Updated requirements, enforcement trends, and the practical steps to stay compliant without drowning in paperwork
Why 2026 Is Different for HIPAA Compliance
Every year, HIPAA compliance matters. But 2026 brings specific changes that ABA practices need to understand and act on. The HHS Office for Civil Rights has signaled increased enforcement activity, particularly around cybersecurity practices and risk analysis requirements. The proposed Security Rule updates, first introduced in late 2024, are moving toward finalization, and their emphasis on concrete technical controls rather than addressable specifications changes the compliance calculus for every covered entity.
For ABA practices specifically, the compliance landscape is shaped by several converging factors. The shift toward telehealth and remote data collection during and after the pandemic expanded the attack surface for most practices without a corresponding increase in security infrastructure. The proliferation of cloud-based practice management tools means that protected health information now flows through more systems and vendors than ever before. And the ABA industry's rapid growth has attracted the attention of payers, regulators, and auditors who are scrutinizing smaller healthcare providers with new intensity.
This checklist is not exhaustive — comprehensive HIPAA compliance requires legal counsel familiar with your specific situation. But it covers the areas where ABA practices most commonly have gaps and where enforcement actions are most likely to focus in 2026.
Risk Analysis: The Foundation Everything Else Builds On
The single most cited deficiency in HIPAA enforcement actions is the failure to conduct a thorough and accurate risk analysis. Not a checklist. Not a vendor questionnaire. A genuine assessment of where protected health information exists in your organization, what threats and vulnerabilities could compromise it, and what the likelihood and impact of each risk would be.
For an ABA practice, this means documenting every system, device, and workflow that touches PHI:
- Practice management software: Where is it hosted? Who has access? How is data encrypted at rest and in transit? What happens if the vendor experiences a breach?
- Data collection devices: Tablets and phones used by RBTs during sessions. Are they managed devices with enforced security policies, or personal devices with a downloaded app? What happens when a device is lost or stolen?
- Communication channels: How does your team communicate about patients? Email, text, phone calls, messaging apps? Which of these channels are HIPAA-compliant? Which are not?
- Paper records: Yes, they still exist. Intake forms, consent documents, printed treatment plans. Where are they stored? Who has physical access? How are they destroyed?
- Telehealth platforms: If you provide any services remotely, the platform must meet HIPAA requirements. The temporary enforcement discretion that existed during the pandemic has expired.
Your risk analysis should be documented, dated, and reviewed at least annually or whenever significant changes occur in your operations, technology, or organizational structure. If you cannot produce a current risk analysis when asked, you are exposed to enforcement action regardless of how good your actual security practices may be.
Administrative Safeguards Checklist
Administrative safeguards are the policies, procedures, and organizational measures that govern how your practice manages PHI security. These are the areas where ABA practices most commonly fall short because they require documentation and process, not just technology.
- Security Officer designation: Someone in your organization must be formally designated as the HIPAA Security Officer. This person is responsible for developing and implementing security policies. In small practices, this is often the owner or practice manager. The key requirement is that the designation is documented and the person understands their responsibilities.
- Workforce training: Every employee who handles PHI must receive HIPAA training at hire and at least annually thereafter. Training must be documented — who was trained, when, and on what topics. Generic online courses count, but they should be supplemented with practice-specific training that addresses your actual workflows and systems.
- Access management: Document who has access to what systems and why. When an employee's role changes or they leave the organization, their access should be modified or terminated promptly. This is particularly important in ABA practices with high RBT turnover — a terminated employee who still has active credentials to your practice management system is a compliance violation waiting to happen.
- Incident response plan: You need a documented plan for responding to security incidents, including potential breaches. The plan should specify who is responsible for what, how incidents are investigated, how breach notifications are made, and how the response is documented. The plan should be tested at least annually, even if only as a tabletop exercise.
- Business Associate Agreements: Every vendor that handles PHI on your behalf must have a current, signed BAA. This includes your practice management software vendor, your clearinghouse, your IT support company, your cloud storage provider, your telehealth platform, your shredding service, and any other entity that creates, receives, maintains, or transmits PHI. Review your BAA inventory quarterly to ensure no vendor relationship is operating without one.
Technical Safeguards Checklist
Technical safeguards are the technology controls that protect electronic PHI. The proposed Security Rule updates are expected to make many currently addressable specifications into required implementations, so practices should be moving toward full implementation now rather than waiting for the final rule.
- Encryption everywhere: ePHI must be encrypted at rest and in transit. This means full-disk encryption on all devices that store PHI, encrypted email for communications containing PHI, HTTPS for all web-based systems, and encrypted backups. If a device is lost or stolen and the data is encrypted, it is not considered a breach under HIPAA — this single control can be the difference between a minor incident and a reportable breach with notification obligations.
- Multi-factor authentication: MFA should be enabled on every system that accesses PHI. This includes your practice management software, email, cloud storage, and any remote access tools. The proposed Security Rule updates are expected to make MFA mandatory rather than addressable. If you have not implemented it yet, do so now.
