Back

HIPAA, SOC 2, and AI: What Small Healthcare Practices Actually Need to Know#

You run a five-doctor practice. You’ve heard HIPAA is mandatory, SOC 2 is “important,” and AI has “compliance implications.” But nobody has explained what any of that means for a practice your size—until now.

In January 2025, CMS proposed significant changes to the HIPAA Security Rule that would eliminate the distinction between “required” and “addressable” safeguards. As of mid-2026, these changes are still under review and have not been finalized. The existing rules remain in effect. Meanwhile, penalties for HIPAA violations reached $2.3 million in 2024, according to OCR enforcement data. Meanwhile, your staff is probably already using AI tools to draft patient communications, summarize charts, or transcribe notes—and nobody checked whether that’s allowed.

This article breaks down exactly what small healthcare practices need to do, what they can skip, and how to stay compliant while still using AI to work smarter.

HIPAA vs. SOC 2: Which One Do You Actually Need?#

HIPAA is mandatory if you handle Protected Health Information (PHI). There is no exception for small practices. If you see patients, store records, or transmit health data, you are a covered entity or business associate under HIPAA. Full stop.

SOC 2 is voluntary. It is an audit framework developed by the American Institute of CPAs (AICPA) that evaluates how well a company protects customer data. No government agency requires it. But it is increasingly expected by partners, vendors, and larger healthcare systems that refer patients to you.

Here’s how to decide:

  • Small practice handling PHI: HIPAA first. SOC 2 only if a partner or vendor requires it.
  • Practice management software serving clinics: HIPAA is mandatory because you touch PHI. SOC 2 helps you grow by proving your security to larger customers.
  • Healthcare SaaS selling to hospital systems: Both HIPAA and SOC 2 are effectively required. Hospital procurement teams won’t sign contracts without them.

HIPAA carries real penalties: up to $1.5 million per violation category per year under current OCR penalty tiers, depending on the level of negligence. SOC 2 has no government fines—you simply don’t get the report, which means you don’t close the deal. HIPAA is the floor, not the ceiling. SOC 2 is a growth tool, not a legal requirement. Start with HIPAA.

What the Proposed 2025 HIPAA Updates Mean for Small Practices#

The HIPAA Security Rule may receive its first major overhaul in twenty years. CMS published proposed changes in January 2025, but as of mid-2026 these are not yet finalized. Understanding what’s proposed helps you prepare, but existing rules remain the law.

Here’s what CMS proposed:

  • Mandatory encryption for all electronic PHI (ePHI). Already required under current rules for most data, but the proposal removes any ambiguity.
  • Breach notification potentially shortened from sixty days to thirty days. Currently sixty days; proposed change is not yet in effect.
  • Continuous monitoring expectations. Not annual audits. Automated systems that flag unauthorized access are already considered best practice.
  • Multi-factor authentication (MFA). Required under current rules for access to ePHI by workforce members.
  • Penalties adjusted for inflation. The maximum fine per violation category per year is $1.5 million under current OCR penalty tiers.

What this means in practice: you can’t check boxes once a year and hope for the best. Compliance is now an operational requirement, not a paperwork exercise.

There’s another wrinkle. Under the updated rules, you are responsible for your vendors’ compliance too. If your AI transcription tool processes patient data and that vendor suffers a breach, regulators will ask why you didn’t verify their security before handing them PHI. The 2025 updates raised the bar for everyone. Small practices are not exempt. The question is whether you’re prepared, or whether you’ll find out the hard way.

Where AI Fits Into Compliance (And Where It Doesn’t)#

AI tools that process, store, or transmit PHI must comply with HIPAA. No exceptions. It doesn’t matter whether the AI is built into your electronic health record (EHR) or whether a staff member copied patient notes into a free online tool.

Healthcare AI use falls into three categories, each with different risk levels:

Administrative AI handles scheduling, billing, and patient recall. Lower risk, but still touches PHI. An AI scheduler that texts patients about appointments is processing phone numbers and names, both are PHI.

Clinical decision support includes chart summarization, triage assistance, and diagnostic suggestions. Higher risk. These tools influence clinical judgment, which means errors can directly affect patient outcomes. They require human oversight every time.

Patient-facing AI includes chatbots, intake forms, and telehealth platforms. Highest risk. These tools interact directly with patients, often without a clinician in the room. Any mistake in information or advice can lead to immediate harm.

Your primary compliance tool for AI vendors is the Business Associate Agreement (BAA). This is a contract in which the vendor agrees to handle your PHI according to HIPAA rules. If an AI vendor won’t sign a BAA, you cannot use them with patient data. Period.

The stakes are real. The Change Healthcare breach exposed 190 million patient records. A separate agentic AI workflow breach affected 483,000 patients. Both cases involved vendors with insufficient security controls.

