Small businesses often overlook the technical safeguards that the HIPAA Security Rule requires. Put in place a strong cybersecurity plan to protect employee data. Encrypt data whenever it goes beyond your firewall. Have a disaster recovery plan in place in case of a breach.
Remember to physically secure electronic PHI from unauthorized access in your data center, on your servers, in the cloud, on workstations, and on mobile devices. Lock everything.
Strengthen your administrative security too, with risk management policies and assessments, contingency plans, and restrictions on who can access data. Train employees in HIPAA compliance each year. Report any data breaches to employees.
For more, see this HIPAA Security Checklist from HealthIT.gov.