Healthcare Alert: OCR signals expanded HIPAA enforcement priorities for 2026

The Department of Health and Human Services’ Office for Civil Rights (OCR) is signaling a more assertive enforcement posture as it enters 2026, particularly around Security Rule compliance and patients’ right of access. The Director of OCR has emphasized that covered entities (CEs) and business associates (BAs) should expect heightened scrutiny in two long standing areas: security risk management and timely access to health records.

Although both initiatives have been active in recent years, OCR will require healthcare organizations to reassess and strengthen their compliance programs.

Security Rule: Moving Beyond Risk Analysis to Risk Management

OCR launched its Security Risk Analysis Initiative in 2024, resulting in multiple enforcement actions tied to incomplete or outdated assessments. The agency is moving from simply verifying whether an analysis exists to evaluating how organizations are using those findings.

According to OCR, healthcare organizations must now demonstrate:

• A current, documented enterprise-wide risk analysis
• A structured approach to evaluating risks and vulnerabilities identified
• Implementation of appropriate safeguards to address those findings
• Evidence of ongoing review and remediation

Organizations that have completed assessments but taken minimal action in response may be at increased risk of monetary penalties.

Right of Access: New Emphasis on Parental Rights

OCR’s Right of Access Initiative continues to generate some of the highest volumes of HIPAA complaints. With more than 50 enforcement actions already completed, the agency is now adding a specific focus: parents’ access to their minor children’s health information.

Recent complaints suggest some health systems and electronic health record vendors have implemented age-based or policy-based restrictions that unintentionally block parents from accessing their child’s records, even when parents are legally authorized.

OCR has responded by:

• Issuing a letter reminding providers of federal requirements regarding parental access
• Launching several compliance reviews targeting large health systems
• Clarifying that exceptions under the HIPAA Privacy Rule are narrow and must be appropriately interpreted

Healthcare organizations should expect additional investigations and public settlements involving parental access issues throughout 2026.

What Healthcare Organizations Should Do Now

To prepare for increased enforcement, healthcare leaders should prioritize the following:

1. Revisit Your Security Risk Analysis: Confirm the assessment is current and review third party vendor risks, technical controls (e.g. access controls, encryption, etc.), and new technologies implemented over the past year.

2. Strengthen Your Risk Management Process: Document how you address risks and track remediation progress. Treat risk management as a continual process rather than a one-time compliance task.

3. Review Policies Related to Access Rights: Examine whether your electronic health record settings unintentionally restrict parental access and validate workflows for processing record requests.

4. Prepare for OCR Engagement: Educate staff on OCR’s updated focus areas and confirm your organization can rapidly respond to access requests and enforcement inquiries.

We Can Help

If you would like assistance reviewing your HIPAA compliance posture, assessing your security risk processes, or updating access policies, the Elliott Davis Healthcare team is here to help.

‍

The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.