
The HIPAA compliance playbook that worked five years ago may not protect your organization today. Enforcement priorities have shifted. Expectations for risk analysis have increased. And if you handle protected health information, size no longer provides cover.
This isn't about fear. It's about understanding how the rules have changed so you can build a security program that meets current expectations.
For years, HIPAA enforcement focused on large healthcare systems with obvious violations. Smaller organizations assumed they were too small to attract attention. That's no longer a safe assumption.
OCR (the HHS Office for Civil Rights, which enforces HIPAA) has increased enforcement against business associates. This includes labs, billing companies, software vendors, consultants, and any other organization that handles PHI on behalf of a covered entity. The logic is simple: business associates handle massive amounts of patient data but historically received less scrutiny.
Settlement amounts for smaller organizations have increased. Companies with fewer than 100 employees have faced six-figure penalties for common gaps like unencrypted devices, weak access controls, or missing business associate agreements.
The message is clear. If you handle PHI, regulators expect you to have a security program appropriate to your risk level. Your size doesn't change that expectation.
The HIPAA Security Rule has always required risk analysis. In practice, many organizations treated it as a one-time exercise. Run a scan, document some findings, check the box.
Current enforcement expects more.
OCR looks for comprehensive risk analysis that covers your entire PHI environment. This includes technical systems, but also physical security, workforce practices, vendor relationships, and how you handle new technology.
Risk analysis needs to be updated regularly. Not just annually, but whenever your environment changes significantly. New locations, new software, new vendors, new workflows. Each change can introduce new risks that need to be assessed.
Most importantly, risk analysis needs to drive decisions. Documenting risks without addressing them, or without formally accepting the residual risk, suggests a paper compliance approach. That won't hold up under investigation.
HIPAA isn't the only regulation that matters. State privacy laws now cover health data in ways that exceed federal requirements.
Washington's My Health My Data Act creates obligations for "consumer health data" that HIPAA doesn't cover. This can include health information from research participants, wellness programs, or anyone who isn't technically a patient.
California's privacy laws include specific protections for sensitive personal information, including health data. Organizations operating in California or serving California residents need to account for these requirements.
Other states are following with their own health data laws. The practical impact is that a HIPAA-only compliance strategy may leave gaps where state laws impose additional requirements.
If your last serious look at HIPAA compliance was three or more years ago, it's time for a fresh assessment.
Start with your risk analysis. Is it comprehensive? Does it cover your current environment? Has it been updated since your last significant change? If the answer to any of these is no, that's your starting point.
Review your business associate relationships. Do you have signed agreements with everyone who handles your PHI? Do those agreements reflect current requirements? Are you monitoring whether your vendors actually follow through on their security commitments?
Look at your documentation. If OCR showed up tomorrow, could you produce evidence that your security controls actually operate? Policies alone aren't enough. You need logs, records, and evidence that shows your program works in practice.
Consider state law exposure. Where are your patients or research participants located? Which state laws might apply to your data? Do you have obligations beyond HIPAA that you haven't addressed?
The organizations that handle regulatory scrutiny well share a few characteristics.
They treat compliance as ongoing, not one-time. Security programs need regular assessment, updates, and improvement. Annual reviews at minimum, with additional assessment when things change.
They document as they go. Evidence of security practices is much easier to maintain in real time than to reconstruct when someone asks for it.
They get specific about risks. Generic risk assessments that could apply to any organization don't demonstrate that you've thought carefully about your specific situation.
They stay current on requirements. Regulations change. Enforcement priorities shift. The organizations that stay informed adapt before problems arise.
HIPAA compliance isn't about doing the minimum to avoid penalties. It's about building a security program that actually protects patient data and demonstrates that protection to anyone who asks.