The headlines are stark: in April 2026 alone, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced four settlements involving ransomware breaches that exposed over 427,000 individuals’ data, with penalties totaling $1.165 million. Including those four, OCR has resolved six HIPAA investigations with financial penalties in 2026, collecting $1,278,000 in penalties.
If you think your small practice flies under the radar, think again. OCR Director Paula M. Stannard emphasized: “Proactively implementing the HIPAA Security Rule before a breach or an OCR investigation not only is the law but also is a regulated entity’s best opportunity to prevent or mitigate the harmful effects of a successful cyberattack.”
This checklist covers the most critical 2026 requirements for medical practices — what you must have in place right now, even if the major February deadline has passed.
How to Use This Checklist
This guide is organized into four priority areas based on recent OCR enforcement actions and 2026 regulatory updates. Work through each section, check off completed items, and document gaps with remediation plans. Keep all evidence: HIPAA requires that policies, procedures, and the records of actions, activities, and assessments be retained for six years from the date of creation or the date they were last in effect, whichever is later (45 CFR § 164.316(b)(2)), and OCR will ask for them in an investigation.
For deeper understanding of related compliance topics, see our guides on Medical Billing Compliance: A Complete Guide and Upcoding in Medical Billing: Risks, Examples & Prevention.

✅ Priority 1: Documentation & Notice of Privacy Practices
February 16, 2026 Deadline — Did You Update Your NPP?
The most significant HIPAA-related change in over a decade reached its compliance date on February 16, 2026. The 42 CFR Part 2 Final Rule (published by HHS in February 2024) aligns substance use disorder (SUD) record confidentiality with HIPAA, but still imposes stricter limitations on those records than on other PHI.
Every HIPAA-covered entity that creates, receives, or maintains Part 2 records, including practices that receive SUD information through referrals, care coordination, or health information exchanges, was required to have its Notice of Privacy Practices (NPP) updated by February 16, 2026.
Even if you don’t treat SUD patients, you may receive SUD records from other providers during care coordination. This requirement applies broadly.
If you missed the deadline, you are currently out of compliance. Update your NPP immediately, including these required elements:
- A statement that SUD records are subject to special protections and are not used/disclosed for treatment, payment, or healthcare operations without the patient’s written consent
- A statement that SUD records cannot be used in civil, criminal, administrative, or legislative proceedings against the individual unless the patient consents or a court orders after notice/hearing
- An opt-out notice if SUD records may be used for fundraising
Distribution requirements:
- If your organization maintains a website, post the updated NPP online (required by February 16)
- Make the revised notice available to patients: health care providers must provide it on request on or after the effective date and post it at the service delivery site; health plans must distribute the revised notice, or a summary of the material changes, within 60 days of the revision
- Provide updated NPP to new patients and anyone who requests a copy
Reproductive Health Privacy (2024 Final Rule — Mostly Vacated)
On June 18, 2025, a federal court vacated most of the 2024 reproductive health privacy amendments nationwide. Your organization should revert to baseline HIPAA Privacy Rule standards and applicable state laws when handling reproductive health PHI. The attestation requirement and related prohibitions are no longer in effect. However, document minimum necessary determinations and state-law analyses when disclosing PHI related to reproductive care.
Action Items:
- Is your NPP updated with Part 2 SUD disclosures? (✅/⬜)
- Is your NPP posted on your website (if applicable)? (✅/⬜)
- Have you reverted reproductive health policies to baseline HIPAA? (✅/⬜)
✅ Priority 2: Business Associate Agreements
You MUST have a signed Business Associate Agreement (BAA) with every vendor or person that “touches” PHI. This is not just for your EHR and clearinghouse — it includes:
- Cloud storage providers
- Email and messaging systems, if patient information is sent through them (a hosted mail service stores your messages and therefore needs a BAA; the narrow “conduit” exception covers only carriers that merely transmit PHI)
- Outside billers and collectors
- Any vendor that handles, processes, or stores PHI
Why this matters now — Gulf Coast Pain Consultants Case: OCR imposed a $1,190,000 civil monetary penalty on a medical practice after a former contractor accessed its EMR system and used patient records for downstream healthcare fraud, affecting approximately 34,310 individuals. The compromised PHI included names, Social Security numbers, chart numbers, and insurance information. The lesson is as much about access lifecycle as about paperwork: a BAA does not help if a contractor’s credentials survive the end of the engagement, so revoke access the day a relationship ends and review system activity logs for accounts that should be dormant.
