The holidays and new year are a great time to assess HIPAA compliance, emerging threats, and upcoming obligations in 2026. It is with the “spirit of the season” that I have compiled twelve items for covered entities and business associates alike to consider.
Throughout my legal career, I have been fortunate to conduct HIPAA risk analyses for both large and small covered entities and business associates, represent persons when they receive notices of investigations from government agencies, and represent whistleblowers, including in the first False Claims Act case in which the government intervened as part of its Civil Cyber Fraud Initiative.
With that, the twelve days of HIPAA:
Day 1: Mark your calendar for February 16, 2026, the compliance date for updating your Notice of Privacy Practices to integrate the 42 CFR Part 2 (substance use disorder records) items.
Day 2: Consider the legitimacy of your third-party HIPAA risk analysis auditor. For example, are they relying on the truncated list of roughly 50 questions that HHS-OCR uses in its own audit program, or on the actual Security Rule and Privacy Rule requirements in the CFR, for a comprehensive audit? In my experience representing companies before government agencies, the truncated version is not sufficient for covered entities and business associates.
Day 3: Are state law requirements, including data breach reporting and the timeframes for providing medical records to patients, included in your risk analysis and policies? Many state requirements differ from federal HIPAA, and the stricter requirement controls.
Day 4: Is training up to date?
Day 5: Is ePHI encrypted both at rest and in transit?
Day 6: What is in your asset document, and how does it differ from your access control document? The asset document inventories the systems and devices that store or transmit ePHI; the access control document should list every workforce member who has access to each system, whether it is an electronic health record system or email.
Day 7: Are you addressing reproductive healthcare in light of the Purl case (Northern District of Texas) and Skrmetti (U.S. Supreme Court) and adjusting policies and procedures accordingly?
Day 8: Is AI software being evaluated for HIPAA compliance, and have you ensured that it is safe, legal, and effective?
Day 9: Are state laws, including Texas S.B. 1188, being evaluated and incorporated into AI and HIPAA policies and procedures?
Day 10: Are you monitoring the latest bulletins from the FBI, CISA, and DHS?
Day 11: Have you scheduled your 2026 risk analysis, and have you done adequate background checks on workforce members?
Day 12: Are policies and procedures, as well as Business Associate Agreements, up to date, and do they consider the potential changes set forth in the January 2025 Notice of Proposed Rulemaking for the HIPAA Security Rule? Actual changes and announcements by HHS-OCR in 2026 should be monitored.
Wishing everyone days that are “Merry and Bright”—avoiding cyber-attacks and HIPAA violations!
Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate, and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website: www.rvrose.com