HIPAA’s New Security Rule: Why Your Clients’ Risk Assessments and BAAs No Longer Comply

Jennifer C. Everett | ALSTON & BIRD LLP
Jennifer Pike | Alston & Bird
Alaap B. Shah | Epstein Becker & Green, P.C.

On-Demand: June 30, 2026

2 hour CLE

Tuition: $195.00
Co-Sponsored by myLawCLE

Program Summary

OCR just eliminated the flexibility that made HIPAA compliance manageable. The "addressable" safeguards your clients deferred for years—MFA, encryption, network segmentation, penetration testing—are becoming binding mandates, and the risk assessments and BAAs in their files no longer hold up. With a 240-day compliance clock and OCR already penalizing risk-analysis failures, this program gives you the gap analysis framework, BAA renegotiation strategy, and board-counseling roadmap to get clients defensible before the rule goes final.

What Will You Learn

Attorneys will learn how the HIPAA Security Rule NPRM eliminates the required versus addressable distinction, expands OCR jurisdiction over business associates, and mandates prescriptive technical safeguards under 45 C.F.R. Part 164 Subpart C.

What Will You Gain

Attorneys will gain the ability to identify HIPAA compliance gaps, recalibrate business associate oversight and contracting strategies, and advise boards on risk mitigation while rulemaking remains unresolved.

Key topics to be discussed:

  • Security rule rewrite
    The HIPAA Security Rule NPRM overhauls 45 C.F.R. Part 164 Subpart C for the first time in two decades.
  • Addressable eliminated
    The rule removes the required versus addressable framework, converting flexible safeguards into binding HIPAA mandates.
  • BA jurisdiction
    OCR enforcement expands over business associates, subcontractors, and fringe data handlers under 45 C.F.R. § 160.103.
  • Annual verification
    A new annual business associate verification regime prepares organizations for continuous downstream vendor chain oversight.
  • Mandatory MFA
    Multi-factor authentication becomes required for remote and privileged access to electronic protected health information.
  • Risk analysis
    Enterprise-wide HIPAA gap analyses and written risk assessments anchor OCR's primary enforcement focus.

This course is co-sponsored with myLawCLE.

Closed-captioning available

Speakers

Jennifer C. Everett, Partner | ALSTON & BIRD LLP

Jennifer C. Everett is a partner at Alston & Bird in Washington, D.C., where she focuses on regulatory compliance, enforcement, and transactions in data privacy, cybersecurity, health care, and emerging technologies. As a trusted adviser with over 15 years of experience, she skillfully manages data privacy, cybersecurity, and technology issues both in the U.S. and globally. Jennifer offers strategic guidance to public and private companies across several sectors, including life sciences and health technology, when navigating state, federal, and international privacy regulations, including the EU General Data Protection Regulation (GDPR), state-specific privacy laws, biometric regulations, children’s privacy, workplace privacy, the Federal Trade Commission Act, and other U.S. consumer privacy statutes. She oversees all aspects of U.S. and international data breach investigation and response, providing guidance on forensic investigations, notifications, and related regulatory inquiries. With extensive knowledge of health privacy law, Jennifer provides guidance on a variety of intricate health data matters, including those governed by HIPAA and other regulations, and she actively assists clients in creating privacy programs and mitigating risks related to technologies in digital health and AI-driven platforms. Her consumer protection practice includes counseling clients on marketing and promotional issues, including interest-based ads; automatic renewal and subscriptions; SMS text messaging and telemarketing; and other state and federal consumer protection laws.

  • Education & Credentials

Jennifer earned her J.D. from the University of Virginia in 2008 and her B.A. from Northwestern University in 2003. She is admitted to practice in the District of Columbia and Virginia, and she speaks Japanese.

