If you sit in a compliance seat, you already know the uncomfortable truth: HIPAA is no longer being enforced like a “policy and training” regime. HHS OCR is operationalizing HIPAA Security Rule compliance as a demonstrable cybersecurity program, one that must withstand ransomware attacks, effective security audits (not accounting checklists), and post-incident scrutiny with hard evidence, not intent.
This shift is being driven by three concurrent developments:
a major HIPAA Security Rule NPRM that materially increases prescriptiveness and evidentiary expectations
For small and mid-sized organizations, the practical implication is straightforward: the “minimum defensible” compliance posture has moved upward, and OCR is signaling what it expects you to have institutionalized.
On December 27, 2024, OCR issued a Notice of Proposed Rulemaking (NPRM) to modify the HIPAA Security Rule to strengthen cybersecurity protections for ePHI. The proposal is explicit about moving HIPAA from flexible “guidance-like” language into prescriptive, auditable requirements.
The NPRM’s most consequential themes for compliance officers include:
OCR proposes eliminating the operational ambiguity that has historically allowed organizations to treat “addressable” specifications as optional. The intent is to reduce variability and force consistent adoption of baseline safeguards.
Compliance impact: Your risk acceptance rationale will require a higher evidentiary bar, and “compensating controls” must be explicit, documented, and technically credible.
The NPRM emphasizes mandatory written documentation for policies, procedures, plans, and analyses. This is an explicit move toward auditability and away from “we do this informally.”
Compliance impact: Expect OCR to evaluate not only whether a control exists, but whether you can produce artifacts (tickets, scan reports, access review logs, restore test results, configuration baselines) showing the control is operating as designed.
OCR proposes requirements for a technology asset inventory and a network map illustrating the movement of ePHI across information systems, updated at least annually and after relevant changes.
Compliance impact: This collapses the common “small org gap” of unknown assets, informal integrations, and untracked ePHI pathways into a direct compliance exposure.
The NPRM proposes more explicit expectations around safeguards that most security programs already treat as baseline: encryption (at rest/in transit), MFA, vulnerability scanning, and penetration testing, among others.
Compliance impact: If your compliance narrative still relies heavily on policy language (instead of technical controls + evidence), you should assume that narrative will not hold.
The NPRM was published in the Federal Register on January 6, 2025 (90 FR 898). The Unified Agenda entry lists Final Action targeted for May 2026 (not a guarantee, but an actionable planning marker).
OCR’s 2024–2025 HIPAA Audit Program will review 50 covered entities and business associates for compliance with selected Security Rule provisions most relevant to hacking and ransomware.
Compliance impact: Audits normalize the expectation that regulated entities can produce a coherent, internally consistent security posture on demand with risk analysis, inventories, policies, procedures, testing results, and remediation traceability.
OCR’s ransomware settlement with Comprehensive Neurology is a prototypical example: a small practice was impacted by a ransomware event and lacked what OCR emphasizes as the Security Rule’s foundational requirement, an accurate, effective and thorough risk analysis. Inadequate experience in conducting effective and thorough risk analyses leads to a false sense of security and ultimately to breaches.
Compliance impact: OCR is demonstrating that “small” does not mean “excused.” Size influences what’s “reasonable,” but it does not eliminate core requirements, especially risk analysis and risk management.
OCR’s settlement with Concentra (December 16, 2025) was described as OCR’s 54th Right of Access enforcement action. OCR reiterates the operational expectation: 30 days to provide access (60 with an appropriate extension).
Compliance impact: Many organizations over-invest in “security controls” while under-engineering the operational workflows that protect individual rights such as intake, validation, tracking, timeliness, and documentation.
Separate from the Security Rule NPRM, OCR’s updated model notice guidance indicates that as of February 16, 2026, certain HIPAA covered entities must include required information about SUD patient records regulated under 42 U.S.C. 290dd-2 / 42 CFR Part 2 in their Notice of Privacy Practices (and related patient notices where applicable). This includes HIPAA covered health care providers (and, in some cases, health plans) that operate a federally assisted SUD treatment program (“Part 2 program”) and therefore create/hold Part 2-protected SUD records in their own systems (EHR, clinical documentation, care coordination platforms, etc.).
Compliance impact: This is not a “future NPRM.” It is an operational requirement with a fixed date. Treat it as a governed deliverable: legal review, revision control, distribution, accessibility/language workflows, and staff scripting.
The following sections provide insights on how to translate OCR’s direction into a control program that a compliance officer can defend.
Risk analysis is not satisfied by a one-time questionnaire. A defensible program includes:
enterprise-wide (all systems creating/receiving/maintaining/transmitting ePHI)
repeatable (defined scoring model, consistent taxonomy)
traceable (risk register → risk treatment plans → closure evidence)
reviewed on change (vendor swap, new interface, new cloud storage, new remote access path)
What OCR will look for in practice: a risk analysis with clear scope boundaries, asset mapping, threat/vulnerability identification, likelihood/impact scoring, and a risk management plan with owners and target dates.
Your system of record must be able to answer “where is ePHI and how does it move.” Otherwise, you cannot credibly claim you’re safeguarding it.
Minimum artifacts that hold up:
an asset inventory with ownership, function, location, criticality, patchability, and ePHI exposure
a network/dataflow map showing data movement between EHR, portals, scanning/OCR tools, cloud storage, billing systems, MSP tooling, remote access, and interfaces
documented “edge cases” (exports, email workflows, shared drives, local caching, mobile capture)
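The traceability properties described above (an enterprise-wide, traceable risk analysis and an inventory plus dataflow map that agree with it) can be checked mechanically. The following is an added example, not code from the original article; the asset names, risk ids, flows and the 1-5 likelihood/impact scoring model are constructed assumptions.

```python
"""Traceability check across three artifacts OCR expects to agree: the technology
asset inventory, the ePHI dataflow map and the risk register. Constructed sample data."""
from dataclasses import dataclass, field

@dataclass
class Asset:
    asset_id: str
    ephi: bool                  # creates/receives/maintains/transmits ePHI

@dataclass
class Risk:
    risk_id: str
    asset_id: str
    likelihood: int             # 1-5 on a fixed scoring model (assumed)
    impact: int                 # 1-5
    status: str = "open"
    owner: str = ""
    target_date: str = ""       # ISO date from the risk treatment plan
    evidence: list = field(default_factory=list)   # ticket ids, rescan reports, etc.

def find_gaps(assets, flows, risks, high_score=15):
    """Return the findings an auditor would raise; an empty dict means the artifacts trace."""
    known = {a.asset_id for a in assets}
    mapped = {node for flow in flows for node in flow}
    risked = {r.asset_id for r in risks}
    gaps = {
        # ePHI asset absent from the dataflow map: "where does ePHI move" is unanswerable
        "ephi_not_in_dataflow": [a.asset_id for a in assets if a.ephi and a.asset_id not in mapped],
        # dataflow names a system nobody inventoried: the classic unknown-asset gap
        "unknown_asset_in_dataflow": sorted(mapped - known),
        # ePHI asset never analysed: the risk analysis is not enterprise-wide
        "ephi_without_risk_entry": [a.asset_id for a in assets if a.ephi and a.asset_id not in risked],
        # high-scoring open risk with no owner or target date: no risk management plan
        "high_risk_without_plan": [r.risk_id for r in risks if r.status == "open"
                                   and r.likelihood * r.impact >= high_score
                                   and not (r.owner and r.target_date)],
        # closed risk with nothing to show for it: closure is not evidenced
        "closed_without_evidence": [r.risk_id for r in risks if r.status == "closed" and not r.evidence],
    }
    return {k: v for k, v in gaps.items() if v}

# Constructed sample artifacts for a small practice (hypothetical names).
ASSETS = [Asset("ehr", True), Asset("portal", True), Asset("billing", True), Asset("printer", False)]
FLOWS = [("portal", "ehr"), ("ehr", "fax-gw")]          # fax-gw was never inventoried
RISKS = [Risk("R-1", "ehr", 4, 5, owner="it-mgr", target_date="2026-03-31"),
         Risk("R-2", "portal", 5, 4),                      # high score, no plan
         Risk("R-3", "portal", 2, 2, status="closed")]     # closed with no evidence

if __name__ == "__main__":
    for finding, items in find_gaps(ASSETS, FLOWS, RISKS).items():
        print(f"{finding}: {', '.join(items)}")
```

Each finding maps to one of the artifacts an auditor asks for, so the output doubles as a remediation list for the risk register.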
OCR’s January 2026 guidance focuses on system hardening and reducing attack surface through patching, disabling unnecessary services/software, and strengthening baseline configurations.
For compliance purposes, the key is not just implementation but rather control evidence:
patch SLAs + exception process + proof of execution
hardened baseline standard + configuration validation artifacts
endpoint protection/EDR deployment coverage reports
privileged access controls and MFA enforcement logs
vulnerability scan outputs + remediation tickets + rescans
pen test summary + remediation validation
A compliance-grade posture includes:
segmentation strategy (or a documented alternative architecture with equivalent containment intent)
offline/immutable backups + separation of backup administration
restore tests that demonstrate recovery time objectives are achievable
incident response procedures tied to decision authority, communications, and evidence preservation
An important element of effective incident response is how, and how often, you evaluate your incident response plan. For example, many small/medium healthcare organizations have never performed a ransomware emulation to test their incident response capabilities.
OCR’s direction implies stronger expectations for BA security posture visibility. Your BA program should include:
A defensible Right of Access program includes:
single intake funnel (or unified tracking regardless of intake channel)
clock starts tracked consistently; extensions documented properly
identity/authority validation standardized
format/fee compliance and escalation rules embedded
audit trail: request → actions → response → timing
OCR’s emphasis on timely access, together with its enforcement history, means this is not “administrative.” It is a compliance control.
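The tracker properties listed above (a consistent clock start, the 30-day deadline and the 60-day deadline with a properly documented extension, per-request status, and tracker metrics) as an added example, not code from the original article. The request ids, dates and reasons are constructed; the example assumes an extension counts only when the written notice with its reason was sent within the original 30 days.

```python
"""Right of Access timeliness tracker: one clock start per request, the 30-day
deadline (60 with a documented extension), status and metrics. Constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

BASE_DAYS, EXTENDED_DAYS = 30, 60        # calendar days from receipt

@dataclass
class AccessRequest:
    request_id: str
    received: date                           # clock start, recorded once at intake, any channel
    extension_notice: Optional[date] = None  # date the written extension notice was sent
    extension_reason: str = ""
    fulfilled: Optional[date] = None

    def deadline(self) -> date:
        # Assumed rule: the 60-day clock applies only if the extension was documented
        # (written notice with a reason) inside the original 30 days; otherwise 30 days.
        base = self.received + timedelta(days=BASE_DAYS)
        if self.extension_notice and self.extension_reason and self.extension_notice <= base:
            return self.received + timedelta(days=EXTENDED_DAYS)
        return base

    def status(self, today: date) -> str:
        if self.fulfilled:
            return "on_time" if self.fulfilled <= self.deadline() else "late"
        return "overdue" if today > self.deadline() else "open"

def metrics(requests, today: date) -> dict:
    # Counts an auditor can reconcile line by line against the request log.
    counts = {"open": 0, "overdue": 0, "on_time": 0, "late": 0}
    for r in requests:
        counts[r.status(today)] += 1
    closed = counts["on_time"] + counts["late"]
    counts["pct_on_time"] = round(100 * counts["on_time"] / closed, 1) if closed else None
    return counts

# Constructed sample requests (all dates hypothetical).
TODAY = date(2026, 3, 10)
REQUESTS = [
    AccessRequest("ROA-1", date(2026, 1, 5), fulfilled=date(2026, 1, 30)),
    AccessRequest("ROA-2", date(2026, 1, 5), extension_notice=date(2026, 1, 28),
                  extension_reason="records held offsite", fulfilled=date(2026, 3, 2)),
    AccessRequest("ROA-3", date(2026, 1, 5), extension_notice=date(2026, 2, 10),  # noticed too late
                  extension_reason="backlog", fulfilled=date(2026, 3, 2)),
    AccessRequest("ROA-4", date(2026, 2, 20)),
    AccessRequest("ROA-5", date(2026, 1, 20)),
]

if __name__ == "__main__":
    for r in REQUESTS:
        print(r.request_id, r.deadline(), r.status(TODAY))
```

ROA-3 shows why extension documentation matters: the same fulfilment date that is on time for ROA-2 is late when the notice was sent after the first 30 days.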
OCR’s Security Rule guidance highlights that OCR must consider whether recognized security practices were in place for the prior 12 months in certain enforcement/audit activities. OCR also points regulated entities to resources like NIST publications and a NIST CSF-to-HIPAA crosswalk.
Compliance strategy: pick a defensible baseline (often NIST-aligned), map it to HIPAA safeguard standards, and preserve at least 12 months of evidence that it is operating properly.
To respond to an audit letter or investigation without chaos, assemble and maintain the following artifacts:
current risk analysis + risk management plan + remediation status
asset inventory + ePHI dataflow/network map
security policies/procedures with review cadence + proof of training
access control governance: joiner/mover/leaver, privileged access, MFA evidence
vulnerability management artifacts: scans, patch reports, exceptions, retest results
incident response plan + tabletop/lessons learned + incident log
backup/restore evidence: restore tests, RTO/RPO targets, backup access segregation
BA governance: BAAs, risk tiering, security evidence, offboarding
privacy operations controls: Right of Access tracker metrics and NPP compliance artifacts (including the February 16, 2026 updates where applicable)
Palindrome helps SMB healthcare organizations build a defensible HIPAA compliance program that aligns to OCR’s current enforcement posture: inventory-backed risk analysis, traceable risk management, and technical safeguards that are validated with evidence, not asserted in narratives. This means effectively evaluating the implemented controls OCR is emphasizing (hardening, access governance, vulnerability management, ransomware resilience, and recovery validation), operationalizing BA oversight, and engineering privacy workflows (Right of Access and NPP obligations) so they function as measurable, auditable processes. The outcome is simple and compliance-grade: you can produce artifacts, metrics, and control traceability coherently and confidently.