The proposed 2026 HIPAA Security Rule update would eliminate the "addressable" safeguard category — making controls like MFA and encryption mandatory. It is a proposed rule, contested, and not yet final; we prepare practices for the direction with work that holds regardless. We deliver the full Security Risk Analysis (required under the Security Rule today), the policy suite, the BAA inventory, and the evidence to satisfy an OCR audit. BAA signed before any work begins. Starting at $7,500.
Since 1996, the HIPAA Security Rule has split safeguards into two categories: required (no choice) and addressable (implement, adopt an equivalent, or document why neither applies). The 2026 update eliminates that distinction. Every listed safeguard becomes mandatory — encryption, audit logs, workforce training, contingency planning, sanction policies, and the rest.
For most small practices, "addressable" was a quiet escape hatch. Encryption at rest on workstations? Addressable. Documented sanction policy for workforce violations? Addressable. Annual workforce training? Addressable. None of that survives the update. The day the rule takes effect, every safeguard you've been treating as optional becomes a finding on an OCR audit and a question your malpractice insurer will ask before renewal.
The good news: the underlying work is finite. A clean Security Risk Analysis, a policy suite mapped to the new rule, a BAA review, and the evidence binder to back it all up. We've productized exactly that engagement.
Most small healthcare practices have something they call a Security Risk Analysis. It's usually a downloaded template, partially filled out, last updated when the EHR rolled in. OCR doesn't accept that. Underwriters don't accept that. And neither does the malpractice carrier when the questions get specific.
HHS Office for Civil Rights has steadily increased enforcement actions year over year. Small practices used to be below the radar. They aren't anymore — random audits and complaint-driven investigations both find them. The SRA is the first document OCR asks for.
Healthcare practice insurance — malpractice, general liability, cyber — increasingly requires HIPAA evidence on the application. "Do you have a current Security Risk Analysis?" isn't a yes/no anymore. Underwriters want to see the document.
EHRs handle ePHI inside their walls. They don't audit your workstations, your printers, your back office, your terminated workforce, your business associates, or your physical access controls. The SRA covers your whole environment — not just the parts the EHR sees.
The HIPAA Security Rule organizes safeguards into three categories: administrative, physical, and technical. The proposed 2026 update would make currently-addressable safeguards mandatory; we assess against the rule as it exists today and prepare for the proposed direction. Below is what we examine in each category — and what an OCR auditor will ask to see.
Risk analysis (the SRA itself), risk management plan, sanction policy, information system activity review.
Authorization and supervision, workforce clearance, termination procedures, access authorization, access establishment and modification.
Security reminders, malware protection, log-in monitoring, password management. Training cadence and completion evidence.
Incident response procedures, data backup plan, disaster recovery plan, emergency mode operation plan, testing and revision.
BAA inventory across all business associates, contractual cyber requirements, ongoing posture verification, remediation language.
Contingency operations, facility security plan, access control and validation, maintenance records, workstation siting.
Workstation use policy, workstation security controls, device and media controls (disposal, re-use, accountability, backup).
Unique user identification, emergency access procedure, automatic logoff, encryption and decryption, audit log review.
Mechanisms to authenticate ePHI integrity, person or entity authentication, integrity controls and encryption in transit.
The mandatory document under 45 CFR §164.308(a)(1). Most templates floating around are checklists masquerading as analyses. Ours is the document an OCR auditor opens, reads, and accepts — methodology declared, scope documented, every safeguard rated on impact and likelihood, every finding paired with the evidence that proves the control is real.
Predictable rhythm, scoped before kickoff. Signed BAA precedes any access. You know what we're doing, what we need from your team, and what you'll hold at the close — plus the verify pass once remediation is done.
Signed BAA before any access. A 30-minute intake call to confirm scope: practice profile, workforce count, EHR vendor, locations, business associates, current SRA status (if any), and the deadline driving the engagement.
We walk the three safeguard categories with your team. Workforce interviews where needed, document review, policy assessment, technical configuration capture, walk-through of physical controls, BAA inventory and review.
Findings packaged into the SRA: scope statement, threat identification, safeguard-by-safeguard analysis, risk rating matrix, evidence appendix, and the Risk Management Plan that accompanies it.
Live review with practice leadership. We translate findings into plain English, prioritize the remediation roadmap by impact, and confirm the three remediation paths — we do the work, we lead your IT or EHR vendor through it, or we coordinate an outside firm.
After remediation closes, we re-audit against the same standard and produce a delta report — what moved, what improved, what's still open. Optional add-on or bundled with Compliance Care.
The 2026 update raises specific questions. Below are the ones we hear most often from dental, optometry, chiropractic, PT, behavioral health, and small primary care practices. Email [email protected] if yours isn't here.
Fixed fee, scoped before kickoff. Starting at $7,500 for small single-location practices (up to 10 workforce). Group practices and multi-site environments are quoted after a 30-minute discovery call. No hourly billing — productized work is fixed-price, full stop.
3–4 weeks for typical single-location practices. We need a few hours of practice manager and clinical lead time across the engagement — most working sessions are 60-minute blocks. Group and multi-site practices run 4–6 weeks.
Yes. A signed BAA precedes any work, any access to ePHI, and any examination of systems that touch it. We provide our standard BAA; we'll also review and execute your preferred BAA if your practice has one. The signed BAA is filed with your engagement record and referenced in the SRA itself.
Depends on the SRA. If it's a downloaded template partially filled out, last updated when the EHR rolled in, with no risk rating matrix and no evidence appendix — yes, you need a real one before the 2026 update. If you have a current, defensible SRA from a qualified party, we'll review what you have and tell you honestly whether it survives the new rule or needs refresh work.
In most cases, yes. Healthcare insurance applications increasingly ask "do you have a current Security Risk Analysis?" and a defensible SRA + Risk Management Plan answers that affirmatively. We can also extend the engagement to include cyber-insurance-specific evidence packaging if you carry separate cyber liability coverage.
Two paths. Best case: the SRA satisfies the documentation requirement and the inquiry closes. More common: OCR asks for additional evidence on specific safeguards, and the Evidence Appendix you already have answers those questions without scrambling. We'll guide you through the back-and-forth at no additional cost during the active engagement and as part of Compliance Care if you carry the retainer.
You should not have to wire a five-figure fee to a firm on faith and hope the Security Risk Analysis holds up when it matters. So we structure the engagement so the risk sits with us.
If an OCR auditor rejects the Security Risk Analysis as insufficient for the requirement it addresses, we revise it free until it is accepted — or we refund the engagement fee in full.
Half to start, half only when the SRA and Risk Management Plan are in your hands and you have reviewed them. You see the work before the second invoice.
A signed BAA precedes any access to ePHI. The delivery date is set in the proposal before kickoff for a standard single-location practice — not a moving target.
The practice manager and clinical lead give us a few interview hours across the engagement. We handle the document review, configuration capture, and the SRA writeup. It does not become your front desk's second job.
A 30-minute conversation with a senior consultant. Bring the deadline (renewal, OCR notice, audit timeline, or just calendar urgency) and a quick read of what's currently in place. You'll leave with a clearer picture of what the 2026 update changes for your practice — and a fixed-fee proposal if it makes sense to engage.