
HIPAA Security Rule Enforcement in 2026: Proposed Changes, Current Expectations, and Risk Management | Clearwater

AHLA’s Speaking of Health Law | Sponsored by Clearwater

The HIPAA Security Rule NPRM is not final. OCR enforcement is not pausing. In this episode of AHLA's Speaking of Health Law, sponsored by Clearwater, John Howlett sits down with Iliana Peters—Shareholder at Polsinelli and former OCR Deputy Director for Data Privacy and Security—to work through what that means for healthcare organizations navigating compliance obligations right now. Peters brings more than a decade of enforcement-side experience to a regulatory moment that is genuinely unsettled, and her guidance is clear: know what the current rule requires, act on it, and don't get ahead of a final rule that hasn't been written yet.

Key Takeaways

  • Hold on NPRM implementation. Until the final rule is published, regulated entities should not attempt to comply with proposed changes. There will be a 180-day minimum compliance window after finalization—use that time for deliberate, accurate implementation.
  • OCR is still investigating. Despite significant staffing reductions, OCR issued four ransomware settlements in a single notice in 2026. Enforcement has not stopped—it has slowed down. The regulatory clock is still running.
  • Addressable never meant optional. Encryption, MFA, and malware protection are expected by OCR regardless of how they are categorized. Organizations treating addressable specifications as discretionary are exposed.
  • Risk management must move, not just document. OCR scrutinizes whether organizations act on identified risks over time. Repeatedly deferring the same control is increasingly indefensible.
  • Three persistent gaps: Risk analysis, risk management, and business associate agreement management remain the highest-frequency deficiencies OCR finds—including for AI tools and new technology deployments.

The NPRM: where it stands and why to wait

The HIPAA Security Rule Notice of Proposed Rulemaking—the first substantive update to the Security Rule in over two decades—was published in the Federal Register on January 6, 2025. The public comment period closed in March 2025 and attracted significant negative industry feedback. The rule remains on HHS's regulatory agenda but is not final as of mid-2026.

Iliana Peters is direct on what this means for regulated entities: don't race to implement anticipated changes. The gap between what was proposed and what ultimately gets finalized may be significant, and attempting to comply with a rule that hasn't been written yet wastes resources and goodwill while potentially locking organizations into approaches that will need to be reversed.

"I would caution against anticipating that rule and beginning compliance efforts. Security rule implementation is hard enough. If we start anticipating what the changes might be, we get teams all wound up about making changes that we may have to dial back once we see the final rule."

— Iliana Peters, Shareholder, Polsinelli | Former OCR Deputy Director for Data Privacy & Security

When the final rule does arrive—along with the anticipated privacy rule changes also on the Secretary's calendar—the minimum compliance period is 180 days. That window exists for good reason. Organizations that wait for the final text, then move deliberately, will be better positioned than those who guessed early and guessed wrong.

The Privacy Rule changes on HHS's regulatory calendar run on a separate track and will carry the same 180-day minimum compliance period when finalized. Healthcare compliance teams should be tracking both.

OCR enforcement: what hasn't changed

OCR's staffing was significantly reduced in early 2026 as a result of federal workforce restructuring. Regional offices are operating with fewer investigators. Data requests are taking longer. Investigations are moving more slowly.

None of this means enforcement has stopped. OCR recently issued four ransomware-related settlements—grouped into a single notice—against four different types of regulated entities. The cases were security-focused, the penalty amounts were material, and the underlying deficiencies were familiar: inadequate risk analysis, insufficient access controls, missing MFA, and inadequate malware protection.

4: ransomware settlements issued in a single OCR notice in 2026
180: minimum days in the compliance window after any HIPAA final rule is published
10+: years Iliana Peters spent at HHS OCR, including as Deputy Director for Data Privacy & Security

What OCR looks for in investigations today is what it has looked for for years: risk analysis, risk management, access controls, MFA, encryption, and malware protection. One caveat a practitioner should know: the current rule text does not name MFA. OCR expects it as a reasonable and appropriate safeguard under the existing access control and person or entity authentication standards, and its absence is one of the deficiencies cited in the settlements above. The requirements of the current Security Rule are live and are being enforced. Organizations waiting for the final NPRM to take compliance seriously are misreading the environment.

Key proposed changes worth understanding now

While the NPRM remains unfinalized, understanding what was proposed—and where the industry pushed back hardest—helps healthcare leaders anticipate where the final rule may land. Peters identifies two areas of particular significance.

More robust security controls across the board

The NPRM would strengthen requirements already in the Security Rule, particularly the technical safeguards. That direction matches the deficiencies OCR already cites in its enforcement actions, so organizations that have built strong risk analysis, access control, and encryption programs are already on the right trajectory.