Meanwhile, AI adoption is accelerating. The American Medical Association’s 2024 survey found that physician use of AI nearly doubled year over year. Compliance has not kept pace. AI in healthcare isn’t a special category that gets a pass. It’s a tool that handles PHI, which means it’s subject to the same rules as everything else. The BAA is your lifeline.

The Small Practice Compliance Checklist#

You don’t need an enterprise compliance team. You need a checklist you can execute.

Step 1: Conduct a risk assessment. HIPAA requires this. Many practices skip it. Don’t. List every system that touches PHI, identify the threats to each, and document what you’re doing about them.

Step 2: Identify every AI tool your staff uses with PHI. Include shadow AI, tools you didn’t approve and don’t know about. Survey your team. Check browser histories if necessary. You can’t protect what you can’t see.

Step 3: Get BAAs signed with every AI vendor that touches PHI. No BAA, no PHI. If a vendor refuses, find an alternative.

Step 4: Implement mandatory encryption. Email, file storage, backups, transmission, everything encrypted, everywhere.

Step 5: Enable multi-factor authentication on all systems. Every login, every user, no exceptions.

Step 6: Set up continuous monitoring. Automated audit logs, access tracking, and anomaly detection. You don’t need a security operations center. You need alerts when something unusual happens.

Step 7: Train your staff on the AI acceptable use policy. They need to know which tools are approved, which data tiers exist, and what happens if they bypass the rules.

Step 8: Document everything. Compliance is paperless or it didn’t happen. If a regulator asks, you need timestamps, signatures, and proof.

For a five-provider practice, expect $5,000–$15,000 for initial setup and $2,000–$5,000 per year for ongoing compliance. That includes tools, training, and professional review. Compare that to a single HIPAA penalty. Compliance is a series of concrete steps, not a mystical state of being. Do the checklist, document your work, and repeat it regularly.

SOC 2 for Healthcare: When It’s Worth Pursuing#

SOC 2 comes in two flavors. Type I is a snapshot of your controls at a single point in time. Type II is evidence that your controls work consistently over a period, usually three to twelve months. Type II is what most serious buyers expect.

Small clinical practices typically don’t need SOC 2. You need it when:

  • You sell software or services to hospitals or larger practices
  • Your EHR or practice management vendor requires it for integration
  • You’re pursuing partnerships or contracts that mandate it

You probably don’t need it yet if:

  • You’re a clinical practice with no business-to-business software component
  • Your primary need is HIPAA compliance for direct patient care

Here’s the good news: HIPAA compliance gets you approximately 70% of the way to SOC 2. The controls overlap heavily, encryption, access management, monitoring, documentation. If you do HIPAA properly, adding SOC 2 is mostly filling gaps, not starting over.

Tools like Scrut, Compliancy Group, and Abyde can manage both frameworks simultaneously. They automate evidence collection, policy management, and audit preparation. For a small practice, they’re often cheaper than hiring a compliance consultant. SOC 2 is a growth investment, not a survival requirement. Pursue it when your business model demands it. Don’t chase it just because you heard it’s “important.”

Common AI Compliance Mistakes Small Practices Make#

Mistakes are inevitable. These are the ones that get practices fined:

  • Using free ChatGPT with patient data. No BAA means HIPAA violation. The free version of ChatGPT does not sign BAAs and does not guarantee data protection.

  • Assuming your EHR’s AI features are automatically compliant. They may not be. The EHR might be HIPAA-compliant, but the third-party AI module bolted onto it might not be. Check the subprocessor list.

  • Letting staff use personal devices for PHI without mobile device management (MDM) and encryption. A lost phone with unencrypted patient data is a reportable breach.

  • Not reviewing vendor BAAs annually. AI vendors change their terms, their infrastructure, and their security practices. Annual review catches problems before they become breaches.

  • Treating AI output as clinical advice without human verification. AI can suggest. Only a licensed clinician can decide.

Most compliance failures aren’t dramatic. They’re small decisions made daily, using the wrong tool, skipping the review, assuming someone else checked, that compound into violations.

Your Next Move#

HIPAA isn’t optional at any size. SOC 2 is optional but strategic. The real risk isn’t the regulation, it’s the AI tools your staff is already using without a BAA, without encryption, and without your knowledge.

Fix that first. Then build the compliance program around it.

Compliance isn’t a destination. It’s a practice. Start with the checklist, review it quarterly, and adjust as your tools and threats change. The practices that stay out of trouble aren’t the ones with the most elaborate programs. They’re the ones that do the basics consistently.


“Ready to implement this?” Get the templates, checklists, and step-by-step guides at Rozelle.ai

Sources#

HIPAA, SOC 2, and AI: What Small Healthcare Practices Actually Need to Know
https://answerbot.cloud/articles/hipaa-soc2-ai-healthcare
Author Rozelle
Published at April 30, 2026
Copyright © 2026 Rozelle.ai. All rights reserved.