AHLA's Speaking of Health Law

HIPAA Security Rule Enforcement in 2026: Proposed Changes, Current Expectations, and Risk Management

American Health Law Association


John Howlett, Senior Vice President and Chief Marketing Officer, Clearwater, speaks with Iliana Peters, Shareholder, Polsinelli, about the state of HIPAA Security Rule enforcement in 2026, including the pending Security Rule Notice of Proposed Rulemaking, OCR’s continued enforcement activity, and what health care organizations should be doing now while the regulatory picture remains unsettled. Sponsored by Clearwater.

Watch this episode: https://www.youtube.com/watch?v=KLJbNH1V7-I

Learn more about Clearwater: https://clearwatersecurity.com/ 

Essential Legal Updates, Now in Audio

AHLA's popular Health Law Daily email newsletter is now a daily podcast, exclusively for AHLA Comprehensive members. Get all your health law news from the major media outlets on this podcast! To subscribe and add this private podcast feed to your podcast app, go to americanhealthlaw.org/dailypodcast.

Stay At the Forefront of Health Legal Education

Learn more about AHLA and the educational resources available to the health law community at https://www.americanhealthlaw.org/

SPEAKER_00

This episode of AHLA Speaking of Health Law is sponsored by Clearwater. For more information, visit Clearwatersecurity.com.

SPEAKER_01

Welcome to the American Health Law Association's Speaking of Health Law podcast. I'm John Howlett with Clearwater, and I'll be hosting today's discussion. Today we're examining the current state of HIPAA Security Rule enforcement, including the pending Security Rule notice of proposed rulemaking, OCR's continued enforcement activity, and what healthcare organizations should be doing now while the regulatory picture remains unsettled. Joining me is Iliana Peters, attorney with Polsinelli and former OCR Deputy Director, who brings deep experience in advising healthcare organizations on HIPAA, privacy, security, and regulatory compliance matters. Iliana, thanks for joining me. It's great to speak with you again. Before we dive in, please share a little more about yourself and the work you're doing with healthcare organizations in this space.

SPEAKER_02

Yeah, absolutely. Thanks, John, for having me. It's always nice to have a discussion with you and the folks at Clearwater. I always like our in-depth discussions. Good stuff. As you mentioned, I'm a shareholder at Polsinelli, which is almost an Am Law 50 law firm now. We have offices all across the country. I sit in the Washington, D.C. office because, as you also mentioned, until about eight years ago, I worked at HHS. I was at HHS in the Office for Civil Rights for over a decade. And when I left, I was the acting deputy director for data privacy and security. So that was mostly HIPAA stuff, but some other things: patient safety, genetic information, crossover civil rights issues, and that sort of thing. I'm also a Certified Information Systems Security Professional. So I have an IT credential, because I had a large team at HHS, and that was lawyers and medical records folks, but also IT folks, which is very on point for the discussion we're going to have today and is super helpful when we get all these questions about IT security controls and how they overlap with the HIPAA Security Rule, et cetera, et cetera. So a lot of what I do nowadays in private practice is of course HIPAA work, but also other domestic data privacy and security work, particularly now with complicated IT questions, complicated data sharing projects, and more and more AI-related work because of those complicated IT and data sharing questions. So I am very eager to see where we go in the HIPAA space on this stuff too, and happy to talk about it with you today.

SPEAKER_01

Well, excellent. I appreciate the opportunity to draw on your experience and expertise for this conversation. Let's start with the big picture. With that in mind, how should healthcare organizations understand the HIPAA Security Rule landscape, given that the proposed rule is not final but OCR enforcement continues?

SPEAKER_02

I think it's a really good question. And obviously a question that I'm getting from lots of folks, both clients, but also industry, trade press, reporters, vendors, and consultants like Clearwater that I work with. I think we're all very excited about what may come. But until it does come, I think we are in a holding pattern and should be in a holding pattern. I know that there has been some chatter from at least some vendors in this space that covered entities and business associates should be anticipating that rule and beginning their compliance efforts. I would caution against that, because I think there may be significant changes from the notice of proposed rulemaking, and what HHS proposed in terms of changes to address cybersecurity in the HIPAA Security Rule, to the final rule. And, you know, Security Rule implementation, as you all know, John, is hard enough. And if we start anticipating what the changes might be, then we get teams all wound up about making changes that we may have to dial back or may have to approach differently once we actually see the final rule and what the final rule contains. The HIPAA rules also have a 180-day minimum compliance period. So any changes to the rules, and just a reminder that there are also Privacy Rule changes on the Secretary's calendar too, just for the audience to keep that in mind. Both of those sets of changes, when they are finalized, will have a 180-day compliance period at least after publication of the final rule. So it's not, you know, it's not a year, it's not two years, although it could be if they wanted to give us that amount of time, but it's a good amount of time to get our arms around whatever the final changes might be and how we should move forward with implementation in the correct way, rather than just sort of guessing based on what's in the notice of proposed rulemaking, particularly because, as you also know, there were a lot of negative comments on the proposed rulemaking.
So I do think there are going to be changes between the proposal and the final. And I would hate for folks to invest resources, both money, but also time and goodwill in terms of their internal teams, to try and implement requirements that aren't final yet. So I think that we are in a holding pattern and we are all, as I said, very excited to see what comes out. But I think we will just need to wait and see at this point.

