Transcript

Evan Dumas

You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host, Evan Dumas.

 

Liath Dalton 

And I’m Liath Dalton, and we are Person Centered Tech.

 

Liath Dalton 

This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and electronic health record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user go to therapynotes.com and use promo code PCT.

 

Evan Dumas 

Hello and welcome to Episode 603: HIPAA Security Rule Changes: January 2026 Update and What Practices Need to Know.

 

Liath Dalton 

Ah, yes, another January, another new year, and another discussion of HIPAA Security Rule changes, and a little bit of desire to dispel some of the anxieties that folks have around these proposed and potentially forthcoming changes. So we thought, let’s talk about what’s going on and how this impacts and doesn’t impact you, so that you can be equipped with the peace of mind that you’re covered and doing what you need to be doing, and move forward with that assurance.

 

Liath Dalton 

So essentially, the kind of general context of this conversation is that in January of 2025, on January 6, to be precise, there was a Notice of Proposed Rulemaking, or an NPRM, that was published in the Federal Register, which is where all federal regulatory proposed changes are first given notice of. And then there was an extended public comment period.

 

Evan Dumas 

Oh yeah.

 

Liath Dalton 

Which generated a massive volume of responses. From solo practitioners, group practices, to large hospital organizations, third party payers, insurance companies, a lot of vendors that serve health care providers and HIPAA covered entities, etc. And then once the public comment period closed, it was crickets.

 

Evan Dumas 

Yeah, we didn’t know what happened at all.

 

Liath Dalton 

Right? There was no further discussion from the OCR, no public-facing discussion or news or alerts or anything from the Office of Civil Rights, who are the HIPAA regulators under HHS. And then the general consensus was really that, under the new administration at that time, current administration now, and their stance about regulation and tendency towards heavy deregulation, shall we say, this would be kind of dead in the water. And there was not really an expectation that it would get moved forward with.

 

Evan Dumas 

Yeah, that’s what we thought.

 

Liath Dalton 

Yes, that is what we thought.

 

Liath Dalton 

But now, we have new information and a new indicator, which is that, as of now, January 2026, the NPRM, that Notice of Proposed Rulemaking, has not been abandoned, because the OCR has placed that Security Rule update and the final rule update on its regulatory agenda for May.

 

Evan Dumas 

Yeah, we’ll find out then.

 

Liath Dalton 

Yeah. So of course, for folks who saw notice of, of this placement on the May regulatory agenda, this has generated questions of, is this really actually happening? What would change? How does that impact me? Do we need to scramble?

 

Liath Dalton 

So the way to really understand that, and think about this and approach it, is that this is moving forward slowly. And, like, really slowly, and we’ll talk about how slowly it’s likely to move, both sort of minimum and then more realistically, what’s most likely, a little later on. But essentially, this is going to be far less disruptive than it may sound to those of you who are already working with Person Centered Tech, and we’ll talk about why that is.

 

Liath Dalton 

But want to provide reassurance that the May agenda date does not mean that the rule is going to take effect in May, or that once the rule takes effect, that practices have to be compliant immediately.

 

Evan Dumas 

Ha! Certainly not.

 

Liath Dalton 

Right? Absolutely not. So basically, this agenda placement is just a signal of intent. It’s not an enforcement deadline. So we may see a final rule, potentially, as early as mid 2026. But, what’s most likely is that we’ll see further delay and modification. There was so much stakeholder input and feedback that there absolutely will be modifications to the original NPRM.

 

Liath Dalton 

But what we do know now from this placement on the regulatory agenda is that this is not just being quietly abandoned. But, you know, part of the context for that, that Evan and I were actually talking about in depth before we started recording this episode, is that there is actually bipartisan, amazingly enough, support for cyber security regulations related to health care information.

 

Liath Dalton 

Because the breaches that have occurred over the last little while, last year, thinking back to like Change Healthcare as well,

 

Evan Dumas 

Oh yeah, oh yeah.

 

Liath Dalton 

were so, so massively impactful and, like, in a very negative and expensive way.

 

Evan Dumas 

Definitely.

