The U.S. Department of Health and Human Services (HHS) has updated key parts of HIPAA’s regulatory framework, with an emphasis on security protections for electronic protected health information (ePHI) and operational compliance expectations for covered entities and business associates.
Key Changes You Need to Know
1. Strengthened Privacy Notices & Part 2 Alignment
Covered entities must update their Notice of Privacy Practices (NPP) by February 16, 2026, to reflect new rules around disclosure and protections, especially for sensitive categories like Substance Use Disorder (Part 2) records.
2. Security Rule Updates on the Horizon
HHS’s Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM) to update the HIPAA Security Rule for the first time in more than a decade, shifting toward modern cybersecurity standards designed to better protect against today’s threats.
While the final rule’s full text and the effective dates of its individual provisions remain subject to the administrative process, the industry expects compliance timelines to align with February 16, 2026, or shortly thereafter.
The NPRM’s proposed updates would:
- Eliminate the old “addressable” vs. “required” implementation distinction, meaning all safeguards become mandatory.
- Require written documentation, tested and reviewed regularly.
- Strengthen access control rules like timely removal of terminated user accounts and multi-factor authentication (MFA).
- Mandate security assessments and audits on a scheduled basis.
Why This Matters Now
HIPAA enforcement continues to focus heavily on the Security Risk Analysis — which is already required under the current rule and is one of the most commonly cited areas of non-compliance.
A robust risk analysis and risk management program is the foundation of HIPAA Security Rule compliance and is expected to become more detailed and prescriptive under the updated rule.
Failure to comply with HIPAA requirements — including timely risk assessments and documentation — can expose covered entities and their business associates to financial penalties and corrective action agreements.
Practical Next Steps — What Offices Should Do Now
1. Update Your Notice of Privacy Practices (NPP)
Ensure your NPP reflects the latest required privacy protections — especially for sensitive treatment records (e.g., substance use disorder). Begin the review now so that updates are complete, approved, and published before the deadline.
2. Conduct a HIPAA Security Risk Assessment
This must be documented and comprehensive, covering:
- All ePHI assets
- Reasonably anticipated threats
- Vulnerabilities and existing controls
- Risk ratings and mitigation plans
3. Document Policies & Procedures in Writing
Policies must be:
- Written
- Approved by leadership
- Reviewed at least annually
- Updated when systems or risks change
4. Schedule Regular Security Audits
Annual compliance audits and at least semi-annual vulnerability scans should be part of your ongoing plan; these will align with updated rule expectations.
5. Train Staff on Updated Requirements
Training should cover:
- The updated privacy practices
- New cybersecurity controls
- Incident reporting protocols
- Sanction policies for non-compliance
6. Update Business Associate Agreements (BAAs)
Ensure BAAs reflect any new security and reporting timelines, particularly if more stringent breach/incident reporting becomes final.
Even as certain details of the final Security Rule update may evolve through the regulatory process, the trend toward stronger cybersecurity requirements and fewer “addressable” options is clear. Healthcare organizations that proactively update their policies, strengthen their safeguards, and document risk-based decisions will be best positioned to comply by the February 16, 2026 deadline.
Wondering where your office compliance stands? Take our quick dental compliance quiz.