HIPAA is unusual among compliance regimes in that its substantive requirements have changed very little since the Security Rule took effect in 2005, while the enforcement environment has changed substantially. The Office for Civil Rights has shifted from a complaint-driven posture to a more proactive enforcement model, the settlement amounts have grown materially, and the technical sophistication of OCR's expectations has caught up with the actual threat environment that healthcare organisations face. Programmes that satisfied a 2010 view of HIPAA do not necessarily satisfy a 2026 enforcement action.
The Risk Analysis That OCR Actually Looks For
The Security Rule requires a risk analysis as a foundational administrative safeguard. In OCR settlements, risk analysis deficiencies appear as a finding in a striking percentage of enforcement actions — frequently the headline finding. The risk analysis that OCR looks for is comprehensive (covering all ePHI across all systems and locations, not a sample), specific (identifying threats and vulnerabilities to specific ePHI assets, not generic statements), and current (reflecting the actual environment, not a snapshot from years earlier). The risk analyses that get cited in settlements typically failed one of these tests — frequently covering only some systems, or being last updated long before the breach.
Access Controls That Reflect Operational Reality
HIPAA requires unique user identification, automatic logoff, encryption and decryption (addressable), audit controls, and access management on a need-to-know basis. The technical implementation in modern EHRs and clinical systems generally provides the capability; the operational use of the capability is where settlements get generated. The recurring findings are provisioning that does not implement role-based access, terminations that leave dormant accounts enabled, audit logs that are generated and never reviewed, and shared accounts in clinical workflows because individual login is operationally inconvenient. OCR investigators consistently surface this gap between technical capability and operational reality during breach investigations.
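The three operational gaps above (dormant accounts after termination, audit logs nobody reviews, shared clinical logins) can all be surfaced by a periodic access review that joins the HR termination list, the identity directory and the EHR audit trail. The following is an added illustration, not code from the original article or from any EHR vendor; the user names, workstation IDs and audit-line format are constructed sample data, and the ten-minute "same user on two workstations" window is an assumed review threshold, not a HIPAA requirement.

```python
from datetime import datetime, date, timedelta

# Constructed sample data (not from any real covered entity).
TERMINATIONS = {"jdoe": date(2024, 3, 1), "asmith": date(2024, 2, 15)}  # HR feed: user -> last day
AS_OF = date(2024, 3, 10)                                                # date of this access review

ACCOUNTS = [  # identity directory export
    {"user": "jdoe",       "enabled": True,  "last_login": datetime(2024, 3, 9, 8, 2)},
    {"user": "asmith",     "enabled": False, "last_login": datetime(2024, 2, 14, 17, 30)},
    {"user": "rlee",       "enabled": True,  "last_login": datetime(2024, 3, 10, 7, 45)},
    {"user": "icu_shared", "enabled": True,  "last_login": datetime(2024, 3, 10, 9, 1)},
]

# Constructed EHR audit lines: "<timestamp> <user> <workstation> <action>"
AUDIT_LOG = """\
2024-03-10T08:58:00 icu_shared WS-ICU-01 view_chart
2024-03-10T09:01:00 icu_shared WS-ICU-04 view_chart
2024-03-10T09:02:00 rlee WS-MED-02 view_chart
2024-03-09T08:02:00 jdoe WS-ADM-03 export_report
"""

def parse_audit(text):
    """Parse the constructed audit format into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, ws, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "ws": ws, "action": action})
    return sorted(events, key=lambda e: e["ts"])

def dormant_after_termination(accounts, terminations, as_of):
    """Accounts still enabled although HR recorded a termination on or before as_of."""
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and a["user"] in terminations and terminations[a["user"]] <= as_of)

def activity_after_termination(events, terminations):
    """Terminated users with audit activity after their last day (highest-priority finding)."""
    return sorted({e["user"] for e in events
                   if e["user"] in terminations and e["ts"].date() > terminations[e["user"]]})

def likely_shared_accounts(events, window=timedelta(minutes=10)):
    """Users seen on two different workstations within `window`: a review signal for a
    shared login, not proof (a clinician moving between rooms can look the same)."""
    flagged, last_seen = set(), {}
    for e in events:  # events are time-ordered, so only the previous event per user is needed
        prev = last_seen.get(e["user"])
        if prev and prev["ws"] != e["ws"] and e["ts"] - prev["ts"] <= window:
            flagged.add(e["user"])
        last_seen[e["user"]] = e
    return sorted(flagged)
```

Each returned list is a finding to record with its disposition (account disabled, login pattern confirmed as legitimate, shared account replaced), which is the documented review outcome OCR asks for.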
Business Associates and the Chain Beyond
A meaningful fraction of healthcare breaches now involve Business Associates — vendors with access to ePHI under a Business Associate Agreement. The covered entity's obligation to manage BA risk includes due diligence on the BA's security posture before granting access, ensuring a compliant BAA is in place, and exercising appropriate oversight throughout the relationship. The settlements increasingly cite covered entities for inadequate BA management, not just for the BA's breach itself. The BAA is the contractual foundation; the operational management of BA risk is the substantive work, and it generally requires a defined BA management programme rather than ad-hoc oversight by individual departments.
A pattern in HIPAA settlements: a covered entity had a BAA in place with the vendor that suffered the breach, and OCR's investigation found no evidence that the covered entity had conducted reasonable due diligence on the vendor's security posture before granting access, no documentation of ongoing oversight, and no record of how the covered entity satisfied itself that the BAA terms were being followed. The BAA was paper compliance; the BA management was absent. The settlement cited both.
The Notification Clock When Breaches Happen
The Breach Notification Rule requires notification to affected individuals without unreasonable delay and no later than 60 days from discovery, notification to HHS for breaches affecting 500 or more individuals within the same window, and prominent media notification for breaches affecting 500 or more individuals in a state or jurisdiction. The clock starts at discovery — and OCR will scrutinise when discovery actually occurred, not when the covered entity chose to characterise the incident as a breach. The notification process should be rehearsed, the templates pre-drafted, and the decision authority clear before the incident that requires it.
A HIPAA Programme That Holds Up to OCR Review
- Comprehensive, specific, and current risk analysis covering all ePHI across all systems and locations
- Risk management plan that addresses identified risks with documented mitigation decisions
- Access management that implements role-based access in clinical and administrative systems with timely provisioning and termination
- Audit log generation paired with operational log review and incident escalation
- BA management programme covering due diligence, BAA execution, and ongoing oversight
- Workforce training that is role-relevant and refreshed rather than annual compliance theatre
- Incident response and breach notification capability that has been rehearsed against the 60-day clock
- Documented Security Rule policies and procedures that match operational reality rather than aspirational state
The Operational Discipline
HIPAA-regulated entities that produce strong programmes treat HIPAA compliance as a continuous operational discipline integrated with broader security and privacy practice, not as a periodic compliance exercise. The risk analysis is refreshed against material environmental change, not annually for its own sake. Access reviews happen on a defined cadence with documented outcomes. BA management is owned by a function with the authority to enforce it. Workforce training is differentiated by role. Incident response is rehearsed. The programme survives OCR review because it reflects operational reality, and it produces better patient privacy outcomes because the operational reality matches what the Rule asks for.