Business associate obligations—and the friction they create

Peters identifies the proposed business associate requirements as the most operationally complex piece of the NPRM. The proposed changes would require covered entities to more closely monitor and manage business associate activity, and would impose more onerous requirements on business associates themselves. Managing external vendor relationships—unlike internal controls—involves negotiation, resource-sharing, and organizational dynamics that make compliance significantly harder to execute.

"Any external business relationship-facing exercise is always more difficult and resource intensive. I think that's where we're going to have the most friction in implementation if those requirements are finalized."

— Iliana Peters

For organizations thinking about how to use the time between now and finalization, the business associate program is a productive place to focus. Gaps in business associate agreements—particularly around newer technology and AI tools—are already a current enforcement priority, separate from anything the NPRM proposes.

Why "addressable" was never optional

The NPRM proposes to eliminate the long-standing distinction between "required" and "addressable" implementation specifications—a change driven in part by decades of regulated entities treating addressable as discretionary. Peters offers important nuance on both why the change makes sense and why it may be shortsighted.

The clarification is useful. Under the current rule (45 CFR 164.306(d)(3)), an addressable specification means: assess whether it is reasonable and appropriate in your environment; if it is, implement it; if it is not, document why and implement an equivalent alternative measure where one is reasonable and appropriate. It was never a carve-out. Encryption is the canonical example: addressable in the rule, but effectively required in almost every circumstance because no reasonable compensating control exists for it.

On encryption specifically: OCR expects it. When investigators ask about a breach, they ask how encryption was implemented—not whether it was considered. Organizations that have treated encryption as optional are exposed in any enforcement inquiry, regardless of how it is categorized in the current rule.

Peters's concern with eliminating the addressable category is more forward-looking. As computing methods evolve, and in particular as quantum computing pushes the industry toward new post-quantum encryption standards that differ from those in use today, removing the flexibility to substitute a better control for a mandated one could lock the industry into outdated technology. One of the Security Rule's enduring strengths has been its flexibility: implement this, or implement something better and document it. A fully prescribed rule trades that adaptability for clarity.

How HHS resolves that tension in the final rule will be consequential. For now, the practical guidance remains unchanged: implement encryption and document everything.

What a defensible risk management program looks like

OCR doesn't just ask whether risks have been identified—it asks whether organizations have acted on them. The standard for defensible risk management is not documentation. It is evidence that the program is moving.

The asset inventory is the foundation

The most consequential starting point for a HIPAA risk program is knowing where ePHI lives. Peters is clear: if OCR finds that an organization missed an entire category of ePHI in its risk analysis, that is a more serious problem than having a less-than-perfect analysis of a complete asset set. Knowing what you have—every system, facility, vendor, person, and device that touches ePHI—is the prerequisite for everything else.

Documentation can scale to organizational size

A small entity doesn't need a glossy, enterprise-grade deliverable. OCR has accepted a well-structured spreadsheet from small regulated entities. What OCR requires in all cases is that the documentation demonstrates a genuine understanding of the ePHI environment, the risks it faces, and a reasoned approach to addressing those risks. Form follows function. A robust spreadsheet from a small physician practice satisfies OCR; an impressive-looking report that doesn't reflect genuine analysis does not.

Deferred action becomes indefensible over time

The Fifth Circuit case Peters references illustrates the risk of identifying a threat and then failing to act on it. The court ultimately did not require implementation in that specific case—but the litigation took years and significant expense. OCR's enforcement posture is that as time passes without action on an identified risk, the deferral becomes harder to characterize as reasonable. There is no fixed timeline, but the direction is clear: the longer a known risk sits unaddressed, the more exposed the organization becomes.

"To the extent that you have increased risks or the risk continues over time, that looks less and less reasonable and appropriate. It's not a hard and fast rule—it depends on the type of data, the type of systems, the nature of the risk. But the further out you get from the identification of a risk management strategy, the more unreasonable inaction looks."

— Iliana Peters

The evidence OCR actually asks for

OCR investigations involve thousands of pages of documentation. What investigators specifically request varies by office, by investigator, and by the nature of the breach—but Peters identifies the categories organizations should have ready and those they need to be prepared to produce on demand.

Have these ready now

Risk analysis documentation, risk management plans, security policy updates, workforce training records, and phishing simulation logs. These are the documents that can be produced quickly and that signal to investigators that the organization has a functional compliance program. A prompt, organized production of these materials shapes the investigator's impression from the start.

Be ready to produce these on request

Evidence of specific control implementation—encryption methodology documentation, licenses, enterprise dashboard screenshots, MFA walkthroughs (OCR has asked organizations to demonstrate their MFA process live via screen share). The depth of these requests depends on the control at issue and the investigator's technical background. OCR has IT technical experts embedded with regional offices who assist investigators in evaluating technical controls.

