
HIPAA Compliance Checklist for Miami-Dade Medical Offices

A practical 2026 HIPAA compliance checklist for Miami-Dade medical practices — administrative, physical, technical, and Florida-specific requirements.

BASG · 11 min read

The Office for Civil Rights can fine a single Miami-Dade medical practice up to $2,134,831 per violation category per year. Settlements for small practices in recent enforcement actions have ranged from $182,000 to $800,000 — enough to permanently end most independent practices.

What’s frustrating is that the majority of these penalties stem from issues every practice can fix with a structured checklist: missing risk assessments, untrained staff, unencrypted laptops, sloppy business associate agreements, and the absence of any real documentation that compliance work is actually happening.

This is that checklist. It covers every HIPAA pillar — administrative, physical, technical, privacy, and breach notification — plus the 2026 Security Rule updates and the Florida-specific items most national checklists miss. Use it as a self-assessment, an audit prep tool, or a starting framework for cleaning up the gaps.

Key Takeaways

  • HIPAA compliance is a living program, not a one-time project. Every item on this checklist needs annual review and documentation refresh.
  • The 2026 Security Rule eliminates “addressable” safeguards. Encryption, MFA, and several other controls that used to be optional are now mandatory for every practice regardless of size.
  • Documentation is the audit currency. “We do that” is not a defense. “Here’s the policy, here’s the training log, here’s the test result” is.
  • Florida-specific risks add layers most national templates miss — hurricane DR planning, the Florida Information Protection Act (FIPA), and bilingual Notice of Privacy Practices needs in Miami-Dade.
  • A solo practitioner faces the same compliance obligations as a 200-physician group. HHS has been explicit on this.

How to Use This Checklist

Walk through every section in order. For each item, mark one of three statuses:

  • Green — fully implemented, documented, current within the last 12 months.
  • Yellow — partially in place, undocumented, or older than 12 months.
  • Red — missing entirely, unknown, or last addressed more than 24 months ago.

When you’re done, the count of yellow and red items is your gap report. Anything red is an active violation risk. Anything yellow is a finding waiting to happen during an audit.

What the 2026 Update Changes

Before the checklist itself, a quick orientation to what shifted in 2026. The full breakdown lives in our 2026 HIPAA Security Rule guide, but the high-level changes that affect this checklist are:

  • All previously “addressable” safeguards are now required.
  • Encryption of ePHI is mandatory at rest and in transit. AES-256-GCM is the current standard.
  • MFA is required for every user accessing ePHI — clinical staff, administrative staff, vendors, and remote users.
  • A 72-hour system recovery capability must be demonstrated.
  • Vulnerability scans are required every six months and penetration tests annually.
  • Business associates must report incidents within 24 hours of discovery.
  • Annual written verification of business associate technical safeguards is required.

If any item in the sections below references “now required” or “no longer addressable,” that’s the 2026 rule speaking.

1. Administrative Safeguards Checklist

Administrative controls are the policies, people, and processes that make compliance possible. This is also where audits typically begin.

  • HIPAA Security Officer designated in writing. Often the office manager or practice administrator in smaller offices.
  • HIPAA Privacy Officer designated in writing. Can be the same person as the Security Officer.
  • Annual risk assessment completed and documented within the past 12 months. Must be a real assessment, not a checkbox exercise.
  • Risk management plan that addresses identified risks with assigned owners and target dates.
  • Written policies and procedures covering: access control, workforce sanctions, incident response, contingency planning, device and media controls, business associate management, workforce training, and audit logging.
  • Workforce training completed at hire and annually for every employee, contractor, and vendor with PHI access. Training records retained for at least 6 years.
  • Sanctions policy documenting consequences for HIPAA violations by workforce members.
  • Termination procedures that revoke access to PHI immediately upon employee departure.
  • Access management procedures that grant minimum necessary PHI access based on job role.
  • Periodic access reviews verifying that current access still matches current job duties.
  • Annual policy review with documented updates — under the 2026 rule, policies must be reviewed at least annually.

2. Physical Safeguards Checklist

Physical controls protect the spaces and devices where PHI lives.

