If you run a medical practice in Florida, you already know HIPAA compliance is required. But when was the last time you actually sat down and checked whether your practice meets every requirement?
Most office managers and practice administrators we talk to in Tampa, Orlando, and Lakeland say the same thing: “We think we’re compliant, but we’re not 100% sure.”
That uncertainty is exactly what leads to fines. The U.S. Department of Health and Human Services (HHS) doesn’t care if you thought you were covered — they care whether you can prove it.
This checklist covers both federal HIPAA requirements and Florida-specific regulations so you can see exactly where your practice stands today.
Why This Matters in 2026
HIPAA enforcement is getting stricter, not looser. The Office for Civil Rights (OCR) has increased audits of small practices, and the 2026 HIPAA Security Rule updates now require more rigorous documentation of your technical safeguards.
In Florida specifically, the Florida Information Protection Act (FIPA) adds state-level requirements on top of federal HIPAA rules — including a 30-day breach notification window (stricter than the federal 60-day requirement).
The bottom line: small practices are no longer flying under the radar. If you haven’t done a formal risk assessment in the past 12 months, you’re already behind.
Part 1: Administrative Safeguards
These are the policies and procedures your practice needs to have documented and actively followed.
Risk Assessment (Required Annually)
- Completed a formal HIPAA Security Risk Assessment in the past 12 months
- Documented all identified risks and your plan to address each one
- Risk assessment covers all systems that store, process, or transmit PHI (protected health information)
- Results reviewed by practice leadership (not just IT)
Policies and Procedures
- Written HIPAA Privacy Policy that staff can access
- Written HIPAA Security Policy covering electronic PHI (ePHI)
- Breach Notification Policy with clear steps for who does what
- Sanction Policy for employees who violate HIPAA rules
- Policies reviewed and updated at least annually
Staff Training
- All employees completed HIPAA training within 30 days of hire
- Annual refresher training completed for all staff
- Training covers phishing awareness, password hygiene, and proper PHI handling
- Training completion documented with dates and signatures
- Staff can identify a HIPAA violation and know who to report it to
Business Associate Agreements (BAAs)
- BAA signed with every vendor that accesses PHI (IT provider, EHR vendor, billing company, shredding service, cloud storage, etc.)
- BAAs reviewed when contracts renew
- List of all business associates maintained and up to date
Part 2: Technical Safeguards
This is where your IT setup comes into play. If you’re unsure about any of these, your IT provider should be able to confirm.
Access Controls
- Every user has a unique login — no shared accounts
- Access to PHI is role-based (front desk sees different data than billing staff)
- Accounts of former employees are deactivated within 24 hours of departure
- Automatic session timeout on all workstations (15 minutes or less)
- Multi-factor authentication (MFA) enabled on EHR, email, and remote access
Encryption
- All ePHI encrypted at rest (stored data) and in transit (data being sent)
- Email containing PHI uses encrypted transmission (TLS at minimum)
- Laptops and mobile devices have full-disk encryption enabled
- USB drives containing PHI are encrypted (or USB ports are disabled)
Audit Controls
- EHR system logs who accessed what records and when
- Audit logs reviewed regularly (at least quarterly) for unusual access patterns
- Logs retained for at least 6 years (HIPAA requirement)
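The Access Controls and Audit Controls items above ask for a regular review of EHR access logs for unusual patterns and for departed staff accounts that were not deactivated in time. The script below is an added example, not code from this page or from iTech Plus, and assumes a constructed comma-separated log format (timestamp, user, patient ID, action), a constructed terminated-user list, and made-up thresholds for business hours and per-user patient volume.

```python
"""Review a constructed EHR access log for the patterns the checklist asks about."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real EHR): timestamp,user,patient_id,action
SAMPLE_LOG = """\
2026-03-02T09:15:00,jsmith,P1001,VIEW
2026-03-02T09:16:30,jsmith,P1002,VIEW
2026-03-02T22:40:00,jsmith,P1003,VIEW
2026-03-02T10:05:00,mlee,P1004,VIEW
2026-03-02T10:06:00,mlee,P1005,VIEW
2026-03-02T10:07:00,mlee,P1006,VIEW
2026-03-02T10:08:00,mlee,P1007,VIEW
2026-03-02T11:00:00,rgone,P1008,VIEW
"""

# Constructed assumptions for a hypothetical practice
TERMINATED = {"rgone": datetime(2026, 2, 27)}  # user -> departure date/time
BUSINESS_HOURS = (7, 19)                         # 07:00-19:00 local clinic hours
DISTINCT_PATIENT_THRESHOLD = 3                   # distinct charts per user per day


def parse_log(text):
    """Turn the raw CSV-style log text into (timestamp, user, patient, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        events.append((datetime.fromisoformat(ts), user, patient, action))
    return events


def review_access_log(text, terminated=TERMINATED):
    """Return findings as (rule, user, when) tuples for a reviewer to follow up on."""
    findings = []
    charts_per_user_day = defaultdict(set)
    for ts, user, patient, action in parse_log(text):
        # Access by an account that should have been disabled within 24h of departure
        if user in terminated and ts > terminated[user] + timedelta(hours=24):
            findings.append(("terminated_account_active", user, ts.isoformat()))
        # Access outside the clinic's normal hours
        if not BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]:
            findings.append(("after_hours_access", user, ts.isoformat()))
        charts_per_user_day[(user, ts.date())].add(patient)
    # One user opening an unusual number of different charts in a single day
    for (user, day), patients in charts_per_user_day.items():
        if len(patients) > DISTINCT_PATIENT_THRESHOLD:
            findings.append(("high_patient_volume", user, day.isoformat()))
    return findings
```

Each finding is a lead for a human reviewer, not proof of a violation; the thresholds should be tuned to the practice's real schedule and role mix.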
Network Security
- Business-grade firewall installed and actively monitored
- Guest Wi-Fi is on a separate network from clinical systems
- Endpoint protection (antivirus/anti-malware) on all devices
- Software and operating systems patched within 30 days of a patch being released
- Remote access uses VPN with MFA — not exposed RDP
Part 3: Physical Safeguards
HIPAA isn’t just digital. Physical access to patient data matters too.
- Server room/closet is locked and access-restricted
- Workstations positioned so screens aren’t visible to patients in waiting areas
- Paper records stored in locked cabinets
- Printers in secure areas (PHI doesn’t sit in shared printer trays)
- Visitor access to clinical areas is controlled
- Old hard drives and devices are properly wiped or destroyed before disposal
Part 4: Backup and Disaster Recovery
This section is especially critical for Central Florida practices that face hurricane season every year.
- Automated daily backups of all systems containing PHI
- Backups stored offsite or in the cloud (not just on a drive in the same building)
- Backup restoration tested at least twice per year
- Written disaster recovery plan that covers data loss, ransomware, and natural disasters
- Recovery Time Objective (RTO) defined — how quickly can you be back up?
- Staff knows the disaster recovery process (not just IT)
Part 5: Florida-Specific Requirements
Federal HIPAA rules apply everywhere, but Florida adds additional obligations:
Florida Information Protection Act (FIPA) — Fla. Stat. §501.171
- 30-day breach notification — You must notify affected individuals within 30 days of discovering a breach (federal HIPAA allows 60 days)
- Notify the Florida Attorney General if 500+ individuals are affected
- Reasonable security measures required for personal information (broader than just PHI)
Florida Patient’s Bill of Rights — Fla. Stat. §381.026
- Patients have the right to access their medical records
- Copies must be provided within a reasonable time
- Charges for copies must comply with Florida fee schedules
Florida Electronic Health Records Exchange Act
- If you participate in health information exchange (HIE), additional interoperability and consent requirements apply
How to Use This Checklist
- Print it out and go through each item with your office manager and IT provider
- Mark each item as compliant, non-compliant, or unsure
- Prioritize the gaps — anything marked “non-compliant” or “unsure” is a risk
- Create a remediation plan with deadlines for each gap
- Schedule your annual risk assessment if it hasn’t been done in the past 12 months
If you have more than 5 items marked “unsure,” it’s time to bring in a HIPAA-experienced IT provider to do a proper assessment.
Get a Free HIPAA Risk Audit
Not sure where your practice stands? iTech Plus provides free HIPAA risk audits for medical practices in Tampa, Orlando, Lakeland, and throughout Central Florida.
We’ll walk through your technical safeguards, review your policies, and give you a clear report of what’s compliant and what needs attention — no sales pitch, just a straightforward assessment.
Schedule your free HIPAA risk audit or call us at (321) 221-7117.
Frequently Asked Questions
What are the main HIPAA requirements for small medical practices?
Small medical practices must implement administrative safeguards (risk assessments, employee training, policies), physical safeguards (facility access controls, workstation security), and technical safeguards (access controls, encryption, audit logs) to protect patient health information (PHI).
How often should a medical practice conduct a HIPAA risk assessment?
HHS recommends conducting a thorough HIPAA risk assessment at least once per year, and whenever there are significant changes to your IT systems, staff, or operations. Many practices conduct them quarterly for ongoing compliance.
What are the penalties for HIPAA violations in Florida?
HIPAA penalties range from $100 to $50,000 per violation, with annual maximums up to $1.5 million per violation category. In severe cases involving willful neglect, criminal penalties including fines up to $250,000 and imprisonment can apply.