  • Recognition & Leadership

Jennifer’s work has earned significant recognition, including being named to the Washington Business Journal’s “40 Under 40” and selected by Virginia Lawyers Weekly as a Go To Lawyer for Cybersecurity/Privacy (2025). She was recognized by Lawdragon as a “Leading Cyber Lawyer” (2024–2025) and by Law360 as a Rising Star in Cybersecurity (2020). She also serves on the advisory board of Corporate Counsel Women of Color Next Gen (2025).

  • Professional Involvement

Jennifer is a member of the International Association of Privacy Professionals, the American Bar Association, and the National Bar Association. She also serves on the board of directors of the Washington Legal Clinic for the Homeless. She is an active author and speaker, with publications including “Flurry of Federal Trade Commission Activity Shows Enforcement Emphasis on Youth Protection” (Pratt’s Privacy & Cybersecurity Law Report, January 2026), “What Businesses Need to Know About California’s AI Safety Law” (Bloomberg Law, December 2025), “Strategies for Addressing Cybersecurity Threats to a Prime Critical Infrastructure Target – Data Centers” (Cybersecurity Law Report, September 2025), “Protecting Data and Avoiding Pitfalls with AI Assets During M&A” (Bloomberg Law, April 2025), and “Federal Trade Commission’s Updated Health Breach Notification Rule Is Now in Effect” (Employee Benefit Plan Review, November 2024). Her presentations include “Unlocking Value: Optimizing Efficiency and Minimizing Risk through Defensible Data Retention Program” at the Association of Corporate Counsel’s 2024 General Counsel Toolkit and “The Brussels Effect (Again): Compliance Strategies for the EU’s New Digital and Cyber Laws” at the Privacy + Security Forum Spring Academy in May 2024.

  • Experience

Jennifer has defended clients in regulatory inquiries regarding data security practices, including investigations by the FTC, the U.S. Department of Health and Human Services, state attorneys general, and international regulators following data security incidents, and she frequently conducts training sessions for senior leadership and corporate boards focused on mitigating privacy and cyber risks. In her regulatory advisory and compliance work, she has advised numerous companies on proactive compliance with emerging U.S. state comprehensive privacy laws, including the CCPA, VCDPA, CTDPA, and Consumer Privacy Act, as well as topical state privacy laws relating to health and biometric data; advised companies on website design and deployment of adtech and other third-party technologies; conducted privacy and security assessments for international SaaS platform providers and data analytics companies; advised smart camera companies on the deployment of smart technologies, including facial recognition; and counseled online services companies on emerging laws related to teen and child users, age verification, and parental consent. On the regulatory and enforcement side, she has resolved U.S. state and multistate attorney general investigations following data breaches, resolved an FTC investigation involving a consumer goods company, represented an online financial consumer company in a state attorney general investigation following a security incident, and represented hospitals and health care companies in investigations by the Office of Civil Rights following data breaches. In incident response matters, she advised an online consumer goods company on a global incident involving a breach of more than 20 million records and counseled health care companies, hospitals, and pharmaceutical companies on all aspects of incident response, including forensic investigations and notification obligations under various state and federal laws, including HIPAA.


Jennifer Pike, Partner | Alston & Bird

Jennifer Pike is Counsel at Alston & Bird in the firm’s Washington, D.C. office, where she has cultivated a dynamic legal practice at the intersection of health care regulation, privacy and cybersecurity, and technology contracting. She serves as a trusted advisor for clients across the health care, technology, and life sciences sectors, supporting providers, health plans, technology vendors, and investors as they navigate the complex landscape of health care data protection and regulatory compliance. Clients rely on Jen to craft strategic and practical solutions as they address complex regulatory challenges and innovation-driven legal issues involving HIPAA-regulated health care data. She advises on health care data sharing initiatives and the integration of emerging technologies such as artificial intelligence, leads HIPAA security risk assessments, develops privacy policies, and counsels organizations on data monetization and technology adoption. Her proactive and collaborative approach helps health care clients stay ahead of regulatory changes and leverage innovation for strategic growth, while her deep experience in health care data breach response equips her to guide clients through HIPAA reporting obligations, risk assessment, notification strategies, and regulatory investigations.