  • Facility access controls limiting who can enter areas where PHI is stored or accessed.
  • Workstation security policy specifying appropriate use, location, and protection of devices that handle PHI.
  • Workstation positioning so screens are not visible to patients, visitors, or unauthorized staff.
  • Screen lock policy — automatic lock after a defined idle period (15 minutes max recommended).
  • Device and media inventory tracking every laptop, desktop, tablet, phone, and external drive that touches PHI.
  • Mobile device management (MDM) for any device accessing PHI off-network.
  • Media disposal procedures for hard drives, USB drives, paper records, and any storage that has held PHI. Documented destruction certificates retained.
  • Device reuse procedures — secure wipe before any device changes hands or roles.
  • Server room or telecom closet physical security — locked, access-logged, environmentally monitored.
  • Visitor logs for any non-staff entering PHI-handling areas.

3. Technical Safeguards Checklist

Technical controls are where the 2026 update hits hardest.

  • Unique user identification — every workforce member has their own login. No shared logins, ever.
  • Multi-factor authentication enforced for all users accessing systems containing ePHI (now mandatory under the 2026 rule).
  • Encryption at rest for all devices storing ePHI — full-disk encryption on every workstation, laptop, server, and mobile device.
  • Encryption in transit — TLS 1.2 or higher for all network traffic involving ePHI, including internal traffic.
  • Encrypted email for any communications containing PHI.
  • Encrypted backups — unencrypted backup media is a 2026 violation.
  • Automatic logoff configured on all PHI-accessing systems.
  • Audit logging enabled on EHR, practice management, email, and any system accessing PHI. Logs retained for at least 6 years.
  • Log review procedures — someone actually reviews audit logs on a defined cadence, not just generates them.
  • Vulnerability scans every 6 months with documented remediation.
  • Penetration testing annually with documented findings and remediation plan.
  • Patch management program with defined SLAs for critical vs. routine patches.
  • Endpoint detection and response (EDR) deployed across all PHI-handling devices.
  • Email security (anti-phishing, attachment scanning, link rewriting) on every mailbox.
  • DNS filtering to block access to known malicious sites.
  • Network segmentation separating clinical systems from guest Wi-Fi and other lower-trust networks.

4. Privacy Rule Checklist

The Privacy Rule governs how PHI can be used and disclosed.

  • Notice of Privacy Practices (NPP) posted in the office, on the website, and provided to every new patient — updated for 2026 reproductive and behavioral health changes (effective February 2026).
  • Bilingual NPP available where appropriate — in Miami-Dade, this typically means Spanish, and increasingly Haitian Creole.
  • Acknowledgment of receipt of NPP collected from every patient.
  • Minimum necessary standard applied to internal and external PHI disclosures.
  • Patient access procedures — patients can access, copy, and amend their records within 30 days.
  • Authorization forms properly used for any PHI use beyond treatment, payment, or operations.
  • Accounting of disclosures maintained for non-routine PHI disclosures.
  • Patient complaint process documented and accessible.
  • Marketing and fundraising restrictions understood and enforced — especially around patient testimonials, social media posts, and email campaigns.

5. Breach Notification Checklist

When something goes wrong, the clock starts.

  • Breach response plan documented with named roles, contact info, and step-by-step procedures.
  • Incident classification process — distinguishes between security incidents, suspected breaches, and confirmed breaches.
  • Risk assessment template for evaluating whether an incident rises to breach notification thresholds.
  • Patient notification procedures — required without unreasonable delay, no later than 60 days after discovery.
  • HHS notification procedures — within 60 days for breaches of 500+ individuals; annual reporting for smaller breaches.
  • Media notification procedures — required for breaches affecting 500+ Florida residents.
  • Florida Information Protection Act (FIPA) procedures — Florida adds state-level notification requirements layered on top of HIPAA. Notification to the Florida Attorney General within 30 days for breaches affecting 500+ Florida residents.
  • Documentation retention — breach records retained for at least 6 years.
  • Tabletop exercises — your team has actually rehearsed a breach response, not just written a plan.

6. Business Associate Management Checklist

The 2026 rule materially raised the bar on BA management.

  • Complete inventory of business associates — every vendor, IT provider, billing company, EHR vendor, cloud service, transcription service, and any third party that creates, receives, maintains, or transmits PHI on your behalf.
  • Current Business Associate Agreement (BAA) signed by every BA, reviewed within the past 24 months.
  • Updated BAA language addressing the 2026 rule’s incident reporting timelines and verification requirements.
  • 24-hour incident reporting clause — required under the 2026 rule.
  • Annual written verification that each BA has implemented required technical safeguards (new under 2026).
  • Subcontractor BAAs verified — your BAs must have BAAs with their subcontractors.
  • BA termination procedures — what happens to PHI when the relationship ends.
  • BA risk tier assessment — not all BAs carry the same risk; document accordingly.

