HIPAA Security Rule Compliance

A practical security audit for covered entities and business associates. Assess your current program and prepare for the 2026 proposed Security Rule changes.

HIPAA Security Compliance

Overview

HIPAA's Security Rule requires covered entities and their business associates to protect electronic protected health information (ePHI) with administrative, physical, and technical safeguards. The requirement isn't just to have policies. It's to demonstrate that your security program is actively managed, documented, and effective. We conduct security audits that give you an honest assessment of where your program stands and what it takes to get it where it needs to be.

A healthcare software vendor came to us because a hospital prospect asked for evidence of their HIPAA compliance before signing. They had a BAA template and a few IT policies, but no formal security assessment and no documented risk analysis. Without that foundation, the deal stalled, and it kept stalling until the work was done.

Security Risk Analysis

HIPAA requires a documented risk analysis. We conduct a thorough assessment of potential threats to ePHI across your environment, document findings in the format regulators expect, and produce a risk register you can actually maintain year over year.

Safeguards Review

We assess your administrative (policies, training, access controls), physical (facility controls, device management), and technical safeguards (encryption, audit controls, transmission security) against Security Rule requirements, and document where each stands.

Documentation & Policy Alignment

We review and help align your policies, procedures, and workforce training programs to HIPAA requirements, ensuring your documentation supports your program and would hold up under a compliance review or OCR investigation.

OCR audits and breach investigations both begin with the same question: can you show your security risk analysis? If the answer isn't yes, that's the first thing to fix.

What You Can Expect

  • Documented security risk analysis meeting HIPAA requirements
  • Safeguard gap assessment across administrative, physical, and technical controls
  • Policy and procedure review against Security Rule standards
  • Workforce training program evaluation
  • Gap analysis against the 2026 proposed Security Rule requirements (MFA, encryption, patch timelines, network segmentation, asset inventory)
  • Executive-ready summary suitable for leadership reporting or business associate due diligence

The 2026 Proposed Security Rule: What's Coming

HHS published a Notice of Proposed Rulemaking on January 6, 2025, proposing the most significant overhaul of the HIPAA Security Rule since 2003. The comment period closed March 7, 2025, with over 4,000 comments received. A final rule is expected in 2026, with a compliance deadline approximately 180 days after publication.

The single largest structural change is the elimination of the "addressable" vs. "required" distinction. For 20 years, covered entities could document a risk-based reason to skip certain controls. Under the proposed rule, that flexibility disappears. Everything becomes mandatory.

Key proposed requirements that directly affect audit scope:

  • Multi-factor authentication required for all access to any system containing ePHI, with access revocation within 1 hour of workforce termination
  • Encryption at rest (AES-256 minimum) and in transit (TLS 1.2 minimum) become mandatory, not addressable
  • Vulnerability scanning every 6 months (internal and external); penetration testing annually, with social engineering required as a component
  • Network segmentation becomes mandatory to limit lateral movement during an attack
  • Technology asset inventory and network map required in writing, updated annually
  • Patch management timelines: critical patches within 15 days, high-severity patches within 30 days
  • Recovery time objective of 72 hours for critical ePHI systems; backup restoration testing required
  • Business associate annual verification: BAs must provide written certification that required technical safeguards are deployed; covered entities must validate through an independent cybersecurity subject matter expert

Organizations that complete a HIPAA security audit now will have a clear picture of where they stand against both the current rule and what is proposed. That means remediation can be planned and budgeted before the compliance clock starts.

Need policies to go with the audit? Our Policy & Procedure Development service can build or update the documentation your HIPAA program depends on.

Engagement Fee

Engagement fees for HIPAA Security Audits are based on the size of your organization and the volume of ePHI you handle. Contact us for a specific quote.

Add-on Service - HIPAA

Control Mapping - Additional Compliance Requirement

$999*
Requires main package purchase
  • Evaluation for one (1) additional compliance requirement
  • Mapping of existing controls to additional framework criteria
  • Gap identification against the additional standard

* Following initial discovery call, agreement, and deposit.

Who This Is For

  • Healthcare providers, health plans, and clearinghouses (covered entities) that need a documented security risk analysis to satisfy HIPAA requirements
  • Software vendors, billing companies, IT service providers, and other organizations that handle ePHI as business associates
  • Organizations that have never conducted a formal HIPAA security risk analysis, or whose last one is more than a year old
  • Companies that received a finding from OCR or a compliance review and need to remediate and document corrective action
  • Healthcare technology startups whose hospital or health system prospects require evidence of HIPAA compliance before signing a Business Associate Agreement

Common Questions

What is required in a HIPAA security risk analysis?

The HIPAA Security Rule (45 CFR § 164.308(a)(1)) requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI they hold. That means identifying where ePHI exists across your environment, evaluating current controls, assessing the likelihood and impact of potential threats, and documenting findings in a format that can be reviewed by auditors or OCR investigators. A risk analysis that is not documented is treated as one that was never performed.

What is the difference between a covered entity and a business associate under HIPAA?

A covered entity is a healthcare provider, health plan, or healthcare clearinghouse that handles protected health information (PHI) directly as part of its core function. A business associate is any organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity (including IT vendors, billing companies, EHR platforms, cloud storage providers, and consultants). Both are subject to the HIPAA Security Rule, and both are required to have a documented security risk analysis. The covered entity / business associate distinction determines how HIPAA obligations flow through contracts (via Business Associate Agreements).

What happens if we fail an OCR audit or compliance investigation?

OCR (the HHS Office for Civil Rights) enforces HIPAA through complaint investigations and periodic audits. Findings can result in corrective action plans and civil monetary penalties. Effective January 28, 2026, penalties range from $145 per violation (Tier 1, unaware) up to $2,190,294 per violation (Tier 4, willful neglect not corrected). Criminal referral is possible in cases involving intentional misuse of PHI. The most common finding in OCR investigations is a missing or inadequate security risk analysis. Organizations that can demonstrate a documented, current risk analysis and evidence of ongoing risk management are significantly better positioned, even when an incident has occurred.

What is HHS proposing to change in the HIPAA Security Rule?

HHS published a Notice of Proposed Rulemaking on January 6, 2025, proposing the most significant overhaul of the Security Rule since 2003. The comment period closed March 7, 2025. A final rule is expected in 2026, with a compliance deadline approximately 180 days after publication. The most sweeping structural change is the elimination of the "addressable" vs. "required" distinction: every implementation specification becomes mandatory. Specific proposed requirements include mandatory MFA for all ePHI access, encryption at rest (AES-256 minimum) and in transit (TLS 1.2 minimum), biannual vulnerability scanning, annual penetration testing with social engineering, mandatory network segmentation, a written technology asset inventory updated annually, critical patch deployment within 15 days, and a 72-hour recovery time objective for critical systems. Business associates would also be required to provide annual written verification of their technical safeguard deployment, with covered entities responsible for independent validation.
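The proposed-rule requirements listed earlier on this page (MFA, AES-256 at rest, TLS 1.2 in transit, segmentation, patch timelines, 72-hour RTO) and restated in this answer are the kind of thresholds a gap analysis checks an asset inventory against. The script below is an added illustration, not code from this page or its authors: it evaluates a small, constructed inventory against those thresholds and produces a per-asset gap list. The inventory fields, the `ephi` segment label, and the sample systems are assumptions made for the example; the numeric limits are the ones the page quotes from the proposed rule.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Thresholds as summarized on this page for the proposed 2026 Security Rule.
CRITICAL_PATCH_DAYS = 15
HIGH_PATCH_DAYS = 30
RTO_HOURS_MAX = 72
MIN_TLS: Tuple[int, int] = (1, 2)
ACCEPTED_AT_REST = {"AES-256"}
EPHI_SEGMENT = "ephi"  # hypothetical segment label used by this example


@dataclass
class Asset:
    """One row of a technology asset inventory (field set is an assumption)."""
    name: str
    holds_ephi: bool
    mfa_enforced: bool
    at_rest_cipher: Optional[str]               # e.g. "AES-256", "AES-128", None
    tls_min_version: Optional[Tuple[int, int]]  # lowest protocol version accepted
    network_segment: str
    oldest_unpatched_critical: Optional[date]   # release date of oldest unapplied critical patch
    oldest_unpatched_high: Optional[date]       # same for high-severity patches
    rto_hours: Optional[int]                    # documented recovery time objective
    critical_system: bool


def check_asset(asset: Asset, today: date) -> List[str]:
    """Return the list of proposed-rule gaps for one asset (empty = no gaps)."""
    gaps: List[str] = []
    if not asset.holds_ephi:
        return gaps  # the listed controls apply to systems containing ePHI
    if not asset.mfa_enforced:
        gaps.append("MFA not enforced for access")
    if asset.at_rest_cipher not in ACCEPTED_AT_REST:
        gaps.append(f"at-rest encryption {asset.at_rest_cipher or 'none'} below AES-256")
    if asset.tls_min_version is None or asset.tls_min_version < MIN_TLS:
        gaps.append("transport minimum below TLS 1.2")
    if asset.network_segment != EPHI_SEGMENT:
        gaps.append("not isolated in an ePHI network segment")
    if asset.oldest_unpatched_critical is not None:
        age = (today - asset.oldest_unpatched_critical).days
        if age > CRITICAL_PATCH_DAYS:
            gaps.append(f"critical patch outstanding {age} days (limit {CRITICAL_PATCH_DAYS})")
    if asset.oldest_unpatched_high is not None:
        age = (today - asset.oldest_unpatched_high).days
        if age > HIGH_PATCH_DAYS:
            gaps.append(f"high-severity patch outstanding {age} days (limit {HIGH_PATCH_DAYS})")
    if asset.critical_system and (asset.rto_hours is None or asset.rto_hours > RTO_HOURS_MAX):
        gaps.append(f"RTO {asset.rto_hours} h exceeds {RTO_HOURS_MAX} h for a critical ePHI system")
    return gaps


def gap_report(assets: List[Asset], today: date) -> Dict[str, List[str]]:
    """Map asset name -> gaps, listing only assets that have at least one gap."""
    report: Dict[str, List[str]] = {}
    for asset in assets:
        gaps = check_asset(asset, today)
        if gaps:
            report[asset.name] = gaps
    return report


# Constructed sample inventory for the example (not real systems).
TODAY = date(2026, 3, 1)
SAMPLE_ASSETS = [
    # compliant except for a critical patch released 20 days ago
    Asset("ehr-db", True, True, "AES-256", (1, 2), "ephi", date(2026, 2, 9), None, 48, True),
    # ePHI system with several gaps
    Asset("billing-portal", True, False, "AES-128", (1, 1), "general", None, None, 96, True),
    # holds no ePHI, so the listed controls are not evaluated
    Asset("marketing-site", False, False, None, (1, 0), "dmz", None, None, None, False),
]

if __name__ == "__main__":
    for name, gaps in gap_report(SAMPLE_ASSETS, TODAY).items():
        print(name)
        for gap in gaps:
            print("  -", gap)
```

Run as-is, it prints one line per gap for the two ePHI systems and nothing for the marketing site. The output is the raw material for a gap register: each line names the asset, the control, and the measured value against the limit, which is the evidence an independent reviewer or OCR investigator would expect to see behind a "remediation planned" entry.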