HIPAA Security Rule Update — Proposed encryption, MFA, and technical safeguards. Get ahead of the rule.
Blog
Expert guidance on HIPAA compliance, healthcare security, and regulatory updates.
HIPAA asset management and termination requirements: Device and Media Controls (45 CFR 164.310(d)) and termination procedures (164.308(a)(3)(ii)(C)). Why an asset inventory underpins your risk analysis and how to ensure device recovery.
HIPAA audit log requirements explained: Audit Controls (45 CFR 164.312(b)) and Information System Activity Review (164.308(a)(1)(ii)(D)) both required. Why keeping logs isn't enough and what continuous monitoring changes.
HIPAA documentation and e-signature requirements: documentation and 6-year retention (45 CFR 164.316(b)), training (164.308(a)(5)) and sanctions (164.308(a)(1)(ii)(C)). Why electronic signatures (ESIGN Act, 15 U.S.C. 7001) satisfy HIPAA and turn acknowledgments into evidence.
A HIPAA security risk assessment questionnaire is not a risk analysis. What 45 CFR 164.308(a)(1)(ii)(A) requires, why it's the #1 OCR finding, and the difference a technical scan and remediation make.
HIPAA vendor due diligence explained: the 'satisfactory assurances' requirement (45 CFR 164.308(b)(1), 164.502(e)(1)(i)). Why a signed BAA isn't enough and how to verify and document vendor safeguards.
Is email HIPAA compliant? Standard email is not. What the HIPAA Security Rule requires for email (45 CFR 164.312), why 'addressable' isn't optional, and the breach safe harbor most practices miss.
An OCR enforcement lesson: a $450,000 ransomware settlement over a missing HIPAA risk analysis. What OCR actually cited (45 CFR 164.308), why employer health plans are covered entities, and how to close the gap before a breach.
What HIPAA compliance actually costs in 2026 — broken down by component, organization size, and approach, with the hidden fees to watch for and how to budget realistically.
The definitive 2026 ranked review of HIPAA compliance software — Live Compliance, Compliancy Group, Drata, Vanta and more — with honest pros, cons, and pricing.
Your 2026 HIPAA compliance guide to the Privacy, Security, and Breach Notification Rules — plus the most aggressive OCR enforcement era in the law's history.
These five common HIPAA compliance failures account for the majority of OCR enforcement actions and settlement agreements. Here's how to identify and fix them before your next audit.
The first proposed major update to the HIPAA Security Rule since 2013 was published January 6, 2025 and is still pending. Here's what would change, what it would cost, and how to prepare your organization before any final rule takes effect.
Who qualifies as a business associate, what a HIPAA business associate agreement must contain, and the real penalties for handling PHI without one in place.
HIPAA compliance software ranges from policy templates to full platforms with risk automation and SIEM. What features matter and which questions to ask vendors.
HIPAA penalties range from $145 per violation to a $2.19 million annual cap per identical provision, but the financial damage extends far beyond fines. When you factor in breach response costs, legal fees, lost revenue, and reputational harm, a single compliance failure can cost a healthcare organization millions more than the penalty itself.
A step-by-step HIPAA risk assessment guide: how to scope your environment, document findings, and meet exactly what OCR expects when they come knocking.