It has been 90 days since the 2026 HIPAA Security Rule update took effect. Long enough for the initial "wait, does this apply to us?" panic to settle, short enough that most healthcare orgs haven't finished their first post-rule Security Risk Analysis (SRA).
I've spent the last quarter watching how small and mid-market healthcare organizations — FQHCs, critical access hospitals, multi-location dental groups, specialty practices, a handful of telehealth startups — actually implement the new SRA requirements in the wild. Here is what's changed in practice, separated cleanly from what hasn't.
The SRA itself: still the cornerstone, but the evidence bar moved
The 2026 update didn't invent the Security Risk Analysis; the Security Rule has required one since its 2005 compliance date. What changed is the evidence standard. Under the old rule, a one-page risk summary signed by a compliance officer was, in practice, defensible in an OCR audit as long as no breach had occurred. Under the 2026 rule, OCR investigators now routinely ask for four specific artifacts:
- A current asset inventory with PHI touch-points marked explicitly
- A threat model that references the specific EHR, communication stack, and backup vendors the org actually uses
- A vulnerability treatment plan with remediation dates, owners, and evidence of execution
- A documented risk-acceptance log for anything left unremediated, signed by a named executive
If you can't produce all four during an audit, your SRA is treated as incomplete. This is the biggest real-world delta from the pre-2026 posture.
MFA and encryption: finally mandatory, with exceptions that are narrower than people think
The 2026 rule moved multi-factor authentication and encryption for PHI at rest from "addressable" to effectively required. The headlines all covered this. What the headlines missed: the exception window is narrower than practitioners assume.
The narrow path to claiming an exception still requires:
- A documented reason the safeguard is not reasonable or appropriate
- A documented alternative safeguard that achieves equivalent protection
- A documented review cycle (at minimum annually) for when the condition changes
In practice, most small practices and FQHCs I've worked with discovered during their Q1 SRA that their existing IT stack already supports MFA and disk encryption — they just hadn't turned it on. The 2026 rule effectively closed the "we can't afford it" argument for anyone on a modern EHR or Microsoft 365 deployment.
Business Associate Agreements got teeth
The old BAA review pattern was: collect the signed agreement at vendor onboarding, put it in a folder, never look at it again. The 2026 rule adds an annual BAA verification step — you have to confirm the Business Associate is still meeting its obligations, not just that the contract exists.
The clean way to satisfy this: an annual questionnaire to each BA that captures (a) any security incidents in the past 12 months, (b) changes to their subcontractor list, (c) changes to their breach notification process, (d) confirmation that their own SRA is current. Any BA that refuses to respond — or responds with "no changes" to everything for multiple years — is a risk signal that the annual review is supposed to surface.
Most small practices have between 15 and 40 Business Associates once you count telehealth platforms, billing services, cloud backup, EHR hosting, messaging vendors, and ancillary service providers. That's 15–40 annual verifications, which is not zero work but is also not impossible to systematize.
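The annual verification is easier to keep honest if the questionnaire answers are recorded year over year and the review flags the signals described above automatically. The script below is an added example, not part of the original post or of any product it mentions; the vendor names, the answers and the field names are all constructed for illustration, and the three-year "no changes" threshold is an assumed cut-off, not a number the rule sets.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


# Field names below are this example's own choice, not terms from the rule.
@dataclass(frozen=True)
class Response:
    year: int
    incidents: int                 # (a) security incidents reported for the past 12 months
    subcontractor_changes: bool    # (b) did the BA's subcontractor list change
    breach_process_changed: bool   # (c) did the BA's breach-notification process change
    sra_current: bool              # (d) BA confirms its own SRA is current

    def is_all_no_change(self) -> bool:
        """True when the BA answered 'nothing changed, all good' to every question."""
        return (self.incidents == 0
                and not self.subcontractor_changes
                and not self.breach_process_changed
                and self.sra_current)


def review_business_associates(history: Dict[str, List[Response]],
                               review_year: int,
                               stale_after: int = 3) -> List[Tuple[str, str]]:
    """Return (business_associate, reason) pairs that need human follow-up.

    A BA is flagged when it did not answer this year's questionnaire, reported
    an incident, says its own SRA is not current, or has answered 'no changes'
    to everything for `stale_after` or more consecutive years ending this year.
    """
    flags: List[Tuple[str, str]] = []
    for ba, responses in history.items():
        by_year = {r.year: r for r in responses}
        current = by_year.get(review_year)
        if current is None:
            flags.append((ba, f"no questionnaire response for {review_year}"))
            continue
        if current.incidents:
            flags.append((ba, f"reported {current.incidents} incident(s); confirm you received breach notification"))
        if not current.sra_current:
            flags.append((ba, "states its own risk analysis is not current"))
        # Count consecutive all-no-change years ending at review_year.
        streak, year = 0, review_year
        while year in by_year and by_year[year].is_all_no_change():
            streak += 1
            year -= 1
        if streak >= stale_after:
            flags.append((ba, f"'no changes' to every question for {streak} consecutive years; verify instead of filing"))
    return sorted(flags)


# Constructed sample history (fictional vendors and answers).
SAMPLE_HISTORY: Dict[str, List[Response]] = {
    "EHR Hosting Co": [                       # identical answers three years running
        Response(2024, 0, False, False, True),
        Response(2025, 0, False, False, True),
        Response(2026, 0, False, False, True),
    ],
    "Billing Service": [                      # reported an incident this year
        Response(2025, 0, False, False, True),
        Response(2026, 1, False, True, True),
    ],
    "Telehealth Platform": [                  # never returned the 2026 questionnaire
        Response(2024, 0, False, False, True),
        Response(2025, 0, False, False, True),
    ],
    "Cloud Backup": [                         # a real change reported: nothing to flag
        Response(2025, 0, False, False, True),
        Response(2026, 0, True, False, True),
    ],
}

if __name__ == "__main__":
    for ba, reason in review_business_associates(SAMPLE_HISTORY, 2026):
        print(f"{ba}: {reason}")
```

Run against the sample, the 2026 review flags the billing vendor's incident, the hosting vendor's three identical "no changes" returns, and the telehealth platform's missing response, while the backup vendor that reported a genuine subcontractor change is left alone. A flag is a prompt to verify, not a verdict: the next step is a call to the BA, and the outcome belongs in the same record so the following year's review can see it.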
Contingency plan testing: OCR asks for the run log now
The pre-2026 requirement was that you have a contingency plan. The 2026 update requires you to test it annually AND retain the run log. In practice this means a yearly tabletop exercise with:
- A documented scenario (ransomware hitting the EHR, for example)
- A roster of who participated
- A log of what decisions got made during the simulated incident
- A list of what broke or was unclear
- A revision of the plan based on what was learned
An untested contingency plan that looks great on paper is, post-2026, treated roughly the same as not having one at all.
What didn't change: the SRA is still annual + after significant change
A persistent myth is that the 2026 rule changed the SRA cadence. It didn't. The cadence is still: at least annually, AND after any significant change in operations, technology, staff, or threat environment. "Significant change" includes EHR migrations, new service lines, acquisitions, ransomware incidents in your sector, and — per OCR's latest guidance — major workforce turnover in privacy or security roles.
What also didn't change: there is no OCR-blessed SRA template that works for every org. The rule still describes an approach; each covered entity is still responsible for tailoring it to its own risk posture.
What small practices and FQHCs are getting wrong 90 days in
Three recurring failure patterns I've seen during Q1 post-2026 SRAs:
Copying someone else's asset inventory. The asset inventory is where most orgs try to cut corners, reusing a list from a peer org or from an old NIST CSF assessment. OCR investigators notice when the asset list doesn't match the EHR and surrounding stack the org actually operates. Build the inventory from scratch.
Treating MFA as purely an admin-user requirement. The 2026 rule effectively applies MFA to any account that can access PHI, not just admin accounts. That includes clinicians, nurses, billing staff, and — critically — vendor accounts used by BAs to connect into your systems. Most orgs miss the vendor-account leg.
Skipping the risk-acceptance log. If a finding from the SRA isn't remediated, the 2026 rule requires a documented decision that someone with authority accepts the residual risk. A finding left in the "open" column of a spreadsheet without an acceptance memo is not the same thing.
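The second and third failure patterns are both things a small script over the SRA's own records can catch before an investigator does: every account that can reach PHI without enforced MFA, vendor logins included, and every finding that is neither remediated with evidence nor covered by a signed, still-current risk acceptance. The code below is an added example, not from the original post or from any product; the account names, findings, dates and the record layout are constructed for illustration, and the review date is an assumed "today".

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


# Field names are this example's own; they are not a schema the rule prescribes.
@dataclass(frozen=True)
class Account:
    name: str
    kind: str           # e.g. "admin", "clinician", "billing", "vendor", "service"
    phi_access: bool    # can this login reach PHI (EHR, billing, PHI mailboxes, backups)?
    mfa_enforced: bool  # is MFA enforced, not merely available, for this login?


@dataclass(frozen=True)
class Finding:
    finding_id: str
    title: str
    remediated_on: Optional[date] = None     # date the fix was completed
    evidence: Optional[str] = None           # ticket, change record, screenshot, config export
    accepted_by: Optional[str] = None        # named executive who signed the acceptance
    accept_review_by: Optional[date] = None  # when the acceptance must be revisited


def mfa_gaps(accounts: List[Account]) -> List[str]:
    """Every account that can reach PHI without enforced MFA, whatever its kind."""
    return [a.name for a in accounts if a.phi_access and not a.mfa_enforced]


def disposition_gaps(findings: List[Finding], today: date) -> List[Tuple[str, str]]:
    """Findings that are neither remediated-with-evidence nor formally accepted."""
    gaps: List[Tuple[str, str]] = []
    for f in findings:
        if f.remediated_on is not None:
            if f.evidence:
                continue  # remediated and proven: nothing to chase
            gaps.append((f.finding_id, "marked remediated but no evidence of execution"))
            continue
        if f.accepted_by and f.accept_review_by:
            if f.accept_review_by < today:
                gaps.append((f.finding_id,
                             f"risk acceptance by {f.accepted_by} was due for review on {f.accept_review_by}"))
            continue
        gaps.append((f.finding_id, "open: no remediation evidence and no signed risk acceptance"))
    return gaps


# Constructed sample data (fictional accounts and findings).
SAMPLE_ACCOUNTS = [
    Account("it-admin", "admin", True, True),
    Account("dr-smith", "clinician", True, True),
    Account("billing-jdoe", "billing", True, False),
    Account("vendor-ehr-support", "vendor", True, False),   # BA remote-support login
    Account("svc-printer", "service", False, False),         # no PHI, so out of scope
]

SAMPLE_FINDINGS = [
    Finding("F-001", "MFA not enforced for billing staff",
            remediated_on=date(2026, 2, 10), evidence="CHG-4417"),
    Finding("F-002", "Backup volumes not encrypted at rest",
            remediated_on=date(2026, 3, 1)),                  # no evidence attached
    Finding("F-003", "Legacy lab analyzer cannot use TLS",
            accepted_by="J. Rivera, CEO", accept_review_by=date(2027, 3, 1)),
    Finding("F-004", "Shared vendor login for EHR support",
            accepted_by="J. Rivera, CEO", accept_review_by=date(2025, 12, 31)),
    Finding("F-005", "No tabletop exercise run this year"),  # simply open
]

REVIEW_DATE = date(2026, 4, 1)  # assumed 'today' for the sample run


def run_checks(accounts: List[Account] = SAMPLE_ACCOUNTS,
               findings: List[Finding] = SAMPLE_FINDINGS,
               today: date = REVIEW_DATE) -> Dict[str, list]:
    """Bundle both checks so one call produces the gap list for the SRA file."""
    return {"mfa_gaps": mfa_gaps(accounts),
            "disposition_gaps": disposition_gaps(findings, today)}


if __name__ == "__main__":
    report = run_checks()
    print("PHI-access accounts without MFA:", ", ".join(report["mfa_gaps"]))
    for finding_id, reason in report["disposition_gaps"]:
        print(f"{finding_id}: {reason}")
```

On the sample the MFA check names the billing user and the vendor support login and ignores the print service account because it cannot reach PHI; the disposition check flags the backup finding closed without evidence, the vendor-login acceptance whose review date has lapsed, and the tabletop finding that is just sitting open. The account list is the part that needs the most care in real use: it has to be built from the identity provider and the EHR's own user table, not from memory, or the vendor-account leg goes missing again.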
The upshot
If you did a solid SRA under the pre-2026 rule, you're 70 percent of the way to a solid SRA under the 2026 rule — plus the four artifacts, plus MFA closure, plus the BAA annual verification, plus the contingency-plan run log. That's a week of work for most small practices and a month for mid-sized FQHCs with more BAs and more complex stacks.
If you haven't started, start with the asset inventory. Every other artifact depends on it.
Medcurity builds HIPAA compliance software for small and mid-market healthcare organizations that need the artifacts the 2026 rule requires, without the enterprise-tier sticker shock. If you're scoping your first post-2026 SRA, our pillar on the best HIPAA SRA software for 2026 is the next read.