// Pillar Guide · 2026 Update · ~25 min read

THE COMPLETE HIPAA CYBERSECURITY GUIDE FOR FLORIDA MEDICAL PRACTICES.

What the HIPAA Security Rule actually requires of a medical practice in Florida, how Business Associate Agreements work in practice, the 10 cyber-insurance controls that double as a HIPAA-aligned baseline, and the practical IT stack we deploy at every Florida healthcare client. Written by a veteran-owned managed IT provider headquartered in Ocala, FL.

By Steve Condit, USMC Veteran · 30+ yrs IT · Published 2026-05-01 · Updated 2026-05-13
// What's In This Guide

ELEVEN SECTIONS. ABOUT 4,000 WORDS.

  1. What the HIPAA Security Rule Actually Requires
  2. Who Counts as a Business Associate
  3. The 10 Cyber Insurance Controls Every Practice Needs
  4. Microsoft 365 BAA (The #1 Documentation Gap)
  5. EHR Vendor Security: What Your BAA Doesn't Cover
  6. Florida-Specific Requirements: FIPA & AHCA Layers
  7. The HIPAA Security Risk Analysis (Annual Cadence)
  8. Breach Response: The First 60 Minutes
  9. The Practical HIPAA-Aligned IT Stack
  10. 10 Common HIPAA Cybersecurity Mistakes (and How to Fix Them)
  11. Frequently Asked Questions
// 01

WHAT THE HIPAA SECURITY RULE ACTUALLY REQUIRES.

The HIPAA Security Rule lives at 45 CFR Part 164, Subpart C — sections 164.302 through 164.318. It applies to every “covered entity” (medical practice, hospital, health plan) and to every “business associate” that handles protected health information (PHI) on the covered entity's behalf. The Rule organizes its requirements into three categories of safeguards: administrative, physical, and technical. A practical Florida medical practice has to implement all three. This isn't a checklist; it's an operational posture.

Administrative Safeguards (164.308)

The administrative safeguards are about process and governance: who is responsible for security at the practice, how the practice trains its workforce on PHI handling, how access to PHI is granted and revoked, and how the practice responds to incidents. The core requirement: a designated Security Officer (an actual named person — often the practice administrator) and a written security management process that includes documented risk analysis, sanctions policy for workforce members who violate procedure, information system activity review, and incident response procedures.

Physical Safeguards (164.310)

The physical safeguards are about where PHI lives and who can touch it physically: facility access controls (locked doors to areas with servers or unattended workstations), workstation security (screens not visible to waiting-room patients, password-locked when unattended), and device controls for any hardware that stores PHI — including the disposal procedures for old workstations, servers, and any backup media.

Technical Safeguards (164.312)

The technical safeguards are what most people think of as “HIPAA IT”: access controls (unique user IDs, automatic logoff, encryption of PHI at rest), audit controls (logging who accessed what records and when), integrity controls (preventing improper alteration or destruction of PHI), and transmission security (encryption of PHI in transit, including email, fax replacements, and any cloud service).

Critically, the Security Rule distinguishes between “required” and “addressable” implementation specifications. “Required” means the practice must implement it. “Addressable” means the practice must assess whether the specification is reasonable and appropriate for its environment; if it is, implement it; if it is not, document why and implement an equivalent alternative measure where one is reasonable and appropriate. In our experience, the “addressable” designation is the source of most confusion: addressable does not mean optional, and the decision itself has to be written down.

// 02

WHO COUNTS AS A BUSINESS ASSOCIATE (AND WHY YOUR IT PROVIDER SHOULD SIGN A BAA).

A Business Associate is any person or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity. Under 45 CFR 164.502(e) and 164.504(e), the practice is required to have a written contract — the Business Associate Agreement (BAA) — with every Business Associate. The BAA binds the Business Associate to the same Security Rule and Privacy Rule obligations that bind the practice itself, with specific provisions for breach notification, subcontractor agreements, and what happens to PHI when the relationship ends.

For a typical Florida medical practice, the Business Associates include: the IT managed service provider (MSP), the cloud-hosted EHR vendor, the email security gateway, the cloud backup service, the patient portal vendor, the medical billing and revenue cycle management company, the answering service, the transcription service, the cloud-hosted PACS for imaging, and any document destruction or paper-records shredding company. Every one of those should have a signed, current BAA on file at the practice.

Here's the practical reality we see at most Florida practices: the original BAAs got signed once when the relationship started, then sat in a filing cabinet for years while vendor names changed, vendors got acquired, services were renewed under different terms. The first thing a HIPAA-aware managed IT provider does at a new client is inventory the BAA portfolio and identify gaps. The Microsoft 365 BAA gap (Section 4 of this guide) is the most common.

// 03

THE 10 CYBER INSURANCE CONTROLS EVERY PRACTICE NEEDS.

By 2026, the major cyber insurance carriers (Coalition, Travelers, AIG, Chubb, Beazley, AmTrust) all ask for a baseline set of technical controls before binding or renewing a policy. The list varies slightly per carrier, but the consolidated “10 controls” you'll see on most underwriter questionnaires are also a clean operational floor for HIPAA-aligned IT. Implementing all ten means you're both insurable and audit-defensible, provided you can show evidence for each one: an attestation the practice cannot back up with configuration exports or training records is a claim-denial risk, not a control.

  1. 01
    Multi-Factor Authentication (MFA)
    On every email account, every remote-access entry point (VPN, RDP, RMM), every privileged admin account, every cloud service holding PHI. Microsoft research consistently shows MFA blocks 99.9% of automated credential attacks.
  2. 02
    Endpoint Detection & Response (EDR)
    On every workstation and server. EDR is the modern replacement for legacy antivirus — it behaviorally detects and contains ransomware rather than relying solely on known-signature matching.
  3. 03
    Email Security Gateway
    Beyond Microsoft 365's default protection. Attachment sandboxing, URL rewriting, display-name impersonation alerts, DMARC enforcement on your domain.
  4. 04
    Tested Encrypted Backup
    3-2-1 backup strategy (3 copies, 2 different media types, 1 off-site) with immutable cloud target. Quarterly restore drills that actually verify recoverability — not just “backup ran” reports.
  5. 05
    Patch & Vulnerability Management
    Windows, macOS, browsers, third-party applications patched on a controlled schedule. Most ransomware intrusions exploit vulnerabilities whose patches had been available for weeks or months; the patch backlog, not the zero-day, is the usual way in.
  6. 06
    Security Awareness Training
    Annual training plus periodic phishing simulations. Documented completion records. Sanctions policy for repeat clickers.
  7. 07
    Written Incident Response Plan
    A 1-2 page document the practice administrator can find during an active incident. Names, phone numbers, role assignments, the first-60-minute playbook.
  8. 08
    Vendor Inventory + BAA Tracking
    A current list of every Business Associate, every signed BAA, and the renewal/expiration cadence. Underwriters increasingly ask for this on renewal applications.
  9. 09
    Network Segmentation
    Separation of clinical-workstation network from guest WiFi, from medical-device networks, and (where applicable) from imaging modalities. Limits the blast radius of a single compromised endpoint.
  10. 10
    Privileged Account Management
    Domain admin / global admin / EHR admin accounts treated differently from regular user accounts. Separate credentials, monitored activity, MFA-required, never used for daily email.
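
Control #3 asks for DMARC enforcement on the practice domain, and the most common failure is a DMARC record that exists but says p=none, which monitors and blocks nothing. The following Python grades DMARC and SPF records the way an underwriter's scanner (or an attacker choosing a domain to spoof) would. It is an added example, not code from this guide or from Simply IT; the records are constructed for a fictional practice domain, and in practice you would feed it the TXT records returned by `dig TXT _dmarc.yourdomain` and `dig TXT yourdomain`.

```python
"""Grade a domain's DMARC and SPF TXT records for enforcement.

Added example, not the guide's or Simply IT's code. The record strings below
are constructed for a fictional practice domain.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample records (example-practice.test does not exist).
DMARC_MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example-practice.test"
DMARC_ENFORCED = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example-practice.test"
SPF_WEAK = "v=spf1 include:spf.protection.outlook.com +all"
SPF_OK = "v=spf1 include:spf.protection.outlook.com -all"


@dataclass
class DmarcResult:
    policy: Optional[str] = None
    subdomain_policy: Optional[str] = None
    pct: int = 100
    rua: list = field(default_factory=list)
    enforcing: bool = False
    findings: list = field(default_factory=list)


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' DMARC record into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_dmarc(record: str) -> DmarcResult:
    """Enforcing means p and sp are quarantine/reject and pct is 100."""
    r = DmarcResult()
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        r.findings.append("not a DMARC record: missing v=DMARC1")
        return r
    r.policy = tags.get("p", "").lower() or None
    r.subdomain_policy = tags.get("sp", "").lower() or r.policy   # sp defaults to p
    r.rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    try:
        r.pct = int(tags.get("pct", "100"))
    except ValueError:
        r.pct = 0
        r.findings.append("pct is not an integer; treat the record as unenforced")
    if r.policy is None:
        r.findings.append("no p= tag; receivers treat the record as invalid")
    elif r.policy == "none":
        r.findings.append("p=none only monitors; spoofed mail from this domain is still delivered")
    elif r.policy not in ("quarantine", "reject"):
        r.findings.append(f"unknown policy p={r.policy}")
    if r.pct < 100:
        r.findings.append(f"pct={r.pct}: only part of failing mail is acted on")
    if r.subdomain_policy == "none" and r.policy in ("quarantine", "reject"):
        r.findings.append("sp=none leaves subdomains spoofable (a common phishing trick)")
    if not r.rua:
        r.findings.append("no rua= address: you will never see who is spoofing you")
    r.enforcing = (r.policy in ("quarantine", "reject")
                   and r.subdomain_policy in ("quarantine", "reject")
                   and r.pct == 100)
    return r


def check_spf(record: str) -> list:
    """Return findings for an SPF record; an empty list means nothing alarming."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: missing v=spf1"]
    mechs = [t.lower() for t in terms[1:]]
    all_terms = [t for t in mechs if t.lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("+all authorises every host on the internet to send as you")
        elif qualifier == "?":
            findings.append("?all is neutral: no protection against spoofing")
    # RFC 7208 caps DNS-querying terms at 10; past that, receivers return permerror.
    querying = ("include", "a", "mx", "ptr", "exists", "redirect")
    lookups = sum(1 for t in mechs
                  if t.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0] in querying)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the limit of 10 (permerror)")
    return findings


if __name__ == "__main__":
    for label, rec in (("monitor-only", DMARC_MONITOR_ONLY), ("enforced", DMARC_ENFORCED)):
        res = check_dmarc(rec)
        print(f"DMARC {label}: enforcing={res.enforcing} findings={res.findings}")
    for label, rec in (("weak", SPF_WEAK), ("ok", SPF_OK)):
        print(f"SPF {label}: {check_spf(rec)}")
```

Run it against your own records before the renewal questionnaire asks; a p=none record with a rua address is the right first step for a domain that has never had DMARC, but it is not what “DMARC enforcement” on the form means.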

Practices that have all ten in place at renewal time consistently see smaller premium increases, higher coverage limits, and fewer carrier-imposed exclusions. The same posture makes the practice audit-defensible if HHS OCR or a state agency comes calling.

// 04

MICROSOFT 365 BAA: THE #1 DOCUMENTATION GAP WE FIND.

Microsoft 365 commercial plans (Business Basic, Business Standard, Business Premium, Enterprise E3/E5) are HIPAA-eligible. Microsoft's Business Associate Agreement is incorporated into the Microsoft Product Terms and the Microsoft Products and Services Data Protection Addendum (the successors to the Online Services Terms) and applies to customers that are covered entities or business associates under those terms; it is not a separate document the practice signs. But here's what most Florida medical practices don't know: a BAA that exists only in Microsoft's contract library is worthless in an OCR investigation if the practice cannot produce it, cannot show which subscription and services it covers, or is running patient email on a consumer Microsoft account (Outlook.com, Microsoft 365 Personal or Family), which the BAA does not cover at all.

In our experience auditing Florida medical practices, this is by far the most common HIPAA compliance gap. Practices buy Microsoft 365 from a reseller or directly from Microsoft, deploy email and Teams, store patient communications, and never file the terms that bind Microsoft, confirm those terms cover every mailbox, or configure the safeguards the BAA presumes. The practice is a covered entity that cannot demonstrate a BAA for the service carrying its PHI, exactly the kind of finding that becomes a settlement headline.

// FIX THIS TODAY

In the Microsoft 365 admin center, go to Billing → Your products and record which subscriptions the tenant runs; every mailbox that touches PHI must sit on a commercial Business or Enterprise plan, not a consumer plan. Download the current Microsoft Product Terms and Data Protection Addendum from Microsoft's licensing documentation site, note the version date, and file them in the BAA portfolio next to that subscription record. If the licenses came through a reseller (a CSP partner), confirm the reseller's own BAA as well, because a CSP partner typically holds delegated admin access to the tenant. If anything is unclear, ask your IT provider or Microsoft. There is no cost; it is a documentation step.

Once the BAA is documented, the practice should also configure the technical safeguards a fresh tenant does not fully enforce on its own: MFA for every user (Security Defaults cover the basics on new tenants; Conditional Access, in Premium, is what lets you require it everywhere with a documented break-glass exception), Defender for Business (Premium), Intune device management (Premium), audit log retention that matches the practice's policy, and Information Protection labels for PHI documents. Simply IT configures these as part of standard onboarding for every Florida medical client.
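One way to verify the MFA piece of that configuration rather than trust a checkbox: export the tenant's Conditional Access policies and check that an enabled (not report-only) policy requires MFA for All users on All cloud apps, with a small break-glass exclusion and no location bypass. The following Python is an added example, not code from this guide, from Simply IT or from Microsoft; the policies and the break-glass object id are invented, and the export format is assumed to be the Microsoft Graph conditionalAccessPolicy JSON that `Get-MgIdentityConditionalAccessPolicy | ConvertTo-Json -Depth 10` produces.

```python
"""Audit an export of Entra Conditional Access policies for tenant-wide MFA.

Added example, not the guide's, Simply IT's or Microsoft's code. SAMPLE_EXPORT
is a constructed list shaped like the Microsoft Graph conditionalAccessPolicy
resource; the policies and the break-glass object id are invented.
"""
import json

SAMPLE_EXPORT = json.dumps([
    {
        "displayName": "Require MFA for all users",
        "state": "enabledForReportingButNotEnforced",   # report-only: enforces nothing
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": ["11111111-2222-3333-4444-555555555555"],  # invented break-glass id
                      "excludeGroups": []},
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
            "locations": None,
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [], "excludeGroups": []},
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
            "clientAppTypes": ["exchangeActiveSync", "other"],
            "locations": None,
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
])


def audit_mfa_policies(export_json: str) -> dict:
    """Return {'enforced_for_all': bool, 'findings': [...]} for a policy export."""
    findings = []
    enforced = False
    for pol in json.loads(export_json):
        grant = pol.get("grantControls") or {}
        if "mfa" not in (grant.get("builtInControls") or []):
            continue                          # not an MFA policy (block or session policy)
        name = pol.get("displayName", "<unnamed>")
        cond = pol.get("conditions") or {}
        users = cond.get("users") or {}
        apps = cond.get("applications") or {}
        locs = cond.get("locations") or {}
        problems = []
        if pol.get("state") != "enabled":
            problems.append(f"state is {pol.get('state')!r} (report-only or disabled), so it enforces nothing")
        if users.get("includeUsers") != ["All"]:
            problems.append("does not target All users; anyone outside its scope has no MFA requirement")
        if apps.get("includeApplications") != ["All"] or apps.get("excludeApplications"):
            problems.append("does not cover All cloud apps, or excludes some")
        if locs.get("excludeLocations"):
            problems.append("excludes named locations: MFA is bypassed from those networks")
        excluded = len(users.get("excludeUsers") or [])
        if excluded == 0:
            problems.append("no break-glass exclusion: a bad MFA change can lock every admin out")
        elif excluded > 2:
            problems.append(f"{excluded} excluded users; each one is an account without MFA")
        if users.get("excludeGroups"):
            problems.append("excludes groups: review membership, group exclusions grow silently")
        if problems:
            findings.extend(f"{name}: {p}" for p in problems)
        else:
            enforced = True
    if not enforced:
        findings.append("no enabled policy requires MFA for All users on All apps")
    return {"enforced_for_all": enforced, "findings": findings}


# The fix for the sample tenant: turn the report-only policy on.
FIXED_EXPORT = json.dumps([
    dict(p, state="enabled") if p["displayName"] == "Require MFA for all users" else p
    for p in json.loads(SAMPLE_EXPORT)
])

if __name__ == "__main__":
    for label, export in (("before", SAMPLE_EXPORT), ("after", FIXED_EXPORT)):
        print(label, json.dumps(audit_mfa_policies(export), indent=2))
```

Keep the “after” output with the date in the BAA portfolio; it is the evidence an underwriter or investigator accepts for “MFA enforced on every user,” where a screenshot of the policy list is not.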

// 05

EHR VENDOR SECURITY: WHAT YOUR BAA DOESN'T COVER.

Your EHR vendor — Athenahealth, eClinicalWorks, NextGen, AdvancedMD, Practice Fusion, DrChrono, Kareo — has signed a BAA with you and maintains the security of the EHR application itself. What the BAA does not cover is everything between the EHR and the practice workforce: the workstations clinicians use, the network those workstations sit on, the email system patient communication flows through, and the authentication layer that lets staff log in.

This is where most real-world HIPAA incidents originate. A staff member's credentials get phished, the attacker logs into the EHR with the staff member's account (the EHR's security worked exactly as designed; it authenticated a legitimate-looking session), and pulls patient records. The EHR vendor will tell the practice, correctly, that the EHR wasn't breached. The breach happened upstream, in the practice's own IT environment, on systems outside the EHR vendor's BAA and squarely within the practice's responsibility.

The fix: MFA on every EHR user account, enforced at the practice's identity provider (typically Microsoft Entra ID) where the EHR supports SAML or OpenID Connect single sign-on, and through the EHR's own MFA where it does not; separate credentials for clinical and administrative roles; automated alerts on after-hours or geographically anomalous logins; and a quarterly review of who has access to what within the EHR, with leavers' accounts disabled the day they leave. Most EHR platforms support all of these; most practices have implemented none of them.
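The alerting described above (after-hours sign-ins, geographically impossible sign-ins, and the one-account-many-workstations pattern that shared logins produce) is straightforward to run over an Entra ID sign-in log export, and it is the same logic a SOC applies to the identity events in the monitoring layer of the stack later in this guide. The following Python is an added example, not code from this guide or from Simply IT; its sample events, users, IP addresses and coordinates are constructed, the 07:00 to 19:00 Eastern clinic hours are an assumption, and the field names follow the Microsoft Graph signIn resource.

```python
"""Flag after-hours, impossible-travel and shared-credential sign-ins.

Added example, not the guide's or Simply IT's code. SAMPLE_LOG is constructed:
field names follow the Microsoft Graph signIn resource (an Entra sign-in log
export), but every event, user, IP address and coordinate is invented.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Assumed clinic hours: 07:00-19:00 weekdays, US Eastern. A fixed EDT offset keeps the
# example dependency-free; production code should use zoneinfo.ZoneInfo("America/New_York").
CLINIC_TZ = timezone(timedelta(hours=-4))
OPEN_HOUR, CLOSE_HOUR = 7, 19
MAX_PLAUSIBLE_KMH = 900.0                  # faster than an airliner is not travel
SHARED_IPS, SHARED_WINDOW = 3, timedelta(hours=1)

SAMPLE_LOG = """
{"createdDateTime":"2026-04-14T13:05:00Z","userPrincipalName":"nurse1@example-practice.test","ipAddress":"203.0.113.10","status":{"errorCode":0},"location":{"countryOrRegion":"US","geoCoordinates":{"latitude":29.19,"longitude":-82.14}}}
{"createdDateTime":"2026-04-14T13:40:00Z","userPrincipalName":"nurse1@example-practice.test","ipAddress":"198.51.100.77","status":{"errorCode":0},"location":{"countryOrRegion":"NG","geoCoordinates":{"latitude":6.52,"longitude":3.38}}}
{"createdDateTime":"2026-04-14T13:00:00Z","userPrincipalName":"frontdesk@example-practice.test","ipAddress":"192.0.2.5","status":{"errorCode":0},"location":{"countryOrRegion":"US","geoCoordinates":{"latitude":29.19,"longitude":-82.14}}}
{"createdDateTime":"2026-04-14T13:10:00Z","userPrincipalName":"frontdesk@example-practice.test","ipAddress":"192.0.2.6","status":{"errorCode":0},"location":{"countryOrRegion":"US","geoCoordinates":{"latitude":29.19,"longitude":-82.14}}}
{"createdDateTime":"2026-04-14T13:20:00Z","userPrincipalName":"frontdesk@example-practice.test","ipAddress":"192.0.2.7","status":{"errorCode":0},"location":{"countryOrRegion":"US","geoCoordinates":{"latitude":29.19,"longitude":-82.14}}}
{"createdDateTime":"2026-04-15T02:30:00Z","userPrincipalName":"frontdesk@example-practice.test","ipAddress":"192.0.2.8","status":{"errorCode":0},"location":{"countryOrRegion":"US","geoCoordinates":{"latitude":29.19,"longitude":-82.14}}}
{"createdDateTime":"2026-04-14T14:00:00Z","userPrincipalName":"drsmith@example-practice.test","ipAddress":"198.51.100.9","status":{"errorCode":50126},"location":{"countryOrRegion":"RU","geoCoordinates":{"latitude":55.75,"longitude":37.62}}}
"""


@dataclass
class SignIn:
    when: datetime
    upn: str
    ip: str
    ok: bool
    country: str
    lat: Optional[float]
    lon: Optional[float]


def parse_signins(ndjson: str) -> list:
    """One JSON object per line, as exported from the Entra sign-in log; returns events sorted by time."""
    events = []
    for line in ndjson.strip().splitlines():
        e = json.loads(line)
        loc = e.get("location") or {}
        geo = loc.get("geoCoordinates") or {}
        events.append(SignIn(
            when=datetime.fromisoformat(e["createdDateTime"].replace("Z", "+00:00")),
            upn=e["userPrincipalName"].lower(),
            ip=e["ipAddress"],
            ok=(e.get("status") or {}).get("errorCode", 1) == 0,   # errorCode 0 = success
            country=loc.get("countryOrRegion", "??"),
            lat=geo.get("latitude"), lon=geo.get("longitude"),
        ))
    return sorted(events, key=lambda s: s.when)


def km_between(lat1, lon1, lat2, lon2) -> float:
    """Great-circle (haversine) distance in kilometres."""
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect(events: list) -> list:
    """Return (rule, upn, detail) findings over successful sign-ins only.
    Failed sign-ins granted nothing; they belong to a separate password-spray detection."""
    findings, by_user = [], {}
    for ev in events:
        if not ev.ok:
            continue
        by_user.setdefault(ev.upn, []).append(ev)
        local = ev.when.astimezone(CLINIC_TZ)
        if local.weekday() >= 5 or not OPEN_HOUR <= local.hour < CLOSE_HOUR:
            findings.append(("after_hours", ev.upn, f"{local:%Y-%m-%d %H:%M} local from {ev.ip}"))
    for upn, evs in by_user.items():
        # Impossible travel: consecutive successes too far apart for the elapsed time.
        for prev, cur in zip(evs, evs[1:]):
            if None in (prev.lat, prev.lon, cur.lat, cur.lon):
                continue
            hours = max((cur.when - prev.when).total_seconds() / 3600, 1 / 60)
            dist = km_between(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist > 100 and dist / hours > MAX_PLAUSIBLE_KMH:
                findings.append(("impossible_travel", upn,
                                 f"{dist:.0f} km in {hours * 60:.0f} min ({prev.country}->{cur.country})"))
        # Shared credentials: one account, many source IPs inside a short window.
        for i, ev in enumerate(evs):
            ips = {e.ip for e in evs[i:] if e.when - ev.when <= SHARED_WINDOW}
            if len(ips) >= SHARED_IPS:
                findings.append(("shared_account", upn, f"{len(ips)} source IPs within {SHARED_WINDOW}"))
                break
    return findings


if __name__ == "__main__":
    for rule, upn, detail in detect(parse_signins(SAMPLE_LOG)):
        print(f"{rule:18} {upn:32} {detail}")
```

On the constructed sample this flags nurse1 for a Florida-to-Nigeria sign-in 35 minutes apart, and the front-desk account twice: once for a 22:30 local sign-in and once for three source IPs inside an hour, which is what a shared “FrontDeskUser” login looks like in the logs. The failed sign-in from abroad is deliberately ignored here; it feeds a password-spray detection, not this one.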

// 06

FLORIDA-SPECIFIC REQUIREMENTS: FIPA & AHCA LAYERS.

HIPAA is federal. Florida adds state-level layers most practices treat as if they didn't exist. The first is the Florida Information Protection Act (FIPA), F.S. 501.171. FIPA requires notice to affected Florida residents no later than 30 days after the breach is determined, for a breach of any size, and notice to the Florida Department of Legal Affairs on the same 30-day clock when 500 or more Floridians are affected. That is half of HIPAA's 60-day federal timeline, so for almost any Florida practice FIPA's 30 days is the binding constraint, and the breach coach needs the Florida resident count early.

The second is the Florida Agency for Health Care Administration (AHCA) licensing layer. AHCA licenses many provider types in Florida and imposes its own administrative requirements, some of which intersect with IT systems (electronic record retention requirements, specific security postures for AHCA-licensed home health agencies and ALFs, and AHCA-mandated incident reporting in some cases). Most outpatient practices are not AHCA-licensed directly, but specialty practices, home health, hospice, and ALF settings are.

A further Florida-specific wrinkle most providers forget: Florida has no single medical-record retention statute. Retention periods come from licensing-board rules and vary by license type and specialty (the Board of Medicine rule, for example, requires physicians to keep records for at least five years from the last patient contact). Your IT backup retention policy needs to align with whichever rule applies to your practice, and the two are not the same thing: a backup is a disaster-recovery copy, not the retention system of record. We see practices over-retaining (a decade-plus of backups, expanding what a ransomware actor can exfiltrate) and under-retaining (specialty-specific records destroyed too early) in roughly equal measure.

// 07

THE HIPAA SECURITY RISK ANALYSIS: ANNUAL CADENCE + WHAT IT SHOULD DOCUMENT.

The HIPAA Security Risk Analysis is required under 45 CFR 164.308(a)(1)(ii)(A). HHS publishes the Security Risk Assessment Tool free for download. The Tool is genuinely useful — it walks the practice through the safeguard inventory and produces a document an OCR investigator would recognize as a good-faith risk analysis. Most practices we work with had never heard of it before onboarding.

What the risk analysis should document, at minimum: inventory of systems and devices that store, process, or transmit PHI; a list of reasonably anticipated threats to those systems (ransomware, lost laptop, employee error, vendor compromise, natural disaster); the controls currently in place against each threat; the gaps; the remediation plan with named owners and dates. The output is the document. Doing it correctly takes a few hours of focused effort once a year.

The single most-cited OCR enforcement finding is “failure to conduct an accurate and thorough risk analysis.” Practices that have never documented one are already exposed to an enforcement action whether or not anything else has gone wrong. We strongly recommend the practice's Security Officer schedule the annual risk analysis on the calendar (first quarter is typical) and treat it as non-negotiable, like a tax filing.

// 08

BREACH RESPONSE: THE FIRST 60 MINUTES.

The first hour after a suspected breach determines most of the practice's outcome. Three actions, in order, before anything else:

  1. Call the cyber insurance hotline FIRST. Before calling your IT provider, before calling the EHR vendor, before talking to staff about what happened. The carrier's breach coach (a contracted law firm) directs the investigation so that attorney-client privilege can be asserted over it; courts have not always upheld that privilege, but an investigation the practice ran on its own before counsel was engaged has almost no chance of it. Anything you do or document before the breach coach engages may be discoverable later.
  2. Disconnect — do not power down. Unplug affected workstations and servers from the network (ethernet cable, WiFi disable), or use your EDR's network-isolation feature, which cuts the machine off while keeping the agent's own telemetry flowing. Do not power them off: RAM contains forensic evidence that's lost on shutdown. Document timestamps as you go.
  3. Document and resist cleanup. Take photos of screens, write down what you observed, note who was where and when. Resist the urge to “just delete the bad files” or “just reinstall Windows” — that destroys the evidence the breach coach's forensic team needs.

From there, the breach coach takes over: they engage forensics, they handle the legal-privilege wrap, they coordinate with the practice's IT provider on containment and recovery, and they manage the regulatory notification timeline. The practice administrator's job is to follow the breach coach's instructions and keep the practice operational.

This is why a written incident response plan (Control #7 in Section 3) matters operationally — when the practice administrator is in a fog of adrenaline at 3pm on a Tuesday, the IR plan tells them which phone number to call first. We provide a one-page IR plan template as part of standard onboarding for every Florida healthcare client.

// 09

THE PRACTICAL HIPAA-ALIGNED IT STACK.

What does a HIPAA-aligned IT environment actually look like at a 10-person Florida medical practice in 2026? Here's the stack Simply IT deploys at every new healthcare client during onboarding. It satisfies all ten cyber insurance controls (Section 3), supports the Security Rule technical safeguards (Section 1), and gives the practice audit-ready documentation.

  • Identity: Microsoft 365 Business Premium (BAA activated), Entra ID with Conditional Access policies, MFA enforced on every user, separate global admin accounts for IT only.
  • Endpoint: Defender for Business EDR on every workstation, BitLocker disk encryption on every laptop, automated patching via Intune (or RMM).
  • Email: Exchange Online with Defender for Office 365 (Plan 1 or 2), DMARC enforcement on the practice domain, attachment sandboxing, user phishing reporter add-in.
  • Network: Business-grade firewall with site-to-site VPN if multi-location, VLAN segmentation between clinical workstations and guest WiFi, separate VLAN for medical devices where applicable.
  • Backup: Image-based backup of every server, cloud sync for SharePoint and OneDrive document libraries, immutable retention for ransomware resilience, quarterly tested restores.
  • Monitoring: 24/7 SOC monitoring of identity events, endpoint EDR alerts, after-hours login anomalies, and DLP triggers for PHI movement.
  • Training: Annual security awareness training (KnowBe4 or equivalent), monthly phishing simulations, documented completion records, sanctions policy.
  • Documentation: Annual security risk analysis (HHS Tool output), BAA portfolio with renewal tracking, written IR plan, current vendor inventory with PHI access mapping.

Pricing: this full stack at Simply IT is $150 per user per month on the Simply Compliant tier, with no long-term contracts. A 10-person practice invests $1,500/month — versus the $254,000 average ransomware recovery cost for a healthcare practice. The math is not subtle.

// 10

TEN COMMON HIPAA CYBERSECURITY MISTAKES (AND HOW TO FIX THEM).

  1. Microsoft 365 BAA never documented or checked. Fix: confirm every mailbox is on a covered commercial plan, file the current Microsoft Product Terms and Data Protection Addendum in the BAA portfolio, and configure the safeguards the BAA assumes. (Section 4.)
  2. No documented security risk analysis. Fix: download the free HHS Security Risk Assessment Tool, schedule a half-day on the practice manager's calendar, complete it. (Section 7.)
  3. MFA not enforced on email or admin accounts. Fix: enforce MFA on 100% of accounts. Microsoft has confirmed MFA blocks 99.9% of automated credential attacks.
  4. Shared workstation logins (multiple staff using “FrontDeskUser”). Fix: every workforce member has a unique account, period. Audit logging is meaningless without unique IDs.
  5. BAA portfolio not maintained. Fix: inventory every vendor with PHI access, confirm BAA is signed and current, track renewals on the practice administrator's calendar.
  6. No tested backup recovery. Fix: quarterly restore drills that prove backups actually recover. A backup that has never been tested is not a backup.
  7. No security awareness training. Fix: KnowBe4 or equivalent, annual at minimum, with monthly phishing simulations and documented completion records.
  8. Personal devices accessing PHI without governance. Fix: bring-your-own-device policy with Intune (or equivalent MDM) for any personal device that accesses email or EHR.
  9. No written incident response plan. Fix: one page, cyber insurance hotline at the top, named role assignments. Posted where the practice administrator can find it under stress.
  10. “HIPAA-certified” vendor claims taken at face value. Fix: HIPAA has no certification body. Read the vendor's BAA. Ask for their SOC 2 report. Don't accept marketing language as compliance evidence.

If your practice has more than two of these uncorrected, you have a real HIPAA exposure that's worth a few hours of focused fix work — well before an OCR letter or a breach forces the issue under emergency conditions.

// 11

FREQUENTLY ASKED QUESTIONS.

Is HIPAA enforced against small medical practices?
Yes. HHS Office for Civil Rights (OCR) regularly enforces HIPAA against small practices — including solo and 2-5 provider offices. Settlement amounts have ranged from $25,000 to several hundred thousand dollars for documentation and Security Rule violations at small practices. The myth that ‘OCR only goes after hospitals’ is exactly that: a myth. Most enforcement actions cite missing security risk analysis, missing BAAs, or inadequate technical safeguards — all things small practices can and should maintain.
Do I need a Business Associate Agreement with my IT provider?
Yes, if your IT provider has any access — direct or potential — to systems containing protected health information (PHI). That includes practice management software, EHR, email systems handling patient communication, network storage with patient records, or any cloud service holding PHI. The BAA is legally required under 45 CFR 164.308(b) and 164.314(a). If your current IT provider has not signed one, this is the highest-priority compliance gap to close.
Is Microsoft 365 HIPAA-compliant out of the box?
Not automatically. Microsoft 365 Business Basic, Standard, and Premium are eligible for HIPAA use, and Microsoft's BAA is built into the Product Terms and Data Protection Addendum that govern those commercial subscriptions; there is nothing to sign, but there is something to prove. Most practices that bought Microsoft 365 through a reseller cannot produce the terms that bind Microsoft, have never checked that every mailbox sits on a covered commercial plan rather than a consumer account, and have never configured the safeguards (MFA, Conditional Access, audit retention, DLP) the BAA assumes. This is the single most common HIPAA documentation gap we find at Florida medical practices.
What's the difference between HIPAA-compliant and HIPAA-aligned?
‘HIPAA-compliant’ isn't a binary certification — HIPAA has no certification body. ‘HIPAA-aligned’ is the more honest term: meaning the practice and its vendors have implemented the administrative, physical, and technical safeguards the Security Rule requires, with documented evidence to defend the program if HHS OCR investigates. Any vendor or provider claiming to make you ‘HIPAA certified’ or ‘HIPAA compliant’ in absolute terms is overselling the concept.
How often should a HIPAA security risk analysis be conducted?
Annually, at minimum, and after any significant change to the practice's information systems (new EHR, major office move, merger, new clinical workflow involving PHI). The risk analysis is required under 45 CFR 164.308(a)(1)(ii)(A) and is one of the most-cited OCR enforcement points — practices that have never documented one are exposed even if every other safeguard is in place.
What should I do in the first hour after suspecting a breach?
Three things, in order: (1) Engage your cyber insurance breach coach via the carrier hotline before doing anything else — this preserves attorney-client privilege over the investigation. (2) Disconnect affected systems from the network (do not power down — preserves forensic evidence in RAM). (3) Document everything you observe, including timestamps, while it's fresh. Resist the urge to ‘clean up’ before forensics arrives — that destroys evidence and complicates the investigation.
How long do we have to report a breach under HIPAA?
Under the HIPAA Breach Notification Rule (45 CFR 164.400-414): affected individuals must be notified without unreasonable delay and no later than 60 calendar days after discovery. HHS must also be notified: within the same 60 days for breaches affecting 500 or more individuals (which also triggers notice to prominent media outlets in any state where 500 or more residents are affected), or within 60 days after the end of the calendar year (March 1, or February 29 when the following year is a leap year) for breaches affecting fewer than 500. Florida adds its own layer via the Florida Information Protection Act (FIPA, F.S. 501.171): notice to affected Florida residents within 30 days for a breach of any size, and notice to the Florida Department of Legal Affairs on the same 30-day clock when 500 or more Floridians are affected.
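
Because a Florida practice is running the federal and state clocks at the same time, it helps to compute all of them from one date rather than reconstruct the rules under pressure. The following Python is an added example, not code from this guide or from Simply IT; it encodes only the deadlines stated above plus HIPAA's media-notice trigger for 500 or more residents of one state, starts every clock from a single determination date you supply, and ignores law-enforcement delays and extensions, which counsel handles.

```python
"""Compute the breach-notification clocks a Florida practice runs at once.

Added example, not the guide's or Simply IT's code. Encodes the HIPAA Breach
Notification Rule (45 CFR 164.400-414) and FIPA (F.S. 501.171) deadlines as
stated in this guide. Assumption: HIPAA 'discovery' and FIPA 'determination'
are both taken as the single date passed in; counsel sets the real start date
and handles any law-enforcement delay or extension, which are not modelled.
"""
from datetime import date, timedelta


def notification_deadlines(determined_iso: str, affected_total: int, affected_florida: int) -> dict:
    """Map each required notice to its ISO due date, plus 'binding' = the earliest one."""
    determined = date.fromisoformat(determined_iso)
    due = {}
    # HIPAA: individuals within 60 calendar days of discovery, whatever the breach size.
    due["hipaa_individuals"] = determined + timedelta(days=60)
    if affected_total >= 500:
        # 500+: HHS notified contemporaneously with the individual notices.
        due["hhs_ocr"] = determined + timedelta(days=60)
    else:
        # Fewer than 500: logged, then reported within 60 days after the calendar year ends.
        due["hhs_ocr"] = date(determined.year, 12, 31) + timedelta(days=60)
    if affected_florida >= 500:
        # 500+ residents of one state also triggers notice to prominent media in that state.
        due["hipaa_media_florida"] = determined + timedelta(days=60)
    if affected_florida > 0:
        # FIPA: every affected Florida resident within 30 days, regardless of breach size.
        due["fipa_individuals"] = determined + timedelta(days=30)
    if affected_florida >= 500:
        # FIPA: Florida Department of Legal Affairs within 30 days when 500+ Floridians affected.
        due["fipa_department_of_legal_affairs"] = determined + timedelta(days=30)
    due["binding"] = min(due.values())
    return {name: when.isoformat() for name, when in due.items()}


if __name__ == "__main__":
    # Constructed scenarios: a large breach, a small all-Florida breach, a small out-of-state one.
    for total, florida in ((1200, 1100), (120, 120), (120, 0)):
        d = notification_deadlines("2026-04-14", total, florida)
        print(f"{total:5} affected, {florida:5} in Florida -> binding {d['binding']}  {d}")
```

The “binding” date is the one that belongs at the top of the one-page IR plan; the breach coach owns the actual calendar and any extension request.
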
What is the FTC's role in healthcare data breaches?
The FTC has historically had jurisdiction over consumer protection in healthcare data breaches that fall outside HIPAA's scope (e.g., direct-to-consumer health apps not covered as HIPAA Business Associates). Since 2023, the FTC has aggressively expanded its enforcement of the Health Breach Notification Rule — meaning some breaches that would have been HIPAA-only now also trigger FTC notification obligations. Your incident response plan should account for both.
Is cyber insurance required for HIPAA compliance?
Not legally required by HIPAA itself, but practically required: most malpractice insurance policies now have specific cybersecurity riders or exclusions, hospital network credentialing increasingly requires cyber insurance attestations, and any breach without coverage typically costs the practice 2-5x more than the breach itself in legal and notification expenses. Most Florida medical practices we work with carry cyber insurance with $1M-$3M limits.
What does HIPAA-aligned managed IT cost for a Florida medical practice?
Most Florida medical practices we work with invest $125-$150 per user per month for compliance-aligned managed IT (Simply IT's Simply Secure or Simply Compliant tiers). A typical 10-person practice (4 providers + 6 support staff) invests $1,250-$1,500 per month, which covers monitoring, patching, EDR, email security, MFA enforcement, encrypted backup, security awareness training, and the BAA and documentation maintenance described in this guide. No long-term contracts.
How is Simply IT different from a generic IT provider on HIPAA?
Simply IT signs a BAA with every healthcare client as a standard part of onboarding (not as an extra), conducts and documents annual HIPAA security risk analyses, documents Microsoft 365 BAA coverage and configures the tenant safeguards for every healthcare client, and maintains audit-ready evidence of the administrative and technical safeguards 45 CFR 164.308 requires. The same flat monthly fee covers all of this for a 5-person solo practice and a 25-person multi-provider clinic. We're veteran-owned, headquartered in Ocala FL, and 45 minutes from The Villages, 40 minutes from Gainesville, and an hour from Jacksonville and Daytona.
Where can I read the actual HIPAA Security Rule?
The HIPAA Security Rule is codified at 45 CFR Part 164, Subpart C (sections 164.302 through 164.318). The full text is freely available at the eCFR (Electronic Code of Federal Regulations) site under HHS jurisdiction. HHS OCR also publishes guidance documents, audit protocols, and the Security Risk Assessment Tool at hhs.gov/hipaa — all free. We strongly recommend that the practice's designated Security Officer read the Rule itself at least once; it's under 50 pages and more navigable than its reputation suggests.
READY FOR HIPAA-ALIGNED IT AT YOUR FLORIDA PRACTICE?

Get a free HIPAA technology assessment from a veteran-owned managed IT provider headquartered in Ocala, FL. We'll review your BAA portfolio, Microsoft 365 BAA coverage and tenant configuration, EHR integration security, and the 10 cyber-insurance controls, and give you an honest written gap-and-fix report with no obligation.


Or call us directly: 352-723-5003