- Audit logging: Systems that contain PHI should log who accessed what, when, and from where. These logs should be reviewed regularly for unusual access patterns. Your practice management software should provide audit logs — if it does not, that is a significant red flag about the vendor's security maturity.
- Automatic session timeout: Systems should automatically lock or log out after a period of inactivity. This prevents unauthorized access when a device is left unattended — a common scenario when RBTs move between clients' homes with tablets.
- Backup and recovery: ePHI must be backed up regularly, and your practice must be able to restore data in the event of a system failure, ransomware attack, or other disaster. Backups should be tested periodically to verify they actually work. A backup you have never tested is not a backup — it is a hope.
Physical Safeguards Checklist
Physical safeguards control physical access to systems and facilities where PHI is stored or accessed. For ABA practices that operate across multiple locations, including clients' homes, physical security requires particular attention.
- Facility access controls: Offices where PHI is stored or displayed on screens should have controlled access. This does not necessarily mean key cards and security cameras, though those are ideal. At minimum, it means that areas where PHI is visible or accessible are not open to unauthorized individuals, including cleaning staff, visitors, and other non-workforce members without appropriate oversight.
- Workstation security: Computers and devices that display or access PHI should be positioned so screens are not visible to unauthorized individuals. In open-plan offices, this may mean privacy screens. In home-based settings where RBTs use tablets, it means ensuring the device screen is not visible to other household members during data entry.
- Device management: All devices that access PHI should be inventoried and tracked. When a device is retired, repurposed, or disposed of, all PHI must be securely removed. For mobile devices used by field staff, implement remote wipe capability so data can be destroyed if a device is lost or stolen.
- Paper record security: Any paper documents containing PHI should be stored in locked cabinets or rooms when not in active use and destroyed by shredding or other approved methods when no longer needed. This includes intake paperwork, printed reports, and any other physical documents.
The Breach Notification Rule: What Happens When Things Go Wrong
Despite best efforts, breaches happen. When they do, HIPAA's Breach Notification Rule imposes specific obligations with strict timelines.
If a breach of unsecured PHI affects 500 or more individuals, you must notify HHS, the affected individuals, and prominent media outlets within 60 days of discovery. For breaches affecting fewer than 500 individuals, you must notify the affected individuals within 60 days and report to HHS within 60 days of the end of the calendar year in which the breach was discovered.
The critical word is "discovery." The clock starts when you know or should have known about the breach, not when you confirm its scope. This is why incident detection and response capabilities matter — a breach that goes undetected for months creates compounding liability.
Notification must include a description of the breach, the types of information involved, steps individuals should take to protect themselves, what the practice is doing in response, and contact information for questions. Having a notification template prepared in advance, reviewed by legal counsel, ensures you can respond within the required timeframe without scrambling to draft communications under pressure.
Enforcement Trends to Watch in 2026
OCR has publicly identified several enforcement priorities that ABA practices should be aware of:
- Risk analysis failures: This has been the top finding in enforcement actions for years and shows no signs of changing. If you do not have a documented, current risk analysis, consider it your highest compliance priority.
- Right of access violations: Patients and their representatives have the right to access their records within 30 days of a request, with one 30-day extension. OCR has brought enforcement actions against providers for charging excessive fees, imposing unreasonable delays, or failing to provide records in the format requested. Make sure your practice has a documented process for handling access requests promptly.
- Ransomware and cybersecurity: OCR has increasingly treated ransomware attacks as presumed breaches and has pursued enforcement actions against providers whose security deficiencies contributed to successful attacks. Practices that lack encryption, MFA, or current risk analyses are particularly vulnerable to post-incident enforcement.
- Telehealth compliance: The pandemic-era enforcement discretion is over. Telehealth sessions must be conducted on HIPAA-compliant platforms with appropriate BAAs. Practices still using consumer video conferencing tools for client sessions are operating outside compliance.
Your Action Plan: Priority Order
If your practice has not recently audited its HIPAA compliance posture, the following priority order addresses the highest-risk items first:
- Conduct or update your risk analysis. This is the single most impactful compliance action you can take. It identifies all other gaps and demonstrates good faith effort to regulators.
- Review your BAA inventory. Ensure every vendor that handles PHI has a current, signed agreement. Use a BAA compliance checker to verify that existing agreements contain all required provisions.
- Implement encryption and MFA. These two technical controls address the most common attack vectors and provide safe harbor in the event of a device loss or theft.
- Document your policies. Policies that exist only in people's heads do not count. Written, dated, and signed policies demonstrate compliance in a way that verbal assurances cannot.
- Train your workforce. Documented, role-specific training with annual refreshers. Keep records of who completed what training and when.
Wilma is built with HIPAA compliance at its core — encrypted data at rest and in transit, role-based access controls, comprehensive audit logging, automatic session timeouts, and a built-in BAA compliance checker that helps you verify your vendor agreements contain all required provisions.