 

Liath Dalton 

Not only that, but the reality of it is that it is a national security consideration as well, right? If the healthcare infrastructure and health information technical infrastructure is vulnerable and is actively being exploited, that really does create a major national security threat and is something that needs to be managed. So that’s kind of the why as to this not being dead in the water.

 

Liath Dalton 

And if you go back to our podcast episode talking about the NPRM at the beginning of last year, in 2025, we were kind of lamenting the fact that speculation and general consensus at that point was that it was going to be dead in the water, and that nothing was going to come of it, precisely because the threat landscape is what it is, the exploits of the vulnerabilities are so consequential, and because all of the components in the NPRM are actually really common sense and best practice. Evan, related to that, we have some good news for folks, right?

 

Evan Dumas 

Yeah, you’re already, and we said this last year too, you’re already doing all the good things if you’re following our advice. Because we can move faster than HIPAA, we can see the security risks out there, and our recommendations around encryption, risk management, multi-factor authentication, you’ve been following that. And just keep doing what you’re doing. You know, there’ll be a couple new things, maybe, but otherwise, you’re in good hands.

 

Liath Dalton 

Exactly. Because basically there’s kind of a core theme to the proposed changes, and those can be distilled down to: they are more explicit around security requirements, so less ambiguity, which is great. A much stronger emphasis on verification. Not accepting a “We have a policy,” but also requiring a “We know and can document that it’s working.”

 

Evan Dumas 

Yeah.

 

Liath Dalton 

As Evan said, it’s already aligning with modern cyber security realities where multi-factor authentication and encryption and credential management are a core part of that. But there are some sort of high-level requirements that we saw being what generated the most concern or pushback, in terms of the public comments that were provided during the public comment period. And those were really centered around the requirement, even for solo practitioners, of having a written, thorough, and ongoing security risk analysis process. Having documented, so not just in your head or with intention, risk mitigation planning.

 

Liath Dalton 

Another really key component is having an asset inventory. So basically, a map of, or inventory of, all of the systems, devices and people with access to Protected Health Information that’s within your scope of responsibility and liability as a HIPAA covered entity. And then system activity review, which is one of the existing standards, but they’re providing more teeth to it, but that’s very much part and parcel of what’s incorporated into the PCT compliance processes and policies and procedures. And then the thing that I think generated the most angst was the requirements around activities like vulnerability scanning and penetration testing.

 

Liath Dalton 

The reassurance I want to provide about these sort of high-level changes, or increased specificity around existing requirements, is that, as always with HIPAA, these requirements are still scoped to systems you control. And for every PCT client, and the sort of modern mental health practice landscape for solo practitioners and group practices, that means that you are going to be primarily reliant on HIPAA-compliance-compatible cloud services. So you’re using an EHR and maybe Google Workspace, or Microsoft 365, and a HIPAA-friendly VoIP, voice over internet protocol, phone service and messaging service provider, etc.

 

Liath Dalton 

Those are Software as a Service. And those software service providers, as HIPAA Business Associates, are required to do the penetration testing. You don’t have to start doing Red Team penetration tests and trying to hack your EHR or Google. For a Software as a Service, or SaaS-based, practice, that means that the HIPAA Business Associate service providers that you work with are responsible for doing the penetration testing and providing security evidence and validation to you as the covered entity and their customer.

 

Liath Dalton 

What is applicable to SaaS-based practices is something called vulnerability scanning, which really just means configuration, identity and device review. Now, Evan, are those familiar things?

 

Evan Dumas 

Yeah, that’s also what you do. Where you look through your services, like in our services selection phase, and you say, hey, did I turn on all the right things? And especially device review. And you’re like, wait, are all my devices, especially if they’re BYOD, are they proven to be hardened? Do people know, did they do those steps? Do I trust that they did that? And so these regular reviews, identifying and making sure things are configured, are already stuff that we recommend you do.

 

Liath Dalton 

Yeah, so if you were doing things in that way, you are already doing the vulnerability scans, and that’s what’s going to be applicable to folks who aren’t running their own servers, for example. And I want to provide some reassurance that this NPRM is not an expectation from the OCR, from the HIPAA regulators, that solo practitioners or small group practices behave like hospitals, by any means.