BAA provisions to verify in 2026:
- Permitted uses and disclosures of PHI spelled out, and limited to what the covered entity itself could do (the minimum necessary standard applies to the business associate too)
- Administrative, physical, and technical safeguards matching the Security Rule
- Breach and security-incident reporting to you without unreasonable delay and in no case later than 60 days after discovery (the regulatory ceiling; a shorter contractual deadline such as 5 or 10 days is common and leaves you time to meet your own notification clock)
- Flow-down of the same obligations to subcontractors, plus cooperation with audits and OCR compliance reviews
- Termination clauses requiring return or destruction of PHI, or extended protections where return is infeasible
Vendor oversight evidence you must maintain: executed BAAs, risk assessments of vendors, audit rights documentation, and remediation tracking for gaps — retained for six years per OCR protocol.
Action Items:
- Do you maintain an up-to-date inventory of every vendor and person that handles PHI, mapped to its executed BAA? (✅/⬜)
- Have you identified all vendors that need a BAA, and is each BAA signed by both parties? (✅/⬜)
- Are you performing annual vendor reviews (quarterly for high-risk vendors)? (✅/⬜)
✅ Priority 3: The Security Rule — Prepare for the Proposed 2026 Update
HHS published a proposed HIPAA Security Rule update (NPRM) in January 2025; the final rule is anticipated around May 2026, and it makes big changes that will affect almost every medical practice. Until it is published, the current Security Rule remains the enforceable standard, but the proposals signal where OCR’s expectations are heading.
Key changes proposed:
- Mandatory multi-factor authentication (MFA) for access to ePHI, with only narrow exceptions
- Encryption of ePHI at rest AND in transit
- Stricter, more prescriptive risk analysis, risk management, and incident response procedures
- Contingency planning that restores critical systems and data within defined timeframes (the NPRM proposes 72 hours)
- Annual compliance audits and annual testing of contingency and incident response plans
- Written technology asset inventories and network maps documenting how ePHI flows through your systems
- Regular vulnerability scanning and annual penetration testing, plus network segmentation
Enforcement Priority: Risk Analysis Failures
The biggest takeaway from 2026 settlements: OCR is making the risk analysis provision an enforcement priority.
In each of the four ransomware settlements announced in April 2026, OCR identified risk analysis failures. The risk analysis must identify all locations within the organization where ePHI is located — including how ePHI enters, flows through, and leaves your information systems. An accurate and up-to-date asset inventory is essential first.
Regional Women’s Health Group is a representative example: OCR’s investigation found that the organization had failed to conduct an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to its ePHI.
Action Items:
- Have you conducted a complete, enterprise-wide Security Risk Assessment (SRA) in the last 12 months, and whenever a significant change occurred (new EHR, new cloud vendor, office move)? (✅/⬜)
- Have you identified everywhere ePHI lives in your practice? (✅/⬜)
- Have you implemented MFA and data encryption? (✅/⬜)
- Is your ePHI asset inventory up to date, and does it document how ePHI enters, flows through, and leaves your systems? (✅/⬜)
✅ Priority 4: Breach Response — Minimum Requirements
A Breach Response SOP (Standard Operating Procedure) and Incident Log are not optional — they are required under the Breach Notification Rule. Maintaining a clear written process shows OCR you can respond quickly and meet notification deadlines.
