HIPAA compliance in 2026 demands more than a basic privacy notice or annual staff training. Regulators expect healthcare providers to maintain active, verifiable systems that protect patient information, document risk management efforts, and respond quickly to potential breaches.
This HIPAA compliance checklist gives providers a practical, up-to-date framework for meeting the Privacy Rule, Security Rule, and Breach Notification Rule requirements as they exist today, not past or upcoming iterations, but the standards enforced in 2026.
Use this checklist to evaluate whether your systems, policies, and daily workflows are aligned with HIPAA expectations and common audit findings.
Glossary of Key HIPAA Terms (Quick Reference)
PHI (Protected Health Information): Any identifiable health information in written, verbal, or electronic form.
ePHI: Protected health information stored or transmitted electronically.
OCR: The Office for Civil Rights – the federal agency that enforces HIPAA.
Privacy Rule: Governs how PHI may be used or disclosed.
Security Rule: Sets standards for protecting ePHI.
Breach Notification Rule: Governs what providers must do when a breach occurs.
BAA (Business Associate Agreement): Contract required for vendors who handle PHI.
Minimum Necessary Standard: Providers must use or disclose only the minimum PHI needed for a purpose.
Risk Analysis: A required assessment of how ePHI is created, stored, transmitted, and protected.
1. Privacy Rule: The Foundation of PHI Protection
1.1 Have a current Notice of Privacy Practices (NPP)
Ensure your practice’s NPP is up to date, consistently provided to patients, and made easily available (website, sign at the front desk, patient portal). Patients should also sign an acknowledgment that they received your NPP.
1.2 Document patient rights to access, amend and obtain PHI
Patients must have the right to:
- Inspect and receive a copy of their PHI (including electronic versions) within a specified timeframe
- Request amendments to their PHI
- Receive an accounting of disclosures when applicable
According to regulatory updates, the timeframe for access may be reduced from 30 to 15 days in future rulemaking.
Action: Audit your PHI-access process and ensure you can meet tighter deadlines and document compliance.
1.3 Minimum necessary disclosures & workforce training
You need documented policies about limiting PHI disclosures to the minimum necessary for each work role and purpose. Train all employees, contractors and business associates on the Privacy Rule annually and when roles change.
Action: Create or update a training log and role-specific access-guidelines matrix.
1.4 Business associate agreements (BAAs)
If any vendor or subcontractor accesses PHI on your behalf, ensure you have a signed, up-to-date BAA. Review for any recent changes in terms, particularly around breach notification and security safeguards.
Action: Inventory all current BAAs, confirm execution dates, and set reminders for renewals.
1.5 Patient authorizations and special categories
Ensure you have processes for:
- Authorizations for uses and disclosures not otherwise permitted by HIPAA
- Handling of psychotherapy notes and, where applicable, substance-use disorder (SUD) treatment records (42 CFR Part 2)
Action: Review your forms and workflow to ensure proper categorization and safeguards are in place.
2. Security Rule: Protecting Electronic PHI (ePHI)
2.1 Conduct a comprehensive risk analysis
A documented risk analysis is mandatory. It should:
- Identify where ePHI is created, received, maintained or transmitted
- Map data flows and inventory assets (hardware, software, media)
- Evaluate threats and vulnerabilities
New enforcement focus: A proposed update to the Security Rule in 2025 would eliminate “addressable” standards and make certain safeguards mandatory, such as encryption, multi-factor authentication (MFA), asset inventories and audit logs.
Action: Confirm your risk analysis is current (within past 12 months) and includes asset inventory and data-flow maps.
2.2 Implement technical safeguards
Key controls to review:
- Unique user IDs and authentication mechanisms (with role-based access)
- MFA for remote access and privileged users (a proposed requirement under future rules)
- Encryption of ePHI at rest and in transit, even where previously considered “addressable”
- Audit controls (logs of who accessed ePHI, when, what they did)
- Automatic log-off from applications/devices when inactive
Action: Audit your IT controls, confirm encryption is applied to servers, laptops and mobile devices, and ensure MFA is enabled universally.
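The audit-control bullet above only matters if someone actually reads the logs. The script below is an added example, not code from the original article or from any named vendor: it parses a constructed ePHI access log and runs three review checks that map to the controls listed (unique user IDs tied to each access, MFA on remote sessions, and detection of unusual access patterns). The log format, the 07:00-19:00 business-hours policy, and the "more than five distinct records in ten minutes" threshold are all assumptions chosen for illustration.

```python
"""Added example: minimal audit-log review for ePHI access records.
Log format and policy thresholds are assumptions, not HIPAA requirements."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Fields: ISO timestamp, user id,
# patient record id, action, whether the session was remote, whether MFA was used.
SAMPLE_LOG = """\
2026-02-03T09:12:04 jdoe P1001 view remote=no mfa=yes
2026-02-03T09:15:40 jdoe P1002 view remote=no mfa=yes
2026-02-03T10:02:11 asmith P3310 update remote=yes mfa=yes
2026-02-03T23:41:10 rlee P2044 view remote=yes mfa=no
2026-02-03T23:42:02 rlee P2045 view remote=yes mfa=no
2026-02-04T14:00:00 mkim P4001 view remote=no mfa=yes
2026-02-04T14:01:00 mkim P4002 view remote=no mfa=yes
2026-02-04T14:02:00 mkim P4003 view remote=no mfa=yes
2026-02-04T14:03:00 mkim P4004 view remote=no mfa=yes
2026-02-04T14:04:00 mkim P4005 view remote=no mfa=yes
2026-02-04T14:05:00 mkim P4006 view remote=no mfa=yes
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<record>\S+)\s+(?P<action>\S+)\s+"
    r"remote=(?P<remote>yes|no)\s+mfa=(?P<mfa>yes|no)$"
)

# Assumed review policy (tune to your own risk analysis).
BUSINESS_HOURS = (7, 19)          # accesses outside 07:00-19:00 get flagged
BULK_WINDOW = timedelta(minutes=10)
BULK_THRESHOLD = 5                # more than this many distinct records per window


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            # A line the parser cannot read is itself a finding: audit logs
            # must be complete, so fail loudly rather than silently skip.
            raise ValueError(f"unparseable audit line: {line!r}")
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["remote"] = e["remote"] == "yes"
        e["mfa"] = e["mfa"] == "yes"
        events.append(e)
    return events


def max_distinct_in_window(evs):
    """Largest number of distinct records one user touched within BULK_WINDOW.
    evs must be sorted by timestamp; uses a sliding window."""
    peak, start = 0, 0
    for end in range(len(evs)):
        while evs[end]["ts"] - evs[start]["ts"] > BULK_WINDOW:
            start += 1
        peak = max(peak, len({x["record"] for x in evs[start:end + 1]}))
    return peak


def review(events):
    """Return findings as (check, user, detail) tuples, one per user per check."""
    no_mfa = defaultdict(int)
    after_hours = defaultdict(int)
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["remote"] and not e["mfa"]:
            no_mfa[e["user"]] += 1
        if not (BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]):
            after_hours[e["user"]] += 1
        by_user[e["user"]].append(e)
    findings = [("remote_without_mfa", u, n) for u, n in no_mfa.items()]
    findings += [("after_hours_access", u, n) for u, n in after_hours.items()]
    for user, evs in by_user.items():
        peak = max_distinct_in_window(evs)
        if peak > BULK_THRESHOLD:
            findings.append(("bulk_record_access", user, peak))
    return findings


if __name__ == "__main__":
    for check, user, detail in review(parse_log(SAMPLE_LOG)):
        print(f"{check:22s} user={user:8s} detail={detail}")
```

Each finding should land in a ticket with the reviewer's decision recorded; that written trail is what an auditor asks for when they check whether audit controls are operating rather than merely configured.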
2.3 Physical and administrative safeguards
- Workspace and device controls (locks, access cards, screen privacy)
- Device/media controls (inventory, disposal, reuse procedures)
- Contingency planning (data backup, disaster recovery, emergency mode operation)
Action: Review your physical access logs, media reuse/disposal records, and test your contingency plan annually.
2.4 Vendor/Business Associate cybersecurity oversight
You must ensure that vendors bound by your BAA meet equivalent security standards. The 2025 trend shows OCR and regulatory bodies shifting from covered-entity enforcement to Business Associate accountability.
Action: Develop a vendor checklist, ask for vendor security reports, and document oversight activities.
2.5 Continuous monitoring and improvements
Security is not “set and forget.” You need:
- Vulnerability scans (at least semi-annually)
- Penetration testing (annual)
- Audit log review
- Incident response drills
Many proposed rules make these testing requirements explicit.
Action: Establish a calendar for scans and tests, and maintain documentation of issues found and remediation steps.
3. Breach Notification Rule: What to Do When Things Go Wrong
3.1 Breach definition and documentation
A “breach” is the acquisition, access, use or disclosure of PHI in a manner not permitted that compromises its security or privacy, unless the covered entity or business associate demonstrates low probability of compromise based on a risk assessment.
Action: Ensure your internal breach-determination process is clearly documented and your team knows who must perform the risk assessment and when.
3.2 Notifications to affected individuals, HHS OCR and media
- Individual notification: within 60 days of discovery, unless delayed by law enforcement
- HHS notification:
  - If fewer than 500 individuals are affected: file within 60 days of year end
  - If 500 or more individuals are affected: file within 60 days of discovery
- Media notification: required when 500+ individuals affected in a jurisdiction
Action: Insert timeline triggers into your incident response plan and test the workflow annually.
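The "timeline triggers" the Action calls for are easy to get wrong under pressure because the HHS deadline branches on breach size while the media obligation is counted per jurisdiction. The function below is an added example, not part of the original checklist: it turns the three notification rules above into computed deadline dates from a discovery date and a per-jurisdiction headcount. The 60-day media deadline is taken from 45 CFR 164.406 rather than from the checklist text, and the law-enforcement hold is modelled as a flag that suspends the individual deadline; the jurisdiction names and counts in the usage are constructed.

```python
"""Added example: compute Breach Notification Rule deadlines from a discovery
date. Rules encoded: individuals within 60 days of discovery (unless a law
enforcement hold applies); HHS within 60 days of discovery for 500+ affected,
otherwise within 60 days of calendar year end; media within 60 days where a
single jurisdiction has 500+ affected (the media timing is from 45 CFR 164.406)."""
from datetime import date, timedelta

SIXTY_DAYS = timedelta(days=60)


def notification_deadlines(discovery, affected, by_jurisdiction=None,
                           law_enforcement_hold=False):
    """Return {'individuals': date|None, 'hhs': date, 'media': {jurisdiction: date}}."""
    by_jurisdiction = by_jurisdiction or {}
    if affected >= 500:
        hhs = discovery + SIXTY_DAYS
    else:
        # Small breaches are logged and filed after the calendar year closes.
        hhs = date(discovery.year, 12, 31) + SIXTY_DAYS
    return {
        # None signals "suspended by law enforcement"; re-run once the hold lifts.
        "individuals": None if law_enforcement_hold else discovery + SIXTY_DAYS,
        "hhs": hhs,
        "media": {j: discovery + SIXTY_DAYS
                  for j, n in by_jurisdiction.items() if n >= 500},
    }


def overdue(deadlines, today):
    """Names of notifications whose deadline has passed as of `today`;
    useful as the time-to-response metric an incident plan should track."""
    late = []
    if deadlines["individuals"] and today > deadlines["individuals"]:
        late.append("individuals")
    if today > deadlines["hhs"]:
        late.append("hhs")
    late += [f"media:{j}" for j, d in deadlines["media"].items() if today > d]
    return late


if __name__ == "__main__":
    # Constructed scenario: 1,200 individuals, 900 of them in one state.
    d = notification_deadlines(date(2026, 3, 10), 1200, {"TX": 900, "OK": 300})
    for k, v in d.items():
        print(f"{k:12s} {v}")
    print("overdue as of 2026-06-01:", overdue(d, date(2026, 6, 1)))
```

Wire the returned dates into the incident tracker as hard due dates at the moment the breach is confirmed, and keep the risk-assessment memo that justified the headcount alongside them; regulators judge both the timing and the documentation.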
3.3 Business associate notification requirements
Business associates must notify covered entities of breaches or potential breaches as defined in their BAA or within 60 days of discovery.
Action: Review your BAAs to confirm breach-notification timing and make sure your business associates understand their obligation.
3.4 Contingency plan and remediation
Following a breach, you must:
- Act to mitigate harm and prevent further unauthorized use or disclosure
- Review and revise policies and procedures where needed
- Document investigations and corrective actions
Because enforcement agencies are increasingly penalizing delayed response and inadequate remediation (especially in ransomware incidents), as Reuters has reported, you must have incident-response workflows that are both documented and tested.
Action: Include documented “time-to-response” metrics in your incident response plan and perform regular mock breach drills.
4. 2026 Enforcement Priorities Providers Should Know
In 2026, regulators are focused on whether healthcare providers maintain documented, operational safeguards, not just written HIPAA policies. Enforcement has become more frequent, more consistent, and more focused on foundational requirements that providers often overlook.
- Strengthened cybersecurity regulations: The proposed NPRM for the Security Rule includes mandatory MFA, encryption, asset inventories and audit controls with reduced “addressable” flexibility. (Source: ProCern Technology Solutions)
- Heightened regulator enforcement: OCR is emphasizing enforcement in areas like access to records, breach response times and business-associate accountability. (Source: The HIPAA Journal)
- Data access rights & portability: Proposed Privacy Rule updates include shorter timelines for patient access and enhanced rights to direct copies of ePHI to third-party apps. (Source: The HIPAA Journal)
- Interoperability & third-party risk: With more health data flowing into apps and third-party platforms, regulators are scrutinizing how PHI is shared and secured beyond core providers.
- AI and ePHI risks: As healthcare systems adopt AI/analytics platforms, the potential for PHI misuse or unauthorized disclosures grows; including these technologies in your risk analysis is now essential.
5. Practical Checklist: What You Can Do This Quarter
| Area | Action Step | Owner | Deadline |
|---|---|---|---|
| Privacy NPP | Review and update your Notice of Privacy Practices to reflect 2026 compliance standards; redistribute digitally and in-clinic. | Compliance Lead | 30 days |
| Risk Analysis | Complete a full Security Rule risk analysis, including an updated inventory of all ePHI systems and third-party integrations. | IT & Compliance | 60 days |
| MFA Deployment | Confirm MFA is enabled for all users accessing ePHI; review role-based permissions and disable any outdated accounts. | IT Director | 90 days |
| Business Associates | Audit all BAAs, confirm they include required breach notification timelines, and verify vendors’ current security safeguards. | Legal Counsel | 45 days |
| Incident Response | Conduct a mock breach drill and test your internal timing for investigation, documentation, and notification. | Operations Lead | 90 days |
| HIPAA Training | Run annual HIPAA training for all workforce members and document completion; include role-specific modules for staff handling ePHI. | HR Manager | Next FY |
Strengthening Compliance Before Regulators Come Calling
HIPAA compliance is not a box to check; it’s the backbone of trust between your practice, your patients and the regulatory environment. With enforcement intensifying, cybersecurity threats rising, and regulatory landscapes shifting, being proactive is more important than ever.
Use this checklist as your roadmap to clarity and control: update your policies, test your systems, train your team, and align your documentation with future-proof standards. If you need a partner to make compliance less burdensome and more strategic, you’re ready to engage.
Schedule a Consultation with a Healthcare Compliance Attorney.
This article provides general information only and does not constitute legal advice. For guidance specific to your organization, contact the healthcare attorneys at Nichols Weitzner Thomas LLP.
