HIPAA News: Latest Rule Changes, Enforcement Actions, and Compliance Updates

Kevin Henry

HIPAA

June 28, 2025

6-minute read

HIPAA Security Rule Updates

What’s proposed

HHS/OCR issued a Security Rule Notice of Proposed Rulemaking (NPRM) on December 27, 2024. The proposal would modernize the HIPAA Security Rule by, among other changes, requiring encryption of ePHI at rest and in transit, multi-factor authentication, asset inventories and network maps, vulnerability scanning at least every six months, annual penetration testing, network segmentation, 24-hour workforce-access change notifications, 72-hour restoration procedures for critical systems, annual compliance audits, and making all implementation specifications required (with limited exceptions). While under consideration, the current Security Rule remains in effect.

([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet))

What to do now

Even before a final rule, you should align controls with the NPRM’s direction: validate risk analysis scope, document policies and incident response, strengthen access controls (including MFA), maintain up-to-date inventories and segmentation, and test backups and recovery. Demonstrating recognized security practices for at least 12 months can mitigate OCR enforcement outcomes during investigations or compliance reviews.

([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html))

HIPAA Privacy Rule Updates

Reproductive health privacy rule status

On June 18, 2025, a federal district court vacated most of OCR’s April 26, 2024 Final Rule aimed at reproductive health care privacy. The court left intact certain Notice of Privacy Practices (NPP) modifications; compliance with the remaining NPP changes is required by February 16, 2026. Covered entities should review which NPP elements still apply following the decision and plan updates accordingly.

([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html))

Part 2 alignment and Privacy Rule modifications

HHS finalized changes to 42 CFR Part 2 on February 8, 2024 to align confidentiality protections for substance use disorder (SUD) records with HIPAA. Entities subject to HIPAA and handling Part 2 records must meet the Part 2 final rule by February 16, 2026, including updating their NPPs and revising internal policies, consents, and training to reflect these Privacy Rule-related modifications.

([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))

Enforcement Actions Overview

Recent patterns

OCR’s enforcement focus continues to span cybersecurity and patient access. In 2025, OCR imposed a $1,500,000 civil money penalty on Warby Parker for Security Rule violations stemming from credential-stuffing attacks and cited failures in risk analysis, risk management, and activity review.

([hhs.gov](https://www.hhs.gov/about/news/2025/02/20/hhs-imposes-1500000-penalty-against-warby-parker-hipaa-hacking.html))

OCR also advanced its Right of Access initiative, settling with Concentra, Inc. on December 16, 2025 for $112,500 after determining the provider failed to furnish records within HIPAA’s 30-day timeframe. These actions underscore that both cybersecurity preparedness and timely patient access remain top priorities.

([hhs.gov](https://www.hhs.gov/press-room/ocr-settles-with-concentra.html))

Risk Analysis Initiative

Risk analysis enforcement remains central. OCR settlements and corrective action plans repeatedly require a thorough, enterprise-wide risk analysis and risk management under 45 C.F.R. § 164.308(a)(1). For example, a 2025 resolution with Northeast Radiology tied payment and a multi‑year corrective plan to performing a complete risk analysis and implementing structured remediation, illustrating how OCR uses compliance reviews to drive sustainable fixes.

([hhs.gov](https://www.hhs.gov/sites/default/files/ocr-hipaa-settlement-nerad.pdf))

Compliance Deadlines

  • February 16, 2026: Deadline to comply with the 42 CFR Part 2 final rule and to implement surviving NPP modifications that remain in effect after the June 18, 2025 court decision.
  • July 29, 2024: FTC Health Breach Notification Rule (HBNR) amendments took effect; vendors of personal health records (including most health apps) must follow new breach-notice provisions.
  • HIPAA Breach Notification (HHS): Breaches affecting fewer than 500 individuals discovered in 2025 must be reported to HHS no later than 60 days after year-end (by March 1, 2026); 500+ individual breaches require notice without unreasonable delay and no later than 60 days from discovery.

