Continuous HIPAA Compliance: From Annual Checklist to Everyday Practice

HIPAA is Moving from Static to Continuous

HIPAA isn’t just a once-a-year audit anymore. Regulators are raising expectations:

· The U.S. Department of Health and Human Services (HHS) continues to tighten enforcement and issue new guidance.

· A Michigan surgical group was recently required to enter a corrective action plan tied to the Security Rule – proof that compliance must be ongoing, not one-time.

· HHS guidance aligns with 405(d) Health Industry Cybersecurity Practices, reinforcing that security programs should evolve as systems and vendors change.

For a plain-language refresher, see the HHS HIPAA overview.

The message is clear: HIPAA compliance is a living program, not a static checklist.

What Continuous Compliance Really Means

Instead of sprinting once a year, continuous compliance is a loop you run every quarter and every time your environment changes.

1. Keep Risk Assessment Current

· Update your Security Risk Assessment whenever you add systems, onboard vendors, or change workflows.

· Map threats to safeguards, document residual risk, and assign remediation tasks with clear owners and deadlines.

2. Baseline Technical Safeguards You Can Prove

· Enforce MFA on email, remote access, and privileged accounts – and extend it to all other accounts wherever possible

· Encrypt ePHI in transit and at rest where feasible

· Segment networks to isolate clinical systems and protect backups

· Enable logging and alerting for access, changes, and exfiltration attempts

3. Vendor Oversight That Works

· Maintain an up-to-date inventory of business associates, services, and data flows

· Require timely incident notification and verify security controls

· Attach remediation and reporting requirements directly to contracts

4. Workforce Readiness That Sticks

· Deliver role-based training on phishing, data handling, and incident reporting

· Reinforce lessons with simulations, spot checks, and metrics

5. Recovery You Can Rely On

· Test restores quarterly – not just on paper

· Hold at least one organization-wide incident response drill (tabletop exercise) each year

· Document results, track gaps, and improve after each drill

A Reality Check: When Systems Go Down, Patients Notice

Recent disruptions in the region show how quickly care delivery can grind to a halt when systems or data become unavailable. Continuous compliance isn’t just about avoiding fines – it’s about keeping patient care safe, timely, and uninterrupted.

Your 90-Day Roadmap: From Annual to Continuous

Days 1–30: Establish Foundations

· Approve a policy that keeps your Security Risk Assessment evergreen

· Turn on MFA and encrypt major ePHI data stores

· Build a master inventory of systems, integrations, and business associates

Days 31–60: Prove and Improve

· Run a restore test of a clinical or billing system

· Separate business IT systems from clinical systems so a breach in one can’t spread to the other

· Launch targeted phishing simulations and provide follow-up training

Days 61–90: Practice and Document

· Conduct an organization-wide incident response drill covering ransomware and data exfiltration

· Update business associate agreements with clear response expectations

· Publish a quarterly compliance dashboard for leadership and staff

How Thatch Enables Continuous HIPAA Compliance

Thatch helps providers shift from a static checklist to a measured, year-round compliance program by:

· Building an evergreen Security Risk Assessment

· Hardening identity and endpoint security

· Designing effective network segmentation

· Modernizing backup and recovery strategies

· Operationalizing vendor oversight and workforce training

From our East Lansing headquarters, Thatch supports healthcare providers across Michigan and beyond – providing on-site help when it matters most.

Don’t Wait for Regulators to Test Your Program

Protect patient data. Strengthen compliance. Keep care uninterrupted. Continuous compliance takes the right partner. Contact Thatch to see how we can support your HIPAA program through our managed support.