Determine if you are a covered entity under HIPAA
To answer this, check out DPC Frontier's thorough discussion of HIPAA here. If you are not covered, feel free to ignore the rest of this list.
Check for state laws regarding patient privacy
In some states they are even more stringent than HIPAA.
Covered entities only: complete a Security Risk Assessment
This free tool from the ONC will make this much easier.
Covered entities only: draft a Release of Records/Authorization Form
HIPAA requires you to have a Release of Records (Authorization) form on file for any disclosure of protected health information for purposes other than treatment, payment, and health care operations. Here is an example from AtlasMD.
Every time you have a patient sign one of these, make a note in an Accounting of Disclosures log such as this. You must be able to account for all PHI disclosures you've made should you get audited.
Covered entities only: draft a Patient Consent Form
Though not required by HIPAA, many practices also have a Patient Consent Form which lets the patient green-light certain forms of communication (email, text, phone calls, answering machines). It also affords your practice an extra measure of protection. Here is a sample Consent Form.
Covered entities only: gather and maintain proof of HIPAA compliance
This is a multi-faceted problem; full compliance involves writing a Breach Plan, a Training Plan, a Communications Plan, a Disaster Recovery Plan, and an Audit and Monitoring Plan, plus the maintenance of a detailed Policies and Procedures Manual and data governance documentation. Check out this page from the AMA for some resources to get you started. You can find a lot of the Policies and Procedures online - check out Kim Corba's DPC Manual.
Covered entities only: gather Business Associate Agreements
You need to get a signed Business Associate Agreement from every company/product/service that handles your patients' health info. Some notable exceptions are labs, specialists you refer to, and data "conduits" (some messaging services qualify). See a complete description here and an agreement template here.