Regulatory Intelligence

Compliance Updates & Regulatory News

GuardWell's regulatory intelligence engine monitors federal and state regulatory sources daily. Here are the latest updates affecting healthcare practices.

February 2026

February 16, 2026 · HIPAA

42 CFR Part 2 Aligns with HIPAA — Substance Use Disorder Records

The final rule aligning 42 CFR Part 2 with HIPAA took effect February 16, 2026. Substance use disorder (SUD) treatment records can now be disclosed under the same framework as other protected health information, reducing the separate-consent burden for providers while maintaining patient protections against use in legal proceedings.

What this means for your practice

Practices that handle SUD records should update their Notice of Privacy Practices and train staff on the streamlined disclosure rules.

Source: SAMHSA / HHS

November 2025

November 1, 2025 · CMS

CMS Finalizes 2026 MIPS Performance Thresholds and MVPs

CMS released the 2026 Medicare Physician Fee Schedule final rule with updated MIPS performance thresholds. The performance threshold increased to 82 points (from 75), and additional MIPS Value Pathways (MVPs) are now available for specialty-focused reporting. The rule also updates the cost category weight to 40 percent of the final score.

What this means for your practice

Review your MIPS reporting strategy, especially if you use traditional MIPS. Consider transitioning to an MVP that aligns with your specialty.

Source: Centers for Medicare & Medicaid Services

June 2025

June 1, 2025 · OCR

OCR HIPAA Enforcement Trends: Record Settlements in 2025

HHS OCR continued aggressive HIPAA enforcement through 2025, reaching settlement agreements totaling over $12 million in the first half of the year. Notable actions targeted failures in Security Risk Analysis, lack of encryption, improper disposal of PHI, and insufficient access controls. Small practices were not exempt, with several sub-10-provider offices receiving penalties.

What this means for your practice

Ensure your Security Risk Analysis is current and documented. Small practices should not assume they are below the enforcement threshold.

Source: HHS Office for Civil Rights

March 2025

March 15, 2025 · DEA

DEA Updates Electronic Prescribing for Controlled Substances (EPCS) Rules

The DEA finalized updates to 21 CFR Parts 1300, 1304, and 1311 governing electronic prescribing of controlled substances. The updates modernize identity proofing requirements, expand approved two-factor authentication methods, and streamline the EPCS application process for providers using certified EHR systems.

What this means for your practice

Verify your EHR's EPCS module meets the updated authentication requirements. Providers not yet using EPCS should evaluate certified solutions.

Source: Drug Enforcement Administration

January 2025

January 15, 2025 · OIG

OIG Releases 2025 Work Plan: Healthcare Fraud Priorities

The HHS Office of Inspector General published its 2025 Work Plan highlighting enforcement priorities for healthcare providers. Key focus areas include telehealth billing oversight, Medicare Advantage risk adjustment audits, opioid prescribing patterns, and laboratory test utilization reviews. The Work Plan signals where OIG will direct audit and investigation resources.

What this means for your practice

Review your billing practices for telehealth services and ensure documentation supports medical necessity. Audit high-risk CPT codes flagged in the plan.

Source: HHS Office of Inspector General

January 6, 2025 · HIPAA

HHS Proposes Major HIPAA Security Rule Overhaul

HHS published a Notice of Proposed Rulemaking to modernize the HIPAA Security Rule for the first time since 2013. Key proposals include mandatory encryption of ePHI at rest and in transit, required multi-factor authentication, annual compliance audits, and more prescriptive technical safeguard standards. The comment period has closed and a final rule is anticipated in 2026.

What this means for your practice

Start preparing now: assess current encryption practices, evaluate MFA readiness, and review your Security Risk Analysis process.

Source: HHS Office for Civil Rights

January 1, 2025 · OSHA

OSHA Expands Electronic Injury Reporting Requirements

Starting January 1, 2025, establishments with 100 or more employees in designated high-hazard industries must electronically submit OSHA Form 300 (Log of Work-Related Injuries) and Form 301 (Injury and Illness Incident Report) in addition to the existing Form 300A requirement. This data will be published on a searchable public database.

What this means for your practice

Larger practices must ensure all three OSHA forms are submitted electronically by March 2 each year. Verify your OSHA ITA account is active.

Source: Occupational Safety and Health Administration

June 2024

June 25, 2024 · HIPAA

HIPAA Privacy Rule Update: Reproductive Health Information Protections

The final rule adding protections for reproductive health information under HIPAA took effect June 25, 2024. Covered entities and business associates are now prohibited from disclosing PHI related to lawful reproductive healthcare for non-healthcare purposes such as investigations or legal proceedings in states where the care was legally provided.

What this means for your practice

Update your Notice of Privacy Practices to reflect new reproductive health attestation requirements and train staff on permissible disclosures.

Source: HHS Office for Civil Rights

Never miss a compliance change

GuardWell automatically monitors regulatory sources, analyzes changes, and updates your compliance program — so you don't have to.


Start your compliance journey today

Join practices using GuardWell Compliance to stay ahead of HIPAA audits, OCR enforcement, and state regulatory inspections — $199/month with annual billing. Try free for 7 days.

No setup fees · No contracts · Cancel anytime