Iliana Peters's guidance to clients: Prepare for the worst and hope for the best. Organizations that produce their foundational documents quickly and cleanly often reduce the scope of follow-on requests. Those that struggle with the basics invite deeper scrutiny.

Top actions for healthcare organizations today

Peters's priority list hasn't changed in years—and she acknowledges some surprise at that. The same gaps that organizations were struggling with at the beginning of her private practice career are still the most common deficiencies she sees. For 2026, three areas remain the highest priority regardless of where the NPRM lands.

1. Risk analysis

Conduct a comprehensive, asset-based risk analysis that covers every system, location, vendor, and person that creates, receives, maintains, or transmits ePHI. Newer technology—including AI tools of all types—must be included. OCR does not accept risk analyses that address last decade's technology environment.

2. Risk management

A risk analysis that identifies threats without a documented plan to address them is incomplete compliance. Organizations must demonstrate that identified risks are being prioritized, treated, monitored, and closed—not simply catalogued year after year.

3. Business associate agreement management

Business associate agreements remain a persistent gap, particularly for newer vendor relationships. AI tools and technology platforms that process ePHI require appropriate agreements. Peters is direct: organizations are not addressing these new relationships adequately, and OCR is paying attention.

#1 enforcement gap: inadequate or absent risk analysis
#2 enforcement gap: risk management plans not implemented
#3 enforcement gap: business associate agreement deficiencies

About the speakers

John Howlett

Senior Vice President & Chief Marketing Officer, Clearwater

John leads Clearwater's marketing organization and brings deep experience communicating the intersection of healthcare cybersecurity, HIPAA compliance, and organizational risk. He hosts Clearwater's thought leadership programming and has engaged extensively with healthcare security leaders on OCR enforcement trends and risk program development.

Iliana Peters

Shareholder, Polsinelli | Former OCR Deputy Director for Data Privacy & Security

Iliana Peters spent over a decade at HHS Office for Civil Rights, departing as Acting Deputy Director for Data Privacy and Security. She is a Certified Information Systems Security Professional (CISSP) and advises healthcare organizations across HIPAA, domestic data privacy and security, and AI governance in private practice at Polsinelli. Her enforcement-side experience gives her perspective on HIPAA compliance that few practitioners can match.

Frequently asked questions

Should healthcare organizations begin implementing the HIPAA Security Rule NPRM changes now?

No. Iliana Peters cautions against implementing anticipated changes before the final rule is published. There may be significant differences between the NPRM and the final rule, and the minimum 180-day compliance period after finalization gives organizations adequate time to implement correctly.

Is OCR still actively enforcing the current HIPAA Security Rule?

Yes. Despite a significantly reduced workforce, OCR investigations are continuing. In 2026, OCR issued four ransomware settlements in a single notice. Investigations are taking longer—but they are happening, and penalties are real.

What does OCR focus on in Security Rule investigations?

Risk analysis, risk management, and access controls—particularly MFA, encryption, and malware protection—are consistent focal points. OCR also scrutinizes whether organizations have acted on identified risks over time, not just documented them.

What does "addressable" mean in the current HIPAA Security Rule?

Addressable means: assess whether the specification is reasonable and appropriate in your environment; if it is, implement it; if not, document why and implement an equivalent alternative measure where one is reasonable and appropriate. It has never meant optional. Encryption, for example, is addressable but effectively required in virtually all circumstances because no reasonable compensating control exists for it in most environments.

What are the highest-priority HIPAA compliance actions for 2026?

Risk analysis—including for AI tools and newer technology deployments—risk management program implementation, and business associate agreement management. These are the three areas where OCR is most consistently finding deficiencies, and where organizations should focus regardless of where the NPRM lands.

How should small or resource-constrained organizations approach risk analysis?

OCR has accepted well-structured spreadsheets from smaller entities. The critical elements are completeness—knowing where all ePHI lives—and documented reasoning about threats, vulnerabilities, and control decisions. The format is less important than the substance. Clearwater works with organizations across every size and resource level to build right-sized, defensible programs.

The regulatory picture is unsettled. Your compliance obligations are not.

OCR's enforcement posture under the current Security Rule is active—and the gap between where most organizations are and where OCR expects them to be is real. If your risk analysis, risk management program, or business associate agreements wouldn't hold up to an inquiry today, that's the conversation to have now, not when the NPRM is finalized. A Clearwater advisor will assess where you stand against current OCR expectations and give you a clear path forward, scaled to your organization's size and resources.

Talk to a Clearwater advisor
