I want to talk directly to the small practice owners reading this, because you are the group I worry about most. I have spent thirty years in compliance and privacy, and the single most expensive sentence I hear, over and over, comes from small practices: “We’re too small to be a target.” Too small for hackers to bother with. Too small for OCR to come looking. I understand why it feels true. It is also wrong in a way that has a price tag, and the 2026 enforcement record reads like it was assembled to prove the point.
## Small organizations are exactly who got penalized this year
Think the regulators only chase big health systems? A substance use disorder treatment center in Illinois settled this year over an incident affecting fewer than 2,000 people — tiny by breach standards — and still paid $103,000 with a two-year corrective action plan attached. The breach started with a single phishing email in one employee’s inbox.
That case matters precisely because it is small. OCR did not weigh the penalty on the size of the organization or the glamour of the attack. They weighed it on preparation — or the lack of it. A small operation that had not done the foundational work got treated the same as anyone else who skipped it. “Small” bought them no leniency on the thing that actually counted.
## Hackers do not check your revenue first
The other half of the myth is that you are too small for attackers to care about. But most of the large breaches reported to OCR are hacking and ransomware incidents, and the attackers running them are not hand-picking marquee targets. They are spraying phishing emails and walking through whatever door opens. Your four-person clinic’s front desk inbox is a door. Its size is irrelevant to an automated attack.
Remember the third-party administrator I have written about, where the attacker got in through a phishing email and sat in the network for six months before launching ransomware? That is the modern pattern. It does not require you to be important. It requires you to have an untrained person with an email address, and every practice, no matter how small, has at least one of those.
## The good news, said plainly
Now the part I actually enjoy telling small practices, because so much compliance news is grim. The control that addresses this is the cheapest one you have, and it has gotten dramatically cheaper. The reason small practices historically under-trained was never negligence — it was budget. When every seat of HIPAA training for employees is a noticeable chunk of a tight month, you train the dentist and the hygienist and quietly hope the part-time front desk person never clicks the wrong thing.
That trade-off is gone. With bulk HIPAA training you can train your entire team for as little as $20. For a small practice that number is not a rounding error in a hospital budget — it is genuinely affordable for the smallest clinic, which means there is no longer any financial reason to leave the receptionist, the biller, or the weekend help untrained. Affordable HIPAA training for organizations turns full coverage from an aspiration into a Tuesday afternoon task.
And you can start for nothing. I built the free training at HIPAA Training US partly because small practices kept telling me cost was the barrier. More than 50,000 healthcare professionals have come through it. A small practice can get its entire team a baseline today, at no cost, and decide on a managed program afterward.
## The small-practice reality I design around
In most small practices, one exhausted person is the clinician, the office manager, the IT department, and the compliance officer. I know that, so the program I recommend for them is deliberately simple.
- Everybody gets HIPAA compliance training for employees — the provider, the front desk, the biller, the part-timer, the contractor who handles your records
- New-to-healthcare hires get a live beginner session so they actually understand the rules instead of clicking past them
- If you use a courier or a runner to move charts and specimens, they get training built for couriers, because that role lives outside your four walls
- One simple roster, one annual reminder, and a saved certificate for every completion
## Why documentation protects the little guy most
Small practices sometimes treat documentation as big-company overhead. It is the opposite. You do not have a legal department to mount an elaborate defense, so your clean, simple records — a one-page roster and a folder of certificates — are your entire defense if OCR ever comes knocking. They take minutes to maintain. For the milestones, I will even hand someone a framed certificate, because in a small office a visible mark of a trained team does real work with patients and with anyone reviewing you.
## Retire the sentence
So here is my ask. Strike “we’re too small to be a target” from your vocabulary. The enforcement record shows small organizations paying six figures. The attack patterns show automated threats that do not care how many providers you have. And the one control that addresses the human front door is now cheap enough that no practice, however small, has a real excuse to skip it.
Being small does not lower your risk. In some ways it raises it, because you have less cushion to absorb a bad week. But small also means you can fix this fast — a whole team trained, documented, and protected for less than the cost of a nice dinner. After thirty years, I can tell you that is the best deal in compliance, and small practices are the ones who benefit from it most.