  • Education & Credentials

Jennifer graduated cum laude from the University of Maryland School of Law, earning her J.D. in 2011, and earned her Bachelor of Science with honors from the University of Maryland, College Park, in 2008. She is admitted to practice in the District of Columbia and Maryland.

  • Professional Involvement

Jennifer is actively engaged in thought leadership on health care data and privacy issues. She has contributed to public-facing educational content addressing how HIPAA shapes health care data monetization strategies, including the distinctions in HIPAA permissions for covered entities and business associates, de-identification, and the critical role of business associate agreements. She has participated in discussions on deploying vendor-provided AI solutions into health care workflows—covering organizational goals, vendor evaluation, key contract terms, and ongoing auditing—and has assessed federal privacy developments, including the Request for Information from Congress’s Privacy Working Group, addressing potential HIPAA exemptions, private rights of action, data security standards, and the interplay between federal regulation and state artificial intelligence requirements. Her practice spans related services and industries including health care, HIPAA/health information privacy, security and breach response, privacy, cyber and data strategy, health care regulatory counseling and fraud and abuse, artificial intelligence, corporate health care transactions, private equity, technology transactions, hospitals and hospital systems, digital health care, electronic health records and health IT, remote patient monitoring, technology-enabled behavioral health, and telehealth program development and compliance.

  • Experience

Jennifer assisted in the investigation and HIPAA individual and substitute notice process for the largest health care data breach in history. She has guided clients through all aspects of health care transactions across the industry, including deal structure, due diligence, negotiation of purchase agreements, and the preparation and submission of state and federal regulatory filings, along with health care licensing and change of ownership issues. She has guided clients through IT-related transactions, including analysis of arrangements aligned with client business goals and risk profiles, and the negotiation of data use agreements, license agreements, SaaS agreements, service level agreements, information security agreements, end user license agreements, and terms and conditions. Jennifer has advised health care entities on federal and state regulatory and compliance issues, including Medicare and Medicaid conditions of participation, billing and reimbursement, corporate practice of medicine, licensure, and ACA Section 1557. She has provided strategic guidance to health care providers on the integration and application of artificial intelligence technologies, as well as to developers of such technologies; drafted and negotiated physician services agreements ensuring compliance with federal and state fraud and abuse laws; advised one of the top five U.S. banks on establishing a HIPAA compliance program from the ground up to support its financial services for health care providers; conducted a comprehensive privacy risk assessment of an urgent care provider’s website and advised on mitigation strategies to reduce exposure to FTC and state enforcement actions as well as active class action litigation; and advised the creator of an AI-powered ophthalmology app on regulatory risks while drafting commercialization terms to support its launch in the health care space. Before joining private practice, Jen was a policy analyst for the American Podiatric Medical Association.


Alaap B. Shah, Co-leader | Epstein Becker & Green, P.C.

Alaap B. Shah is a Member of the Firm at Epstein Becker & Green, P.C., based in the firm’s Washington, DC office. Tech-savvy and solutions-oriented, Alaap deftly guides clients through complex and ever-evolving privacy, cybersecurity, medical device, artificial intelligence (AI), interoperability, digital health, telehealth, fraud and abuse, and other laws and regulations. As a co-leader of Epstein Becker Green’s AI Cross-Practice Working Group, he helps clients compliantly develop and deploy these cutting-edge technologies, enabling them to build trust among stakeholders so they can robustly collect, share, analyze, and protect data and information technology assets. Alaap’s clients include all types of health care, life sciences, data analytics, and technology companies at various stages of development, ranging from startup companies in the United States and abroad developing digital health applications, medical devices, telehealth solutions, AI, and data analytics platforms, to mid-size and large companies seeking to expand and mature legal, compliance, and risk management functions. Clients appreciate his strategic and pragmatic approach to risk management that bridges the gap among legal, compliance, IT, and business teams, and his ability to translate “IT speak” for legal, compliance, and business people.

