HIPAA Compliance in 2026: What Miami Health Clinics Need to Know

If you run a medical clinic in Miami-Dade or Broward, HIPAA compliance has stopped being a paperwork exercise. The HHS Office for Civil Rights closed 2025 with the highest enforcement volume in the agency’s history, and the 2026 enforcement priorities make it clear that small and mid-size clinics are squarely in scope.

We onboard new clinic clients every month, and the same compliance gaps show up in nearly every assessment. This article walks through the 90-day plan we run — the same plan that has carried our clients through OCR audit requests, cyber liability renewals, and ransomware near-misses without a single reportable breach.

The #1 Cited Deficiency: A Real Risk Analysis

Of every HIPAA enforcement action OCR closed last year, the top cited deficiency was the same: failure to perform a thorough, accurate risk analysis. Most clinics we audit have something labeled “risk analysis” — but it’s a checklist their previous IT vendor filled out once, three years ago.

Key insight

A HIPAA risk analysis is a living document. If yours hasn’t been updated since you added a new EHR, hired remote staff, or changed cloud providers — it’s already out of date.

The 90-Day Plan

Here’s the cadence we run with every new clinic client. By day 90, you have audit-ready documentation, every BAA in order, encryption verified, and a workforce trained on the threats that actually target healthcare.

Days 1–30: Inventory and risk analysis

  1. Asset inventory. Every device, every user, every system that touches ePHI.
  2. Data flow mapping. Where does ePHI live, where does it move, who has access?
  3. Threat modeling. Mapped to NIST SP 800-30 — the methodology OCR explicitly references.
  4. Gap analysis. Documented against the HIPAA Security Rule’s required and addressable specifications.

Days 31–60: Remediation and controls

This is the work most IT vendors skip. The risk analysis identified the gaps; now we close them. Multi-factor authentication on every system that touches ePHI. Endpoint encryption verified, not just enabled. Email security tuned for healthcare-targeted phishing. Backup tested by actually performing a restore.

Days 61–90: Documentation and training

Every control we deployed gets documented in your security policy binder. Workforce HIPAA training delivered, completion tracked, signatures collected. Incident response plan rehearsed with a tabletop exercise. BAA register reviewed and updated.

What the binder contains

Risk analysis, written policies, BAA register, training logs, audit logs, incident response plan, and the contact details OCR will ask for if they call.

What Happens If You Skip This?

The realistic consequence isn’t a $50,000 fine on day one. It’s the cyber liability renewal that gets denied because you can’t produce documentation. It’s the ransomware incident that turns into a reportable breach. The good news is that 90 days of focused work gets you to a defensible position.

Want this applied to your business?

Book a free assessment: we'll review your current security posture, identify gaps, and give you a prioritized roadmap at no cost.