What HIPAA Requires of Medical Practices

The Health Insurance Portability and Accountability Act (HIPAA) establishes federal standards for protecting the privacy and security of individually identifiable health information, known as Protected Health Information (PHI). For medical practices, compliance is not optional — it is a legal obligation that applies from the moment you transmit any health information electronically for transactions like claims submission, referrals, or eligibility checks.

HIPAA compliance is built on four primary rules:

  • Privacy Rule: Governs how PHI may be used and disclosed, establishes patient rights (access, amendment, accounting of disclosures), and requires a Notice of Privacy Practices (NPP).
  • Security Rule: Requires administrative, physical, and technical safeguards to protect electronic PHI (ePHI) against reasonably anticipated threats.
  • Breach Notification Rule: Mandates notification to affected individuals, HHS, and (for breaches affecting more than 500 residents of a state or jurisdiction) the media within defined timeframes following a breach of unsecured PHI.
  • Enforcement Rule: Establishes the four-tier civil monetary penalty structure and OCR's authority to investigate complaints and conduct compliance audits.
Who Must Comply: All healthcare providers who transmit PHI electronically — including solo physicians, dentists, chiropractors, mental health providers, and physical therapists — are covered entities. Any vendor that creates, receives, maintains, or transmits PHI on your behalf is a business associate and must sign a Business Associate Agreement (BAA) before receiving PHI.

If you are launching or expanding a practice, see our complete guide: Starting a Medical Practice Checklist, which covers HIPAA setup alongside licensing, credentialing, and billing infrastructure.

Critical 2026 HIPAA Updates Every Practice Must Know

Three major regulatory developments require immediate attention from every covered entity in 2026:

1. Part 2 / HIPAA Alignment — Effective February 16, 2026

A Final Rule released February 8, 2024 (published in the Federal Register on February 16, 2024), aligning 42 CFR Part 2 (Confidentiality of Substance Use Disorder Patient Records) with HIPAA, reached its compliance date on February 16, 2026. Practices that treat or receive records related to substance use disorders must now:

  • Update their Notice of Privacy Practices to explain how substance use disorder records may be used and disclosed for treatment, payment, and healthcare operations.
  • Inform patients that these records generally cannot be used against them in criminal, civil, or administrative proceedings without consent or a court order.
  • Apply HIPAA's Breach Notification Rule requirements to Part 2 records.
  • Align patient notice requirements with the standard HIPAA NPP format.
Action Required Now
If your practice handles any substance use disorder records — including medication-assisted treatment (MAT), counseling referrals, or SUD-related diagnoses — your NPP must already reflect these changes. Dental, primary care, and behavioral health practices are most commonly affected.

2. Proposed HIPAA Security Rule Update — Expected Final Rule May 2026

The HHS Office for Civil Rights released a Notice of Proposed Rulemaking (NPRM) on December 27, 2024 (published in the Federal Register on January 6, 2025), proposing the most sweeping Security Rule changes since the 2013 Omnibus Rule. The rule is expected to be finalized in May 2026, triggering a 240-day compliance window (60 days to the effective date plus a 180-day compliance period). Key changes include:

  • Elimination of "addressable" vs. "required" distinction: All implementation specifications become mandatory (with limited documented exceptions), removing the flexibility covered entities previously used to defer controls based on cost or risk.
  • Mandatory encryption: All ePHI at rest and in transit must be encrypted with no opt-out based on risk assessment.
  • Multi-factor authentication (MFA): Required for all access to ePHI-containing systems.
  • Technology asset inventory & network map: Must be maintained and updated annually and upon any significant change.
  • Annual penetration testing and vulnerability scans every six months: Formalized and required rather than risk-discretionary.
  • 72-hour system restoration: Affected systems and ePHI must be restored within 72 hours of a security incident.
  • 1-hour access termination: Workforce access to ePHI systems must be terminated within 1 hour of separation.
  • New-hire training within 30 days: All new workforce members must receive HIPAA security training within 30 days of joining.

3. OCR Audit Program Resuming in 2025–2026

The last HIPAA audit program concluded in 2017. OCR has publicly stated its intention to resume proactive compliance audits. Covered entities and business associates should treat their entire compliance documentation as audit-ready at all times — not just in response to a complaint or breach. Practices offering virtual care should also review our guide to HIPAA telehealth compliance requirements, as telehealth-specific safeguards are an increasingly common audit focus.

Administrative Safeguards Checklist

Administrative safeguards are the policies, procedures, and workforce management processes that form the governance backbone of your HIPAA compliance program. OCR considers these the foundation — and the absence of any item below has been cited as the basis for enforcement action.

Security Management & Governance

Designated Privacy Officer and Security Officer. Identify one or more individuals responsible for developing and implementing HIPAA privacy and security policies. In small practices this can be the same person (often the practice manager or physician owner).
Completed Security Risk Analysis (SRA). Conduct a thorough, accurate, and documented assessment of risks and vulnerabilities to all ePHI your practice creates, receives, maintains, or transmits. This is the single most cited deficiency in OCR enforcement actions — required by 45 CFR §164.308(a)(1).
Risk Management Plan. After completing the SRA, document a written risk management plan that addresses each identified risk, assigns responsibility, and establishes timelines for remediation.
Sanction Policy. Maintain a written policy specifying disciplinary consequences for workforce members who violate HIPAA policies — up to and including termination.
Information System Activity Review. Implement procedures to regularly review records of information system activity — audit logs, access reports, and security incident tracking reports. Failure to do so was cited in the $4.75 million Montefiore settlement (2024).

Workforce Training & Access Management

Annual HIPAA Training for All Workforce. Train every employee, contractor, and volunteer who has access to PHI annually. Document completion with dates and signatures. Under the proposed Security Rule, new hires must be trained within 30 days.
Role-Based Access Controls (Minimum Necessary). Limit workforce access to PHI to the minimum necessary to perform job functions. Document access levels by role and review them annually or upon job changes.
Workforce Clearance Procedures. Establish processes for authorizing access to ePHI when hiring, changing roles, or onboarding contractors. Background screening policies should align with access level.
Termination Procedures — Access Revocation. Revoke all ePHI system access upon workforce separation. Under the proposed 2026 Security Rule, this must happen within 1 hour of separation. The current rule requires a termination procedure but sets no deadline; immediate revocation is the accepted practice and should be the deadline written into your own policy. Include physical access (keys, badges) and remote access (VPN, email, EHR, cloud accounts) in the same checklist.
Password Management Policy. Document password complexity, rotation requirements, and prohibition on sharing credentials. Unique user IDs for every employee are required — shared logins are a HIPAA violation.

Business Associate Agreements (BAAs)

BAA with every vendor touching PHI. Execute a signed BAA before sharing PHI with any business associate. Common BA categories: EHR vendors, billing companies, clearinghouses, cloud storage providers, IT support firms, answering services, transcription services, and shredding companies.
BAA Inventory and Expiration Tracking. Maintain a current list of all executed BAAs with vendor name, PHI scope, and review/renewal dates. Review annually.
BAA Content Requirements. Ensure each BAA specifies permitted uses and disclosures, requires the BA to implement safeguards, requires the BA to report breaches, and allows termination if the BA violates the agreement.
Annual BA Compliance Verification (Proposed 2026). Under the proposed Security Rule, annual written verification of technical safeguards from all business associates will be required. Begin requesting this documentation now to normalize the process.

📋 HIPAA-Compliant Communication & Forms

For communication, HIPAA Link bundles video visits, messaging, patient portal, and document sharing into one BAA-covered platform. For HIPAA-compliant intake, consent, and authorization forms, Jotform HIPAA provides drag-and-drop form builders with signed BAAs. Affiliate partners — commission earned at no cost to you.

Contingency Planning & Policies

Data Backup Plan. Implement procedures to create and maintain retrievable exact copies of ePHI. This was cited in the USR Holdings 2024 settlement ($337,750).
Disaster Recovery Plan. Document procedures to restore access to ePHI after a natural or man-made emergency. Heritage Valley Health System's $950,000 settlement in 2024 cited a lack of emergency response policies.
Emergency Mode Operation Plan. Establish procedures that enable continuation of critical business processes while operating in emergency mode to protect ePHI.
Annual HIPAA Policy Review. Policies must be reviewed and updated annually or in response to operational, legal, or environmental changes. Document the review date and any revisions.
6-Year Documentation Retention. Maintain all HIPAA-related policies, procedures, training records, BAAs, and risk analyses for a minimum of 6 years from creation or last effective date.

Physical Safeguards Checklist

Physical safeguards govern the physical access to your facilities and the devices used to create, store, and transmit ePHI. These requirements apply to your office space, servers, workstations, mobile devices, and any off-site locations where PHI is used or stored.

Facility Access Controls

Facility Access Policies. Document who is authorized to access areas where ePHI is stored or processed — including server rooms, medical records storage, and reception desks with PHI-visible screens.
Physical Access Controls. Implement locks, key cards, or PINs to restrict access to ePHI areas. Maintain access logs for restricted areas.
Visitor and Vendor Management. Require sign-in for all visitors to clinical or administrative areas. Escort vendors in restricted areas. Revoke physical access immediately upon termination.
Maintenance Records. Document all repairs and modifications to physical components of systems containing ePHI (walls, doors, locks, servers).

Workstation & Device Security

Workstation Use Policy. Document the proper functions for each type of workstation and the physical attributes of the workstation environment. This includes positioning screens away from windows and public view (privacy screens where necessary).
Automatic Screen Lock. Configure all workstations to lock automatically after no more than 5–10 minutes of inactivity. Employees should manually lock screens when leaving the workstation.
Mobile Device Management (MDM). If ePHI is accessed on mobile devices (tablets, phones, laptops), implement an MDM solution that enables remote wipe, enforces encryption, and tracks device inventory.
Media Disposal Procedures. Establish documented procedures for the disposal of hardware and electronic media — including hard drives, USB drives, and old workstations — that contained ePHI. Certified destruction required.
Media Re-Use Policy. Document procedures for removing ePHI from electronic media before reuse. Degaussing or certified wipe software is required before reassignment. Note that degaussing does not work on solid-state drives; for SSDs and flash media use a vendor secure-erase or cryptographic erase following NIST SP 800-88 purge methods, and keep the certificate of sanitization with your records.

Technical Safeguards Checklist

Technical safeguards are the technology controls that protect ePHI from unauthorized access, alteration, or destruction. These requirements have been substantially expanded by the proposed 2025 Security Rule NPRM, making several previously "addressable" controls mandatory for the first time.

Access Controls & Authentication

Unique User Identification. Assign each user a unique name or identifier for tracking access to ePHI. Shared logins are a direct HIPAA violation and will be cited in any audit or breach investigation.
Emergency Access Procedure. Establish a procedure to obtain necessary ePHI during an emergency in which normal access methods are unavailable — including who is authorized and how access is documented.
Automatic Logoff. Configure EHR and other ePHI-containing systems to automatically log off after a defined period of inactivity. This is currently "addressable" and will become required under the 2026 rule.
Multi-Factor Authentication (MFA). Implement MFA for all access to ePHI-containing systems. This will be mandatory under the proposed 2026 Security Rule. Most modern EHR platforms support MFA — enable it now. Limited exceptions for clinically necessary workflows must be documented.
Role-Based Access Controls (RBAC). Configure systems to provide minimum necessary access based on job role. Audit user permissions against current job roles at least annually.

Encryption & Transmission Security

Encryption of ePHI at Rest. Encrypt all stored ePHI — on servers, workstations, laptops, backup media, and mobile devices. The proposed 2026 Security Rule makes this mandatory with no risk-based exception. AES-256 encryption is the current standard.
Encryption of ePHI in Transit. All electronic transmission of PHI must use encrypted channels, TLS 1.2 or higher for web, API, and mail-server connections. TLS between mail servers is negotiated hop by hop and is often opportunistic, so it does not by itself make an email message end-to-end encrypted; for PHI in email, use a secure messaging portal or message-level encryption such as S/MIME. PHI sent without encryption is "unsecured" under HHS guidance, so its exposure does not qualify for the encryption safe harbor and is a presumptive reportable breach unless your documented risk assessment shows a low probability of compromise.
Encryption Key Management. Document your encryption key management procedures, including how keys are stored, rotated, and protected. Hardware security modules (HSMs) or cloud key management services are best practice.
Secure Messaging Platform. Use a HIPAA-compliant secure messaging solution for communicating PHI internally and with patients. Standard SMS text messages are not HIPAA-compliant for PHI transmission.

Audit Controls & Integrity

Audit Logging Enabled. Enable and maintain audit logs for all systems containing ePHI. Logs should capture user ID, date/time, resource accessed, and action taken. Regular review of audit logs is required.
Log Review Process. Establish a documented schedule and process for reviewing audit logs — at minimum quarterly, more frequently for high-risk systems. Failure to review system activity logs was cited in the BayCare Health System $800,000 settlement (2025).
ePHI Integrity Controls. Implement controls to ensure ePHI is not improperly altered or destroyed — including checksums, digital signatures, and database integrity monitoring.
Vulnerability Scans (every 6 months). Under the proposed 2026 Security Rule, vulnerability scanning of all systems containing ePHI at least every six months will be required. Schedule these now through your IT vendor or HIPAA compliance platform.
Annual Penetration Testing. Annual penetration testing (pen testing) of ePHI-containing systems will be required under the 2026 Security Rule. This is currently addressed in many larger organizations' risk management programs and should be added to small practice compliance plans.
Technology Asset Inventory & Network Map. Maintain a written, current inventory of all technology assets that create, receive, maintain, or transmit ePHI, along with a network map of ePHI data flows. Under the 2026 proposed rule, this must be updated annually and upon significant changes.
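The Information System Activity Review and Log Review items above say what the logs must capture and that they must be reviewed, but not what a review looks for. The following Python script is an added example (not code from the page or from any EHR vendor) that runs four checks over a constructed audit export: chart-browsing volume, one user ID active from two addresses at once (a shared-login indicator), after-hours access, and access after a separated user's revocation deadline. The log format, field names, thresholds, and the roster of separated users are all assumptions; real EHR audit exports differ, but the same checks apply.

```python
"""Example HIPAA information-system activity review over an ePHI access log.

Added illustration, not code from the page or from any EHR vendor. The CSV
layout, field names, thresholds and the separated-user roster are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: timestamp,user_id,patient_id,action,source_ip
SAMPLE_LOG = """\
2026-03-02T08:05:00,jsmith,P1001,view,10.0.1.21
2026-03-02T08:07:00,jsmith,P1002,view,10.0.1.21
2026-03-02T08:09:00,jsmith,P1003,view,10.0.1.21
2026-03-02T08:11:00,jsmith,P1004,view,10.0.1.21
2026-03-02T08:13:00,jsmith,P1005,view,10.0.1.21
2026-03-02T08:15:00,jsmith,P1006,view,10.0.1.21
2026-03-02T08:17:00,jsmith,P1007,view,10.0.1.21
2026-03-02T09:00:00,frontdesk,P1001,view,10.0.1.30
2026-03-02T09:01:00,frontdesk,P1008,view,10.0.2.77
2026-03-02T23:40:00,rlee,P1009,view,10.0.1.40
2026-03-03T10:00:00,mchen,P1010,view,10.0.1.50
"""

# Constructed roster of separated workforce members: user_id -> separation time
SEPARATED = {"mchen": datetime(2026, 3, 3, 8, 0)}

# Assumed thresholds; set them from your own risk analysis
MAX_DISTINCT_PATIENTS_PER_HOUR = 5            # chart-browsing / snooping indicator
SHARED_LOGIN_WINDOW = timedelta(minutes=10)   # same user_id, two IPs this close together
ACCESS_TERMINATION_GRACE = timedelta(hours=1) # proposed 1-hour revocation deadline
BUSINESS_HOURS = (7, 19)                      # 07:00 to 19:00 local


def parse_log(text):
    """Parse the CSV export into dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, user, patient, action, ip = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "action": action, "ip": ip})
    return sorted(events, key=lambda e: e["ts"])


def review(events, separated=SEPARATED):
    """Return (finding_type, user_id, detail) tuples for follow-up by the security officer."""
    findings = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        # 1. Distinct patient charts opened in any rolling one-hour window
        for i, start in enumerate(evs):
            window = [x for x in evs[i:] if x["ts"] - start["ts"] <= timedelta(hours=1)]
            patients = {x["patient"] for x in window}
            if len(patients) > MAX_DISTINCT_PATIENTS_PER_HOUR:
                findings.append(("snooping_volume", user,
                                 f"{len(patients)} distinct patients within an hour of {start['ts']}"))
                break
        # 2. Same user ID seen from two source addresses within a short window
        for a, b in zip(evs, evs[1:]):
            if a["ip"] != b["ip"] and b["ts"] - a["ts"] <= SHARED_LOGIN_WINDOW:
                findings.append(("shared_credential", user,
                                 f"{a['ip']} and {b['ip']} within {b['ts'] - a['ts']}"))
                break
        # 3. Any access outside business hours
        for e in evs:
            if not (BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]):
                findings.append(("after_hours", user, f"{e['action']} {e['patient']} at {e['ts']}"))
                break
        # 4. Access after separation plus the revocation grace period
        if user in separated:
            deadline = separated[user] + ACCESS_TERMINATION_GRACE
            late = [e for e in evs if e["ts"] > deadline]
            if late:
                findings.append(("post_termination_access", user,
                                 f"{len(late)} event(s) after {deadline}"))
    return findings


if __name__ == "__main__":
    for kind, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{kind:24} {user:10} {detail}")
```

On the sample export the review produces four findings, one per user: the seven-chart burst by jsmith, the front-desk ID used from two addresses a minute apart, the 23:40 access by rlee, and mchen's access two hours after separation. Record each finding, the reviewer, the date, and the disposition in your review log; the documented review itself is what OCR asks for, not just the enabled audit trail.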

📋 Practice Security Stack for Technical Safeguards

A typical small-practice stack that satisfies HIPAA technical safeguards: Bitdefender GravityZone for endpoint protection, EDR, and patch management; NordVPN Teams for encrypted remote access when clinicians work from home; and NordPass Business for enforced unique passwords and shared vault access management. Affiliate partners — commission earned at no cost to you.

Breach Notification Rule Checklist

The HIPAA Breach Notification Rule requires covered entities to notify affected individuals, HHS, and in some cases the media, following a breach of unsecured PHI. Deadlines are enforced on their own: under the separate Right of Access standard, American Medical Response paid $115,200 in 2024 for providing medical records 370 days after a request, and late or missing breach notification is cited alongside other findings in most enforcement actions that follow a breach.

Breach Response Procedures

Breach Definition & Recognition Policy. Train staff on what constitutes a breach vs. an impermissible use — and on the four-factor low probability of compromise test used to determine if a breach notification is required.
Incident Response Plan. Maintain a documented breach response plan that identifies who is notified internally (security officer, leadership, legal counsel), how the breach is contained, and who is responsible for notifications. Under the 2026 Security Rule, system restoration is required within 72 hours.
Individual Notification — Within 60 Days. Notify all affected individuals by first-class mail (or email if the individual has agreed) without unreasonable delay and in no case later than 60 calendar days after discovering a breach. Notification must include: description of the breach, types of PHI involved, steps individuals should take, steps you are taking, and contact information.
HHS Notification. Report all breaches to HHS via the OCR breach reporting portal. Breaches affecting 500 or more individuals must be reported without unreasonable delay and no later than 60 days after discovery. Breaches affecting fewer than 500 individuals may be logged and reported annually, within 60 days after the end of the calendar year in which they were discovered (by March 1 of the following year).
Media Notification (More Than 500 in a State). If a breach affects more than 500 residents of a single state or jurisdiction, notify prominent media outlets serving that area without unreasonable delay and no later than 60 days after discovery.
Business Associate Breach Notification to Covered Entity. BAAs must require your business associates to notify you of a breach without unreasonable delay and no later than 60 days after discovery. Under the proposed 2026 Security Rule, BAs must notify CEs within 24 hours of activating a contingency plan.
Breach Documentation Log. Maintain a log of all breaches (including those below the reporting threshold) with discovery date, PHI involved, individuals affected, notifications sent, and remediation steps. Retain for 6 years.

HIPAA Fine Amounts & Recent Enforcement Examples

HIPAA civil monetary penalties are assessed per violation, tiered by the level of culpability. Amounts are adjusted annually for inflation. The following figures reflect the penalty structure effective for cases assessed on or after August 8, 2024; the annual cap applies to violations of an identical provision within one calendar year.

Tier 1 (reasonable efforts / lack of knowledge): $141 minimum, $71,162 maximum per violation; $2,134,831 annual cap
Tier 2 (lack of oversight / reasonable cause): $1,424 minimum, $71,162 maximum per violation; $2,134,831 annual cap
Tier 3 (willful neglect, corrected within 30 days): $14,232 minimum, $71,162 maximum per violation; $2,134,831 annual cap
Tier 4 (willful neglect, not corrected): $71,162 minimum, $2,134,831 maximum per violation; $2,134,831 annual cap

Source: HIPAA Journal — HIPAA Violation Fines (updated 2025) and Accountable HQ — HIPAA Fine Amounts 2025.

Notable 2024–2026 Enforcement Actions

Montefiore Medical Center — 2024
$4,750,000 Settlement
Employee stole and sold patient data for six months, affecting 12,517 patients. Cited: failure to conduct comprehensive risk analysis, failure to review audit logs, failure to monitor information system activity.
Solara Medical Supplies — 2024
$3,000,000 Settlement
Phishing campaign compromised 8 employee mailboxes, exposing ePHI for 114,007 individuals. Cited: risk analysis failure, risk management failure, breach notification failure.
Heritage Valley Health System — 2024
$950,000 Settlement
Failure to conduct a risk analysis, no emergency response policies, and no technical policies restricting ePHI access.
Warby Parker — 2025
$1,500,000 Civil Monetary Penalty
Credential stuffing attacks compromised ~200,000 accounts across multiple incidents (2018-2022). Cited: risk analysis, risk management, and monitoring of ePHI system activity.
BayCare Health System — 2025
$800,000 Civil Monetary Penalty
Violations of minimum necessary standard, risk management failures, and failure to conduct information system activity review.
MMG Fusion, LLC — March 2026
$10,000 Settlement
PHI of 15 million individuals exposed on the dark web. Cited: risk analysis failure, impermissible disclosure, failure to notify covered entities of breach. Low settlement because the company went out of business — a cautionary example that cooperation and financial condition affect fine amounts.
Key Insight: The majority of enforcement actions — whether they result in $10,000 or $4.75 million fines — share one common denominator: failure to conduct or document an adequate security risk analysis. This single control is the linchpin of HIPAA compliance. If you do nothing else today, schedule your annual SRA.

Most Common HIPAA Violations (Ranked by Frequency)

Based on OCR enforcement data from 2023–2025 and complaint patterns, these are the violations medical practices are most frequently cited for:

1. Failure to Conduct a Security Risk Analysis. Cited in 70%+ of all OCR civil monetary penalties and settlements. Required under current rules, with updates whenever your environment changes; expected to become an explicit annual requirement under the 2026 Security Rule, with mandatory linkage to an asset inventory.
2. Impermissible Use or Disclosure of PHI. Includes unauthorized employee access (curiosity browsing), social media posts containing patient information, misdirected faxes or emails, and disclosures to family members without proper authorization. Cadia Healthcare's $182,000 settlement in 2025 involved social media disclosure.
3. Failure to Provide Patients Timely Access to Records. HIPAA requires responding to record requests within 30 days (one 30-day extension is permitted if the patient is told in writing why and when to expect the records). Multiple enforcement actions annually target this violation: American Medical Response paid $115,200 for a 370-day delay; Rio Hondo paid $100,000 for a 7-month delay.
4. Lack of or Inadequate Business Associate Agreements. Missing, expired, or non-compliant BAAs are discovered in nearly every OCR investigation that involves a vendor. Providence Medical Institute paid $240,000 in 2024 partly due to a missing BAA.
5. Insufficient Technical Access Controls. Lack of audit logs, shared login credentials, no automatic logoff, and missing encryption are common technical findings. These will become mandatory (not addressable) under the proposed 2026 Security Rule.
6. Inadequate Workforce Training. Children's Hospital Colorado was fined $548,265 in 2024 for failing to provide HIPAA training to 6,666 workforce members. Annual training with documented completion records is non-negotiable.
7. Breach Notification Failures. Failing to report breaches to individuals and HHS within 60 days, or failing to report at all (as MMG Fusion did with its 15-million-person breach), is cited alongside other violations in enforcement action after enforcement action.

HIPAA Risk Assessment Framework

The Security Risk Analysis (SRA) is the most critical and most frequently deficient element of HIPAA compliance. OCR requires it to be "thorough and accurate" — not a checkbox exercise. The following framework aligns with OCR's published guidance and the proposed 2026 Security Rule requirements.

6-Step HIPAA Risk Analysis Framework

1. Define Scope: Identify All ePHI. List every location where ePHI exists in your practice: EHR database, billing software, email system, cloud storage, backup drives, laptops, tablets, medical devices, and fax servers. Under the 2026 proposed rule, this scope definition must be maintained as a formal technology asset inventory with a network map.
2. Identify Threats and Vulnerabilities. For each ePHI location, identify reasonably anticipated threats (ransomware, phishing, unauthorized access, hardware theft, natural disasters) and existing vulnerabilities (unpatched software, weak passwords, unlocked workstations, missing MFA). Be specific; generic threat lists do not satisfy OCR's "thorough and accurate" standard.
3. Assess Current Controls. Document what controls are already in place: technical (encryption, MFA, firewalls), administrative (policies, training records), and physical (locks, badge access). Assess the effectiveness of each control. Gaps between threats and existing controls define your risk.
4. Determine Likelihood and Impact. For each threat/vulnerability pair, assess the probability of occurrence (High/Medium/Low) and the potential impact on PHI confidentiality, integrity, and availability (High/Medium/Low). Calculate a risk score. This prioritization is what allows you to allocate compliance resources rationally.
5. Document Findings and Risk Level. Compile findings into a formal written risk analysis document. This document must be retained for 6 years. OCR expects to see the analysis itself, not just a summary. Assign an overall risk rating to each finding (Critical/High/Medium/Low) to guide remediation prioritization.
6. Develop and Implement a Risk Management Plan. For every identified risk, document: the remediation action, responsible party, target completion date, and status. Review and update the plan quarterly. The risk management plan, not just the analysis, is what OCR looks for when a risk analysis is completed but violations still occur.

Many practices now use HIPAA compliance software platforms to structure and document their SRA. Our HIPAA compliance self-assessment tool can help you identify gaps before investing in a full platform. The HHS Office of the National Coordinator for Health Information Technology (ONC) also provides a free Security Risk Assessment Tool (SRA Tool) downloadable from HealthIT.gov. For practices choosing a compliance service partner, verify that their SRA process produces an OCR-compatible output document.

HIPAA Compliance Software Comparison

The HIPAA compliance software market spans simple policy template tools to enterprise governance platforms. The comparison below focuses on solutions relevant to independent medical practices and small-to-mid-size group practices.

Compliancy Group (compliancy-group.com)
  Best for: Practices wanting white-glove, full-service support
  Starting price: $300+/month
  Key features: Dedicated compliance coach; HIPAA Seal of Compliance; guided SRA; policy library; BAA templates; OSHA add-on available
  Limitations: Expensive for solo practitioners; annual commitment typically required; documentation-heavy
  Tier: Full Service

Abyde (abyde.com)
  Best for: Small practices wanting automated policy generation
  Starting price: ~$118/month
  Key features: Automated policy and procedure generation; staff training modules; SRA tool; vendor management; incident response planning; live support
  Limitations: Limited policy customization; no real-time security monitoring; training modules are somewhat generic
  Tier: Mid-Market

AccountableHQ (accountablehq.com)
  Best for: Multi-location practices or those needing to scale
  Starting price: $149–$749/month
  Key features: Multi-location support; role-based access controls; integrated training management; vendor risk management; automated compliance tracking
  Limitations: Overkill for solo practitioners; pricing increases with staff count; steeper learning curve
  Tier: Mid-Market

Total HIPAA (totalhipaa.com)
  Best for: DIY-focused practices comfortable with documentation
  Starting price: $139/month
  Key features: Extensive policy and procedure template library; SRA tools; training materials; vendor management; breach response planning
  Limitations: Heavy documentation burden; requires significant time investment; limited guidance on prioritization; no real-time monitoring
  Tier: Mid-Market

HIPAA Secure Now (hipaasecurenow.com)
  Best for: SMBs and healthcare practices focused on cybersecurity training
  Starting price: Contact for pricing
  Key features: HIPAA compliance and cybersecurity training platform designed for SMB healthcare providers; policy and procedure support; focused on workforce security awareness
  Limitations: Pricing not publicly listed; less self-service automation than competitors
  Tier: Mid-Market

Drata / Vanta (drata.com / vanta.com)
  Best for: Digital health startups needing SOC 2 + HIPAA
  Starting price: $500–$2,000+/month
  Key features: Multi-framework compliance (SOC 2, ISO 27001, HIPAA); automated evidence collection; continuous monitoring; dev tool integrations
  Limitations: Designed for tech companies, not medical practices; extremely expensive; overkill complexity for HIPAA-only needs
  Tier: Enterprise

Pricing data sourced from Patient Protect HIPAA Software Comparison (2025) and vendor websites as of March 2026. Pricing may vary by practice size and contract length.

How to Choose: Decision Framework by Practice Type

Solo practitioner (1 provider, <5 staff)
  Budget range: $39–$150/month
  Recommended approach: Abyde or a simpler SRA-focused tool; supplement with HHS's free ONC SRA Tool

Small practice (2–10 staff, 1–2 locations)
  Budget range: $100–$300/month
  Recommended approach: Abyde, AccountableHQ entry tier, or Compliancy Group Foundation plan

Group practice (10–50 staff, multi-location)
  Budget range: $300–$750/month
  Recommended approach: Compliancy Group, AccountableHQ mid-tier, or a HIPAA consulting firm for annual assessment

Large practice / health system
  Budget range: $750+/month or consulting retainer
  Recommended approach: Enterprise platform or dedicated compliance consultant; formal annual third-party audit

For a curated list of verified HIPAA compliance partners serving medical practices, browse our Compliance & Regulatory category. If you're still in the practice formation phase, our guide on starting a medical practice walks through how to build your compliance program from day one.

Frequently Asked Questions

What are the HIPAA compliance requirements for small medical practices in 2026?

All covered entities — including solo practitioners and small group practices — must comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. Core 2026 requirements include: conducting and documenting a security risk analysis and keeping it current, implementing administrative, physical, and technical safeguards, training all workforce members on HIPAA policies, executing Business Associate Agreements (BAAs) with every vendor that touches PHI, and notifying affected individuals and HHS without unreasonable delay and no later than 60 days after discovering a breach. The proposed 2025 HIPAA Security Rule update (expected to finalize May 2026) adds mandatory encryption, multi-factor authentication, and vulnerability scanning every six months, giving practices 240 days from finalization to comply.

How much are HIPAA fines in 2026?

HIPAA fines are assessed on a four-tier structure based on culpability. For cases assessed on or after August 8, 2024: Tier 1 (reasonable efforts / lack of knowledge) runs $141–$71,162 per violation; Tier 2 (lack of oversight / reasonable cause) runs $1,424–$71,162; Tier 3 (willful neglect corrected within 30 days) runs $14,232–$71,162; and Tier 4 (willful neglect not corrected) runs $71,162–$2,134,831 per violation, with an annual cap of $2,134,831 for identical violations. Real-world 2024–2025 settlements range from $10,000 (small operators that cooperate and self-report) to $4.75 million (Montefiore Medical Center).

How often must a HIPAA risk analysis be performed?

Current HIPAA rules require a risk analysis to be performed initially and then updated when there are significant operational, environmental, or technological changes. OCR strongly recommends — and the proposed 2025 Security Rule would mandate — annual risk analyses tied to a current technology asset inventory and network map. The single most common cited violation in OCR enforcement actions from 2024–2025 was failure to conduct an adequate risk analysis, appearing in more than 70% of all civil monetary penalties and settlements.

What is a Business Associate Agreement (BAA) and who needs one?

A Business Associate Agreement (BAA) is a written contract that must be executed with any vendor, contractor, or subcontractor that creates, receives, maintains, or transmits Protected Health Information (PHI) on your behalf. Common business associates requiring BAAs include: EHR/practice management software vendors, medical billing companies, cloud storage providers, answering services, shredding companies, and IT support firms. There is no minimum size threshold — even a solo practice must have signed BAAs in place before sharing PHI with any third party. Failure to have a BAA was the basis for Providence Medical Institute's $240,000 settlement in 2024.

What changed in HIPAA in 2026 that practices need to know about?

Three significant HIPAA developments affect practices in 2026: (1) The 42 CFR Part 2 final rule, with a compliance date of February 16, 2026, requires practices that handle substance use disorder records to update their Notice of Privacy Practices (NPP) to describe how those records may be used and disclosed. (2) The proposed HIPAA Security Rule NPRM (released December 27, 2024 and published January 6, 2025) is expected to be finalized in May 2026, introducing mandatory encryption, MFA, annual penetration testing, vulnerability scans every six months, 72-hour system restoration, and 1-hour access termination timelines; a 240-day compliance window follows finalization. (3) OCR enforcement remained aggressive throughout 2025 with 14+ announced settlements, and OCR's first HIPAA audit program since 2017 is expected to launch in 2025–2026.

What are the most common HIPAA violations?

Based on OCR enforcement data from 2023–2025, the most frequent HIPAA violations are: (1) Failure to conduct or document a security risk analysis, cited in over 70% of enforcement actions; (2) Impermissible disclosure or use of PHI, including social media posts, misdirected communications, and unauthorized employee access; (3) Failure to provide patients timely access to their medical records (the 30-day deadline); (4) Lack of or inadequate Business Associate Agreements; (5) Insufficient technical safeguards such as lack of access controls, audit logs, or encryption; (6) Inadequate workforce training; and (7) Breach notification failures, meaning reporting late or not at all to HHS and affected individuals.

Do I need HIPAA compliance software, or can I manage it manually?

Technically, HIPAA does not require you to use any specific software — you can manage compliance through paper policies, manual training logs, and spreadsheets. However, the administrative burden of tracking risk assessments, training completions, BAA execution, and incident logs manually is substantial and error-prone. For most practices, HIPAA compliance software costing $39–$300/month is far more cost-effective than the time investment of manual management or the risk of a fine that starts at $141 per violation and can reach $2.1 million annually. Practices should evaluate Abyde (~$118/month), AccountableHQ ($149–$749/month), or Compliancy Group ($300+/month) based on practice size and budget.