  • Education & Credentials

Alaap earned his J.D., cum laude, from the University of Maryland School of Law, where he served as Notes & Comments Editor of the Journal of Health Care Law & Policy. He holds a Master of Public Health (M.P.H.) in Health Policy & Management from Columbia University and a Bachelor of Science (B.S.) in Biochemistry from Union College. He is admitted to practice in the District of Columbia and New York. Alaap also holds several globally recognized technology and information assurance credentials, including the Artificial Intelligence Governance Professional (AIGP) and Certified Information Privacy Professional in the United States (CIPP/US) certifications from the International Association of Privacy Professionals (IAPP), the Certified Professional in Healthcare Information and Management Systems (CPHIMS) certification from the Healthcare Information and Management Systems Society, and the Certified Common Security Framework Practitioner (CCSFP) certification from the Health Information Trust Alliance (HITRUST).

  • Recognition & Leadership

Alaap has been recognized by OneTrust DataGuidance as a “DataGuidance Expert” for Washington, DC. Within Epstein Becker Green, he serves as Vice Chair of the firm’s Diversity and Professional Development Committee, a Board-level committee that includes the firm’s Pro Bono Program and Hiring Committee, and as a co-leader of the firm’s AI Cross-Practice Working Group.

  • Professional Involvement

Alaap is an active contributor to several professional organizations and advisory bodies. He serves as a Member of the 4medica® Advisory Board and as a Member of the American Health Lawyers Association’s AI Program Planning Committee. He is also affiliated with the North Asian Pacific American Bar Association and the South Asian Bar Association.

  • Experience

Alaap began his legal career at Epstein Becker Green and later served as Senior Counsel and Chief Privacy and Security Officer at an oncology membership society, where he strengthened enterprise-wide privacy and security, helped launch a Big Data company focused on improving quality of care by harnessing real world cancer patient medical information, and built data sharing trust networks among the oncology community, before rejoining the firm in October 2017. During law school, he worked with the U.S. Department of Health and Human Services (HHS), Office of General Counsel, providing legal counsel and support to all agencies and programs under the Public Health Division of HHS. His representative experience includes assisting a U.S.-based technology company providing point-of-care decision support related to laboratory test selection and management to obtain HITRUST certifications and conduct HIPAA-compliant risk analyses and management planning; developing a compliance model for a U.S.-based data analytics company offering point-of-care coordination tools and supporting downstream research activities; assisting a U.S.-based health information technology, interoperability, data analytics, and AI platform company in performing initial and ongoing in-depth 50-state research across consent and authorization laws; serving as virtual General Counsel and Privacy Officer for a California-based provider group to support a wide range of legal and regulatory compliance efforts as well as contracting and M&A transactions; and assisting a U.S.-based health insurance company with mobilizing a response team to investigate a security event, contain the threat, remediate the issue, and support determinations about legal and regulatory notification requirements to state and federal authorities.

Agenda

SESSION 1 – Navigating the Security Rule in Flux Amid Accelerating OCR Enforcement | 1:00pm – 2:00pm

This session examines the January 2025 HIPAA Security Rule NPRM and OCR’s accelerating enforcement against business associates and subcontractors, addressing elimination of the required versus addressable distinction, annual verification obligations, cascading vendor liability, and concrete compliance actions attorneys should prioritize while rulemaking remains unresolved.

BREAK | 2:00pm – 2:10pm

SESSION 2 – Prescriptive Technical Safeguards and the AI Threat Landscape | 2:10pm – 3:10pm

This session examines the technical safeguards mandatory under the HIPAA Security Rule NPRM—MFA, encryption, network segmentation, least-privilege access, and penetration testing—while addressing ransomware and AI-enabled threats, connecting each mandate to risk assessments, BAA amendments, incident response, and practice development.

