Major HIPAA Changes on the Horizon

Healthcare organizations across Michigan and nationwide are facing what may be the most consequential shift in data security requirements in over a decade. The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has proposed sweeping changes to HIPAA that would fundamentally alter how healthcare providers, health plans, and their business associates protect electronic protected health information.

These aren’t minor technical adjustments or clarifications of existing regulations. Rather, they represent a comprehensive overhaul driven by an urgent reality: healthcare organizations have become prime targets for increasingly sophisticated cyberattacks.

The proposed changes, announced in December 2024, mark the first major update to HIPAA since 2013. The OCR has signaled its intention to finalize these requirements by May 2026, with an effective date likely arriving in July or August 2026—just 60 days after publication. Most provisions would require full compliance within 180 days of the effective date, meaning healthcare organizations could face hard deadlines as early as late 2026 or early 2027.

For Michigan healthcare providers, from solo practitioners to multi-location group practices, and dental offices to specialized clinics, these changes will demand careful attention, strategic planning, and potentially significant operational adjustments. The question isn’t whether these changes will affect your organization—it’s how prepared you’ll be when compliance deadlines arrive.

 What’s Changing: Breaking Down the Major Provisions

 1. Elimination of “Addressable” Safeguards

• Current framework: required vs. addressable measures
• New requirement: all safeguards become mandatory

2. Annual Compliance Audits

• Formal compliance audits required every 12 months
• Documentation and evidence requirements
• Resource implications for practices and organizations
• Integration with existing financial and operational audits

3. Technology Asset Inventory and Network Mapping

• Comprehensive inventory of all technology assets that handle ePHI.
• Inclusion of AI tools and emerging technologies
• Network mapping requirements showing ePHI flow
• Ongoing maintenance and update obligations

4. Enhanced Risk Management Requirements

• Annual risk analyses (not just when problems occur)
• Gap assessments when implementing new technologies
• Annual patch management policy reviews
• Formal, documented risk management cycle

5. Stricter Technical Controls

• Multi-factor authentication (MFA) for all ePHI access
• Encryption required for data at rest and in transit
• Network segmentation to contain potential breaches
• Implementation considerations for various practice sizes

6. Disaster Recovery and Business Continuity

• Requirement to restore lost systems and ePHI within 72 hours
• Development of comprehensive disaster recovery procedures
• Testing and documentation requirements
• Business impact considerations

7. Business Associate Requirements

• Annual written confirmation of technical safeguards
• 24-hour notification when activating contingency plans
• Workforce access change notifications
• Subcontractor compliance obligations
• Contract amendment necessities

8. Group Health Plan Sponsor Requirements

• Plan document updates required
• Security safeguard compliance mandates
• Incident reporting procedures
• 24-hour contingency plan activation notices

Anticipated Challenges for Healthcare Organizations

Most requirements would be enforceable into late 2026 or early 2027. That may sound distant, but the scope of work—security assessments, gap remediation, budgeting, policy updates, contract revisions, workforce training, and documentation—makes the timeline tight.

Small and mid‑size practices face steep challenges due to limited IT and compliance resources and heavy reliance on vendors. Larger, multi‑site organizations must coordinate consistent implementation across varied systems and workflows.

Technology upgrades such as MFA, encryption, segmentation, and improved backup systems may require replacing outdated infrastructure without disrupting patient care. Contract updates with numerous business associates add another major workload. Finally, workforce training remains essential, requiring ongoing, practical education to ensure staff actually follow new security practices.

For more details, read the HHS Fact Sheet: HIPAA Security Rule Notice of Proposed Rulemaking.

Integrated Compliance and Accounting Specializations

As a trusted advisor to healthcare organizations across Michigan, Yeo & Yeo offers a unique perspective on HIPAA compliance that bridges the gap between regulatory requirements and sound business practices. Our Healthcare Services Group understands that effective compliance isn’t just about checking boxes—it’s about integrating security controls with your existing operational and financial systems.

Yeo & Yeo can help your practice prepare strategically and cost-effectively by strengthening key operational and security foundations, including:

• Technology asset inventory and internal controls
• Workforce access controls and HR integration
• Disaster recovery and business continuity planning
• Annual audit support and compliance documentation
• Policy development and implementation
• Ongoing advisory and support

The proposed changes represent a significant shift in HIPAA compliance expectations, but they also offer an opportunity to strengthen your organization’s overall security posture, operational resilience, and risk management capabilities.

Don’t wait until the compliance deadline is upon you. Contact Yeo & Yeo’s Healthcare Services Group to discuss how these changes will impact your organization and how we can help you prepare.