HIPAA Compliance & Security Rule Readiness


HIPAA Risk Assessments, Security Rule Compliance & Business Associate Agreement Programs for Healthcare Organizations & Technology Vendors

HIPAA, the Health Insurance Portability and Accountability Act, governs the protection of individually identifiable health information across the United States healthcare ecosystem and the technology vendors who serve it. The compliance environment in 2026 is the most demanding in HIPAA's 30-year history. OCR's 2024 enforcement program was the most active since the law's enactment, with 22 settlements and civil monetary penalties in a single year. OCR's Phase 3 compliance audit initiative, covering 50 covered entities and business associates at the same time, commenced in March 2025 and remains active. Large healthcare data breaches increased 102% between 2018 and 2023, with over 167 million individuals affected in 2023 alone. And the most significant proposed update to the HIPAA Security Rule since it was first promulgated in 2003 is on the HHS Office for Civil Rights (OCR) regulatory agenda for finalization in May 2026.

The organizations that need to take HIPAA compliance seriously in 2026 are not only hospitals and health plans. Every technology company, managed services provider, cloud vendor, billing organization, and professional services firm whose work involves creating, receiving, maintaining, or transmitting electronic protected health information on behalf of a healthcare organization is a HIPAA Business Associate: directly regulated under HIPAA, subject to OCR enforcement, and bound by breach notification obligations that attach to the health information it handles regardless of who its customer is. OCR's Phase 3 audit program targets covered entities and business associates together, a deliberate signal that technology vendors whose clients are healthcare organizations are now primary enforcement targets rather than secondary afterthoughts.

Lionhive provides HIPAA risk assessments, Security Rule compliance programs, Business Associate Agreement review and management, technical safeguard implementation, breach notification readiness, and the ongoing security governance infrastructure that healthcare organizations and their technology vendor partners need to meet both the current HIPAA Security Rule requirements and prepare for the updated rule expected in 2026.


The most dangerous HIPAA compliance belief in 2026 is that your organization is “HIPAA compliant” because it has a policy binder. OCR’s enforcement initiative has specifically and consistently found that the absence of a documented, implemented risk analysis — not the absence of policies — is the deficiency that drives both enforcement actions and breach events. A written information security program that was never tested against actual system configurations is not compliance. It is documentation of the intent to comply, which is a different thing entirely.


Covered Entities vs. Business Associates — The Distinction That Defines Your Obligations

HIPAA’s scope is defined by two categories of regulated entity, and understanding which category applies to your organization determines both what you must do and what your exposure looks like when something goes wrong.

Covered Entities (CEs) are the direct participants in healthcare delivery and payment: healthcare providers that conduct certain standard electronic transactions (hospitals, physician practices, dental offices, pharmacies, labs, imaging centers, behavioral health providers), health plans (commercial insurers, Medicare/Medicaid managed care plans, employer health plans, HMOs), and healthcare clearinghouses that process health information between standard and non-standard formats. Covered entities bear the full weight of all three HIPAA rules — Privacy, Security, and Breach Notification — and are the primary focus of OCR’s audit and enforcement authority.

Business Associates (BAs) are organizations that create, receive, maintain, or transmit protected health information (PHI) on behalf of a covered entity in the course of providing services. The Business Associate category was substantially expanded by the HITECH Act of 2009 and the 2013 Omnibus Rule to include direct regulatory liability — meaning Business Associates are not simply contractually obligated to covered entity clients; they are independently regulated by HHS and subject to OCR enforcement regardless of their contractual arrangements. Business Associates include: managed IT service providers and managed security service providers with access to healthcare client systems; cloud service providers storing or processing ePHI; medical billing and revenue cycle management companies; electronic health records vendors; health information exchanges; healthcare consulting firms; legal practices handling PHI in connection with litigation or regulatory matters; medical transcription services; and any technology vendor whose platform touches, stores, or transmits PHI in the course of delivering services to a covered entity.

The Business Associate Agreement (BAA) — the written contract required between every covered entity and each of its business associates — is not merely a compliance checkbox. It allocates breach notification obligations, specifies permitted uses of PHI, requires the business associate to implement the HIPAA Security Rule’s safeguards for ePHI, and provides the legal foundation for holding both parties accountable when things go wrong. OCR’s enforcement actions have specifically targeted both the failure to execute BAAs and the failure to conduct due diligence on business associate security programs. A covered entity that signs a BAA without verifying that the business associate’s security program can actually meet its obligations has not managed its vendor risk — it has documented that it tried.


The Three HIPAA Rules

The HIPAA Privacy Rule, administered under 45 CFR Part 164, Subparts A and E, establishes national standards for protecting individuals' medical records and other individually identifiable health information. It defines what constitutes Protected Health Information (PHI), regulates the permitted uses and disclosures of PHI without patient authorization, establishes individual rights (access to records, amendment, accounting of disclosures, restriction requests), and requires covered entities to provide Notices of Privacy Practices (NPPs) explaining how PHI may be used. The Privacy Rule's key 2026 development is the February 16, 2026 compliance deadline for updating NPPs to reflect the 2024 amendments covering sensitive health information categories, including the alignment with the 42 CFR Part 2 substance use disorder confidentiality rule. Because parts of the 2024 amendments have been subject to litigation, confirm the current status of each amendment with counsel before finalizing NPP language.

The HIPAA Security Rule, administered under 45 CFR Part 164, Subparts A and C, establishes national standards for protecting electronic Protected Health Information (ePHI). The Security Rule applies specifically to ePHI, health information in electronic form, and requires covered entities and business associates to implement administrative, physical, and technical safeguards that ensure the confidentiality, integrity, and availability of ePHI. Apart from the 2013 Omnibus Rule extending it directly to business associates, the Security Rule's substantive requirements have been largely unchanged since 2003. That is about to change significantly; see the 2025 NPRM section below.

The HIPAA Breach Notification Rule, administered under 45 CFR Part 164, Subpart D, requires covered entities to notify affected individuals, HHS, and in some cases the media following a breach of unsecured PHI. Notification to affected individuals must be made without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. For breaches affecting 500 or more individuals, notification to HHS must be submitted through the HHS breach portal contemporaneously with the individual notices (so within the same 60-day limit); breaches affecting fewer than 500 individuals may be logged and reported to HHS annually, within 60 days of the end of the calendar year in which they were discovered. Notification to prominent media outlets is required for breaches affecting more than 500 residents of a state or jurisdiction. Business associates that discover a breach must notify the covered entity without unreasonable delay and no later than 60 days after discovery, and the BAA may require a shorter period. The proposed Security Rule update does not change these breach notification deadlines, but it would add a separate 24-hour requirement for business associates to notify covered entities when they activate their contingency plan (for example, after a ransomware event); since the incidents that trigger contingency plans are often also breaches, MSPs and technology vendors should plan for 24-hour detection and escalation now even though the rule is not yet final.


The Security Rule’s Three Safeguard Categories

The current HIPAA Security Rule organizes its requirements into three safeguard categories, each containing required and addressable implementation specifications. The distinction between required and addressable specifications — which has historically been misused as a license to defer implementation of “addressable” controls indefinitely — is one of the primary targets of the 2025 proposed update, which would eliminate it entirely and make all specifications required with only specific, limited exceptions.

Administrative Safeguards are the policies, procedures, and processes that manage the implementation of security measures — the governance layer of HIPAA Security Rule compliance. They include: a documented security management process including risk analysis and risk management; designation of a security officer responsible for policy development and implementation; workforce security procedures covering authorization, clearance, and termination; information access management; security awareness training; security incident response procedures; a contingency plan covering data backup, disaster recovery, and emergency mode operation; periodic evaluation of the security program against the Security Rule standards; and written contracts with business associates. OCR’s current enforcement initiative has specifically and repeatedly found inadequate risk analysis to be the single most common Security Rule deficiency — the absence of a documented, current, comprehensive written risk assessment is the failure that drives enforcement settlements and breach events in the healthcare sector more than any technical control failure.

Physical Safeguards govern access to physical facilities and equipment that store or access ePHI — the controls that prevent unauthorized physical access to the systems that hold health information. They include: facility access controls (contingency operations, facility security plans, access control and validation procedures, maintenance records); workstation use policies specifying the proper functions of workstations and the physical attributes of their surroundings; workstation security measures for physically protecting workstations from unauthorized access; and device and media controls governing the receipt and removal of hardware and electronic media containing ePHI, including disposal procedures and media re-use requirements.

Technical Safeguards are the technology and related policies and procedures that protect ePHI and control access to it: the controls that live in systems, software, and network architecture rather than in physical facilities or written policies. They include: access control mechanisms (unique user identification, emergency access procedures, automatic logoff, encryption and decryption); audit controls that record and examine activity in systems containing ePHI; integrity controls that protect ePHI from improper alteration or destruction; person or entity authentication mechanisms that verify a user seeking access to ePHI is who they claim to be; and transmission security controls, including encryption of ePHI in transit across open networks. Under the current rule, encryption is an addressable rather than required specification. Addressable does not mean optional: an entity must implement the specification if reasonable and appropriate, implement an equivalent alternative measure if that is reasonable and appropriate, or document why neither applies. In practice, the documentation path has been used to defer encryption indefinitely. The proposed Security Rule update would make encryption a required specification for both ePHI at rest and ePHI in transit, closing that path.
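The audit-control standard requires that ePHI access be recorded and examined, and the second half is where most programs fall down. The script below is an added example (not code from the original page or from Lionhive) of the examination step: it reviews constructed audit events against a constructed workforce roster and flags access by an account that is not an individually assigned identity, access by a workforce member after their recorded termination, and one user opening an unusual number of distinct patient records in a short window. The JSON field names, account names, thresholds and window are assumptions, not any EHR vendor's real log schema.

```python
"""Audit-control review over ePHI access logs (added example, not from the page).

Flags three conditions a Security Rule audit-log review should catch:
  1. unique-user-id: access by an account not on the workforce roster
     (shared or generic logins defeat unique user identification);
  2. post-termination-access: access after the account's termination time
     (workforce termination procedures were not enforced in the system);
  3. bulk-access: more distinct patient records in one window than the
     review threshold allows (possible snooping or bulk export).
Log format, roster and thresholds are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import json

# Constructed sample audit events as JSON lines; field names are assumed.
SAMPLE_LOG = """\
{"ts": "2026-03-02T08:01:10", "user": "jdoe", "patient_id": "P1001", "action": "view"}
{"ts": "2026-03-02T08:03:45", "user": "jdoe", "patient_id": "P1002", "action": "view"}
{"ts": "2026-03-02T09:15:00", "user": "frontdesk", "patient_id": "P1003", "action": "view"}
{"ts": "2026-03-02T10:20:00", "user": "rroe", "patient_id": "P1004", "action": "view"}
{"ts": "2026-03-02T11:00:00", "user": "tlee", "patient_id": "P2001", "action": "export"}
{"ts": "2026-03-02T11:00:30", "user": "tlee", "patient_id": "P2002", "action": "export"}
{"ts": "2026-03-02T11:01:00", "user": "tlee", "patient_id": "P2003", "action": "export"}
{"ts": "2026-03-02T11:01:30", "user": "tlee", "patient_id": "P2004", "action": "export"}
"""

# Constructed workforce roster: account -> termination time (None = active).
ROSTER = {
    "jdoe": None,
    "rroe": datetime(2026, 3, 1, 17, 0, 0),  # terminated the previous evening
    "tlee": None,
}

BULK_THRESHOLD = 3               # distinct patients per window before flagging
BULK_WINDOW = timedelta(minutes=10)


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    detail: str


def parse_events(log_text):
    """Parse JSON-lines audit events and return them sorted by timestamp."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({**rec, "ts": datetime.fromisoformat(rec["ts"])})
    return sorted(events, key=lambda e: e["ts"])


def review(events, roster, threshold=BULK_THRESHOLD, window=BULK_WINDOW):
    """Return the list of Findings produced by the three review rules."""
    findings = []
    per_user = defaultdict(list)
    for e in events:
        user, ts = e["user"], e["ts"]
        if user not in roster:
            findings.append(Finding("unique-user-id", user,
                            f"access at {ts.isoformat()} by account not on the workforce roster"))
            continue
        term = roster[user]
        if term is not None and ts >= term:
            findings.append(Finding("post-termination-access", user,
                            f"access at {ts.isoformat()} after termination at {term.isoformat()}"))
        per_user[user].append(e)
    # Sliding window per user: count distinct patient records inside the window.
    for user, evs in per_user.items():
        start, flagged = 0, False
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {x["patient_id"] for x in evs[start:end + 1]}
            if len(distinct) > threshold and not flagged:
                findings.append(Finding("bulk-access", user,
                                f"{len(distinct)} distinct patient records within {window} "
                                f"ending {evs[end]['ts'].isoformat()}"))
                flagged = True
    return findings


if __name__ == "__main__":
    for f in review(parse_events(SAMPLE_LOG), ROSTER):
        print(f"[{f.rule}] {f.user}: {f.detail}")
```

On the constructed input the review produces three findings: the shared `frontdesk` login, the terminated `rroe` account still reading a record the next morning, and `tlee` exporting four records in under two minutes. A real review would pull the roster from the identity provider rather than a dictionary, and would tune the bulk threshold per role, since a coder or billing clerk legitimately touches far more records per hour than a clinician.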


The 2025 NPRM — The Most Significant Security Rule Update in 20 Years

On January 6, 2025, HHS OCR published a Notice of Proposed Rulemaking (NPRM) to substantially update the HIPAA Security Rule — the first major Security Rule revision since 2003. The proposed rule attracted nearly 5,000 public comments during its 60-day comment period, closed March 7, 2025. Despite significant industry pushback, OCR has kept the rule’s finalization on its regulatory agenda for May 2026, with implementation expected to be effective in July or August 2026 and most provisions required within 180 days — meaning compliance deadlines would fall by the end of 2026 or early 2027.

The proposed changes represent a transformation of the Security Rule from a principles-based framework with significant implementation flexibility to a more prescriptive, specific, and measurable standard. The major proposed changes include:

Elimination of the addressable/required distinction — All current addressable implementation specifications would become required, with only specific limited exceptions. This is the single most consequential structural change — organizations that have documented their rationale for not implementing encryption, automatic logoff, or other addressable specifications will no longer be able to rely on that documentation as a compliance defense.

Mandatory annual compliance audits — Regulated entities would be required to perform and document a formal audit of their compliance with each Security Rule standard and implementation specification at least once every 12 months. This is distinct from the existing risk analysis requirement — it is a separate, documented review of whether every Security Rule requirement is being met.

Technology asset inventory and network map — A specific requirement to develop and maintain a written inventory of all technology assets and electronic information systems, and a network map illustrating how ePHI moves through the entity’s systems, updated at least annually. Organizations that have not systematically mapped their ePHI data flows will need to build this capability before the final rule’s compliance deadline.

Encryption as a required specification — Encryption of ePHI both at rest and in transit would become required rather than addressable — ending the compliance path of documenting that encryption is not reasonable and appropriate. Organizations whose legacy systems cannot support encryption at rest would face either system replacement or documented alternative controls whose adequacy OCR would evaluate under the new standard.

Specific patch management requirements: written policies and procedures for identifying, prioritizing, and applying patches, with proposed timelines of 15 calendar days for critical-risk and 30 calendar days for high-risk vulnerabilities, together with vulnerability scanning at least every six months and penetration testing at least annually. These are comparable to the risk-based patching windows already used in frameworks such as the ASD Essential Eight.

AI and emerging technology governance: the NPRM's preamble discusses how artificial intelligence, quantum computing, and virtual and augmented reality technologies affect the confidentiality, integrity, and availability of ePHI, and the proposed risk analysis and asset inventory requirements would apply to any technology asset that creates, receives, maintains, or transmits ePHI. In practice that means AI-assisted coding, clinical documentation, and administrative workflow tools that touch ePHI must appear in the asset inventory and be covered by the risk analysis, even for organizations that do not deploy AI in clinical decision-making.

24-hour business associate notification of contingency plan activation: business associates would be required to notify covered entities (and subcontractors to notify business associates) within 24 hours of activating their contingency plan, alongside a proposed requirement to restore critical information systems and data within 72 hours of loss. This is separate from the Breach Notification Rule's 60-day outer limit, which the NPRM does not shorten, but the incidents that trigger a contingency plan are frequently also breaches. For MSPs and technology vendors serving healthcare clients, meeting a 24-hour threshold requires pre-built incident detection and escalation procedures, not manual review processes that take days to identify reportable events.
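Several of the proposed requirements above (the written asset inventory and network map, required encryption at rest and in transit, MFA, network segmentation, and the patching timelines) are checkable once the inventory exists as data. The script below is an added example, not the NPRM's regulatory text or any vendor's export format: it represents a constructed inventory and ePHI flow map and reports the gaps an annual compliance audit would have to record. Asset names, attribute names, the transport list and the use of 15- and 30-day patch windows are assumptions made for the example.

```python
"""Asset-inventory / network-map gap check against the proposed Security Rule
(added example; inventory format, asset names and checks are assumptions).

Inputs: a technology asset inventory with the attributes the proposed rule
would make mandatory, a list of flows between assets (the network map), and
open vulnerabilities with first-detection dates. Output: audit gaps.
"""
from datetime import date

ASSETS = {  # constructed inventory
    "ehr-db":      {"stores_ephi": True,  "encrypted_at_rest": True,  "mfa": True},
    "backup-nas":  {"stores_ephi": True,  "encrypted_at_rest": False, "mfa": False},
    "billing-app": {"stores_ephi": True,  "encrypted_at_rest": True,  "mfa": False},
    "guest-wifi":  {"stores_ephi": False, "encrypted_at_rest": False, "mfa": False},
}
FLOWS = [  # constructed network map: (source, destination, transport, carries_ephi)
    ("billing-app", "ehr-db", "tls1.2", True),
    ("ehr-db", "backup-nas", "smb-plain", True),
    ("guest-wifi", "billing-app", "http", False),
]
VULNS = [  # constructed: (asset, severity, date first detected)
    ("ehr-db", "critical", date(2026, 2, 1)),
    ("billing-app", "high", date(2026, 2, 20)),
]
ENCRYPTED_TRANSPORTS = {"tls1.2", "tls1.3", "ssh", "ipsec"}
PATCH_DAYS = {"critical": 15, "high": 30}   # proposed timelines, calendar days


def asset_gaps(assets):
    """Required specifications every ePHI-holding asset must meet."""
    gaps = []
    for name, a in assets.items():
        if not a["stores_ephi"]:
            continue
        if not a["encrypted_at_rest"]:
            gaps.append(("encryption-at-rest", name))
        if not a["mfa"]:
            gaps.append(("mfa", name))
    return gaps


def flow_gaps(assets, flows):
    """Transmission security on ePHI flows; segmentation review on
    flows entering ePHI systems from networks that hold no ePHI."""
    gaps = []
    for src, dst, transport, carries_ephi in flows:
        if carries_ephi and transport not in ENCRYPTED_TRANSPORTS:
            gaps.append(("encryption-in-transit", f"{src}->{dst} ({transport})"))
        if not assets[src]["stores_ephi"] and assets[dst]["stores_ephi"]:
            gaps.append(("segmentation-review", f"{src}->{dst}"))
    return gaps


def patch_gaps(vulns, today):
    """Vulnerabilities open longer than the proposed window for their severity."""
    gaps = []
    for asset, severity, detected in vulns:
        limit = PATCH_DAYS.get(severity)
        if limit is not None and (today - detected).days > limit:
            gaps.append(("patch-overdue", f"{asset} {severity} open {(today - detected).days}d"))
    return gaps


def run_audit(assets=ASSETS, flows=FLOWS, vulns=VULNS, today=None):
    today = today or date.today()
    return asset_gaps(assets) + flow_gaps(assets, flows) + patch_gaps(vulns, today)


if __name__ == "__main__":
    for kind, where in run_audit(today=date(2026, 3, 2)):
        print(f"{kind}: {where}")
```

Run on the constructed inventory as of 2026-03-02, the audit reports six gaps: the unencrypted backup NAS, two systems without MFA, ePHI replicated to backup over plain SMB, a guest network with a path into the billing system, and a critical vulnerability on the EHR database open for 29 days. The value of keeping the inventory and map as data rather than a diagram is exactly this: the same file that satisfies the documentation requirement can be re-checked every time a system is added.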

OCR has signaled that even before the final rule, the proposed changes reflect enforcement priorities already active in its audit and investigation program. Organizations that prepare for the proposed updates now — rather than waiting for finalization — reduce their current enforcement exposure while positioning for the new standard’s compliance deadlines.


OCR Enforcement — The Current Climate

The enforcement environment in 2025-2026 is the most active in HIPAA's history. OCR's 2024 enforcement program produced 22 settlements or civil monetary penalties, the highest annual total on record, and OCR levied more than $6.6 million in fines in 2025. OCR's Risk Analysis Initiative, launched in 2024 and specifically targeting the failure to conduct a comprehensive, documented Security Rule risk analysis, remains active and has produced multiple financial penalties for risk analysis deficiencies alone, independent of whether those deficiencies contributed to a breach. OCR's Phase 3 compliance audit program, commenced March 2025, is auditing 50 covered entities and business associates at once, the first time OCR has audited both regulated entity types at this scale in the same cycle.

Current inflation-adjusted civil monetary penalty tiers for HIPAA violations start at $141 per violation where the entity did not know and could not reasonably have known of the violation, and rise to an annual ceiling of roughly $2.1 million per identical violation category for violations due to willful neglect that are not corrected. Because the same category of violation (failure to conduct a risk analysis, failure to implement access controls, failure to execute BAAs) is counted per affected record or per day of non-compliance, exposure can reach the annual ceiling quickly. In addition, the HITECH Act authorizes state attorneys general to bring civil actions for HIPAA violations affecting their residents, and several states have their own health privacy statutes, so financial exposure extends beyond federal penalties alone.

The categories most frequently cited in OCR enforcement actions include: failure to conduct a comprehensive, documented risk analysis; failure to implement security risk management plans to reduce identified risks to a reasonable and appropriate level; failure to implement technical access controls; failure to enter into HIPAA-compliant BAAs with business associates; impermissible disclosures of PHI; and failures of the right of access — OCR’s most active recent enforcement area, with dozens of settlements for failing to provide patients timely access to their medical records.


Business Associates — The Technology Company’s HIPAA Exposure

The most consequential misunderstanding in healthcare technology is the belief that HIPAA compliance is the covered entity’s problem. Business Associates — the managed IT providers, SaaS vendors, cloud platforms, billing services, and consulting organizations serving healthcare clients — face direct OCR enforcement liability under HIPAA. The HITECH Act made business associates directly liable for compliance with the HIPAA Security Rule. OCR’s Phase 3 audit program audits business associates alongside covered entities for the first time at scale — a structural signal that technology vendors in the healthcare supply chain are now primary enforcement targets.

For technology companies and managed service providers serving healthcare organizations, the practical compliance requirements are the same as for covered entities under the Security Rule: a documented, comprehensive risk analysis of the threats and vulnerabilities to ePHI in the systems the company manages on behalf of its healthcare clients; a written risk management plan implementing security measures sufficient to reduce identified risks; administrative safeguards including workforce training, security officer designation, and access management; physical safeguards for the equipment and facilities housing ePHI; technical safeguards including access controls, audit logging, integrity controls, and transmission encryption; and executed BAAs with all covered entity clients before ePHI is accessed. The Security Rule compliance program of an MSP serving a hospital system is functionally equivalent to the Security Rule compliance program required of the hospital itself — and OCR evaluates it on the same standard.

For business associates, the BAA is not merely a contract. It is the document that defines the scope of ePHI access, the permitted uses, the security obligations, the breach notification timeline, and the indemnification arrangements that govern the relationship when something goes wrong. BAAs that are out of date, that omit required provisions, or that are executed after ePHI access has already begun rather than before are findings in both OCR audits and covered entity vendor management reviews. Lionhive reviews and updates BAA portfolios for covered entities managing their vendor relationships and for business associates seeking to ensure their client agreements meet current OCR requirements, including the 24-hour contingency plan activation notice that the proposed Security Rule update would require.


The Lionhive HIPAA Compliance Process

Phase 1 — Risk Analysis

The documented, comprehensive Security Rule risk analysis is the foundational compliance requirement, and OCR's enforcement initiative has made it the first thing any auditor or investigator examines. Lionhive conducts Security Rule risk analyses aligned with the NIST SP 800-30 risk assessment methodology and the NIST SP 800-66 Security Rule implementation guide that OCR's risk analysis guidance references: identifying all ePHI, cataloguing every system and asset that stores, processes, or transmits it, identifying threats and vulnerabilities, assessing current controls, and documenting residual risk levels that set the risk management priorities. The risk analysis produces a written report built to survive OCR examination, not a survey tool output or a vendor-generated questionnaire response. Under the proposed Security Rule update, the risk analysis methodology becomes more specific and the technology asset inventory and network map become independent deliverables; Lionhive builds these components into every risk analysis engagement so that organizations are positioned for the updated standard before its compliance deadline.

Phase 2 — Risk Management Plan & Gap Remediation

The risk management plan documents the security measures to be implemented to reduce identified risks to a reasonable and appropriate level — the written plan that the Security Rule requires and that OCR audits for implementation. Lionhive develops the risk management plan from the risk analysis findings, sequences the remediation priorities, and implements the technical, administrative, and physical safeguard gaps identified. Technical implementations include access controls and unique user identification through Microsoft Entra ID, multi-factor authentication, encryption at rest and in transit across ePHI systems, audit logging for all ePHI access, automatic session timeout, and endpoint management through Microsoft Intune. Administrative implementations include security officer function documentation, workforce training program establishment, access management procedures, sanction policy development, and BAA inventory and remediation.

Phase 3 — Policy & Procedure Suite

The Security Rule requires written policies and procedures for each of its standards and implementation specifications — and OCR audits for their existence, currency, and workforce awareness. Lionhive develops a comprehensive HIPAA policy suite covering every Security Rule requirement: information security policy, access control policy, password policy, encryption policy, audit logging and review policy, workstation use and security policy, device and media control policy, facility access policy, security awareness training policy, security incident response procedure, contingency plan (backup, disaster recovery, emergency mode operation), BAA management procedure, and sanction policy. For the proposed Security Rule update, Lionhive additionally develops the technology asset inventory procedure and annual compliance audit procedure that the proposed rule would require.

Phase 4 — Technical Safeguard Implementation

Policies without technical implementation are the specific failure pattern that OCR’s enforcement initiative has targeted. Lionhive implements the technical safeguards that ePHI systems require: encryption at rest for all systems storing ePHI (including workstations, servers, databases, and backup media), encryption in transit for all ePHI transmitted across networks, access controls and audit logging for EHR systems through Epic, athenahealth, and other practice management platforms, network segmentation isolating clinical systems from guest and administrative networks, endpoint detection and response through CrowdStrike or SentinelOne, and 24/7 monitoring through Lionhive’s Managed SOC for ePHI system availability and security events.

Phase 5 — Breach Response Readiness

HIPAA's Breach Notification Rule creates notification obligations with defined timelines that cannot be met by organizations building their response procedures after discovering a breach. Lionhive develops and tests breach notification procedures, including the breach risk assessment (the four-factor test that determines whether an impermissible use or disclosure is presumed to be a reportable breach: the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated), the notification drafting process for affected individuals, the HHS notification procedure, and the notification workflows that meet the current 60-day outer limit and the shorter periods most BAAs already impose. The same workflows are built to meet the 24-hour contingency plan activation notice that the proposed Security Rule update would require of business associates. Breach notification procedures are validated through tabletop exercises that simulate the breach scenarios healthcare organizations and their technology vendors actually face: ransomware attacks on EHR systems, unauthorized access by workforce members, lost or stolen devices containing ePHI, and third-party vendor breaches affecting covered entity data.

Phase 6 — Annual Review & Ongoing Compliance

HIPAA compliance is not a one-time project. The Security Rule requires periodic evaluation of the security program, and the proposed update would mandate a formal annual compliance audit of every Security Rule requirement, vulnerability scanning at least every six months, and penetration testing at least annually. Lionhive maintains ongoing HIPAA compliance through annual risk analysis updates, policy and procedure reviews triggered by significant environmental changes (new ePHI systems, new vendors, workforce changes, system migrations), workforce training program management, BAA portfolio maintenance, and vulnerability assessment and penetration testing programs scheduled to satisfy the proposed update's testing cadence.


HIPAA & Related Frameworks

HIPAA compliance does not exist in isolation from the broader security and compliance landscape that healthcare organizations and their technology vendors navigate simultaneously. Lionhive integrates HIPAA compliance programs with the frameworks that Lionhive client organizations require alongside their HIPAA obligations:

SOC 2 Type II — The most commonly combined framework with HIPAA for healthcare technology companies. A SOC 2 + HIPAA examination allows a single audit to produce both a SOC 2 Type II report satisfying commercial enterprise client procurement requirements and a HIPAA compliance mapping satisfying healthcare client vendor due diligence requirements. The Security Rule’s technical safeguard requirements and the SOC 2 Security criterion’s Common Criteria overlap substantially — organizations building HIPAA-compliant technical controls are simultaneously building the SOC 2 Common Criteria control environment.

NIST CSF 2.0: HHS guidance explicitly references NIST publications for Security Rule risk analysis methodology, and NIST SP 800-66 Rev. 2 maps Security Rule standards to NIST controls. Organizations that align their security programs with NIST CSF 2.0, whose six functions of Govern, Identify, Protect, Detect, Respond, and Recover can be mapped to the Security Rule's administrative, physical, and technical safeguard categories, produce more defensible risk analysis documentation than organizations whose security programs are built solely against HIPAA's less prescriptive standard.

HITRUST CSF — The HITRUST Common Security Framework is a healthcare-specific security framework that incorporates HIPAA Security Rule requirements alongside NIST, ISO 27001, and other control frameworks into a unified, certifiable standard. HITRUST CSF certification, conducted by a HITRUST-authorized assessor, is accepted by many large health systems and health plans as a substitute for individual vendor security questionnaire assessments — making it commercially valuable for technology vendors seeking to streamline their healthcare client sales process. Lionhive advises on the HITRUST readiness pathway for organizations whose healthcare client base makes CSF certification commercially warranted.


Who Needs HIPAA Compliance Programs

The organizations that need current, documented, tested HIPAA compliance programs in 2026 include every entity within the definition of covered entity or business associate — which, given the breadth of the business associate definition, encompasses a much larger commercial universe than most organizations initially recognize. Healthcare providers at every scale; health plans and managed care organizations; healthcare technology companies whose platforms touch ePHI; managed IT and managed security service providers serving healthcare clients; medical billing and revenue cycle management organizations; EHR vendors and health information technology platforms; legal practices with healthcare litigation or regulatory practices; accounting and financial advisory practices with healthcare clients; and consulting organizations supporting healthcare administration or clinical operations. If your organization’s services require access to, or result in the creation, receipt, maintenance, or transmission of PHI on behalf of a covered entity — you are a business associate subject to direct OCR enforcement under the HIPAA Security Rule.


📞 Start Your HIPAA Compliance Program

The HIPAA Security Rule update expected in May 2026 is not a future problem — the organizations that will meet its compliance deadlines without operational disruption are the ones building their compliance programs now, against both the current rule and the proposed updates. Whether you are a covered entity whose last risk analysis predates OCR’s enforcement initiative, a business associate who has never completed a Security Rule risk analysis, a healthcare technology company whose BAA portfolio needs review, or a managed services provider whose healthcare clients are increasingly demanding HIPAA compliance documentation as a condition of contract renewal — Lionhive provides the risk analysis, technical safeguard implementation, policy development, and ongoing compliance infrastructure that meets the standard OCR is actually enforcing. Contact us directly or book a strategy session to discuss your HIPAA compliance requirements.

👉 Book a HIPAA Strategy Session

📧 sales@lionhive.net

📞 +1 469 364 9010

Part of Lionhive’s Cybersecurity & Compliance practice — see also SOC 2 Type II, NIST CSF 2.0, Zero Trust Architecture, Identity & Access Management, and Managed SOC.