Credits

Jurisdiction | Status | Credit

Alaska | Approved for CLE Credits | 2 General
  Our programs are CLE-eligible through Alaska’s recognition of multi-jurisdictional reciprocity.
Alabama | Approved for Self-Study Credits | 2 General
Arkansas | Approved for CLE Credits | 2 General
Arizona | Approved for CLE Credits | 2 General
California | Approved for CLE Credits | 2 General
Colorado | Pending CLE Approval | 2 General
Connecticut | Approved for CLE Credits | 2 General
District of Columbia | No MCLE Required | 2 CLE Hour(s)
Delaware | Pending CLE Approval | 2 General
Florida | Approved via Attorney Submission | 2 General Hours
  Receive CLE credit in Florida via attorney submission.
Georgia | Pending CLE Approval | 2 General
Hawaii | Approved for CLE Credits | 2 General
Iowa | Pending CLE Approval | 2 General
Idaho | Pending CLE Approval | 2 General
Illinois | Pending CLE Approval | 2 General
Indiana | Pending CLE Approval | 2 General
Kansas | Pending CLE Approval | 2 Substantive
Kentucky | Pending CLE Approval | 2 General
Louisiana | Pending CLE Approval | 2 General
Massachusetts | No MCLE Required | 2 CLE Hour(s)
Maryland | No MCLE Required | 2 CLE Hour(s)
Maine | Pending CLE Approval | 2 General
Michigan | No MCLE Required | 2 CLE Hour(s)
Minnesota | Pending CLE Approval | 2 General
Missouri | Approved for Self-Study Credits | 2.4 General
Mississippi | Pending CLE Approval | 2 General
Montana | Pending CLE Approval | 2 General
North Carolina | Pending CLE Approval | 2 General
North Dakota | Approved for CLE Credits | 2 General
  Our programs are CLE-eligible through North Dakota’s recognition of multi-jurisdictional reciprocity. Section 1, Policy 1.14
Nebraska | Pending CLE Approval | 2 General
  myLawCLE reports attendance to Nebraska on each attorney’s behalf for all programs. Please do not self-report.
New Hampshire | Approved for CLE Credits | 120 General minutes
  As of July 1, 2014, the NHMCLE Board no longer provides pre- or post-approval of courses. Attendees must self-determine whether a program is eligible for credit, and self-report their attendance online at www.nhbar.org, based on qualification provisions of Rule 53.
New Jersey | Approved for CLE Credits | 2.4 General
  Our programs are CLE-eligible through New Jersey’s recognition of multi-jurisdictional reciprocity, except for the courses required under BCLE Reg. 201:2
New Mexico | Approved for Self-Study Credits | 2 General
Nevada | Pending CLE Approval | 2 General
New York | Approved for CLE Credits | 2 General
  Our programs are CLE-eligible through New York’s Approved Jurisdiction Group “B”.
Ohio | Approved for Self-Study Credits | 2 General
Oklahoma | Pending CLE Approval | 2.5 General
Oregon | Pending CLE Approval | 2 General
Pennsylvania | Approved for Self-Study Credits | 2 General
Rhode Island | Pending CLE Approval | 2.5 General
South Carolina | Pending CLE Approval | 2 General
South Dakota | No MCLE Required | 2 CLE Hour(s)
Tennessee | Approved for Self-Study Credits | 2 General
Texas | Approved for CLE Credits | 2 General
Utah | Pending CLE Approval | 2 General
Virginia | Not Eligible | 2 General Hours
Vermont | Approved for CLE Credits | 2 General
Washington | Approved via Attorney Submission | 2 Law & Legal Hours
  Receive CLE credit in Washington via attorney submission.
Wisconsin | Approved for Self-Study Credits | 2 General
West Virginia | Pending CLE Approval | 2.4 General
Wyoming | Pending CLE Approval | 2 General
