The VRC Newsletter (July 1)

Compliance Is Changing — Here's How to Stay Ahead


Must Read: HIPAA 2.0 Updates

Big changes are coming to HIPAA and if your organization handles protected health information (PHI), it’s time to act.

The Office for Civil Rights (OCR) is finalizing major updates to the HIPAA Security Rule, aimed at modernizing healthcare cybersecurity practices. As enforcement intensifies in 2025, both Covered Entities and Business Associates must move from passive compliance to proactive security strategies—or risk being left behind.

VanRein Compliance has been tracking these proposed updates, and they were part of our decision to create and launch the VRC1 platform, which makes it easier and more efficient to document and track your compliance journey in this ever-changing, dynamic environment. VRC1 is also a real-time communications tool, giving our clients that "right now" ability when and if something should happen.

📣 What’s Changing?

The revised HIPAA Security Rule, often called “HIPAA 2.0” by industry experts, is focused on closing security gaps that have led to some of the largest healthcare data breaches in the past decade. Here’s what’s on the table:

🔍 1. Mandatory, Annual Risk Assessments

No more vague requirements. OCR plans to enforce documented, repeatable risk analysis processes to identify, assess, and mitigate risks to ePHI.

Enforcement Insight: In 2024, 87% of HIPAA audits cited risk assessment failures as a core issue. In 2025, this will be the first item OCR requests during investigations.

🔐 2. Encryption for Data in Transit and at Rest

What was once “addressable” may soon be required. Proposed changes would make end-to-end encryption a standard for emails, file transfers, and stored PHI, especially for remote workforces and cloud-hosted systems.

🧩 3. Multifactor Authentication (MFA) for System Access

To reduce credential theft, OCR is pushing for MFA on all administrative accounts and access points to systems storing ePHI.

Think beyond logins: MFA should extend to EHR systems, client portals, admin dashboards, and mobile access points.

📋 4. Policy and Technical Safeguard Alignment

Organizations will be expected to show clear alignment between their written policies and their actual technical safeguards, something many providers struggle to maintain without a centralized compliance system.

📌 Current Status of HIPAA Security Rule Updates

  • In January 2025, HHS OCR issued a Notice of Proposed Rulemaking (NPRM) for significant updates to the HIPAA Security Rule—covering risk assessments, encryption, MFA, asset inventories, incident response, and more.

  • The public comment period closed on March 7, 2025, with thousands of responses submitted.

  • A final rule has not yet been published, meaning none of these proposed changes are legally enforceable at this time.

What Happens Next?

Once the final rule is released, standard implementation timing applies:

  • 60 days after publication: the rule becomes effective

  • 180 days after that: covered entities and BAs must comply with most provisions

⚠️ You Can’t Wait to Comply

These updates aren’t just theoretical.

  • OCR has already ramped up investigations in 2025, focusing on smaller practices, call centers, and vendors that handle PHI.

  • Civil monetary penalties are increasing, and enforcement is targeting not just breaches, but failure to prepare.

  • Business Associates (including IT firms, TAS providers, and billing companies) are under the same scrutiny as hospitals and clinics.

🛡️ VanRein Compliance Helps You Stay Ahead

At VanRein Compliance, we don’t just help clients “meet HIPAA requirements”—we help them build security programs that scale and evolve with the law.

Here’s how:

✅ Risk Assessment Support
We walk you through the process, document risks, and build mitigation plans you can present during an audit.

✅ MFA & Encryption Readiness
We help identify gaps in authentication and encryption across your systems, then guide implementation with IT or vendors.

✅ Audit-Ready Documentation
Your policies, training records, and security measures are organized and accessible in VRC1, our real-time compliance platform.

✅ Strategic Support for Covered Entities and BAs
We tailor everything to your role, client needs, and industry, whether you’re a solo provider or an enterprise partner.

📬 Already a VRC client? We can bundle our services, saving you money and time!

🎯 Don’t Wait for HIPAA 2.0 to Become a Problem

OCR’s updated rules are coming and so are audits. Now is the time to tighten your security, clean up documentation, and build a proactive compliance strategy that protects your clients, your contracts, and your reputation.

Stay up-to-date with AI

The Rundown is the most trusted AI newsletter in the world, with 1,000,000+ readers and exclusive interviews with AI leaders like Mark Zuckerberg, Demis Hassabis, Mustafa Suleyman, and more.

Their expert research team spends all day learning what’s new in AI and talking with industry experts, then distills the most important developments into one free email every morning.

