The 2026 updates are mostly focused on making sure clinics have real, documented systems to protect patient information, (cybersecurity). Even solo-practitioners don’t fly under the radar as far as HIPAA is concerned. EVERY provider is responsible for safeguarding PHI. Here are the four major items you should make sure you are doing:
1. Notice of Privacy Practices (NPP)
This document is MANDATORY and outlines how PHI will be used and disclosed and what rights patients have. HHS has not issued a new template, but they are encouraging plain, simple language. Furthermore the new requirements state the NPP must comply with all federal nondiscrimination laws. This means you should provide the NPP in the patient’s language, for non-English speakers.The updates must be completed by February 16, 2026.
2. Updated Business Associate Agreement
You MUST have a signed Business Associate Agreement (BAA). Not just for your EHR, or your clearing house but if you have cloud storage, email systems, outside billers and collectors – ANY vendor or person that touches PHI -You must have a BAA agreement from ALL.
3. Complete an Annual Security Risk Assessment
A documented SRA proves you understand where PHI lives in your clinic (devices, software, backups,cloud storage) and what your risks (lost laptops, hacked email) and what safeguards you’ve implemented.
4. Maintain a Breach Response SOP and Incident Log
If PHI is exposed, even accidentally, you need a clear written response process. Having standard operating procedures and a log shows you can respond quickly, documenting decisions and notification requirements.
You also need to check state laws, as both California and New York have shortened breach reporting from 60 days to 30 days. Furthermore in California if a breach impacts more that 500 residents you must also notify the CA Attorney General, where previously this was not required.
New Tool Coming!
We are putting the finishing touches on updated NPP form, Acknowledgement and BAA agreements in both English and Spanish templates for our members to use and members will be notified when we upload to the resources file on our site.