SPEAKER_01

Yeah, thanks for that perspective. So, with that said, what obligations remain very real under the current Security Rule, even while organizations are waiting to see what happens with the NPRM? What do you have to share there?

SPEAKER_02

Yeah, I mean, I think we haven't really seen much change in OCR's enforcement posture, even though, again, there have been some murmurings about that. I think the only real change is the lack of resources. You know, as we all know, OCR was pretty decimated as a result of the DOGE efforts. At the beginning of the administration, they were down half of the offices, they were down quite a few people who left or were put on leave as part of that. So they have a significantly reduced staff. And as a result, the investigations, while they are occurring, are taking longer. You know, there may be more time involved between data requests, et cetera, but they are still happening. We also saw very recently four ransomware settlements grouped into one notice from OCR. And that was, you know, a significant amount of penalty money against those four different entities, which were all very different types of entities, as a result of ransomware incidents that they had. Those issues are all very security focused. And so OCR's approach to this has not changed in terms of what they're looking for. Their data requests have changed slightly, and we could talk about that a little bit more during our discussion, but the underlying requirements remain the same, and they are still focusing on, as we've always discussed, you and I and Clearwater generally, they are still focusing on risk analysis, risk management, things like access controls, particularly MFA, with these ransomware cases. They do always ask about the implementation of protection against malware, you know, all of those different requirements that are in the Security Rule now, and that they are expecting regulated entities, both covered entities and business associates, to implement as part of their compliance program. So I have not seen any approach from OCR that's different in terms of the actual regulatory requirements. So I would expect that to continue.
And of course, the idea would be that after the final rule, those requirements would actually become more robust than they are now. So I think the idea is we are absolutely still on the hook for what's there, and particularly what they have been focusing on over the last couple of years, and that's risk analysis and risk management, always. But then of course things like access controls, MFA, encryption, malware protection, et cetera. And I only see that increasing with the final rule coming.

SPEAKER_01

Thank you. Looking at the NPRM, again, understanding that, of course, it's not final. There's been a lot of feedback provided by the industry, as you noted. But from your perspective, what are some of the most important proposed changes there to the Security Rule, just to note for folks?

SPEAKER_02

Yeah, I mean, I think there's a lot. So it's hard to just sort of pick a few. I do think that, you know, from my perspective, there are arguably more robust protections, particularly related to security, compared with what's already in the Security Rule and Security Rule compliance. I think, in my opinion, the additional business associate protections are particularly onerous. And I think that's where we're going to have to spend a lot of time, not only understanding how to implement them practically, if they are finalized, which I think is a big if, but also the resources that are going to be involved in more closely keeping track of business associates and business associates' own business associate activities, if those requirements are finalized and as they move forward. So I think, you know, it's sort of a step up in the other requirements that we're already familiar with, of course, particularly with regard to cybersecurity. But I think the idea of what our business relationships with our business associate vendors, or conversely, business associates' relationships to covered entities, are going to look like moving forward is my biggest concern. And so I think we're going to have to spend some more time digging into that if those requirements are finalized. Of course, the Security Rule compliance will take more effort as well, but that's more of an internal-facing effort, right? We're going to have to get the teams together internally and figure out how to move forward with the increased controls that will be implemented or required by the Security Rule changes. But that can be more manageable because it's an internal-facing exercise. I think any external, business-relationship-facing exercises are always more difficult and resource intensive. And I think that's where we're going to have the most friction in implementation if those are finalized.

SPEAKER_01

Yep, that's great insight. The proposed rule would eliminate the distinction between required and addressable implementation specifications. That's been another key area of interest for folks. What does addressable actually mean today, and why is it risky for organizations to treat addressable safeguards as optional, from your perspective?