Plus, complete the quiz after signing up and they’ll recommend the best AI tools, guides, and courses – tailored to your needs.

Texas Signs AI Governance Act

On June 22, 2025, Texas Governor Greg Abbott enacted the Texas Responsible Artificial Intelligence Governance Act (TRAIGA), which will take effect January 1, 2026.

🤖 What the Law Covers

TRAIGA prohibits the development or deployment of AI systems by both government and some private entities that are designed to:

  • Manipulate human behavior in harmful ways

  • Discriminate against protected groups

  • Generate sexually explicit content or child deepfakes

  • Use biometric data for identification without consent

The law also requires governmental agencies to disclose AI usage to consumers in clear, conspicuous language.

🧑‍⚖️ Who It Applies To

  • Government entities: Full requirements apply, including transparency and prohibited-use rules.

  • Private-sector “deployers” and “developers” of AI systems used or marketed in Texas: they face restricted prohibitions, especially concerning discriminatory or harmful applications.

🛠️ Enforcement and Guardrails

  • Texas Attorney General oversees the law. Noncompliance can be cured within 60 days; then penalties range from $10K–$200K per violation, plus daily fines if unresolved.

  • The law creates a regulatory sandbox for safe AI experimentation, overseen by an appointed AI Advisory Council.

🗝️ Why It Matters to You

Even without federal AI regulation yet, states like Texas are leading. TRAIGA signals:

  1. A shift toward proactive harm prevention and transparency

  2. The potential for state-level AI enforcement, especially if your systems are used by Texas residents

  3. The growing importance of internal AI documentation and risk frameworks like ISO 42001 or the NIST AI RMF

Whether or not you're based in Texas, your organization may feel TRAIGA’s impact. VanRein Compliance's suite of AI governance tools—including ISO 42001 alignment, policy guidance, and AI audit services—can help you build defensible systems now, no matter what jurisdiction comes next.

Reactive No More: Compliance Is Becoming a Strategic Advantage

For years, compliance was treated like a checklist—something you scramble to complete before an audit, a renewal, or a client security review.

But in 2025, that mindset is shifting fast. Compliance is no longer just about avoiding penalties. It’s about building trust, earning credibility, and gaining an edge.

Whether you're a growing tech company, a call center handling PHI, or an education provider protecting student data, one thing is clear: compliance is now a core business strategy.

📉 From Reactive to Risk-Ready

Most teams recognize this story:

  • Policies are scattered across Google Drive.

  • Training happens once a year—usually a day before something’s due.

  • Vendor lists aren’t tracked.

  • You pass audits, but you’re holding your breath until the results arrive.

That approach isn’t sustainable anymore. Frameworks like HIPAA, SOC 2, ISO 27001, and FERPA demand continuous compliance. Your clients expect transparency. Your investors ask for evidence. And your team can’t afford last-minute scrambles.

What Strategic Compliance Looks Like

At VanRein Compliance, we’re helping organizations evolve their approach by integrating real-time tools, smarter training, and audit readiness into everyday operations.

Here’s what that looks like in practice:

📊 Real-Time Compliance with VRC1

Our all-in-one compliance platform, VRC1, turns your documentation, risks, training, and evidence into a single source of truth.

  • Assign tasks with due dates and reminders

  • Upload and organize evidence by control or framework

  • Track policies, training, and risk items across departments

  • Prepare for audits without starting from scratch

It’s compliance built to scale with you—not slow you down.

🧠 Role-Based Team Training

Forget cookie-cutter courses. VanRein offers tailored training by role and industry because your front desk, IT team, and leadership need different content.

  • HIPAA for Operators (TAS & BAs)

  • SOC 2 Essentials for SaaS Teams

  • FERPA for Educators & Support Staff

  • AI Governance & Risk for Tech Teams

Training isn’t just about checking a box. It’s about empowering your team to spot risks, respond properly, and support compliance from the inside out.

📋 Audit-Prep Checklists & Templates

We don’t just help you meet the requirements. We show you exactly what they are. Our clients receive:

  • Industry-specific audit checklists

  • Policy templates that align with your real operations

  • Pre-audit walkthroughs and evidence reviews

  • Compliance health insights so you know where you stand at all times


🎯 Let’s Turn Compliance Into an Advantage

You don’t need a full compliance department to do this right. You just need the right tools, clear guidance, and a partner who knows how to adapt compliance to your industry.

Whether you're getting started or tightening internal controls, VanRein Compliance is here to help you build a future-proof program that earns trust, wins business, and evolves with your growth.