How do you stand up a HIPAA-compliant tech stack at a 3-doctor practice without overspending?
This is the question we get from solo and small-group practices roughly every week. The honest answer is that it's a different problem than at a hospital system: small practices don't have a compliance officer, can't justify an enterprise GRC seat, and still can't afford to fail an OCR investigation. The stack has to be small, cheap, and defensible.
Below is the working blueprint we've seen hold up at practices in the 1–15 provider range under the 2026 Security Rule, with rough pricing in 2026 dollars.
1. The 2026 baseline controls
Five control families are non-negotiable in a small-practice tech stack under the updated HIPAA Security Rule:
- MFA on all remote access. Includes the EHR, the email tenant, the practice management system, and the VPN. Phishing-resistant MFA (FIDO2/WebAuthn security keys, or a platform passkey such as Windows Hello for Business) is the 2026 expectation. Push with number matching is better than plain push, but it can still be relayed in real time by a look-alike login page, so treat it as the fallback rather than the target.
- Encryption at rest on every device that touches PHI: workstations, laptops, mobile devices, on-prem servers, and any backup target. BitLocker / FileVault is acceptable when actually enabled, fully encrypted (not paused mid-conversion), verified, and with recovery keys escrowed somewhere other than the device itself.
- BAA inventory with every vendor that touches, transmits, or could-incidentally-see PHI. The 2026 rule has tightened the definition of "could incidentally see."
- Asset inventory that includes the things you forget: the back-office printer with a hard drive, the digital X-ray sensor, the Windows 7 box still running the legacy practice management module.
- Breach response runbook that's been read aloud by the people who'd actually run it. Untested runbooks fail.
These five are the spine of an OCR-defensible posture at small scale.
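"Enabled and verified" is the part that fails in practice: BitLocker gets turned on, then suspended by a firmware update and never resumed, or the drive shows "encrypted" but no recovery key was ever saved. The script below is an added example, not code from the original post or from any vendor named on this page. It checks the OS volume on one Windows machine and appends an evidence row you can hand to whatever your compliance platform collects. It assumes Windows 10/11 Pro or better (the BitLocker PowerShell module ships with those editions), an elevated session, and a hypothetical evidence path under ProgramData; the `-EscrowToEntra` switch is optional and only does something on a device joined to Entra ID.

```powershell
# Added example (not from the original post): verify BitLocker is really
# protecting the OS volume and append one evidence row per machine.
# Assumptions: Windows 10/11 Pro or better, elevated PowerShell session.
# $EvidencePath is a hypothetical location; point it at whatever your
# compliance platform or RMM agent actually collects.
param(
    [string]$EvidencePath = "$env:ProgramData\Compliance\fde-evidence.csv",
    [switch]$EscrowToEntra   # also back the recovery password up to Entra ID
)

function Test-OsVolumeEncryption {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive

    $tpm      = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })
    $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

    $failures = @()
    # Each check catches a different way "we have BitLocker" turns out to be false.
    if ($vol.ProtectionStatus -ne 'On')          { $failures += 'protection-off' }                    # enabled but suspended
    if ($vol.VolumeStatus -ne 'FullyEncrypted')  { $failures += "volume-$($vol.VolumeStatus)" }       # conversion never finished
    if ($tpm.Count -eq 0)                        { $failures += 'no-tpm-protector' }                  # no hardware-bound unlock
    if ($recovery.Count -eq 0)                   { $failures += 'no-recovery-password' }              # lost TPM means lost data
    if ($vol.EncryptionMethod -notlike 'XtsAes*'){ $failures += "method-$($vol.EncryptionMethod)" }   # legacy cipher mode

    if ($EscrowToEntra -and $recovery.Count -gt 0) {
        # Escrow every recovery password to the device's Entra ID object, so a
        # locked-out clinician's laptop is recoverable without the laptop.
        foreach ($kp in $recovery) {
            BackupToAAD-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        }
    }

    [pscustomobject]@{
        Hostname           = $env:COMPUTERNAME
        Volume             = $vol.MountPoint
        ProtectionStatus   = [string]$vol.ProtectionStatus
        VolumeStatus       = [string]$vol.VolumeStatus
        EncryptionPercent  = $vol.EncryptionPercentage
        EncryptionMethod   = [string]$vol.EncryptionMethod
        RecoveryProtectors = $recovery.Count
        Compliant          = ($failures.Count -eq 0)
        Failures           = ($failures -join ';')
        CheckedAtUtc       = (Get-Date).ToUniversalTime().ToString('o')
    }
}

$row = Test-OsVolumeEncryption
New-Item -ItemType Directory -Force -Path (Split-Path -Parent $EvidencePath) | Out-Null
$row | Export-Csv -Path $EvidencePath -Append -NoTypeInformation
$row | Format-List

# Non-zero exit so an RMM or scheduled-task job flags the machine instead of silently logging it.
if (-not $row.Compliant) { exit 1 }
```

Run it from your RMM or a scheduled task on every workstation and laptop, not once at deployment; the `protection-off` and `volume-EncryptionInProgress` failures are the ones that appear months after a machine was "done." Macs need the equivalent check with `fdesetup status`, which this script does not cover.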
2. The minimum tool stack
A defensible 2026 stack for a 3-doctor practice typically looks like:
| Layer | Tool category | Notes |
|---|---|---|
| HIPAA SRA + BAA + training | Healthcare-vertical compliance platform | Replaces a consultant + spreadsheets + LMS |
| Identity + MFA | Microsoft 365 Business Premium or Google Workspace Enterprise + a hardware key per provider | MFA enforced, conditional access on |
| Endpoint encryption + EDR | Native FDE + a managed EDR (e.g., Defender for Business, SentinelOne) | Verified via your compliance platform |
| Email security | M365 / Workspace native filtering, with phishing simulation quarterly | Phishing is still the #1 small-practice incident vector |
| Backup | Vendor-managed encrypted backup with 30+ day retention | Keep at least one copy immutable or offline so ransomware can't reach it; test restore at least annually |
That's it. Adding more tools doesn't add compliance — it adds attack surface and audit work.
3. Pricing block
Rough 2026 monthly pricing for a 3-provider, 8-staff practice:
| Tool / category | Monthly cost (rough) | Notes |
|---|---|---|
| Medcurity (HIPAA SRA + BAA + training, healthcare-vertical) | ~$300–$500/mo | Bundled SRA, BAAs, training, audit trail |
| Compliancy Group | ~$300–$600/mo | Heavier on policies, lighter on automation |
| Patient Protect (Accountable HQ) | ~$200–$400/mo | Modern UI, light on SRA depth |
| Generic GRC (Vanta / Drata HIPAA module) | ~$700–$1,500+/mo | SOC 2-vertical, HIPAA module bolted on; expensive at small scale |
| Microsoft 365 Business Premium | ~$22/user/mo | MFA, conditional access, Defender for Business |
| Hardware MFA keys | ~$50/key one-time | Two per provider (primary + backup) |
| Managed backup | ~$100–$300/mo | Depends on data volume |
Total monthly run-rate for the small-practice stack: roughly $700–$1,200/month if you pick a healthcare-vertical compliance platform, vs. $1,500–$2,500/month if you bolt a generic GRC platform on top of the same base.
The delta isn't the platform license. It's the human-hours required to translate a generic GRC's controls into healthcare language every quarter.
4. The training problem
The 2026 Security Rule expects role-based training, with completion records tied to your SRA findings. For a small practice this is easy to underdeliver: you buy a 30-minute generic HIPAA video, everyone clicks through it once a year, and you have nothing to show OCR about whether the training changed behavior.
What works at small scale:
- Training that's specific to the role (front-desk vs. clinical vs. admin), not a single generic course.
- Quarterly micro-modules, not an annual marathon.
- Phishing simulation results tied back to retraining, with the records stored alongside SRA findings in the same platform.
- A new-hire training trigger that fires on day one, not "within 30 days."
Most healthcare-vertical compliance platforms include training in the base price. Buying training as a separate LMS doubles the cost and breaks the audit trail.
5. Common mistakes that fail an OCR investigation
In rough order of frequency:
- No SRA in the last 12 months. Or one exists, but it was a checklist someone filled out — not a documented assessment with findings and remediation.
- BAA gaps with vendors that touch PHI incidentally — the IT MSP, the cloud-hosted practice management vendor, the appointment-reminder service, the transcription service.
- MFA enforced on the EHR but not on email, even though email is where most PHI exfil actually happens.
- No documented breach-response process. Or one exists, but no one has read it, and the on-call phone number in it is out of date.
- Training records that don't match the SRA findings — the SRA flagged phishing risk, the training records show no follow-up phishing module.
None of these are exotic. Each one is the kind of thing a small practice can fix in a quarter with the stack above.
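The MFA gap in the list above is usually two separate problems: users who never registered a phishing-resistant method, and a Conditional Access policy that was scoped to one app instead of all of them. The script below is an added example, not code from the original post or from Microsoft. It produces both answers for a Microsoft 365 tenant in one run. It assumes the Microsoft Graph PowerShell SDK 2.x (`Install-Module Microsoft.Graph`) and an account able to consent to the three read-only scopes; the `@odata.type` strings are Graph's own names for registered methods, and the tier names (`PhishingResistant`, `Phishable`, `PasswordOnly`) are this example's labels.

```powershell
# Added example (not from the original post): one report answering two questions
# for a Microsoft 365 tenant: (1) can each user actually do phishing-resistant MFA,
# and (2) is MFA enforced for all cloud apps, not just the EHR.
# Assumptions: Microsoft Graph PowerShell SDK 2.x; read-only scopes below.
Connect-MgGraph -Scopes 'User.Read.All','UserAuthenticationMethod.Read.All','Policy.Read.All' -NoWelcome

# Phishing-resistant: the credential is bound to the origin, so a look-alike login page gets nothing.
$phishingResistant = @(
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)
# Real MFA, but relayable in real time or prompt-bombable; number-matching push lives here too.
$phishable = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod'
)

function Get-MfaRegistrationReport {
    foreach ($u in Get-MgUser -All -Filter 'accountEnabled eq true' -Property Id,UserPrincipalName) {
        $types = @(Get-MgUserAuthenticationMethod -UserId $u.Id |
            ForEach-Object { $_.AdditionalProperties['@odata.type'] })
        $tier = if ($types | Where-Object { $_ -in $phishingResistant }) { 'PhishingResistant' }
                elseif ($types | Where-Object { $_ -in $phishable })     { 'Phishable' }
                else                                                      { 'PasswordOnly' }
        [pscustomobject]@{
            User    = $u.UserPrincipalName
            Tier    = $tier
            Methods = (($types | ForEach-Object { $_ -replace '^#microsoft\.graph\.|AuthenticationMethod$', '' }) -join ',')
        }
    }
}

function Get-MfaEnforcementReport {
    # Registration is not enforcement. A Conditional Access policy has to require it,
    # and "All" under cloud apps is what closes the EHR-but-not-email gap.
    foreach ($p in Get-MgIdentityConditionalAccessPolicy) {
        $requiresMfa = ($p.GrantControls.BuiltInControls -contains 'mfa') -or
                       ($null -ne $p.GrantControls.AuthenticationStrength)
        if (-not $requiresMfa) { continue }
        [pscustomobject]@{
            Policy   = $p.DisplayName
            State    = $p.State                                                # enabled / disabled / report-only
            Apps     = ($p.Conditions.Applications.IncludeApplications -join ',')   # 'All' is the goal
            Strength = if ($p.GrantControls.AuthenticationStrength) { $p.GrantControls.AuthenticationStrength.DisplayName } else { 'any MFA' }
        }
    }
}

$reg = Get-MfaRegistrationReport
$enf = Get-MfaEnforcementReport

$reg | Sort-Object Tier, User | Format-Table -AutoSize
$enf | Format-Table -AutoSize

# The two numbers an OCR reviewer will ask about, in one place.
$weak    = @($reg | Where-Object Tier -ne 'PhishingResistant')
$allApps = @($enf | Where-Object { $_.State -eq 'enabled' -and $_.Apps -eq 'All' })
"Users without a phishing-resistant method: $($weak.Count)"
"Enabled MFA policies covering all cloud apps: $($allApps.Count)"
```

If the second number is zero, email is almost certainly the unprotected app, whatever the EHR login looks like. A policy in report-only state counts for nothing here, which is why the script filters on `enabled`; and a user in the `Phishable` tier still passes a generic "MFA required" policy, which is the argument for requiring an authentication strength rather than the built-in `mfa` control once every provider has a key.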