If you’ve signed a business associate agreement with every vendor who touches health information of the people you serve, you’ve probably felt pretty good about that. Reasonable assumption. For years, a signed BAA was more or less the standard way to demonstrate HIPAA compliance on the vendor side. It wasn’t perfect, but it was the baseline.

That baseline is about to change.

The federal government is preparing to release the first major update to the HIPAA Security Rule in more than 20 years. A final rule is expected as early as mid-2026 — the exact timing has shifted and may shift again — but the proposed changes are specific enough that waiting to pay attention doesn’t make much sense. The compliance deadline, whenever it lands, is expected to be around Q1 2027.

The changes affect two groups: organizations that handle protected health information, and the vendors who handle that information on their behalf. If your organization creates, stores, or transmits protected health information — whether you’re a medical practice, a behavioral health center, a nonprofit human services organization, a home health agency, or any other type of covered entity — you’re in the first group. Your billing company, your EHR vendor, your IT provider, your cloud storage service: they’re in the second. This update rewrites the relationship between the two.

What’s Changing for Covered Entities

Here’s the part most compliance summaries are burying: this update doesn’t just raise the bar for your vendors. It makes you responsible for confirming they’ve cleared it.

Under the current rule, a signed business associate agreement has served as the "satisfactory assurances" that a vendor will safeguard the data it handles, and covered entities have not been required to check further. The proposed rule changes that directly. Covered entities (medical practices, behavioral health organizations, nonprofits that provide health-related services, home health agencies, and anyone else who handles protected health information) would be required to obtain written verification from each business associate at least once every 12 months confirming that the required technical safeguards are actually deployed. That verification has to rest on a written analysis of the vendor's relevant systems by a qualified cybersecurity subject matter expert, together with a written certification that the analysis was performed and is accurate. A signature on an agreement isn't the same thing.

In plain terms: you need to know, every year, whether your vendors can back it up. And if they can’t, their compliance gap becomes your exposure.

Most organizations don’t think of vendor management as part of their cybersecurity program. You hire a billing company, you sign a BAA, you move on. The updated rule says that’s not enough anymore, and the volume of healthcare data breaches we’ve seen over the past several years suggests it never really was. Business associates have been the source of a large proportion of major healthcare breaches. The update is a direct response to that.

So, what do you actually need to do?

  • Start by auditing your vendor list. Identify every business associate: every company that creates, receives, maintains, or transmits protected health information on your behalf, and confirm you have a current BAA with each of them.
  • Plan to update those agreements before the compliance deadline, because the existing templates won't reflect the new verification and notification requirements.
  • Start asking harder questions of your vendors. Do they have a documented risk analysis and a current asset inventory? Do they encrypt health information in transit and at rest? Do they use multi-factor authentication? Do they have a formal incident response and contingency plan, and can they notify you within 24 hours of activating it? These are the things the new rule requires them to have, and the things you'll eventually need written proof of.

One more change worth knowing: if a vendor activates its contingency plan (the procedures it falls back on when ePHI or the systems holding it become unavailable, whether because of ransomware, an outage, or a disaster), the proposed rule requires it to notify you within 24 hours of activation. That is a separate and much shorter clock than the 60-day outer limit the Breach Notification Rule puts on breach notices, and it starts before anyone has determined whether a reportable breach occurred. It's worth asking your vendors now whether they're set up to do that.

What’s Changing for Business Associates

If you provide services to healthcare organizations, whether that's billing, IT support, transcription, cloud storage, consulting, or any other role that involves touching protected health information, you qualify as a business associate. And the updated rule treats you almost identically to the covered entities you serve.

The most sweeping change is the elimination of the "addressable vs. required" distinction that has been part of the HIPAA Security Rule since it was written. Under the current rule, an addressable specification lets an organization decide whether a measure is reasonable and appropriate for its environment and, if it isn't, document why and implement an equivalent alternative instead. That flexibility is gone. All implementation specifications would be mandatory, with only narrow, documented exceptions, and the list of what's required is specific: encryption of ePHI at rest and in transit, multi-factor authentication for access to systems that hold ePHI, audit logging and monitoring for suspicious activity, vulnerability scanning at least every six months and penetration testing at least annually, formal patch management timelines (under the proposal, critical patches within 15 days and high-severity patches within 30), network segmentation, and testing of the effectiveness of technical controls at least once every 12 months.

That’s a real lift for organizations whose current security program is lean.

The risk analysis requirements are also getting a significant upgrade. Right now, a periodic risk assessment that gets updated after major changes is generally considered sufficient. The proposed rule requires a formal, fully documented, repeatable risk analysis conducted at least once every 12 months and after any material change to your environment. It must cover your entire ePHI ecosystem, including subcontractors, cloud environments, and shared systems, and be grounded in a written technology asset inventory and a network map showing how ePHI moves through your systems, both kept current and reviewed at least annually. Before you can assess the risk, you have to know exactly where patient data lives and how it flows across every system and environment you operate.

And the documentation bar is rising across the board. Risk analysis methodology, identified risks, mitigation decisions, residual risks, testing results, access logs — all of it needs to be maintained in detail. Because your covered entity clients will be asking for it. Annual written verification isn’t something you can generate on the spot; it’s the output of a security program that’s been running the way the rule intends.