 

Liath Dalton 

You are just expected, and required, to manage the things that you do control. And that’s where the identity, devices, and configuration of systems comes in. Because those are things that your HIPAA Business Associate service providers that are giving you those systems and platforms can’t control. So that’s within your scope of control. So the requirement is just that you apply appropriate and reasonable safeguards. And those safeguards haven’t changed in terms of the categories they fall into, either. They’re still technical, administrative, and physical. So it is not this, like, seismic shift that I think some of the concern or chatter occurring at the moment might make it out to be.

 

Evan Dumas 

Not at all.

 

Evan Dumas 

No, no. People, I mean, people make it out to be a seismic shift if they want your attention. It’s called clickbait. So no, come to us for the soothing.

 

Liath Dalton 

Yes, exactly. And speaking of soothing, we want to talk about effective dates versus compliance date, because it’s a super important distinction.

 

Liath Dalton 

Once the final rule is published, there will be an effective date, which often can be around 30 days after publication. However, an effective date is not, and I want to emphasize that, is not a compliance date. Meaning, just because it’s in effect doesn’t mean that there will be enforcement for non-compliance, right? The date that compliance is required, or the compliance date, is generally a minimum of 180 days or six months later, but often much longer when it’s a really substantive change. And that much longer can be like 24 months, two years later. Especially when it comes to Security Rules, and when it’s going to be, in reality, a massive lift for the bigger kind of stakeholders. For vendors, for insurance companies, for large hospitals. So there will be a lot of runway. So one good way to think about it is, this is not a cliff. It’s a runway.

 

Liath Dalton 

So a little bit of forecasting. Kind of earliest-case scenario is that mid to late 2026 we’ll get the final rule, and then the compliance deadlines are likely to be, at the very, very earliest, end of 2026, but more likely end of 2027, or sometime in 2028, especially for small entities. So take a deep breath.

 

Liath Dalton 

And part of why we’re talking about this is also wanting to inform folks so that you can be proactive, rather than reactive. And because we have such a long timeframe, there is the ability to be proactive rather than reactive. If you respond to all of the sort of clickbaity stuff like Evan was talking about, that’s intending to generate fear, because they want to make you buy something, then it’s making it seem like it’s much shorter and you have to be reactive right now, that the deadline’s already passed for being proactive. That is absolutely not the case.

 

Evan Dumas 

Not at all.

 

Liath Dalton 

So, like we said, if you’re working with PCT and have done the HIPAA compliance program, you’re already really well positioned, because you’ve done the real security work, not just performative compliance, and so the NPRM as it stands now would not really change anything. There is the potential that we might add a little bit more explicit, like specific, content around vulnerability scans, depending on what the final rule specifies about that. But from every other aspect, you’re already covered, and very likely are with regards to the vulnerability scanning as well.

 

Liath Dalton 

Because PCT has built our policies and procedures and risk analysis and the in-practice compliance-oriented resources all around the NIST framework, and NIST-based security thinking. And I should say what that acronym is. NIST is the National Institute for Security Technology, and it’s kind of the gold standard for cyber security frameworks, and that’s really what the NPRM is primarily based off of, and validating. So thankfully for us too, not just for all of you, this means PCT isn’t scrambling to rewrite all the policies and procedures or having to completely change the resources and support that we offer you.

 

Liath Dalton 

All right, all that said, what do you do now and what do you not do now? So don’t panic. Don’t buy tools you don’t understand.

 

Evan Dumas 

Oh no.

 

Liath Dalton 

Also, though, don’t assume that, because there’s been this period of silence basically since the public comment period ended last spring and now, the rule is dead and nothing’s going to come from it. But again, that’s a good thing, truly.

 

Liath Dalton 

So what you do want to do is stay informed, which is where we come in, because we will continue to talk about this in our office hours. We’ll do podcast episodes as appropriate to keep you updated, include mentions of this in the newsletter and article posts. We will sort of triage the information and tell you what is real and what you need to know as it applies to you and your practice.

 

Liath Dalton 

And then, as always, focus on real, in-practice security and what safeguards client information and your practice, not fear. And that’s something that can be really easy to lose sight of in the context of regulatory requirements, right, that they are imposed and technical and filled with legalese and can seem disconnected from the rest of what you do in your practice and as a business owner, but they are not at odds with, and actually are supportive of, client care, because safeguarding client info is part of client care.

