As Theresa Defino recently reported, HHS OCR will prioritize risk assessments and expand its investigations into risk management in 2026. Alisa Chestler and Layna Cook Rush of Baker Donelson have summarized the key recommendations from HHS OCR’s January 2026 Cybersecurity Newsletter, which regulated entities should now pay closer attention to:
- Patching Is a Required Risk Management Activity
- Legacy Systems and Unpatchable Vulnerabilities Are Not Excuses
- Unnecessary Software and Default Accounts Create Hidden Risk
- Security Controls Must Be Enabled and Properly Configured
- Security Baselines Are Strongly Encouraged
- Testing and Evaluation Are Mandatory
- Practical Action Items for Regulated Entities
Read more about these recommendations at JDSupra.
Common Pitfalls
In a related discussion of HIPAA pitfalls, Eric E. Kinder of Spilman Thomas & Battle identifies 10 common pitfalls that may result in enforcement action:
- Forgetting the obligation to perform an organization-wide risk analysis.
- Not following up on identified security risks.
- Denying patient access to health records.
- Not having a HIPAA-compliant business associate agreement.
- Failing to have proper electronic PHI access controls.
- Failing to encrypt PHI.
- Untimely breach notifications.
- Improper disposal of PHI.
- Impermissible disclosures of PHI.
- Prying eyes on healthcare records.
Many of these are concerns that this site and Rachel Seeger of North Country Communications have both highlighted, especially for small and mid-sized entities with limited resources. Read more of Kinder’s article on SpilmanLaw.com.