The 24-hour notification requirement applies here too. If you activate your contingency plan, you have 24 hours to notify each affected covered entity, and your own subcontractors owe you the same notice. That's a very different operational posture than most business associates are running today: it assumes you can detect the event, make the call to invoke the plan, and know which customers' data is involved, all inside a single day.

A Word on Timing

The final rule isn’t released yet, and the timeline has already shifted once. Although certain requirements could still soften, most of the core changes, especially around risk analysis, documentation, and vendor verification, are expected to hold. The volume of healthcare data breaches being reported makes a strong case that something needs to change, regardless of politics.

What we’d say to both audiences is the same: the direction is clear enough to act on. Performing a gap assessment to understand where your current security program stands against the proposed requirements puts you in a much better position whenever the final rule drops and the compliance clock officially starts. You shouldn’t need a firm deadline to start closing gaps that are already costing the industry.

We’re Here to Help

Whether you’re a healthcare organization trying to get your arms around your vendor relationships, or a business associate figuring out what the new requirements actually mean for your security program, we can help. 

If you are an OrbitalFire customer and would like help understanding your requirements or aligning your cybersecurity program with the new regulations, please contact your Customer Success Specialist or reach out to su*****@*********re.com.

If you believe you will be impacted by the changes and are not yet a customer, contact us at sa***@*********re.com or Connect with Us Here.


Frequently asked questions

Does my organization need to comply with HIPAA if we’re not a medical practice?

The HIPAA Security Rule applies to covered entities (health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions such as claims) and to their business associates, not just to medical practices. Behavioral health organizations, nonprofit human services providers, home health agencies, hospices, and community health programs are routinely covered entities because they deliver health care and bill for it electronically, regardless of whether they look like a traditional practice. If your organization handles health information about the individuals you serve in one of those roles, the HIPAA Security Rule applies to you.

What is a business associate under HIPAA?

A business associate is any company or individual that creates, receives, maintains, or transmits protected health information on behalf of a covered entity as part of providing a service. Billing companies, EHR vendors, IT providers, cloud storage services, transcription services, consultants, and law firms are common examples. If a vendor needs access to your organization's health data to do its job, it almost certainly qualifies, and a cloud provider counts even when the data it stores is encrypted and it never looks at it. Vendors whose exposure is genuinely incidental (a cleaning crew that might glimpse a screen) or that act purely as a conduit for transmission (an internet service provider) generally do not. Every business associate is required to have a signed business associate agreement with you.

Is a signed business associate agreement enough to prove vendor compliance?

Under the current HIPAA Security Rule, a signed BAA has served as the "satisfactory assurances" that a vendor will safeguard the data it handles. The proposed update changes this. Covered entities would be required to obtain written verification at least once every 12 months, backed by a written analysis of the vendor's systems by a qualified cybersecurity subject matter expert and a signed certification, confirming that each business associate has actually deployed the required technical safeguards. A signature on a contract is no longer sufficient on its own.

What’s actually changing in the new HIPAA Security Rule?

The most significant changes are the elimination of the "addressable vs. required" distinction (all implementation specifications would be mandatory, with only narrow, documented exceptions), substantially upgraded risk analysis requirements built on a written asset inventory and network map, new obligations around encryption, multi-factor authentication, audit logging and monitoring, vulnerability scanning and penetration testing, patch timelines, and network segmentation, and new vendor oversight requirements for covered entities. Business associates would also be required to notify covered entities within 24 hours of activating their contingency plans, a far shorter clock than the 60-day outer limit for breach notification. It's the first major update to the rule in more than 20 years.

When does the updated HIPAA Security Rule take effect?

A final rule is expected as early as mid-2026, with a compliance deadline likely around Q1 2027, approximately 240 days after the rule is formally published (60 days until the rule takes effect, plus a 180-day compliance period). The timeline has already shifted once and may shift again. The proposed rule was published in January 2025; OCR is still reviewing public feedback. Organizations that begin gap assessments now will be better positioned to meet the compliance deadline whenever it's confirmed.

What should covered entities start asking their vendors right now?

Start by confirming you have a current, signed BAA with every vendor that touches protected health information. From there, the most important questions are: Do you conduct a formal, documented risk analysis, and do you maintain a current inventory of the systems that hold our data? Do you encrypt health information at rest and in transit? Do you require multi-factor authentication across your systems? Do you have a documented incident response and contingency plan, and can you notify us within 24 hours of activating it? These are the safeguards the new rule will require vendors to verify in writing, so it's worth understanding where each of your vendors stands before that expectation is formal.

What happens if my business associate isn’t compliant under the new rule?

If a business associate fails to meet the new requirements and a breach or compliance issue occurs, the covered entity can face liability if it knew of the vendor's pattern of noncompliance and failed to take reasonable steps to address it. The updated rule makes that connection more direct by requiring annual verification rather than allowing a signed agreement to serve as sufficient assurance, which also makes it much harder to claim you didn't know. Covered entities that can document active, ongoing oversight of their vendors will be in a stronger position with regulators than those who relied on paperwork alone.