

HIPAA Compliance & IT: What Colorado Medical Practices Actually Need in 2026



The Security Rule is being rewritten. Penalties are higher than ever. And most Front Range practices are running on an IT stack that wasn’t built to handle what’s coming. Here’s what you actually need to know.

By Wendy Campbell, Director of Marketing  ·  Automated Business Technologies  ·  Updated June 2026

Key figures cited in this guide:

  • $9.8M: average cost of a healthcare breach
  • 6x: rise in attacks on small practices since 2021
  • $2.19M: maximum HIPAA penalty per year (Tier 4)
  • 213 days: average time to detect and contain a breach

What This Guide Covers

The short version: HIPAA’s Security Rule is being overhauled for the first time since 2003. If your Colorado practice is still running on a “we signed the BAA and called it done” approach to IT compliance, you’re about to have a problem.

Here’s what’s actually changing: MFA is moving from optional to mandatory. Encryption at rest — not just in transit — is becoming a hard requirement. Annual Security Risk Assessments must now produce documented, time-bound remediation plans, not just findings. Penetration testing, network segmentation, and ePHI flow mapping are all entering the required controls list. And your vendor BAAs need to specify actual cybersecurity obligations, not just reference “appropriate safeguards.”

The final rule is expected mid-2026 with a 180-day compliance window. That means early 2027 for enforcement — which sounds distant until you’re trying to retrofit MFA across a multi-provider EHR, renegotiate six vendor BAAs, and build an incident response plan that didn’t exist before.

This guide breaks down every requirement by safeguard category, gives you a plain-language explanation of what it means operationally, tells you what to ask your IT provider, and ends with a complete readiness checklist you can take into your next compliance review. It’s written for practice managers, office administrators, and physician owners — not attorneys. Your compliance counsel defines your legal obligations. This is the IT side of that conversation.

Let’s skip the preamble. If you’re a practice manager, office administrator, or physician owner in Colorado, you already know HIPAA exists. What you may not know is that the rules are being significantly rewritten right now — and the timeline is tighter than most of your IT vendors are telling you.

The HHS Office for Civil Rights has proposed the most comprehensive overhaul of the HIPAA Security Rule since 2003. Final rule publication is expected mid-2026, with a 180-day compliance window. That means enforcement could begin as early as Q1 2027 — which is not as far away as it sounds when you’re talking about implementing MFA across a multi-provider practice, renegotiating every vendor BAA, and building annual documentation your IT partner may never have produced before.

At ABT, we’ve been serving Colorado healthcare organizations since 2005 — from single-physician family practices in Colorado Springs to multi-site clinics across the Front Range. What I’m going to lay out here is exactly what’s changing, what it means for your practice’s IT infrastructure, and what questions you need to be asking if you’re evaluating or re-evaluating your Managed IT Services provider.

The Bottom Line Up Front

The HIPAA Security Rule is transitioning from a framework where many controls were “addressable” (meaning optional with documentation) to one where nearly everything is required. MFA, encryption at rest and in transit, annual SRAs, penetration testing, network segmentation — these are moving from best practices to legal obligations. If your current IT setup doesn’t cover these, you have a compliance gap that your MSP needs to close before enforcement begins.

1. What Just Changed — and What’s Still Coming

HIPAA hasn’t seen a major Security Rule overhaul since 2003. That original rule was written before cloud computing was mainstream, before ransomware was a business model, before telehealth existed at scale, and before the EHR mandate made every practice a target. The proposed 2026 updates are HHS’s acknowledgment that the existing framework is two decades behind the threat environment.

Here’s the timeline as of this writing:

Date | Event
January 2025 | HHS publishes proposed HIPAA Security Rule overhaul in the Federal Register
February 16, 2026 | Deadline to update Notices of Privacy Practices (NPP). Already passed; if you haven’t done this, act now
Mid-2026 (expected) | Final Security Rule published; 180-day compliance window begins
Early 2027 (projected) | Enforcement begins; OCR can assess penalties for non-compliance

The proposed rule does several things that matter operationally:

It eliminates the “addressable” vs. “required” distinction. Under the current rule, covered entities could choose not to implement certain controls — like encryption or MFA — if they documented why an alternative approach was reasonable. That flexibility is going away. Nearly everything becomes required, full stop.

It introduces explicit timelines. Incident response, notification from business associates (24 hours when a BA activates its contingency plan), and system restoration targets must now be documented with specific, measurable timeframes, not vague language like “as soon as practicable.”

It expands business associate accountability. Your IT vendor isn’t just signing a BAA anymore. They need to demonstrate ongoing compliance, not just attest to it. Vendors who can’t produce security documentation may not qualify for healthcare partnerships under the new rule.

Note on Timing

The final rule had not been published as of this writing. The proposed requirements are well-documented and the direction is clear. Organizations waiting for the final rule before beginning implementation will face timelines that may be impossible to meet. Start now. The proposed controls are already security best practices regardless of enforcement status.

2. The Three Safeguard Categories, Explained

HIPAA’s Security Rule organizes requirements into three categories. Your IT provider, compliance officer, and legal counsel all need to understand how these interact — because gaps in any one category create exposure across all three.

Category 1: Technical Safeguards

The technology controls: access controls, MFA, encryption, audit logs, automatic logoff, transmission security. This is where most of the new 2026 requirements land.

Category 2: Administrative Safeguards

The policies, procedures, and people: annual SRAs, workforce training, incident response plans, designated Security Officer, BAA management. Most practices are weakest here.

Category 3: Physical Safeguards

The physical environment: server room access, workstation placement, device disposal, visitor access controls, facility security. The most commonly overlooked category in small practices.

Here’s what I see consistently across Colorado practices: the IT vendor handles the technical layer reasonably well, the compliance officer (or whoever plays that role) manages the administrative paperwork inconsistently, and the physical safeguards get ignored until an auditor shows up. All three have to work together. A breach that starts with a stolen unencrypted laptop in the parking lot is a physical safeguard failure — but if it was never inventoried, that’s also an administrative failure. And if the data on it wasn’t encrypted, that’s a technical failure too. One incident, three violations.

Not Sure Where Your Practice Stands?

ABT offers a free HIPAA-aligned IT assessment for Colorado medical practices. We’ll map your current technical, administrative, and physical safeguards against the 2026 requirements and give you a prioritized gap report.


3. Technical Safeguards: What’s Now Mandatory

This is the category your IT vendor is most responsible for — and where the 2026 Security Rule is making the most sweeping changes. Here’s the full list of what’s moving from “addressable” or implied to explicitly mandatory:

Multi-Factor Authentication (MFA)

Under the current rule, MFA is addressable — you could skip it with documentation. Under the proposed 2026 rule, MFA becomes required for all systems that create, receive, maintain, or transmit ePHI. That means your EHR, your practice management system, your email platform, remote desktop/VPN access, and any cloud storage where patient records live.

A few things the rule is clear about that your MSP needs to understand: SMS OTP (text message codes) alone isn’t sufficient for high-risk access points. App-based authenticators or hardware tokens are the baseline. And blanket “trusted network” exclusions — where staff inside the office don’t need MFA — are only acceptable with documented compensating controls.

Watch Out For This

Many smaller practices have Microsoft 365 or Google Workspace without MFA enforced on all accounts. A single unprotected admin account is a breach waiting to happen — and under the proposed rule, it’s a documented compliance gap. Ask your IT provider to run an MFA coverage audit today.
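The MFA coverage audit mentioned above can be done against an account export from your identity platform. The following is an added example, not ABT’s tooling and not a vendor API: it assumes a CSV export with the columns user, role and mfa_method (values none, sms, app or hardware), which is a constructed format. It ranks gaps the way the section describes: no MFA on an admin account is critical, and SMS-only MFA on a high-risk role is flagged for upgrade rather than counted as covered.

```python
"""MFA coverage audit over a constructed account export (added example)."""
import csv
import io
from collections import Counter

# Constructed sample export; these are not real accounts.
SAMPLE_EXPORT = """user,role,mfa_method
frontdesk1@example-practice.test,user,sms
drsmith@example-practice.test,provider,app
billing@example-practice.test,user,none
admin@example-practice.test,admin,none
it-svc@example-practice.test,admin,sms
nurse2@example-practice.test,provider,hardware
"""

STRONG_METHODS = {"app", "hardware"}          # app-based or hardware token = baseline
HIGH_RISK_ROLES = {"admin", "provider"}       # assumption: broad ePHI reach
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "REVIEW": 3}


def classify(row):
    """Map an export row to one of: strong, sms_only, no_mfa, unknown."""
    method = row["mfa_method"].strip().lower()
    if method == "none":
        return "no_mfa"
    if method == "sms":
        return "sms_only"
    if method in STRONG_METHODS:
        return "strong"
    return "unknown"


def audit_mfa(export_text):
    """Return (counts per status, findings sorted worst-first).

    Each finding is (user, severity, reason)."""
    counts = Counter()
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        status = classify(row)
        counts[status] += 1
        high_risk = row["role"].strip().lower() in HIGH_RISK_ROLES
        if status == "no_mfa":
            findings.append((row["user"], "CRITICAL" if high_risk else "HIGH",
                             "no MFA enrolled"))
        elif status == "sms_only" and high_risk:
            findings.append((row["user"], "MEDIUM",
                             "SMS-only MFA on a high-risk role; move to app or hardware"))
        elif status == "unknown":
            findings.append((row["user"], "REVIEW",
                             f"unrecognised method {row['mfa_method']!r}"))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f[1]], f[0]))
    return counts, findings


def strong_coverage_percent(counts):
    """Share of accounts on app or hardware MFA (SMS-only does not count)."""
    total = sum(counts.values())
    return 0.0 if total == 0 else 100.0 * counts["strong"] / total


if __name__ == "__main__":
    counts, findings = audit_mfa(SAMPLE_EXPORT)
    print(f"strong MFA coverage: {strong_coverage_percent(counts):.1f}%")
    for user, severity, reason in findings:
        print(f"{severity:8} {user}: {reason}")
```

Run it against a real export and the first lines of output are the accounts to fix first. Coverage is deliberately computed on strong methods only, so a tenant where everyone has SMS codes still shows the gap the proposed rule describes.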

Encryption — At Rest and In Transit

Most practices encrypt data in transit (HTTPS) because modern browsers and email clients handle it automatically. What they miss is encryption at rest — meaning the actual data stored on servers, workstations, laptops, backup drives, and removable media.

Under the 2026 rule, encryption of ePHI at rest is mandatory with no exceptions and no alternative measures. This aligns with NIST Cybersecurity Framework standards. For a Colorado practice, that means:

  • Full-disk encryption on every workstation that could hold or cache ePHI
  • Encrypted backup solutions — not just an external drive in a drawer
  • Encrypted email for any transmission containing PHI (standard Gmail or Outlook without a BAA is a violation)
  • Secure key management — encryption only works if the keys are also protected
  • End-of-life device destruction with documented attestation

Annual Security Risk Assessments (SRAs)

The SRA has always been required — it’s just that many practices either don’t do one or do one that doesn’t actually drive action. The 2026 update changes the standard significantly: SRAs must be conducted annually, must cover all systems that touch ePHI, must be formally documented, and must produce an actionable remediation plan with timelines and responsible parties. “We assessed and everything looks fine” is not an SRA. It’s a checkbox — and OCR is increasingly distinguishing between the two in enforcement actions.

For context: risk analysis failures are the single most cited HIPAA violation in OCR enforcement actions. That’s not a coincidence. It’s because a documented SRA is also evidence that you knew about a gap. If you identified a gap and didn’t remediate it, you’ve moved from Tier 1 (unknowing violation) to Tier 3 or 4 territory — which is where the $73,000–$2.19 million per year penalties live.

Vulnerability Scanning and Penetration Testing

The proposed rule introduces explicit requirements for regular vulnerability scanning and annual penetration testing conducted by experienced security professionals. This is a significant operational lift for most small-to-mid-size practices. Automated vulnerability scans are not the same as penetration testing — they don’t validate that a vulnerability is actually exploitable. Both are now expected.

Network Segmentation and Asset Inventory

Two new requirements that are often the biggest surprise for practice managers: you need a documented, current asset inventory of every device and system that touches ePHI, and your network needs to be segmented so that a compromised device can’t laterally move to your EHR or billing system.

In practical terms, this means your MFPs, your imaging systems, your front-desk workstations, and your clinical workstations should not all be on the same flat network. Network segmentation — separating those environments with VLANs, firewalls, and access controls — is now an expected baseline, not an enterprise-only luxury. This is something ABT’s Managed IT team addresses during every healthcare environment assessment.

Audit Logs and Access Controls

Unique user IDs (no shared logins — ever), automatic session timeouts, emergency access procedures, and comprehensive audit logs that track who accessed what ePHI, when, and from where. These have always been required, but enforcement is intensifying. If your EHR vendor provides audit log capability and your IT partner isn’t managing and reviewing those logs, you have a gap.
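“Managing and reviewing” audit logs means more than storing them. The following is an added example, not an EHR vendor’s log format or ABT’s tooling: it assumes one access event per line (ISO timestamp, user ID, source IP, action, patient record ID), a constructed format, and runs three reviews over constructed sample lines: the same user ID active from two source IPs within five minutes (a shared-login indicator), access outside business hours, and bulk record access in a short window. The business-hours window and thresholds are assumptions to tune for your practice.

```python
"""Audit-log review over constructed ePHI access events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events; timestamps, users, IPs and record IDs are made up.
SAMPLE_LOG = """\
2026-05-04T09:02:11 jdoe 10.10.20.15 VIEW P-1001
2026-05-04T09:03:40 jdoe 10.10.20.15 VIEW P-1002
2026-05-04T09:04:05 jdoe 10.10.30.7 VIEW P-1003
2026-05-04T22:15:30 frontdesk 10.10.20.21 VIEW P-2001
2026-05-04T13:00:00 msmith 10.10.20.18 VIEW P-3001
2026-05-04T13:00:30 msmith 10.10.20.18 VIEW P-3002
2026-05-04T13:01:00 msmith 10.10.20.18 VIEW P-3003
2026-05-04T13:01:30 msmith 10.10.20.18 VIEW P-3004
2026-05-04T13:02:00 msmith 10.10.20.18 VIEW P-3005
2026-05-04T13:02:30 msmith 10.10.20.18 VIEW P-3006
2026-05-04T13:03:00 msmith 10.10.20.18 VIEW P-3007
2026-05-04T13:03:30 msmith 10.10.20.18 VIEW P-3008
2026-05-04T13:04:00 msmith 10.10.20.18 VIEW P-3009
"""


def parse_events(text):
    """Parse the assumed line format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, action, record = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "action": action, "record": record})
    return sorted(events, key=lambda e: e["ts"])


def _by_user(events):
    grouped = defaultdict(list)
    for e in events:
        grouped[e["user"]].append(e)
    return grouped


def find_shared_login_indicators(events, window):
    """One user ID seen from two source IPs within `window`: likely a shared login."""
    findings, seen = [], set()
    for user, evs in _by_user(events).items():
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break
                key = (user, frozenset({a["ip"], b["ip"]}))
                if a["ip"] != b["ip"] and key not in seen:
                    seen.add(key)
                    findings.append(("shared_login", user,
                                     f"{a['ip']} and {b['ip']} within {window}"))
    return findings


def find_after_hours(events, start_hour, end_hour):
    """Access outside [start_hour, end_hour) deserves a documented reason."""
    return [("after_hours", e["user"], f"{e['action']} {e['record']} at {e['ts'].isoformat()}")
            for e in events if not (start_hour <= e["ts"].hour < end_hour)]


def find_bulk_access(events, threshold, window):
    """`threshold` or more distinct records by one user inside `window`."""
    findings = []
    for user, evs in _by_user(events).items():
        for i, a in enumerate(evs):
            records = {e["record"] for e in evs[i:] if e["ts"] - a["ts"] <= window}
            if len(records) >= threshold:
                findings.append(("bulk_access", user,
                                 f"{len(records)} distinct records within {window}"))
                break  # one finding per user is enough for review
    return findings


def review_audit_log(text, business_hours=(7, 19), concurrent_window=timedelta(minutes=5),
                     bulk_threshold=8, bulk_window=timedelta(minutes=10)):
    """Run all three reviews and return a list of (kind, user, detail) findings."""
    events = parse_events(text)
    return (find_shared_login_indicators(events, concurrent_window)
            + find_after_hours(events, *business_hours)
            + find_bulk_access(events, bulk_threshold, bulk_window))


if __name__ == "__main__":
    for kind, user, detail in review_audit_log(SAMPLE_LOG):
        print(f"{kind:13} {user:10} {detail}")
```

Each finding is a review item, not a verdict: a clinician covering a second site or a coder working a backlog will trip these rules legitimately. The point is that the review happened and is documented, which is what the rule asks for.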

4. Administrative Safeguards: The Documentation Problem

This is where most Colorado practices fall apart — not because they’re negligent, but because administrative safeguards require a different kind of discipline than technical ones. Your IT vendor can configure MFA. They can’t write your incident response policy for you (well, a good one can help, but it has to be your policy). Here’s what has to exist as actual, retrievable documentation:

Requirement | What It Actually Means | Status Under 2026 Rule
Annual Security Risk Assessment | Formal, documented, drives remediation with assigned owners and timelines | Mandatory annually
Incident Response Plan | Written plan with specific timeframes for detection, containment, notification | Timeframes now required
Workforce Training | Role-based, documented, includes phishing awareness, not just a generic video | Required + documented
Sanctions Policy | Written consequences for workforce HIPAA violations; must be applied consistently | Existing requirement
Network / ePHI Flow Map | Current documentation of where ePHI lives and how it moves, updated annually | New requirement
Notice of Privacy Practices (NPP) | Must include updated reproductive health and SUD language per 2026 amendments | Feb 16, 2026 deadline

The NPP deadline deserves emphasis: February 16, 2026 has already passed. If you haven’t updated your Notice of Privacy Practices to include the required reproductive health care language (from the 2024 Final Rule) and the updated Part 2 SUD disclosures, you’re currently non-compliant. This is a quick fix — your compliance attorney or a HIPAA compliance platform can update this in a day — but it needs to happen immediately.

The Real Compliance Gap

88% of healthcare data breaches involve human error. Training isn’t a nicety — it’s your first line of defense and it’s documented proof that you took reasonable steps. A workforce that knows how to spot a phishing attempt, understands why they can’t use personal email for patient info, and knows the incident reporting process is worth more than any single technical control.

5. Physical Safeguards: The Overlooked Requirement

I have a consistent conversation with practice managers who believe HIPAA is primarily a technology problem. It’s not. Physical access to systems that touch ePHI is a covered requirement — and it intersects directly with the access control infrastructure in your building.

Physical safeguard requirements include:

  • Facility access controls: Who can physically reach your server room, your medical records storage, your workstations? “It’s in a locked office” isn’t a policy. It needs to be documented access management with audit trails.
  • Workstation placement: Is the front-desk screen visible to patients in the waiting room? That’s a HIPAA exposure. Workstation positioning, screen filters, and clean desk policies are all in scope.
  • Device disposal: Decommissioned workstations, retired MFPs, old hard drives — all require documented destruction procedures. Your MFP recycling process needs to include documented hard drive sanitization or destruction before the device leaves your facility.
  • Mobile device management: Any device that can access ePHI — including personal phones used for clinical apps — needs to be in scope for your MDM policy, with remote wipe capability documented.
  • Visitor and vendor access: Your IT vendor, your copier technician, your janitorial staff — anyone with physical access to areas where ePHI exists needs documented access policies.

This is where cloud-managed access control becomes a HIPAA tool, not just a security investment. Badge-based entry with audit logs, zone-based access policies for medication rooms and records areas, time-bound vendor access — these create the documented physical access controls the rule requires, and they generate the audit trails that make an OCR investigation survivable.

ABT Access Control for Healthcare

ABT deploys cloud-managed access control systems for Colorado medical practices — badge readers, door controllers, audit logs, and mobile management from a single dashboard. Verkada-authorized. All three Front Range offices for onsite support.


6. Business Associate Agreements and Vendor Oversight

Your BAA is not a compliance checkbox. It’s a legally binding contract that defines your vendor’s obligations — and under the 2026 rule, the bar for what that contract must contain and what oversight you must exercise is going up significantly.

Every vendor that creates, receives, maintains, or transmits ePHI on your behalf is a Business Associate and requires a signed BAA before they touch your data. That list includes:

  • Your IT managed services provider
  • Your EHR and practice management system vendor
  • Your cloud storage and backup provider
  • Your medical billing company
  • Your transcription service
  • Any telehealth platform
  • Your document management or secure fax provider
  • Your MFP/copier service provider if devices store or transmit ePHI

Under the proposed 2026 rule, BAAs must now specify the actual cybersecurity requirements — MFA coverage, encryption controls, incident reporting timelines, vulnerability scanning and pen testing obligations. Generic BAA language that references “appropriate safeguards” without specificity may no longer satisfy the standard.

The 2026 rule also introduces a 24-hour notification requirement for business associates: if a BA activates their contingency plan due to a system disruption or security incident, they must notify you within 24 hours. If your current IT vendor’s SLA doesn’t include this, it needs to be renegotiated.

MFP Hard Drives and BAAs

Modern MFPs store copies of scanned documents on internal hard drives. If your copier or MFP dealer doesn’t have a signed BAA and a documented process for hard drive sanitization at end-of-lease, you have a live HIPAA exposure right now. Ask your managed print provider for their BAA and data destruction documentation before your next lease renewal.

7. What to Ask Your MSP Before You Sign (or Renew)

Not every managed IT provider is equipped to serve healthcare. General IT support is not the same as HIPAA-aligned IT management. Here are the questions that separate MSPs who understand the compliance environment from those who are figuring it out on your dime:

Ask This | Why It Matters
“Will you sign a BAA that specifies your MFA, encryption, and incident notification obligations?” | A provider that hedges on this is telling you something important about their HIPAA posture
“Can you produce the SRA report you conducted for your last healthcare client?” | If they can’t show you a real SRA, they’re unlikely to produce one for you
“How do you handle MFA enforcement for staff who resist it?” | Rollout without change management is the single biggest reason MFA deployments fail
“What does your 24-hour incident notification process look like?” | Required under the proposed 2026 rule; your provider needs a documented process, not just a phone number
“Do you provide network segmentation for clinical environments?” | Flat networks where MFPs and EHR workstations share the same VLAN are a documented risk vector
“How do you handle end-of-life device data destruction for copiers and workstations?” | Physical safeguard; requires documented destruction with attestation, not just recycling

If you’re in the Denver metro, Colorado Springs, or the Westminster/NoCO corridor, ABT’s healthcare IT team works directly with practice managers and compliance officers to answer these questions — and to show you the documentation before you sign anything. Request a free assessment here.

8. The Colorado Practice 2026 Readiness Checklist

Use this to assess where you stand today. Every “No” or “Unknown” is a gap your IT partner and compliance team need to address before enforcement begins.

Technical Safeguards

  • MFA enforced on EHR, email, remote access, and cloud systems (Required 2026)
  • ePHI encrypted at rest on all workstations, servers, and backup media (Required 2026)
  • ePHI encrypted in transit; no unencrypted email with PHI (Required 2026)
  • Unique user IDs; no shared logins across any ePHI system (Existing)
  • Automatic session timeouts on all ePHI workstations (Existing)
  • Network segmentation separating clinical, administrative, and guest networks (Required 2026)
  • Vulnerability scanning conducted regularly, automated and reviewed (Required 2026)
  • Annual penetration test by a qualified security professional (Required 2026)

Administrative Safeguards

  • Formal annual SRA conducted, documented, and producing an actionable remediation plan (Mandatory annual)
  • Designated HIPAA Security Officer identified and documented (Existing)
  • Written incident response plan with specific detection, containment, and notification timeframes (Updated 2026)
  • Current ePHI flow map / network documentation updated within the last 12 months (Required 2026)
  • Role-based workforce training with documented completion records (Existing + updated)
  • NPP updated with reproductive health and SUD language; Feb 16, 2026 deadline (Deadline passed)
  • All BA vendors have current, specific BAAs on file, reviewed within the last 12 months (Updated 2026)

Physical Safeguards

  • Documented physical access controls for server rooms and records areas, with audit logs (Existing)
  • Workstations positioned so patient data is not visible to unauthorized individuals (Existing)
  • MDM policy covering all mobile devices that can access ePHI, including personal devices (Existing)
  • Device disposal procedure with documented hard drive destruction or sanitization, including MFPs (Existing)

Free Assessment — Colorado Medical Practices

Not Sure How Many Gaps You Have?

ABT’s healthcare IT assessment covers every item in this checklist — technical, administrative, and physical safeguards — and gives you a prioritized gap report mapped to the 2026 requirements. No charge, no obligation. Denver, Colorado Springs, and Westminster.


9. FAQ: HIPAA IT Compliance for Colorado Medical Practices

Is my IT vendor automatically my Business Associate?

If they have any access to systems that create, receive, maintain, or transmit ePHI — yes. That includes remote monitoring and management tools, backup software, and even help desk access to workstations. A BAA is required before they touch your environment. If your current IT provider hasn’t signed one, that’s a compliance gap that exists right now, regardless of the 2026 rule.

Do the 2026 HIPAA Security Rule changes apply to small practices?

Yes, with no size exception. The proposed rule explicitly eliminates the ability to use size or complexity as justification for not implementing required controls. A two-physician family practice in Colorado Springs and a 200-provider health system are held to the same baseline technical safeguard standards. The difference is in the resources available to implement them, not in whether they apply.

What’s the difference between a Security Risk Assessment and a HIPAA audit?

An SRA is something you do proactively — it’s your own internal (or third-party-assisted) analysis of where your ePHI is, what the risks to it are, and what you’re doing to mitigate those risks. An audit is something OCR does to you — either in response to a breach complaint or as part of an enforcement investigation. A well-documented SRA is your primary defense in an audit. OCR can’t penalize you for a risk you identified and had a documented plan to remediate. They can — and do — penalize you for risks you never found because you never looked.

My EHR vendor says they handle HIPAA compliance. Is that true?

Partially. Your EHR vendor is responsible for the security of their application and the data within their hosted environment. They are not responsible for your endpoint security, your network configuration, your workforce training, your physical safeguards, your backup procedures, or your administrative policies. The fact that your EHR is cloud-hosted and HIPAA-certified doesn’t mean your practice is HIPAA compliant. It means one piece of the picture is covered.

What’s the most common HIPAA violation OCR actually penalizes?

Risk analysis failures — by a significant margin. This means either never conducting an SRA, or conducting one that wasn’t comprehensive enough to drive real remediation. The second most common: insufficient access controls (shared logins, no termination of access for former employees, no session timeouts). Both are fixable with a competent IT partner and a compliance workflow.

How does ABT handle HIPAA compliance as an MSP?

ABT signs BAAs for all in-scope healthcare IT services. We conduct documented SRAs as part of our healthcare onboarding and annual review process, implement and enforce MFA across all managed environments, provide network segmentation for clinical environments, manage endpoint encryption, and produce the audit logs and documentation your compliance team needs. We’re not a compliance law firm — your attorneys define your legal obligations — but we’re the IT partner that makes those obligations implementable. Learn more about ABT Managed IT Services here.

About the Author

Wendy Campbell

Director of Marketing, Automated Business Technologies (ABT)

Wendy oversees all digital marketing and content strategy for ABT, a Colorado-owned B2B technology company serving the Front Range since 2005. ABT is an authorized dealer for Canon, HP, Kyocera, Epson, Xerox, Fujifilm, Verkada, and Crexendo, with offices in Centennial/Denver, Colorado Springs, and Westminster.

Related Resources

→ ABT Managed IT Services for Colorado Businesses

24/7 monitoring, help desk, endpoint security, backup & DR, vCIO strategy

→ ABT Healthcare Solutions

Devices, Managed IT, Managed Print, and access control for Colorado medical practices


→ Access Control Solutions — ABT Colorado

Cloud-managed physical access for healthcare facilities — Verkada authorized partner

→ Managed Print Services — Secure Print for Healthcare

Pull printing, audit trails, BAA, and hard drive destruction for MFPs