All insights
Deep dives mapped to the Privacy, Security, and Breach Notification Rules, written for operators who need plain-English explanations, CFR citations, and practical checklists.
Try: BAA, Security Rule, breach notification, PHI, OCR enforcement
Featured insight
Rule Update
OCR announced new offices focused on religious discrimination and anti-Christian bias on May 19, 2026 — raising serious questions about whether HIPAA breach enforcement will receive less attention as resources shift to administration priorities.
Rule Update
OCR Acting Director Paula Stannard used her HIMSS 2026 address to defend the proposed HIPAA Security Rule update, warning that weak cybersecurity controls have enabled a wave of ransomware attacks that harm patients and that inaction is not a cost-free option.
Rule Update
A HITECH Act provision requires HHS to share HIPAA civil money penalties with individuals harmed by violations. OCR is now seeking comment on how to implement it. Here is what the proposed program would mean for patients, covered entities, and compliance programs.
Rule Update
HHS restructured its Office for Civil Rights, creating three new divisions to handle a 69% increase in complaints. Here is how the new structure works and what it means for HIPAA investigations.
Rule Update
OCR's regulatory agenda listed May 2026 as the target for the HIPAA Security Rule final rule. The month is here and no announcement has been made. Here is where things stand and what covered entities should do right now.
Rule Update
A federal court vacated most of OCR's 2024 reproductive health privacy rule in June 2025, but key Notice of Privacy Practices changes survived and were required by February 16, 2026. Here is exactly what covered entities must do.
Rule Update
A complete guide to all eight patient rights under the HIPAA Privacy Rule — what each right requires, how to respond correctly, and the timelines your practice must meet.
Rule Update
OCR's proposed HIPAA Security Rule overhaul faces fierce industry opposition — including a coalition of over 100 hospital systems calling for its withdrawal. Here is the full picture of what is proposed, who is fighting it, and what covered entities should actually do while the outcome remains uncertain.
Rule Update
The most significant update to the HIPAA Security Rule since 2013 is on the verge of finalization. Here is what the proposed changes require and what every covered entity and business associate must do to prepare.
Rule Update
As of February 16, 2026, OCR began civil enforcement of the updated Part 2 regulations protecting substance use disorder patient records. Behavioral health providers face a new compliance obligation that runs alongside and partially overlaps with HIPAA.
Rule Update
OCR has formally expanded its enforcement initiative beyond risk analysis to include risk management. Here is exactly what changed, what OCR is now looking for, and the specific steps every covered entity and business associate must take.