Back to Blog
2026-07-0710 min read
Compliance

HIPAA Compliance in 2026: What's Changed and What It Means for You

An updated guide to HIPAA compliance for healthcare leaders, covering recent regulatory changes, enforcement trends, and practical steps for maintaining compliance.

Sean P. Conroy

HIPAA compliance isn't static. The regulatory landscape continues to evolve, enforcement priorities shift, and the threat environment changes how covered entities must think about protecting patient information.

For healthcare leaders, staying current with HIPAA requirements isn't just about avoiding penalties. It's about maintaining the trust that patients place in your organization when they share their most sensitive information.

Key insight: HIPAA enforcement has shifted from focusing on obvious violations to examining whether organizations have risk-based security programs. Regulators increasingly expect documented risk assessments, security investments proportionate to risk, and evidence of continuous improvement.

Recent Regulatory Developments

The past year has brought several important changes to the HIPAA landscape.

1Enhanced Security Requirements

  • Stronger expectations for encryption
  • Multi-factor authentication increasingly expected
  • More rigorous business associate oversight
  • Enhanced access control requirements

2Enforcement Focus Areas

  • Risk analysis failures remain top citation
  • Right of access enforcement increasing
  • Business associate breaches drawing scrutiny
  • Ransomware response and reporting

3Telehealth Considerations

  • Pandemic flexibilities evolving
  • Permanent telehealth guidance emerging
  • Platform security requirements clarifying
  • Patient consent and privacy updates

4State Law Interplay

  • State privacy laws adding requirements
  • State breach notification variations
  • Some states exceeding HIPAA standards
  • Need for jurisdiction-aware compliance

Risk Analysis: Still the Foundation

The risk analysis requirement remains the most frequently cited HIPAA violation. And the most misunderstood.

Key insight: A risk analysis isn't a one-time checkbox. It's an ongoing process that must be updated when your environment changes. If your last risk analysis was more than a year ago, or if significant changes have occurred since, you're likely out of compliance.

Risk Analysis Requirements

A compliant risk analysis must:

Identify all PHI, including where it's stored and how it flows

Identify and assess threats and vulnerabilities

Evaluate current security measures

Determine likelihood and impact of potential risks

Assign risk levels and prioritize mitigation

Document findings and remediation plans

Common Risk Analysis Failures

Using a Checklist Instead of Analysis

Checking boxes doesn't satisfy the risk analysis requirement. You must actually assess risks specific to your organization's environment, size, and operations.

Missing Assets and Data Flows

If you don't know everywhere PHI exists, you can't assess risks to it. Shadow IT, cloud storage, and personal devices often contain PHI that isn't included in risk analysis.

No Follow-Through

A risk analysis without remediation is incomplete. Regulators expect to see that identified risks were addressed or formally accepted with documented justification.

Business Associate Management

Your security is only as strong as your weakest business associate.

BAA Requirements

  • Written agreement in place before PHI access
  • Specific permitted uses defined
  • Security requirements specified
  • Breach notification obligations clear
  • Subcontractor provisions included

Ongoing Oversight

  • Periodic security assessments
  • Review of SOC 2 or equivalent reports
  • Monitoring of breach history
  • Contract renewal security review
  • Termination procedures documented

Data point: Business associate breaches now account for a significant percentage of reported healthcare breaches. OCR expects covered entities to demonstrate ongoing oversight, not just signed agreements. -HHS OCR Breach Portal

Breach Notification Updates

The 60-day notification clock starts when you discover a breach, not when investigation is complete.

1

Individual Notice

Within 60 days to affected individuals by first-class mail

2

HHS Notification

Within 60 days for 500+ affected; annually for smaller breaches

3

Media Notice

For breaches affecting 500+ in a state; prominent media required

Preparing for an OCR Investigation

If a breach occurs or a complaint is filed, be prepared for OCR to ask for:

Documentation OCR will request:

Current risk analysis and management plan

Security policies and procedures

Training records and materials

Business associate agreements and oversight records

Incident response procedures

Audit logs and access controls documentation

"OCR investigators look for evidence of a security program, not perfection. Organizations that can demonstrate ongoing attention to security, documented risk management, and good-faith compliance efforts fare better than those scrambling to create documentation after the fact."

— Sean P. Conroy, author of Cybersecurity for CEOs

Key Takeaways

  • Risk analysis is foundational, It remains the most cited violation; keep it current
  • Enforcement is intensifying, OCR expects evidence of ongoing security programs
  • Business associates need oversight, BAAs aren't enough; demonstrate monitoring
  • Breach notification is time-sensitive, The 60-day clock starts at discovery
  • Documentation is your defense, If it's not documented, it didn't happen
  • State laws may add requirements, Know what applies beyond federal HIPAA

Stay Ahead of Compliance

HIPAA compliance requires ongoing attention as regulations and enforcement evolve. For a complete framework on building security programs that satisfy regulatory requirements, Cybersecurity for CEOs provides the strategic guidance you need.

"HIPAA compliance isn't a destination. It's a continuous journey of assessing risks, implementing safeguards, and demonstrating that patient trust is your priority."

Questions about HIPAA compliance? Get in touch or connect with me on LinkedIn. I help healthcare leaders build compliance programs that protect patients and satisfy regulators.

Ready to Take Cybersecurity Leadership to the Next Level?

Get exclusive access to the first chapter of Cybersecurity for CEOs — plus monthly insights on protecting your business delivered straight to your inbox.

Newsletter subscribers get:

  • Free download of Chapter 1: “Why Cybersecurity Is Now a CEO Problem”
  • Monthly cybersecurity insights written for business leaders (not IT teams)
  • Exclusive discounts on the full book and future resources
  • Quick-win security tips you can implement immediately

No spam, ever. Unsubscribe anytime. We respect your privacy.