $100/month total, and most of it is free.

The Non-Negotiables

1. Use a password manager. Bitwarden ($10/month for the premium tier, or free for the basic tier). Every account gets a unique, randomly generated password that is at least 20 characters long. You memorize exactly one password: your Bitwarden master password. That password should be long, memorable, and not used anywhere else. If you take nothing else from this article, do this.

2. Enable two-factor authentication on everything. Your EMR, your email, your bank, your pharmacy accounts. Use an authenticator app (I use Authy), not SMS-based 2FA, because SIM-swap attacks are real and are being used against healthcare providers. If a service doesn't offer 2FA, that's a red flag about their security posture and I'd think twice about storing PHI there.

3. Encrypt your devices. FileVault on Mac, BitLocker on Windows. Both are free and built into the operating system. If your laptop gets stolen from your car (this happens more than you'd think), encryption means the thief gets a paperweight instead of access to patient records. Turn it on, verify it's running, and move on.

4. Use a cloud-based EMR. This is going to sound like a plug for Hero EMR, and it partially is, but the broader point is important. A well-run cloud EMR handles server security, data encryption, backups, and disaster recovery for you. Running a local server in your office closet means you're responsible for all of that yourself, and unless you're moonlighting as a systems administrator, you're going to miss something. Hero EMR encrypts data at rest and in transit, maintains SOC 2 Type II compliance, runs on redundant infrastructure, and handles backups automatically. I could not replicate that security posture on my own for any reasonable amount of money.

The Important-But-Often-Skipped Steps

5. Write a Security Risk Assessment. HIPAA requires an annual risk assessment. You can do this yourself using the HHS Security Risk Assessment Tool (free, available at healthit.gov). It walks you through a questionnaire about your security practices and generates a report. It takes about two hours, and it will absolutely reveal gaps you haven't thought about. Do it annually and keep the reports. If you're ever audited, having documented risk assessments is the single most important thing you can show an investigator.

6. Maintain a BAA (Business Associate Agreement) with every vendor that touches PHI. Your EMR vendor, your fax service, your cloud storage provider, your IT support person. If they can access patient data, they need a BAA. Hero EMR provides theirs automatically during onboarding. SRFax has one on their website. Google Workspace has a BAA you can enable in admin settings. If a vendor won't sign a BAA, do not use that vendor for anything involving patient information.

7. Secure your office WiFi. WPA3 encryption, strong password, separate guest network for patients (if you offer WiFi in your waiting room). Your practice network and your patient WiFi should be completely separate. Most modern routers support this out of the box. If yours doesn't, buy a new router. A $150 router upgrade is infinitely cheaper than a HIPAA breach.

8. Physical security matters. Lock your office. Lock your server closet (if you have one). Position computer screens so patients in the waiting room can't see them. Use privacy screen filters on laptops. Log out of your EMR when you step away, even for a minute. These feel like obvious things, but OCR (the HHS Office for Civil Rights) investigation reports are full of breaches that started with an unlocked door or an unattended screen.

The Free Tools I Use

Cloudflare Zero Trust (free tier): DNS-level filtering that blocks known malicious domains. It takes about 20 minutes to set up and runs silently in the background. It won't stop a sophisticated targeted attack, but it blocks the vast majority of drive-by malware and phishing domains.

macOS built-in firewall: Turned on, configured to block all incoming connections except the specific services I need. If you're on Windows, the built-in Windows Defender firewall is similarly capable.

Automatic OS updates: Turned on for both my Mac and my iPhone. Security patches get applied automatically. I know some people prefer to wait and test updates before applying them, but for a solo practice without an IT team, the risk of an unpatched vulnerability being exploited is higher than the risk of an update causing problems.
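The "turn it on, verify it's running" advice for device encryption (item 3), the firewall, and automatic updates is easy to skip because verifying takes a trip through three different System Settings panes. The script below is an added example (mine, not part of the original article or any vendor's tooling) that reads all three from the command line on a Mac. It assumes the output formats noted in the comments (fdesetup prints "FileVault is On." or "FileVault is Off.", socketfilterfw prints "State = 1" when enabled, and the SoftwareUpdate preference reads as 1 or 0); the parsing is kept in separate functions so the logic can be checked against constructed sample output on any machine. The Windows counterparts are Get-BitLockerVolume and Get-NetFirewallProfile in PowerShell.

```shell
#!/bin/sh
# Added example, not from the original article: a read-only audit of the
# "turn it on and verify it's running" items on a Mac -- FileVault (item 3),
# the application firewall, and automatic update checks.
# Each check is a pure function over the command's text output, so it can be
# exercised offline with constructed sample strings; run_audit calls the real
# macOS commands. Assumed output formats (verify on your own machine):
#   fdesetup status                  -> "FileVault is On." / "FileVault is Off."
#   socketfilterfw --getglobalstate  -> "Firewall is enabled. (State = 1)"
#   defaults read ...SoftwareUpdate AutomaticCheckEnabled -> "1" or "0"

# Returns 0 when the FileVault status text reports encryption is on.
filevault_enabled_from() {
    case "$1" in
        *"FileVault is On"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when the application firewall reports global state 1 (enabled).
firewall_enabled_from() {
    case "$1" in
        *"State = 1"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when a SoftwareUpdate preference value reads as 1 (whitespace ignored).
auto_update_enabled_from() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# Echoes how many of the three checks fail, given the three raw outputs.
# Unknown or empty output counts as a failure: "can't verify" is not "on".
count_failures() {
    fails=0
    filevault_enabled_from "$1"   || fails=$((fails + 1))
    firewall_enabled_from "$2"    || fails=$((fails + 1))
    auto_update_enabled_from "$3" || fails=$((fails + 1))
    echo "$fails"
}

# Prints PASS/FAIL for one check. $1 = label, remaining args = the check to run.
report() {
    label=$1
    shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

# Runs the real macOS commands and prints a short report.
run_audit() {
    fv=$(fdesetup status 2>/dev/null || echo unknown)
    fw=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null || echo unknown)
    up=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled 2>/dev/null || echo 0)
    report "FileVault full-disk encryption" filevault_enabled_from "$fv"
    report "Application firewall enabled" firewall_enabled_from "$fw"
    report "Automatic update checks enabled" auto_update_enabled_from "$up"
    echo "$(count_failures "$fv" "$fw" "$up") check(s) need attention"
}

# Only call the real commands on macOS; elsewhere the parsing functions can
# still be exercised with sample output.
if [ "$(uname 2>/dev/null)" = "Darwin" ]; then
    run_audit
fi
```

Run it with `sh audit.sh` and keep the output with your annual risk assessment paperwork: a dated PASS line for each device is exactly the kind of evidence an investigator asks for. A FAIL on the firewall line means the application firewall is off entirely; the article's "block all incoming except the services I need" setting is a separate switch in the same Firewall pane, so check that one by hand after the global state passes.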

The $100/Month HIPAA Security Stack

Tool                           Cost       Purpose
Bitwarden Premium              $10/mo     Password management
Cloudflare Zero Trust          Free       DNS security
Authy                          Free       Two-factor authentication
FileVault / BitLocker          Free       Device encryption
HHS SRA Tool                   Free       Annual risk assessment
macOS / Windows firewall       Free       Network protection
Hero EMR (security features)   Included   PHI encryption, backups, SOC 2
Managed router (one-time)      ~$150      WPA3, network segmentation
Total monthly                  $10

Yes, the ongoing monthly cost is just $10 for Bitwarden. Everything else is either free or a one-time purchase. HIPAA compliance doesn't have to be expensive. It has to be deliberate. The practices that get into trouble aren't the ones that can't afford security tools. They're the ones that never sat down and thought systematically about their security posture.

Spend two hours this weekend doing the HHS risk assessment, set up Bitwarden, enable 2FA everywhere, and verify your devices are encrypted. You'll be more secure than 80% of solo practices in the country, and you'll have documentation to prove it.