HIPAA 2026 Security Rule Readiness Checklist
Are you prepared for the most significant HIPAA update in over a decade?
Use this practical self-assessment to identify gaps before the deadline arrives.
The HHS Office for Civil Rights (OCR) has proposed sweeping changes to the HIPAA Security Rule that, if finalized on the current schedule, are expected to take effect in late 2026 or early 2027. The proposal removes the distinction between "required" and "addressable" implementation specifications: controls such as encryption that today can be satisfied with a documented alternative, and controls such as MFA, network segmentation, and penetration testing that the current rule does not name at all, would become mandatory requirements.
This checklist will help your organization identify gaps and prioritize remediation steps to prepare for these changes.

1. Asset Inventory and Network Mapping
⏹️ Create and maintain a technology asset inventory covering every system, device, and application that creates, receives, stores, or transmits ePHI, or that could affect its confidentiality, integrity, or availability, including cloud services and vendor-managed assets. (Proposed 2026 change)
⏹️ Maintain a network map documenting how ePHI flows through your environment (including cloud systems and third-party vendors), and update both the inventory and the map when the environment changes and at least once every 12 months. (Proposed 2026 change)
2. Risk Analysis
⏹️ Conduct a Security Risk Analysis (SRA) that identifies reasonably anticipated threats and vulnerabilities to ePHI, assesses their likelihood and impact, assigns each a specific risk level, and is reviewed at least once every 12 months. (Proposed 2026 change—elevated from current requirements)
⏹️ Translate your risk findings into a prioritized remediation roadmap with assigned owners and timelines. (Proposed 2026 change—elevated from current requirements)
3. Technical Safeguards
⏹️ Enforce MFA on all systems that access ePHI, and document any exceptions (the proposal allows only narrow ones, such as devices that cannot technically support MFA) together with the compensating controls applied. (Proposed 2026 change)
⏹️ Encrypt ePHI at rest and in transit across all systems, devices, and backups, and verify it with configuration evidence rather than vendor assurances alone. (Proposed 2026 change)
⏹️ Deploy endpoint detection and response (EDR) on all systems that access ePHI.
⏹️ Implement network segmentation to isolate ePHI systems from general office and guest networks. (Proposed 2026 change)
⏹️ Conduct vulnerability scanning at least every six months and penetration testing at least every 12 months, and track remediation of findings to closure. (Proposed 2026 change)
4. Backup and Incident Response
⏹️ Maintain encrypted, regularly tested backups of all ePHI systems.
⏹️ Document written procedures to restore critical systems and ePHI within 72 hours of a loss, and test those procedures on a defined schedule. (Proposed 2026 change)
⏹️ Maintain a written incident response plan with clearly defined roles and responsibilities.
5. Documentation and Policies
⏹️ Maintain written, up-to-date policies and procedures covering all HIPAA Security Rule requirements.
⏹️ Keep evidence that safeguards are actually operating, not merely documented (including tickets, approvals, scan and test results, and remediation records).
⏹️ Ensure documentation is centralized, version-controlled, and not dependent on institutional knowledge. (Proposed 2026 change—elevated from current requirements)
6. Vendor and Business Associate Oversight
⏹️ Maintain a current inventory of all vendors and business associates that handle ePHI.
⏹️ Ensure signed BAAs are on file for every applicable vendor.
⏹️ Obtain written verification at least once every 12 months from each business associate confirming that the required technical safeguards are in place. (Proposed 2026 change)
7. Audits and Workforce Training
⏹️ Conduct a formal compliance audit at least annually. (Proposed 2026 change)
⏹️ Deliver and document HIPAA security awareness training for all workforce members annually.
How to Interpret Your Results
✅ 18 or more checked: Strong foundation. Focus on items marked "Proposed 2026 change" to close emerging gaps.
⚠️ 11 to 17 checked: Meaningful gaps exist. Prioritize MFA, encryption, documentation, and vendor oversight immediately.
❌ 10 or fewer checked: You likely have significant risk exposure under both current and proposed requirements. A formal gap assessment should be your next step.
Note: This checklist reflects high-priority items based on current HIPAA Security Rule requirements and OCR's proposed 2026 updates. Proposed changes are not yet final. Because every item is weighted equally, a single unchecked high-impact item (for example, unencrypted backups or no MFA on remote access) can matter more than the total score; treat the count as a rough indicator, not a risk rating. This is not a complete compliance assessment.
Need help getting started? VC3 provides HIPAA Compliance as a Service, combining gap assessments, technical safeguard implementation, documentation management, and ongoing advisory support to get you compliant and keep you there.
"Everything Works Everyday ..."
Strategic planning has been the most valuable aspect of partnering with VC3. Their periodic assessments keep us ahead of the curve.
▸ Nabil Razzouk, Ph.D. | CEO of Arrowhead Orthopaedics
Implementing all these best practices may feel overwhelming. Reach out to VC3 today to connect with a HIPAA Compliance as a Service expert!