Minimum Breach Response Requirements
If PHI is exposed, even accidentally, your Breach Response SOP must enable:
- Detection and documentation of impermissible uses and disclosures, including the burden-of-proof records required by 45 CFR § 164.414 (you must be able to show either that notifications were made or that the incident did not qualify as a breach)
- A four-factor risk assessment to determine whether the incident is a reportable breach (per the breach definition at 45 CFR § 164.402)
- Breach notification deadlines:
- HHS OCR: within 60 days of discovery for breaches affecting 500 or more individuals; smaller breaches may be logged and reported within 60 days after the end of the calendar year in which they were discovered (45 CFR § 164.408)
- Affected individuals: without unreasonable delay and no later than 60 days from discovery (45 CFR § 164.404)
- Prominent media serving the state or jurisdiction: if a breach affects more than 500 residents of that state (45 CFR § 164.406)
- Business associate reporting: a BA must report breaches to the covered entity without unreasonable delay and no later than 60 days after discovery (45 CFR § 164.410); the covered entity’s own clock starts when the BA, as its agent, discovers the breach, which is why BAAs should set a shorter contractual deadline
- State law reporting: check your state; both CA and NY have shortened breach notification to 30 days, and in CA a breach affecting more than 500 residents must also be reported to the CA Attorney General
Action Items:
- Does your practice have a Breach Response SOP? (✅/⬜)
- Did you update your Breach Response SOP to include Part 2 breach reporting (Part 2 records must now follow the HIPAA Breach Notification Rule, effective from February 16, 2026)? (✅/⬜)
- Is your Incident Log current and complete? (✅/⬜)
Quick Reference: 2026 Compliance Summary Table
| Compliance Area | Core Requirement | 2026 Status |
|---|---|---|
| Notice of Privacy Practices (Part 2) | Update NPP with 42 CFR Part 2 SUD disclosures | February 16, 2026 deadline passed — action required |
| Business Associate Agreements | Signed BAA with ALL vendors touching PHI | Mandatory — verify the clauses listed in Priority 2 |
| Security Rule | Risk analysis, risk management, MFA, encryption | Proposed rule anticipated to be finalized around May 2026 — prepare now |
| Breach Response | Written SOP + Incident Log with Part 2 reporting | Mandatory — active OCR enforcement |
| Employee Training | Documented initial AND refresher HIPAA training | Mandatory — including Part 2 changes and the vacated reproductive health rule |
| State Law Compliance | Check state-specific breach reporting requirements | Check CA (30 days, AG notification over 500 residents) and NY (30 days) |
Final Words: Compliance Preparedness Is Your Only Defense
OCR enforcement is aggressive and unrelenting in 2026. The combined message from 2026 enforcement actions is crystal clear: annual risk analyses, timely NPP updates, and third-party BAA oversight are not optional. Even small, single-provider practices are expected to demonstrate the same foundational safeguards as large hospital systems.
Hacking and ransomware are now the most frequent types of large breaches reported to OCR. Maintaining complete documentation — including your Breach Response SOP, Incident Log, calendar of training dates, and BAA inventory — protects you.
Looking for more compliance and revenue cycle insights? Subscribe to the Med Revenue Hub newsletter for expert guidance on medical billing, coding, and HIPAA compliance.
Frequently Asked Questions (FAQs)
1. What is the most important HIPAA deadline my practice may have missed in 2026?
The February 16, 2026, deadline for updating your Notice of Privacy Practices (NPP) to address 42 CFR Part 2 substance use disorder (SUD) record protections — even if you do not treat SUD patients, you may receive such records from other providers during care coordination.
2. What exactly must my updated Notice of Privacy Practices (NPP) say about Part 2 records?
It must state: that SUD records are subject to special protections; that they generally cannot be used for treatment, payment, or healthcare operations without patient consent; that they cannot be used in legal proceedings against the individual without consent or court order; and an opt-out notice if SUD records may be used for fundraising.
3. Do I need a Business Associate Agreement (BAA) with every vendor?
Yes. Not just your EHR — also for cloud storage, email systems, outside billers, collections agencies, and any vendor that touches PHI. 2026 BAA clauses must now include breach notification within 60 days, subcontractor management, audit cooperation, and termination with PHI return/destruction.
4. Are the reproductive health HIPAA Privacy Rule changes still in effect?
No. On June 18, 2025, a federal court vacated most of the 2024 reproductive health privacy amendments nationwide. You should revert to baseline HIPAA Privacy Rule standards and applicable state laws.
5. Is the HIPAA Security Rule going to change in 2026?
Yes, the proposed HIPAA Security Rule update is expected by May 2026. Major changes include mandatory multi-factor authentication (MFA) for all ePHI access; encryption of ePHI; stricter risk analysis and management; and possible 72-hour system restoration requirements.
6. What is the deadline for the new HIPAA Security Rule when it’s finalized?
The final rule is anticipated around May 2026 and will set the actual compliance date. The January 2025 proposal called for compliance within 180 days of the rule’s effective date, which would leave practices only about six months to implement MFA, encryption, asset inventories, and the other changes. Smaller providers often have the largest implementation gaps and should start planning and resourcing now.