
Quick answer: The most common HIPAA compliance failures for Miami healthcare providers in 2026 are missing risk assessments, poor access controls, unencrypted PHI, inadequate Business Associate Agreements, missing audit logs, insufficient workforce training, and improper device disposal — all of which are addressable with a structured compliance program.

Why Miami Healthcare Providers Are Under the Microscope

HHS Office for Civil Rights (OCR) enforcement has accelerated since 2022. Settlement amounts are increasing, the time from complaint to resolution has shortened, and OCR has made clear that "we didn't know" is no longer an acceptable defense for violations of a regulation that has been in force since 2003.

South Florida healthcare providers face compounding risk factors:

  • High concentration of independent practices without dedicated compliance staff
  • Rapid M&A activity that leaves acquired entities operating on disparate, unreviewed systems
  • Heavy reliance on third-party billing and answering services — each of which is a potential BAA gap
  • An above-average fraud environment that draws federal investigator attention to the region

HHS OCR has resolved over 36,000 HIPAA cases and collected more than $155 million in penalties since 2003 — and the pace of enforcement is accelerating.

The following 7 failures appear most frequently in OCR enforcement actions and settlement agreements. Each one is preventable with a structured compliance program.


Failure 1: Missing or Incomplete Risk Assessment

What HIPAA requires: The HIPAA Security Rule (45 CFR § 164.308(a)(1)) requires covered entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. This must be updated regularly — which OCR interprets as at least annually, or when significant changes occur.

What OCR finds: Risk assessments that were completed once during EHR implementation and never updated. Risk assessments that cover only one location of a multi-site practice. Risk assessments completed by the practice manager without any technical input on system-level vulnerabilities.

The penalty pattern: A missing or inadequate risk assessment appears as a finding in virtually every HIPAA enforcement action, often as the root cause that enabled the subsequent breach.

What to do: Conduct a documented risk assessment annually. It must cover all systems that create, receive, maintain, or transmit ePHI — not just your EHR. The output must be a written risk analysis with identified gaps and a remediation plan. HHS provides free Security Risk Assessment guidance including a downloadable tool.


Failure 2: Weak Access Controls on PHI

What HIPAA requires: The Access Control standard (45 CFR § 164.312(a)(1)) requires unique user identification — meaning every user who accesses ePHI must have their own login. Shared credentials are a direct HIPAA violation.

What OCR finds: Front desk staff sharing a login to the scheduling system. Physician assistants using the attending physician's credentials. Former employees whose accounts were never disabled.

What to do:

  • Every person who accesses ePHI must have a unique username and password
  • Multi-factor authentication on all systems containing ePHI, especially remote access
  • Role-based access control: clinical staff see clinical records; billing staff see billing data; no one has unnecessary access
  • Quarterly access reviews to remove accounts that are no longer needed
  • Disable accounts automatically on separation — the same business day as the employee's last day

NIST's Cybersecurity Framework identity and access management controls align directly with HIPAA Access Control requirements and provide a structured implementation path.
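The quarterly access review above can be scripted so that it is repeatable and produces a record for your risk analysis file. The following is an added example written for this article, not code from the page or from RRG Networks. It cross-checks a constructed EHR account export against a constructed HR roster and reports the exact conditions Failure 2 describes: logins not tied to a named person (shared or orphaned), accounts still enabled after a separation date, accounts without MFA, and roles broader than the department needs. The field names, the department-to-role mapping, and the "more than one workstation means a shared credential" heuristic are assumptions for the example; map your own export to the same fields.

```python
"""Quarterly ePHI access review (added example; not from the page or RRG Networks)."""
from datetime import date

# Constructed HR roster (not real people): username -> (department, separation date or None)
HR_ROSTER = {
    "jsmith":  ("clinical", None),
    "mgarcia": ("billing", None),
    "rlee":    ("clinical", date(2026, 1, 15)),  # separated; account should already be disabled
    "tnguyen": ("frontdesk", None),
}

# Least-privilege mapping assumed for this example: the EHR roles each department needs.
ROLES_FOR_DEPARTMENT = {"clinical": {"clinical"}, "billing": {"billing"}, "frontdesk": {"scheduling"}}

# Constructed EHR account export. "workstations" = distinct hosts the login was used from this quarter.
ACCOUNTS = [
    {"user": "jsmith",    "enabled": True, "mfa": True,  "roles": {"clinical"},            "workstations": 1},
    {"user": "mgarcia",   "enabled": True, "mfa": False, "roles": {"billing", "clinical"}, "workstations": 1},
    {"user": "rlee",      "enabled": True, "mfa": True,  "roles": {"clinical"},            "workstations": 1},
    {"user": "frontdesk", "enabled": True, "mfa": False, "roles": {"scheduling"},          "workstations": 3},
]


def review_accounts(accounts, roster, today):
    """Return (user, finding) pairs; an empty list means the review is clean."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        if not acct["enabled"]:
            continue  # a disabled account carries no access; nothing to review
        if user not in roster:
            # Unique user identification: every login must map to one named individual.
            findings.append((user, "no named individual in HR roster (shared or orphaned login)"))
            if acct["workstations"] > 1:
                findings.append((user, f"used from {acct['workstations']} workstations: shared credential"))
            continue
        dept, separated = roster[user]
        if separated is not None and separated <= today:
            findings.append((user, f"still enabled {(today - separated).days} days after separation"))
        if not acct["mfa"]:
            findings.append((user, "MFA not enforced"))
        excess = acct["roles"] - ROLES_FOR_DEPARTMENT[dept]
        if excess:
            findings.append((user, f"roles beyond {dept} duties: {sorted(excess)}"))
    return findings


def quarterly_review(today=date(2026, 2, 14)):
    """Run the review against the constructed data; 'today' is fixed so the output is reproducible."""
    return review_accounts(ACCOUNTS, HR_ROSTER, today)


if __name__ == "__main__":
    for user, finding in quarterly_review():
        print(f"{user:10} {finding}")
```

Keep the printed findings, the date, and who remediated each item with the rest of your risk-analysis documentation; the review itself is the evidence OCR asks for.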


Failure 3: Unencrypted PHI at Rest and in Transit

What HIPAA requires: Encryption is an "addressable" implementation specification under HIPAA — meaning you must either implement it or document why an equivalent alternative measure is in place. In practice, OCR expects encryption on portable devices and across any network transmission of ePHI.

What gets providers fined: A stolen unencrypted laptop containing 8,600 patient records. An unencrypted USB drive lost in a parking lot. PHI sent over unencrypted email because it was "faster."

What to do:

  • Full-disk encryption on all laptops, workstations, and mobile devices (BitLocker on Windows, FileVault on Mac)
  • Enforce encrypted email for any PHI transmission — Microsoft Purview Message Encryption is included in M365 Business Premium
  • No ePHI on USB drives. If portable storage is required, use encrypted, hardware-locked devices only
  • Document your encryption choices as part of your risk analysis

According to IBM's Cost of a Data Breach Report 2024, healthcare data breaches cost an average of $9.77 million — the highest of any industry for 14 consecutive years, and a strong argument for the cost-effectiveness of encryption.


Failure 4: Deficient Business Associate Agreements

What HIPAA requires: Any vendor that handles PHI on your behalf is a Business Associate. Before they touch PHI, you must have a signed BAA in place that meets the specific content requirements of 45 CFR § 164.308(b)(1).

What OCR finds: IT providers with remote access to servers who were never asked to sign a BAA. Cloud storage providers (Dropbox, Google Drive) where PHI is stored without a BAA. Billing companies operating under a 2008 BAA that predates the 2013 Omnibus Rule changes.

Common BAA gaps that invalidate the agreement:

  • Missing required provisions (breach notification requirements, subcontractor BAA obligations)
  • BAA signed with the wrong entity (the reseller, not the actual processor)
  • Unsigned — sent but never countersigned
  • Expired or superseded by a new service agreement that doesn't reference the BAA

What to do: Maintain a BAA inventory — every vendor, their BAA status, and the date signed. Review BAAs when you renew contracts. Require new vendors to sign before any access is granted.
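A BAA inventory is only useful if it is checked against the gaps listed above every time a contract is renewed. The script below is an added example for this article, not code from the page or from RRG Networks. It runs a constructed vendor inventory through those checks: a PHI-handling vendor with no BAA, a BAA that was sent but never countersigned, missing required provisions, a BAA signed before the Omnibus Rule, and a BAA superseded by a later service agreement that does not reference it. The inventory schema, the 2013-09-23 Omnibus compliance date used as the review cutoff, and the two-item provision checklist (the page names only breach notification and subcontractor obligations; a real checklist is longer) are assumptions for the example.

```python
"""BAA inventory gap report (added example; not from the page or RRG Networks)."""
from datetime import date

# Assumption: HIPAA Omnibus Rule compliance date, used here as the "re-execute if older" cutoff.
OMNIBUS_COMPLIANCE_DATE = date(2013, 9, 23)
# Only the provisions the article names; extend with the full 45 CFR 164.504(e) list in practice.
REQUIRED_PROVISIONS = {"breach_notification", "subcontractor_baa"}

# Constructed inventory: vendor names and dates are made up for the example.
VENDORS = [
    {"name": "Example EHR Cloud", "handles_phi": True,
     "baa": {"signed": date(2023, 4, 1), "countersigned": True,
             "provisions": {"breach_notification", "subcontractor_baa"}},
     "latest_service_agreement": {"date": date(2023, 4, 1), "references_baa": True}},
    {"name": "Example Billing Co", "handles_phi": True,
     "baa": {"signed": date(2008, 6, 15), "countersigned": True,
             "provisions": {"breach_notification"}},
     "latest_service_agreement": {"date": date(2025, 1, 10), "references_baa": False}},
    {"name": "Example IT MSP", "handles_phi": True,
     "baa": {"signed": date(2024, 2, 2), "countersigned": False,
             "provisions": {"breach_notification", "subcontractor_baa"}},
     "latest_service_agreement": {"date": date(2024, 2, 2), "references_baa": True}},
    {"name": "Example Landscaping", "handles_phi": False, "baa": None, "latest_service_agreement": None},
    {"name": "Example Answering Service", "handles_phi": True, "baa": None,
     "latest_service_agreement": {"date": date(2022, 9, 1), "references_baa": False}},
]


def baa_gaps(vendor):
    """Return the list of BAA gaps for one vendor; an empty list means the BAA is in order."""
    gaps = []
    if not vendor["handles_phi"]:
        return gaps  # not a business associate; no BAA needed
    baa = vendor["baa"]
    if baa is None:
        return ["no BAA on file"]
    if not baa["countersigned"]:
        gaps.append("unsigned: sent but never countersigned")
    missing = REQUIRED_PROVISIONS - baa["provisions"]
    if missing:
        gaps.append(f"missing provisions: {sorted(missing)}")
    if baa["signed"] < OMNIBUS_COMPLIANCE_DATE:
        gaps.append(f"signed {baa['signed']}, predates the Omnibus Rule; re-execute")
    sa = vendor["latest_service_agreement"]
    if sa and sa["date"] > baa["signed"] and not sa["references_baa"]:
        gaps.append(f"superseded by service agreement dated {sa['date']} that does not reference the BAA")
    return gaps


def inventory_report(vendors=VENDORS):
    """Map each vendor name to its gap list, for the whole inventory."""
    return {v["name"]: baa_gaps(v) for v in vendors}


if __name__ == "__main__":
    for name, gaps in inventory_report().items():
        print(name, "->", gaps or "OK")
```

The "wrong entity" gap from the list (a BAA signed with the reseller rather than the processor) cannot be detected from dates and checkboxes; it needs a human comparing the signing party on the BAA with the party that actually receives the PHI.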


Failure 5: No Audit Logs or Access Tracking

What HIPAA requires: The Audit Controls standard (45 CFR § 164.312(b)) requires hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use ePHI.

What this means in practice: You must be able to answer "who accessed patient record X on date Y" — not just at the EHR level, but at the network and system level. If you cannot answer that question, you do not have adequate audit controls.

What OCR finds: EHR audit logging disabled to improve performance. No logging on the network firewall or workstations. Logs that exist but are never reviewed, making them useless for detecting unauthorized access.

What to do:

  • Enable audit logging in your EHR and verify it is capturing user-level access events
  • Retain audit logs for at least 6 years (HIPAA's retention requirement for documentation)
  • Enable Windows Event Log forwarding and firewall logging to a centralized SIEM
  • Review anomalous access — a staff member accessing 500 records on a Saturday night is a detectable event if logging is in place

CISA recommends log monitoring as a foundational security control — and for HIPAA-covered entities, it is also a regulatory requirement.
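Two of the questions above ("who accessed record X on date Y" and "is someone browsing hundreds of records on a Saturday night") can be answered from an EHR audit export in a few lines once the log is actually being captured. The following is an added example for this article, not code from the page or from RRG Networks. It runs over a constructed, pipe-delimited audit export (the `timestamp|user|action|patient_id` layout, the 07:00-19:00 business-hours window, and the 50-record threshold are assumptions for the example) and shows both the lookup and the off-hours bulk-access detection; the 120-record Saturday-night burst is generated inline so the file stays short.

```python
"""ePHI audit-log review (added example; not from the page or RRG Networks)."""
from collections import defaultdict
from datetime import datetime, timedelta


def _constructed_bulk(user, start, n):
    """Build n constructed VIEW events 20 s apart, each on a distinct patient record."""
    t0 = datetime.fromisoformat(start)
    return "\n".join(
        f"{(t0 + timedelta(seconds=20 * i)).isoformat(timespec='seconds')}|{user}|VIEW|P{20000 + i}"
        for i in range(n)
    )


# Constructed EHR audit export: timestamp|user|action|patient_id (layout is an assumption).
SAMPLE_LOG = "\n".join([
    "2026-01-12T09:12:03|jsmith|VIEW|P10021",
    "2026-01-12T09:14:47|jsmith|VIEW|P10022",
    "2026-01-12T14:02:10|mgarcia|VIEW|P10021",
    "2026-01-12T20:30:00|mgarcia|VIEW|P10023",   # after hours, but a single record: below threshold
    "2026-01-13T08:00:11|jsmith|UPDATE|P10021",  # next day: must not match a 01-12 query
    _constructed_bulk("tnguyen", "2026-01-17T23:05:00", 120),  # Saturday night, 120 distinct records
])


def parse_log(text):
    """Parse the export into event dicts with a real datetime for each line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "action": action, "patient": patient})
    return events


def who_accessed(events, patient_id, day):
    """Answer 'who accessed patient record X on date Y' (day given as YYYY-MM-DD)."""
    return sorted({e["user"] for e in events
                   if e["patient"] == patient_id and e["ts"].date().isoformat() == day})


def flag_bulk_off_hours(events, threshold=50, business_hours=(7, 19)):
    """Per user and day, count distinct records touched on a weekend or outside business hours.
    Returns (user, day, count) tuples where the count reaches the threshold."""
    touched = defaultdict(set)
    for e in events:
        t = e["ts"]
        off_hours = t.weekday() >= 5 or not (business_hours[0] <= t.hour < business_hours[1])
        if off_hours:
            touched[(e["user"], t.date().isoformat())].add(e["patient"])
    return sorted((user, day, len(p)) for (user, day), p in touched.items() if len(p) >= threshold)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("P10021 on 2026-01-12:", who_accessed(evs, "P10021", "2026-01-12"))
    print("off-hours bulk access:", flag_bulk_off_hours(evs))
```

The detection only works if the export includes the patient identifier for every read, not just writes; verifying that VIEW events are logged at all is the first check to run after enabling EHR auditing.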


Failure 6: Insufficient Workforce Training

What HIPAA requires: The Security Awareness and Training standard (45 CFR § 164.308(a)(5)) requires covered entities to implement a security awareness and training program for all members of the workforce, including management. Training must be documented.

What OCR finds: Practices that point to onboarding documentation as "training" but have no records of who completed it, when, or what it covered. Annual training that covers HIPAA in general but does not address the specific threats employees face (phishing, ransomware, social engineering).

What to do:

  • Conduct documented HIPAA security training at hire and at least annually thereafter
  • Include real-world scenario training (phishing simulations, what to do if a laptop is stolen)
  • Retain signed acknowledgment forms or completion records for 6 years
  • When significant threats emerge (new phishing campaign, a breach at a competitor), send a timely update — document it

Failure 7: Improper Device and Media Disposal

What HIPAA requires: The Device and Media Controls standard (45 CFR § 164.310(d)(1)) requires policies and procedures governing the receipt and removal of hardware and electronic media containing ePHI — including final disposal.

What gets providers fined: Donating old computers to a school without wiping the hard drives. Throwing a decommissioned server in a dumpster. Returning a leased copier without sanitizing the internal hard drive (most office copiers store scanned documents on an internal drive).

What to do:

  • Document every device that touches ePHI — workstations, laptops, tablets, copiers, phones
  • Use DoD-standard disk wiping (3-pass overwrite) or physical destruction before disposal
  • Use a certified ITAD (IT Asset Disposition) vendor who provides a certificate of destruction
  • Add copier/printer hard drive sanitization to your lease return checklist

HIPAA Compliance Gap Assessment

| Requirement | Status Check | Penalty Risk if Missing |
|---|---|---|
| Annual risk assessment (documented) | ✅ Done / ❌ Missing | High — appears in nearly every OCR action |
| Unique user credentials + MFA | ✅ Done / ❌ Missing | High — access control violations fined up to $2M |
| Encryption on laptops + mobile devices | ✅ Done / ❌ Missing | High — most common breach vector |
| BAA inventory (all vendors) | ✅ Done / ❌ Missing | High — no BAA = direct violation |
| Audit logging enabled + retained 6 yrs | ✅ Done / ❌ Missing | Medium-High |
| Annual documented workforce training | ✅ Done / ❌ Missing | Medium-High |
| ITAD certificate for disposed devices | ✅ Done / ❌ Missing | Medium |

RRG Networks provides HIPAA compliance services for South Florida healthcare providers — including the annual risk assessment, technical safeguards implementation, BAA management, and workforce training — delivered as part of a managed compliance program with a flat monthly fee.

Frequently Asked Questions

How often does HHS OCR investigate HIPAA complaints in Florida?

Florida consistently ranks among the top five states by volume of HIPAA complaints filed with the HHS Office for Civil Rights. The dense concentration of healthcare providers in Miami-Dade and Broward counties — combined with one of the highest rates of healthcare fraud in the country — makes South Florida a priority region for OCR investigators.

What triggers a HIPAA audit?

The most common triggers are: (1) a patient or former employee files a complaint with OCR, (2) a covered entity reports a breach affecting 500 or more individuals (which goes on the public HHS Breach Portal), and (3) OCR's proactive audit program, which selects organizations at random. A data breach is often both the trigger and the subject of the investigation.

What is the maximum HIPAA fine per violation?

As of 2024, HIPAA civil penalties are capped at $2.067 million per calendar year for all violations of the same provision. For willful neglect violations that are not corrected, there is no cap on criminal referrals to the Department of Justice.

Does HIPAA apply to my dental or optometry practice?

Yes. HIPAA applies to all covered entities: healthcare providers who transmit health information electronically, health plans, and healthcare clearinghouses. This includes physicians, dentists, optometrists, chiropractors, therapists, pharmacies, and hospitals — as well as their business associates.

What is a Business Associate Agreement and who needs one?

A Business Associate Agreement (BAA) is a written contract required by HIPAA between a covered entity and any vendor (business associate) that creates, receives, maintains, or transmits PHI on your behalf. This includes your IT provider, EHR vendor, billing service, shredding company, cloud storage provider, and answering service — anyone who touches PHI.

Heber Rodriguez

Founder & CEO, RRG Networks

Heber Rodriguez is the founder and CEO of RRG Networks. Since 2016, he and his team have delivered managed IT, cybersecurity, and compliance services to South Florida businesses — built on real engineers, fast response times, and predictable outcomes.