7. Documentation and Audit Readiness

Auditors don’t grade what you do. They grade what you can prove you do.

  • Policy and procedure binder (digital or physical) organized and current.
  • Training records for every workforce member, with dates, content covered, and acknowledgments.
  • Risk assessment reports — every annual assessment archived for at least 6 years.
  • Vulnerability scan and penetration test reports with remediation evidence.
  • Backup test results — not just that backups exist, but that you’ve successfully restored from them.
  • Incident logs — every security incident documented, even minor ones.
  • Audit log review records showing someone actually reviews logs.
  • BA inventory and BAA repository centrally maintained.
  • Breach risk assessments for any incident that triggered a notification analysis.
  • Sanctions records for any HIPAA violations by workforce members.

If you have to scramble to produce these documents, you’re not audit-ready. The standard for HHS is that documentation is current, organized, and produced on request.

8. Miami-Dade and Florida-Specific Considerations

Most national HIPAA checklists miss the items below. They’re not optional in our market.

  • Hurricane disaster recovery plan — assume facility loss, prolonged power outage, and staff displacement. The 72-hour recovery mandate intersects directly with hurricane scenarios.
  • Geographically diverse backups — primary and secondary data outside the South Florida hurricane corridor, ideally in a different region entirely.
  • Cloud-based EHR consideration — if your EHR runs on a server in your office, evaluate whether HIPAA-compliant cloud infrastructure better meets the recovery mandate.
  • FIPA notification procedures layered on top of HIPAA for any breach affecting Florida residents.
  • Spanish-language privacy materials — Miami-Dade is over 70% Hispanic; English-only NPPs and patient communications are a real exposure point.
  • Hurricane season tabletop exercise — annually, in May or June, before the season starts.
  • Generator and UPS coverage for any on-premises infrastructure that handles PHI.
  • Cellular and broadband redundancy at facilities — primary and secondary connectivity from different carriers.

The healthcare cybersecurity reality in Florida makes these items more urgent than they sound. Florida consistently ranks among the worst states for healthcare data breaches. Practices here are not theoretical targets — they are active ones.

Self-Assessment Scoring

Count your reds, yellows, and greens.

  • 0 reds, fewer than 5 yellows: You’re audit-ready. Maintain the cadence.
  • 0 reds, 5–15 yellows: Solid foundation, gaps to close in the next 90 days.
  • 1–3 reds, or 15+ yellows: Active risk. Start a remediation plan this quarter.
  • 4+ reds: Likely non-compliant. Bring in healthcare IT and compliance support immediately.

Be honest in the scoring. The point of a self-assessment is to find gaps before HHS does.

When to Bring in Professional Help

You can run this checklist internally. Many practices do, and many practices succeed at the items they understand well.

The trouble is that the items most practices fail are not the ones their internal team can fix:

  • Risk assessments require methodology that holds up under audit, not a spreadsheet.
  • Encryption deployment across every device, including BYOD and remote users, takes specialized tooling.
  • Vulnerability scans and pen tests require qualified third parties.
  • Business associate verification is a year-round vendor management function, not a one-time check.
  • Documentation discipline is the hardest part — every audit-pass story we’ve seen starts with consistent documentation.

This is exactly where a specialized healthcare IT partner earns its keep. Instead of trying to staff a CISO ($120,000+), a compliance officer ($95,000+), and an IT director ($140,000+) in a five-physician office, you partner with a team that delivers all three through a managed engagement at a fraction of the cost — and one that already understands the 2026 Security Rule and the Florida-specific layer.

The Bottom Line

HIPAA compliance is not a project that ends. It’s a program that runs continuously — risk assessments, training, encryption, monitoring, vendor verification, documentation. The 2026 Security Rule raised the floor on every one of these, and the practices that wait will be scrambling when the rule takes effect.

Run this checklist this quarter. Score it honestly. Close the reds first, the yellows next. And document everything you do, because that documentation is the only thing standing between your practice and a six-figure penalty when something eventually goes wrong.

If you’d like a structured HIPAA assessment with a remediation plan tailored to your practice and the 2026 Security Rule, our healthcare IT team does exactly that — no cost, no pressure, just a clear picture of where your practice stands.