 

Liath Dalton 

So just always try to recenter things on: am I really doing everything that’s reasonable and appropriate and within my control to safeguard client info? If yes, fantastic. If there are some areas that provide opportunity for improvement or making things more robust? Great, then you can work on those incrementally.

 

Liath Dalton 

Two kind of specific things that we do know are going to be important, though, in terms of being proactive and where they’re really focusing concerns and enforcement actions, are making sure that you do, in fact, have a documented, thorough and accurate risk analysis and risk mitigation plan, and that it’s current. That you’ve updated it, if there have been any systems changes or practice context changes, like you added a new physical location, or especially if you changed from a solo practice to a group, or maybe you changed from contractors to employees, that sort of thing. If there have been changes that impact what you would be looking at in a risk analysis, then you want to update that risk analysis and make sure it’s current.

 

Liath Dalton 

And then the other piece that’s really important is ensuring that you have really implemented and operationalized in practice written HIPAA security policies and procedures that address the existing standards. We don’t want to just have things living in our brains and not codified, or addressed only in passing conversations with team members, or just sort of a general expectation or thinking that folks know how to apply these pieces. We want to have it specified and not just written down and filed away, but really followed.

 

Liath Dalton 

So that’s the name of the game, as always.

 

Evan Dumas 

Yeah, yeah.

 

Liath Dalton 

So, I hope this has provided some reassurance, and also, you know, made you think, I’m actually doing a lot really well, and I’m in a good position for this and don’t have to be worried. So take a breath, pat yourself on the back, and as we already said, we’ll continue to track this closely, translate what actually matters, and make sure that you’re supported and resourced for whatever comes down the pipeline.

 

Evan Dumas 

Yeah, yeah.

 

Liath Dalton 

All right, folks, thanks so much for joining us. We hope you found this helpful, and we will talk to you next week.

 

Evan Dumas 

Talk to you next week, everybody.

 

Liath Dalton 

This has been Group Practice Tech. You can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast or click podcast on the menu bar.


Your Hosts:

PCT’s Director Liath Dalton

Senior Consultant Evan Dumas

Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.

In our latest episode, we have an update (and are once again offering reassurance) around the proposed HIPAA Security Rule changes.

We discuss:

  • The proposed Security Rule update on the OCR’s spring regulatory agenda
  • Why you’re already in good hands if you’re following PCT’s advice 
  • Some of the proposed changes that will impact therapy practices
  • Reassurance about these proposed changes
  • Effective dates versus compliance date
  • Forecasting scenarios for these changes to take effect
  • Steps to take now (and important things to not do now) to be proactive rather than reactive

Therapy Notes proudly sponsors Group Practice Tech!

TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.

*Please note that this offer only applies to brand-new TherapyNotes customers

Resources for Listeners

PCT Resources:

  • Article: HIPAA Security Rule Changes: January 2026 Update & What Practices Need to Know
    • Explore our in-depth article unpacking the proposed HIPAA Security Rule updates — what’s really happening, why it matters, and why this is a runway, not a cliff. You can also use our free Mini Risk Tool (download link in article) for a gentle check-in to see where your practice stands and what would most meaningfully support your security and compliance foundation.
  • PCT’s Comprehensive HIPAA Security Compliance Program (discounted) bundles:
      • For Group Practices
      • For Solo Practitioners
        • Comprehensive HIPAA Security Policies & Procedures
        • Forms & Logs for documenting implementation and maintenance of Policies & Procedures in practice
        • Device & Workspace Security Suites
        • Direct Support & Consultation from PCT team + therapist attorney Eric Ström, JD PhD LMHC (live & recorded + searchable library)
        • Includes the Risk Analysis & Risk Mitigation Planning service + tool
        • HIPAA Security & Privacy Ethics training
  • HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.
  • Group Practice Care Premium
    • weekly (live & recorded) direct support & consultation service, Group Practice Office Hours — including monthly session with therapist attorney Eric Ström, JD PhD LMHC
    • + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
    • + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
