The VRC Newsletter (December 3)

2025 Changed the Compliance Rules. Here’s Your Roadmap for 2026.


2025 brought the most significant transformation to the compliance world in more than a decade.
HIPAA moved.
NIST moved.
ISO shifted.
SOC 2 evolved.
HITRUST expanded.
State privacy laws exploded.

If you work in healthcare, digital health, telehealth, SaaS, MSP, or any security-sensitive environment, this year reshaped the rules of engagement — and 2026 will set the new standard.

This article is your practical roadmap. No legal jargon. No alphabet soup. Just clarity.

2025: A TURNING POINT

Cyber threats accelerated at levels regulators couldn’t ignore — ransomware, AI-driven phishing, telehealth expansion, multi-state care, cloud-first infrastructure.

The frameworks that carried us for the last 10+ years no longer fit the way organizations handle data.

2025 became the “realignment year.”
2026 is shaping up to be the year these changes become mandatory.

2025: THE BIG CHANGES

1. HIPAA’s Massive Modernization

The proposed update to the HIPAA Security Rule (first major change since 2013) is a game-changer.

Key highlights:

  • “Addressable” controls become required: MFA, encryption, audits, incident response.

  • Stronger BAAs with technical security requirements.

  • Mandatory annual HIPAA audits with documented evidence.

  • Telehealth tightened: secure messaging, identity verification, patient access, consent.

  • Enforcement shift toward:

    • patient right-of-access

    • telehealth privacy failures

HIPAA is finally catching up to reality — and OCR expects organizations to follow suit.

2. NIST: The Backbone of Modern Compliance

Two major updates defined the year:

NIST Update #1 – Cybersecurity Framework 2.0

Introduced the new Govern function, emphasizing:

  • vendor oversight

  • supply chain security

  • governance

  • metrics for cyber programs

NIST Update #2 – SP 800-53 Revision 5.2

New safeguard enhancements, privacy strengthening, tighter alignment with HIPAA, ISO, and HITRUST.

Organizations aligning to NIST now will glide through 2026.

3. ISO 27001:2022 Transition Deadline

ISO 27001:2013 certifications expire October 2025.
Every organization must migrate to ISO/IEC 27001:2022.

The updated standard includes:

  • 93 modernized controls

  • enhanced cloud and identity security

  • updated threat management frameworks

If ISO is part of your stack, transition early — not in the deadline chaos.

4. SOC 2 + HITRUST: The Power Combo

SOC 2 remains the go-to for SaaS, service providers, and cloud-native organizations.
But healthcare, telehealth, and AI-driven platforms increasingly need more.

HITRUST CSF v11.4 brings:

  • deeper mappings

  • stronger technical controls

  • enhanced inheritance

  • tighter vendor-risk modeling

For companies handling PHI, HITRUST is quickly becoming the “unified framework” of choice.

5. State Privacy Laws: The Silent Earthquake

2025 saw major increases in state data-privacy rules, including:

  • new breach-notification laws

  • telehealth consent requirements

  • reproductive health data protections

  • cross-state data governance

  • data-minimization and retention rules

Even if you don’t operate in a state, having patients or customers there creates compliance obligations.

2026 won't be “HIPAA only” for anyone — it will be federal + state compliance.

🔭 Coming in 2026: Your Action Plan

1. Prepare for the Final HIPAA Security Rule (target: May 2026)

The proposed 2025 overhaul will likely become mandatory early next year.
Begin your gap assessment now.

2. Rebuild your risk program around NIST

It’s now the universal reference point for HIPAA, HITRUST, SOC 2, and ISO readiness.

3. Update your core policies

Especially:

  • access control

  • incident response (IR)

  • vendor management

  • secure messaging

  • telehealth workflows

  • AI & data-use governance

4. Strengthen BAAs & DPAs

OCR is signaling vendor governance is a 2026 focus area.

5. Finish ISO 27001:2022 transitions

Avoid the last-minute rush.

6. Consider HITRUST for unified compliance

Especially for digital health, telehealth, and AI-driven platforms.

7. Add a state-law review to your compliance program

This will become the difference between passing and failing audits.

Final Thoughts

2025 changed the rules.
2026 will enforce them.

Organizations that move now will win contracts, build trust, and operate with confidence.
Those that wait will find themselves behind — sometimes by years.

At VanRein Compliance, we help companies stay ahead of these changes, not react to them.

If you want help building a HIPAA-ready, NIST-aligned, SOC 2-capable, ISO-modernized, HITRUST-credible compliance program — we’re here.

Meet Dawn Van Buskirk!

VRC’s Co-Founder & COO

Service Focused:

As a dedicated Co-Founder and COO, Dawn prides herself on creating and maintaining processes that help her team work smarter, not harder. Dawn also works side-by-side with her husband and partner Rob Van Buskirk to ensure that the VanRein vision is reflected throughout the customer experience.

Education & Expertise:

With a degree in Journalism with an emphasis in Advertising from the University of Northern Colorado, Dawn brings a wealth of knowledge and skill set, including operations, account management, finances, and insurance to VanRein.

Fun Fact:

Dawn’s birthday is on St. Patrick’s Day and she finds cleaning and organizing her home very therapeutic.

#ExperienceTheVRCDifference