SPEAKER_02

Yeah, I mean, I think it's always been risky, right? Because addressable has never meant optional. It means you do that implementation specification or you implement and document a reasonable compensating control. So on some level, I understand the effort by HHS to clarify the fact that addressable specifications were never meant to be optional. And I think that's helpful in terms of clarifying for the industry, because it's not a substantive change. I do think, though, it may be short-sighted, in my opinion. And, you know, as a former policymaker from HHS, the point of addressable specifications was really that you do this, or you implement a reasonable compensating control and document it. I think in a lot of cases there can be reasonable compensating controls. I think the one where this always comes up is a perfect example, and that is encryption, because encryption is arguably an addressable specification. I think hopefully everybody realizes at this point that it's not optional. Encryption is not optional, particularly because in the vast majority of cases there is no reasonable compensating control for encryption, and OCR expects it. So when OCR asks you questions after a particular breach incident, they're asking how you implemented encryption, because that is essentially the requirement. My worry, however, is that as we move away from encryption to more sophisticated computing methods, as some of the encryption methodologies become outdated, if encryption is now required, that straps us moving forward.
In other words, if we start implementing quantum computing controls that are much stronger than the encryption controls that we have now, which can in some cases be broken by threat actors, that limits us, because now we are required to implement encryption and we don't have the room to make the argument that a different type of control may be more effective in a particular circumstance. So I'm a bit torn about this proposal, because I do think it's, in my opinion, one of the beauties of the Security Rule. We're always hearing that when the government implements security requirements, they're outdated, they're outdated tomorrow. Whereas if we say they're addressable, then that means you do that, or you do the next best thing, or something that's better, and you document that. And if we have something that's better, it allows us to implement the better thing. But I guess we'll just sort of have to see how we move forward and how HHS decides to update these addressable versus required implementation specifications.

SPEAKER_01

Yeah, understood. Thanks for your thoughts there. You touched earlier on OCR's focus on risk management as a component of Security Rule enforcement. So I wanted to circle back on that and explore it a little bit further with you. Tell us, what does OCR typically look for when determining whether an organization has actually acted on identified risks rather than simply documenting them year after year?

SPEAKER_02

Yeah, I mean, I think we have a pretty important enforcement case on this exact question, right? We have a case where a particular entity identified a risk, arguably did not implement the control that they had identified and the control that was recommended as part of their risk management plan over a series of years. They had a breach that was on point, and OCR attempted to fine that entity for that lack of implementation of controls. Now, the Fifth Circuit disagreed and did not necessarily require implementation of those controls that the entity had identified in their risk management plan, but it took a long time and a lot of money to get that opinion. So I think it's very clear from OCR's enforcement approach that they do expect, as required by the Security Rule, a reasonable and appropriate approach to implementation of risk management. In other words, it may be reasonable to defer risk, to transfer risk, or to not implement controls in a certain period of time. But to the extent that you have increased risks or the risk continues over time, that looks less and less reasonable and appropriate. And so I think the question always is, and the question that I do get from clients now is, if we can't implement a control tomorrow or next week or two months from now, how do we justify that, and when do we need to implement that control? And I think that's a really good question, because again, it's about when it becomes unreasonable to not implement the control that's been identified as part of your risk management process. And it's different for every entity. It's not a hard and fast rule, you know, and so I think it really depends on the type of data. It depends on, you know, are you a business associate? Are you a covered entity? What kind of systems are we talking about? What's the risk that we're talking about? Is the risk going to increase over time? Is it going to decrease over time?
These are all questions that we have to look at as part of that process. But I do think, in terms of a sort of bright-line rule, the further out you get from the implementation of an identified risk management strategy, the more it looks unreasonable. So I think, in the end, we have to be able to document that as we move out from that point over time, if we don't implement those compensating controls.

SPEAKER_01

So building on that point, can you share some insight on the kinds of evidence that healthcare organizations should be prepared to produce to show that security measures have been implemented, validated, and monitored? What's been your experience there?

SPEAKER_02

Yeah, I mean, I think it varies from OCR investigator to OCR investigator and office to office. I think you know, John, and the Clearwater folks are very plugged into this, but OCR has IT technical experts that assist the regional offices and the investigators in looking at that evidence, and has for a long time. When I was there, those folks sat only in the D.C. office and reported to the D.C. headquarters team. They were my staff, the enforcement director's staff or the deputy director's staff. Over time, those folks have now been placed in certain regional offices as well, and so they're sort of more integrated with the regional teams and the investigators. And so it does vary sort of office to office, investigator to investigator, but it always ends up being thousands of pages, to be honest. And what those pages are really differs depending on the control they're looking at, right? Again, if they're asking about encryption, then they're going to want to see evidence of the encryption methodology. So licenses, screenshots, enterprise dashboards on how your encryption is implemented. Similarly with MFA, they're going to ask you for licenses, screenshots, you know, examples. I've had more than one investigator ask us to walk them through the entity's MFA process, sort of in a webinar screen-share kind of situation. So the evidence can vary significantly. And so when I have these conversations with clients about, okay, what can we do now when we have a breach, or even if we're just trying to be really proactive about our compliance program, there are a lot of things that you can have ready to go: your risk analysis, your risk management plan, your training documents, your training logs, your security updates, your phishing training. You know, there are a lot of things that you can have ready to go.
And then there are a lot of things that you're going to just have to wait and see what the investigator asks for, and be ready to produce robust documentation about that, depending on how that investigator asks the question. Sometimes, if you produce those things that are ready to be produced in a quick manner, like your risk analysis, your risk management plan, your training, your updates, you know, those things that are ready to go, it makes the investigator see that enterprise as prepared and compliant, so that you can sort of dial down those other requests. Sometimes you can't. Sometimes you have to produce everything. So it's hard to say exactly what's going to satisfy an investigator in any particular situation. And those investigations and investigators vary. So, you know, I sort of try and school my clients on preparing for the worst and hoping for the best. And then we just see what happens and what the investigator asks for.