As of February 19, 2026, these are the operative dates and obligations for most entities handling PHI and Part 2 records, alongside the HBNR effective date and HIPAA breach-reporting timelines.

([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))

Health Breach Notification Rule Updates

Scope and timing

The FTC’s 2024 amendments clarify that the Health Breach Notification Rule applies to most health apps and similar technologies. Amendments took effect July 29, 2024, and violations can trigger civil penalties up to $51,744 per violation. If a breach affects 500+ people, notify consumers and the FTC without unreasonable delay and within 60 days; for fewer than 500, submit your annual FTC notice within 60 days after year-end while still notifying individuals within 60 days of discovery.

([ftc.gov](https://www.ftc.gov/business-guidance/resources/health-breach-notification-rule-basics-business))

Enforcement Penalties

HIPAA penalty tiers (2026, inflation‑adjusted)

  • Tier 1 (Did Not Know): $145–$73,011 per violation; annual cap $2,190,294.
  • Tier 2 (Reasonable Cause): $1,461–$73,011 per violation; annual cap $2,190,294.
  • Tier 3 (Willful Neglect, corrected): $14,602–$73,011 per violation; annual cap $2,190,294.
  • Tier 4 (Willful Neglect, not corrected): $73,011–$2,190,294 per violation; annual cap $2,190,294.

These official amounts reflect HHS’s January 28, 2026 civil monetary penalty adjustment. Note that OCR continues to apply a 2019 enforcement discretion that lowers annual caps for Tiers 1–3 (approximately $36,506; $146,053; and $365,052 in 2026), while Tier 4’s cap remains at $2,190,294; OCR may revise this approach in future rulemaking.

([regulations.justia.com](https://regulations.justia.com/regulations/fedreg/2026/01/28/2026-01688.html))

FAQs

What are the latest updates to the HIPAA Security Rule?

HHS proposed substantial Security Rule changes on December 27, 2024, including mandatory encryption of ePHI at rest and in transit, MFA, asset inventories and network maps, routine vulnerability scanning and annual penetration tests, segmentation, 24-hour access-change notifications, 72-hour restoration objectives, and annual compliance audits. These are proposals; the existing Security Rule remains in force until a final rule is published.

([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet))

How is the OCR enforcing HIPAA compliance?

OCR continues active enforcement through investigations and compliance reviews, emphasizing cybersecurity controls and the Right of Access. Recent actions include a $1.5M CMP for Security Rule violations (Warby Parker, Feb 20, 2025) and a $112,500 Right of Access settlement (Concentra, Dec 16, 2025), reflecting sustained attention to risk analysis, risk management, activity review, and timely patient access.

([hhs.gov](https://www.hhs.gov/about/news/2025/02/20/hhs-imposes-1500000-penalty-against-warby-parker-hipaa-hacking.html))

When must covered entities update their Notice of Privacy Practices?

By February 16, 2026. That date applies to covered entities handling 42 CFR Part 2 records under the 2024 final rule, and to the remaining HIPAA NPP modifications that survived the June 18, 2025 court decision on the reproductive health privacy rule. Review your operations to determine which NPP elements apply and finalize updates before the deadline.

([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))

What are the new penalty ranges for HIPAA violations?

As of January 28, 2026, the inflation‑adjusted ranges are: Tier 1 $145–$73,011; Tier 2 $1,461–$73,011; Tier 3 $14,602–$73,011; Tier 4 $73,011–$2,190,294 per violation, with annual caps of $2,190,294. OCR also applies a 2019 enforcement discretion with lower annual caps for Tiers 1–3 (about $36,506; $146,053; $365,052 respectively); Tier 4’s cap remains $2,190,294.

([regulations.justia.com](https://regulations.justia.com/regulations/fedreg/2026/01/28/2026-01688.html))
