DEV Community

Joe Gellatly

Posted on • Originally published at medcurity.com

The independent nurse practitioner's HIPAA guide for 2026

If you're a nurse practitioner running an independent practice (solo, with one or two staff, possibly part-time alongside another role), HIPAA compliance is one of those topics where the rules don't bend for your size. The Security Rule amendments proposed for 2026 raise the technical-controls floor for every covered entity regardless of size, and the 25 states with full NP practice authority have been adding their own state-level data-protection layers on top.

This is the practical map I'd hand a friend who just opened their own NP practice in 2026.

You are now a covered entity

The single biggest mental shift for an NP moving from employee to independent practice is that you are now the covered entity. Whatever you used to assume your employer's compliance officer was handling — that's your job now.

Specifically you're personally responsible for:

  • The Privacy Rule. Notice of Privacy Practices, patient rights, minimum-necessary rules, etc.
  • The Security Rule. Administrative, physical, and technical safeguards for ePHI.
  • The Breach Notification Rule. Notice to affected individuals without unreasonable delay and no later than 60 days after discovery; breaches affecting 500 or more individuals are also reported to HHS OCR within that window and to prominent media outlets, while smaller breaches are logged and reported to OCR annually.
  • HITECH and the proposed 2026 amendments. An annually reviewed SRA, MFA, encryption of ePHI at rest and in transit, a written technology asset inventory, and annual written verification from business associates.

The good news: scale changes practical implementation, not the categories.

The 2026 amendments — what changed for small NP practices

The 2026 Security Rule amendments have not been finalized yet, but their direction is already reflected in EHR product roadmaps and in what auditors expect to see. The pieces that matter most for a solo or small NP practice:

  1. MFA is the assumed default for remote access. If you log into your EHR from home or on the road, MFA needs to be turned on. Almost every modern EHR offers it — this is a checkbox, not a build.
  2. Encryption at rest and in transit is no longer effectively optional. Cloud-hosted EHRs handle this natively; the gap is usually local devices and removable media.
  3. Asset inventory — for a solo NP this is small, but it has to exist in writing. Laptop(s), phones, any external drives, point-of-care devices.
  4. Annual BA verification. Each vendor that touches PHI — your EHR, billing service, transcription service, telehealth platform — needs annual evidence of continued compliance.
  5. Documented configuration management. Even at NP-practice scale, you need a written record of who has access to what, with last-reviewed dates.

The minimum compliance stack for a solo NP practice

If I'm setting up an independent NP practice today, here's the minimum stack:

1. A HIPAA-compliant EHR with a signed BAA

Almost every cloud EHR aimed at small practices offers a BAA. The friction is asking for it explicitly and storing it. If your EHR vendor will not sign a BAA, that's a deal-breaker — switch.

2. A HIPAA-compliant telehealth platform if you do video visits

Same BAA gate. Most modern dedicated telehealth platforms cleared this years ago; some general-purpose video tools have HIPAA-compliant tiers, others don't.

3. MFA on every account that touches PHI

EHR, billing, telehealth, and email if PHI ever passes through it. An authenticator app on your phone (Google Authenticator, Microsoft Authenticator, Authy, etc.) is fine; where the vendor supports it, a hardware security key or passkey is stronger still. SMS codes still count as a second factor but are the weakest option, since they can be intercepted through SIM swapping, so treat SMS-only MFA as a stopgap rather than the default.

4. A device-level encryption posture

Your laptop disk should be encrypted with full-disk encryption: FileVault on a Mac, BitLocker on Windows. Confirm it rather than assume it: running fdesetup status on a Mac should report that FileVault is on, and manage-bde -status on Windows should show the system drive fully encrypted with protection on. Keep the recovery key somewhere other than the laptop itself. External drives and USB sticks that ever hold PHI need the same treatment; an unencrypted backup drive is exactly the gap the 2026 amendments are aimed at. Your phone's built-in encryption is sufficient as long as the device is behind a strong passcode, with biometrics on top of the passcode rather than instead of it, since the passcode is what the phone's encryption key is derived from.

5. An annual SRA

This is the Security Rule's required risk analysis: a written record of where ePHI lives (which systems, devices, and vendors), what could go wrong with each, how likely and how severe that would be, and what you are doing about it. There's no good way around it. The choice is to use a guided tool, hire a consultant, or use a vendor platform; all are valid. The unfortunate option is "skip it."

6. Notice of Privacy Practices, posted and provided

Patients are entitled to receive your NPP at first encounter. This is a Privacy Rule requirement, not Security Rule, and it's easy to overlook in the technical-controls focus.

7. A breach response plan, even if it's one page

Knowing what you'd do in the first 24 hours of a suspected breach (who you call, how you contain it, what you preserve) matters more than the document itself. The breach-notification clock starts at discovery, not at confirmation: a breach is treated as discovered on the first day it is known, or by reasonable diligence would have been known, to anyone in the practice.

The state-level layer

If you practice in a full-practice-authority state, you also have state-level data-protection rules that interact with HIPAA. A few worth knowing:

  • California: CMIA imposes its own confidentiality and breach-notification regime, sometimes stricter than HIPAA.
  • Texas: HB 300 expands patient access rights and requires biennial training documentation.
  • New York: SHIELD Act applies to any business holding NY-resident PI, with overlapping obligations.

State laws don't replace HIPAA; they layer on top. The practical answer is to comply with whichever rule is stricter on each issue.

Where most NP practices actually fail audits

Anecdotally, the most common gaps in small NP practice audits aren't the dramatic ones. They're:

  1. No documented annual SRA. The legal foundation; missing it cascades.
  2. No BA list. No record of which vendors have BAAs and when they were last reviewed.
  3. NPP not visibly provided. Not posted, no acknowledgment captured.
  4. Email containing PHI sent through a provider that has not signed a BAA, typically a personal consumer account.
  5. MFA off on EHR remote-login accounts.

None of these are technical engineering problems. They're operational rhythm problems.

Practical sequencing for a new NP practice

If I were standing one up tomorrow:

  • Day 1: pick HIPAA-compliant EHR + telehealth platform; sign BAAs.
  • Week 1: enable MFA on every PHI account; encrypt every device.
  • Month 1: complete first SRA; write NPP and breach response plan; build BA list.
  • Quarterly: BA verification rhythm; access review; backup verification.
  • Annually: SRA refresh; NPP review; staff training (even if "staff" is one MA).
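The quarterly and annual items above only hold up if something tells you when a date has lapsed. The script below is an added example, not code from the original post or from Medcurity, that keeps the asset inventory, the BA list and the account list described earlier as structured data and flags anything overdue or missing. Every vendor, device, account name and date in it is a constructed sample, and the review intervals in CADENCE_DAYS are assumptions that follow the quarterly and annual rhythm in the list above.

```python
"""Compliance-cadence checker for a small practice's written inventory.

Added example, not code from the original post or from Medcurity. It assumes
the inventory is kept as plain Python data (a JSON or YAML file would work the
same way) and that the review intervals below match the cadence the post
describes: quarterly BA verification, access review and backup verification;
annual SRA, NPP review and training. All names and dates are constructed.
"""
from datetime import date, timedelta

# Review cadence in days (assumed; follows the post's sequencing section).
CADENCE_DAYS = {
    "ba_verification": 90,
    "access_review": 90,
    "backup_verification": 90,
    "sra": 365,
    "npp_review": 365,
    "training": 365,
}

# The date the checker is run against in the sample below (constructed).
SAMPLE_TODAY = date(2026, 1, 15)

# Constructed sample inventory for a solo NP practice with one MA.
SAMPLE_INVENTORY = {
    "vendors": [  # every vendor that touches PHI must have a signed BAA
        {"name": "CloudEHR (constructed)", "baa_signed": date(2025, 2, 3),
         "last_verified": date(2025, 11, 15)},
        {"name": "BillCo (constructed)", "baa_signed": date(2025, 2, 10),
         "last_verified": date(2025, 4, 1)},
        {"name": "TranscribeIt (constructed)", "baa_signed": None,
         "last_verified": None},
    ],
    "devices": [  # asset inventory: each device and whether its disk is encrypted
        {"name": "clinic-laptop", "encrypted": True},
        {"name": "usb-backup-drive", "encrypted": False},
    ],
    "accounts": [  # every account that can reach PHI, with its MFA state
        {"name": "ehr/np", "mfa": "app", "last_access_review": date(2025, 12, 1)},
        {"name": "ehr/ma", "mfa": "sms", "last_access_review": date(2025, 12, 1)},
        {"name": "billing/np", "mfa": None, "last_access_review": date(2025, 6, 1)},
    ],
    "controls": {  # recurring obligations and when each was last completed
        "sra": date(2024, 12, 10),
        "npp_review": date(2025, 3, 1),
        "training": date(2025, 3, 1),
        "backup_verification": date(2025, 12, 20),
    },
}


def _overdue(last_done, interval_days, today):
    """True when an obligation was never done or its interval has lapsed."""
    return last_done is None or today - last_done > timedelta(days=interval_days)


def find_gaps(inventory, today):
    """Return a sorted list of findings; an empty list means nothing is overdue."""
    gaps = []
    for v in inventory["vendors"]:
        if v["baa_signed"] is None:
            gaps.append(f"BAA: no signed BAA on file for {v['name']}")
        if _overdue(v["last_verified"], CADENCE_DAYS["ba_verification"], today):
            gaps.append(f"BAA: verification overdue for {v['name']}")
    for d in inventory["devices"]:
        if not d["encrypted"]:
            gaps.append(f"ENCRYPTION: {d['name']} is not encrypted at rest")
    for a in inventory["accounts"]:
        if a["mfa"] is None:
            gaps.append(f"MFA: disabled on {a['name']}")
        elif a["mfa"] == "sms":
            gaps.append(f"MFA: SMS-only on {a['name']}; move to an authenticator app")
        if _overdue(a["last_access_review"], CADENCE_DAYS["access_review"], today):
            gaps.append(f"ACCESS: review overdue for {a['name']}")
    for control, interval in CADENCE_DAYS.items():
        if control in ("ba_verification", "access_review"):
            continue  # already checked per vendor and per account above
        # A control missing from the record counts as never done.
        if _overdue(inventory["controls"].get(control), interval, today):
            gaps.append(f"CADENCE: {control} overdue")
    return sorted(gaps)


if __name__ == "__main__":
    for line in find_gaps(SAMPLE_INVENTORY, SAMPLE_TODAY):
        print(line)
```

Run it from the quarterly calendar reminder; an empty result is the evidence that the rhythm is being kept, and a non-empty one is the to-do list for that quarter. The point of the structure is that the same file doubles as the written asset inventory and BA list an auditor will ask for.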

The cadence is what makes the system survive. Compliance done as one big push and then ignored becomes the audit gap two years later.


For a deeper dive on the 2026 HIPAA Security Rule and how independent NP practices are scoping these controls, see Medcurity's HIPAA compliance for small practices, the HIPAA Security Rule 2026 explainer, the BAA template page, and the best HIPAA SRA software comparison for 2026.