SPEAKER_01

Very good. So what does a continuous, defensible HIPAA risk management program look like in practice? Can you share some perspective there, especially maybe for organizations with limited resources? Resources can certainly be a challenge in this area for a number of healthcare organizations. So what would be your comment there?

SPEAKER_02

Yeah, I mean, I think, you know, John, you could talk to this all day too. I think the idea is really that the most important piece of that exercise is identifying where the ePHI is, because that is really where OCR pokes and prods, right? If they see a piece missing, that's where they're going to focus their inquiry. If you get all the data, but you don't get the enterprise risk assessment or risk analysis quite right for whatever reason, they're less likely to be upset about that, not that they're not upset, but they're less likely to focus on it than if you missed a whole chunk of ePHI. That's going to make them much more involved in that investigation than if you got all the ePHI and you just somehow didn't get the risk analysis quite right from their perspective. If you have a robust inventory, you know where your ePHI is, you know where your assets, systems, facilities, people, and vendors are that process your ePHI, that shows OCR that you have at least a good handle on that piece, even if the risk analysis piece isn't as robust as it should be. But obviously, ideally you have that inventory and then you have a really good, robust documentation process about what those risks look like. And, you know, it varies. I mean, Clearwater has a really thorough and in-depth process to help entities identify that and to produce the deliverables that OCR is looking for. If you're a really small entity, you might just have a robust spreadsheet. And OCR has been accepting of that, particularly if you're a small entity. So there are a lot of ways you can go about this, depending on the size and type of entity you are and the type of ePHI you hold. And so it's not like you have to have, you know, a super glossy set of deliverables with a PowerPoint presentation. OCR isn't going to penalize you if you don't have that. They do want robust documentation, though, whatever your documentation is.
And so they really want to see that you understand where the ePHI is and that you thought through what those risks actually look like so you can identify them. They may disagree with you about the level of risk, or about what you've done to implement controls to address that risk. But at least you're starting from kind of the same starting point in the conversation.

SPEAKER_01

Lastly, if you were advising a healthcare organization today, what are the top actions you would recommend while the Security Rule NPRM remains unresolved?

SPEAKER_02

Yeah, I mean, I think right now, and, you know, I'm surprised I'm still having this conversation with you, John. How many years are we into this now? A lot of years into this. Risk analysis, obviously, risk analysis and risk management, and business associate agreements. I did not think I'd be spending this much time on those three things at this point in my career, but I am, because there are still big holes, particularly given the new types of tools we're using in enterprises, including AI tools of a variety of types. I don't see those risks analyzed appropriately in risk analysis or risk management, and I don't see them addressed properly in business associate agreements either. And so I think that continues to be where I'm focusing my efforts on trying to educate regulated entities. And then of course we have all the other things like encryption and MFA and malware protection and, you know, all those important tools as well. But I think our IT teams are much more plugged into what that looks like these days than I think they used to be. And I think that's great. It's very encouraging to see. But I think where we're still seeing gaps is risk analysis, risk management, and business associate management, those vendor contracting issues. And so I really continue to just encourage regulated entities to look more closely at those pieces.

SPEAKER_01

Well, Iliana, thank you for an insightful and timely discussion. A few key themes stand out. First, while the HIPAA Security Rule changes are not final, OCR's expectations under the current Security Rule remain active and increasingly focused on whether organizations are managing risks, not just identifying them. Second, documentation matters, but documentation alone is not enough. Organizations need evidence that risks are being prioritized, controls are being implemented, and remediation is actually happening where appropriate. And finally, healthcare organizations should focus on building continuous, defensible risk management programs grounded in clear methodology, current asset knowledge, executive oversight, and recognized cybersecurity frameworks. On behalf of the American Health Law Association, thank you for joining us for this episode of Speaking of Health Law. I'm John Howlett with Clearwater, and we look forward to continuing the conversation.

SPEAKER_00

If you enjoyed this episode, be sure to subscribe to AHLA Speaking of Health Law wherever you get your podcasts. For more information about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org, and stay updated on breaking healthcare industry news from the major media outlets with AHLA's Health Law Daily Podcast, exclusively for AHLA Comprehensive members. To subscribe and add this private podcast feed to your podcast app, go to americanhealthlaw.org/dailypodcast.