The healthcare ecosystem has closed the book on a volatile 2025, and HIPAA enforcement has moved into 2026 with sharper edges, wider apertures, and higher stakes. Regulators spent 2025 refining the tools they use, broadening the set of entities they scrutinize, and tightening expectations around cybersecurity hygiene, vendor oversight, and the responsible use of digital technologies. At the same time, parallel enforcement—from the Department of Justice, the Federal Trade Commission, and state attorneys general—has reinforced the reality that data protection failures are not just a compliance problem; they are an enterprise risk with civil, criminal, and reputational dimensions.
What 2025 Signaled—And Why It Matters
In 2025, the Office for Civil Rights maintained its steady cadence on HIPAA Right of Access cases, but increasingly linked access failures to broader issues—training, audit controls, and vendor performance—resulting in corrective action plans that are deeper, more prescriptive, and longer in duration. Ransomware, extortion, and third-party compromise incidents dominated the breach landscape, and OCR acted when it observed encryption "in name only," lagging patch management, and incomplete network segmentation. These deficiencies drew scrutiny not as isolated misses, but as indicators of a security program that had failed to keep pace with anticipated threats.
Regulators also signaled less tolerance for ambiguity around tracking technologies and analytics. OCR's focus on pixel and SDK deployments continued, with an emphasis on whether regulated entities know where data flows, what identifiers are transmitted, and whether disclosures fall within HIPAA's framework or require authorization and business associate agreements. The takeaway from 2025 was that, where pixels are concerned, undocumented assumptions, untested vendor claims, and incomplete data mapping are no longer defensible.
Finally, 2025 underscored an expansion in the enforcement perimeter. The FTC's Health Breach Notification Rule enforcement and state health privacy statutes operated in the space where HIPAA does not reach—consumer-facing health apps, digital tools, and non-covered intermediaries—creating a layered enforcement environment. Covered entities and business associates increasingly found themselves accountable not only for their own controls, but for the practical downstream realities of their digital ecosystem.
The 2026 Enforcement Outlook: Five Themes to Plan Around
1) Expect continued rigor on the basics.
Encryption at rest and in transit, privileged access management, multifactor authentication, vulnerability remediation timelines, and incident response playbooks remain the fundamentals. For documentation, expect to need logs that prove controls are enabled and effective, metrics showing patching intervals and exception management, and board-level reporting that demonstrates oversight of security performance, not just policy adoption.
2) Vendor risk management will be judged, and the metric will be outcomes.
OCR and parallel enforcers will look past contract clauses to confirm that providers know which vendors touch protected health information, that security representations have been validated, and that terminations, substitutions, and subcontractor changes are traceable. A living, risk-based vendor inventory, periodic testing of vendor controls, and clear escalation paths for vendor incidents will be essential.
3) Digital health and tracking technologies will remain enforcement priorities.
Can you prove your pixels do not disclose PHI without authorization? Anticipate requests for diligence records on the data elements captured, IP address treatment, unique identifiers, and any fingerprinting, with corresponding legal rationales and BAAs where appropriate. Where consent is implicated, regulators will assess whether the consent is specific, informed, and technically enforced.
4) The line between HIPAA enforcement and white-collar risk will continue to blur.
Expect increased coordination between OCR, DOJ, and state authorities when breach investigations uncover wire fraud, identity theft, kickbacks facilitated by data misuse, or false statements to regulators and patients. When cyber incidents intersect with claims data, utilization records, or patient enrollment information, healthcare organizations should assume that criminal exposure for individuals, not only corporate liability, will be assessed.
5) Artificial intelligence will move into everything.
As health systems implement AI for scheduling, documentation, triage, and revenue cycle, regulators will probe training data provenance, access to PHI within model workflows, and the adequacy of role-based controls and human oversight. Documentation of purpose limitations, output monitoring, and error handling will be necessary to demonstrate compliance with HIPAA's minimum necessary standard and security safeguards.
Rulemaking and Guidance: What to Watch
On the policy front, organizations should watch for continued alignment of health privacy frameworks where HIPAA intersects with other federal and state regimes. Expect additional clarity around reproductive health-related disclosures, the ongoing harmonization of 42 C.F.R. Part 2 confidentiality rules with HIPAA's structure, and further articulation of cybersecurity expectations through HHS performance goals and sector-specific guidance.
Parallel Enforcement: FTC, State AGs, and Litigation Pressures
The FTC will continue to treat undisclosed data flows and misleading privacy claims as deceptive practices, particularly in the non-covered app and device ecosystem, while state attorneys general leverage state health privacy and general UDAP laws.
At the same time, class actions will track regulatory theories, with plaintiffs emphasizing allegedly inadequate security controls, misrepresentations in privacy notices, and harms tied to identity abuse and out-of-pocket mitigation costs.
The practical result is concurrent exposure: a single incident can trigger OCR inquiry, consumer litigation, FTC examination, and state AG scrutiny.
Practical Steps for 2026 Readiness
The organizations best positioned for 2026 will treat HIPAA not as a statutory minimum, but as a floor within a broader risk framework. This starts with disciplined governance: board-level dashboards that quantify security performance, regular briefings that tie threat intelligence to control health, and clear accountability for vendor oversight, data mapping, and product review.
This effort continues with operational excellence: tested incident response across ransomware and extortion scenarios, tabletop exercises that include legal, communications, clinical operations, and revenue cycle, and documented learning loops that convert findings into budgeted remediation.
Organizations also need principled product design: formal reviews for any new data-collecting technology—pixels, SDKs, AI tools, connected devices—before deployment, with monitoring to confirm that configurations remain compliant as vendors update code.
Finally, entities should prepare for investigations as though they are inevitable: preserve logs and artifacts, maintain chronologies and decision records contemporaneously, and ensure counsel can demonstrate why the chosen safeguards are reasonable and appropriate for the organization's risk profile.
Source: Foley Hoag's Security, Privacy and The Law Blog.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.