Quick answer

Compliance platforms like The Guard from Compliancy Group help practices build and document HIPAA policies, run workforce training, and maintain risk analysis workflows. After six months, most users find the documentation layer is solid. The gaps appear when OCR targets technical security controls, state-specific training rules, and the sweeping changes proposed in the January 2025 HIPAA Security Rule NPRM. With OCR running 22 enforcement actions in 2024 and a Risk Analysis Initiative already generating eight enforcement actions worth nearly $900,000 in settlements, the question is not whether The Guard helps, but whether it covers everything regulators are now targeting.

If you run a medical practice in Texas or anywhere else, you have probably seen Compliancy Group market The Guard as an all-in-one HIPAA compliance solution. After six months with the platform, most practices discover that compliance software handles documentation and training records well but leaves a meaningful gap on technical controls and state law. That gap matters more each month, given where OCR enforcement is heading and what the proposed Security Rule overhaul would require.

How does the current enforcement climate change what “compliant” means?

OCR completed 22 HIPAA enforcement actions in 2024, the second-highest annual total in OCR history, and collected over $9.9 million in settlements and civil money penalties. That figure reflects a deliberate shift in OCR’s posture. In October 2024, OCR launched its Risk Analysis Enforcement Initiative, targeting covered entities and business associates that fail to conduct an accurate and thorough risk analysis under 45 CFR 164.308(a)(1)(ii)(A). By April 2025, the initiative had produced eight enforcement actions with combined settlements of nearly $900,000.

The cases follow a consistent pattern. In April 2025, Comprehensive Neurology, PC settled for $25,000 after a December 2020 ransomware attack encrypted the ePHI of approximately 6,800 individuals. Small practices are not below OCR’s threshold. In May 2025, Comstar, LLC, an ambulance billing company, settled for $75,000 after a March 2022 ransomware attack exposed roughly 585,621 individuals’ records; Comstar had not conducted an adequate risk analysis and failed to detect the intrusion for seven days. In July 2025, Deer Oaks paid $225,000 following both an incident in which ePHI was accessible on the public internet and a ransomware attack affecting 171,871 individuals.

Each case points to the same failure: a risk analysis that was missing, outdated, or not tied to actual remediation work. A compliance platform that helps you build a risk analysis document is doing something useful. The real question is whether that document is accurate, current, and reflects what is actually happening in your systems, or whether it is a checklist completed once and left alone.

OCR also resumed its HIPAA audit program in December 2024 after a seven-year hiatus. The 2024-2025 audit round will cover approximately 50 covered entities and business associates, focusing on the Security Rule provisions most relevant to hacking and ransomware. Desk audits require document production within 10 business days via OCR’s secure portal. If your compliance platform stores documentation you cannot locate and produce within that 10-day window, your audit readiness is incomplete. You can review the current enforcement agreement index to see the types of violations drawing attention.

Does The Guard prepare you for the proposed Security Rule changes?

On January 6, 2025, HHS OCR published a Notice of Proposed Rulemaking to overhaul the HIPAA Security Rule in the Federal Register. The public comment period closed March 7, 2025, and HHS received more than 4,700 comments. As of June 2026, OCR has not published a final rule, but the proposed changes represent the first Security Rule overhaul since 2003 and would fundamentally change what technical compliance requires.

The NPRM proposes eliminating the distinction between “required” and “addressable” implementation specifications, making all specifications mandatory. It proposes mandatory multi-factor authentication (MFA) and elevates encryption from an addressable specification to a standalone required standard, mandating encryption of ePHI both at rest and in transit. New hard deadlines would require vulnerability scanning at least every six months and annual penetration testing, along with annual review and testing of security incident response plans.

These are not documentation tasks. MFA must be configured in your systems. Encryption must be implemented and verified at the infrastructure level. Penetration testing must be commissioned from qualified professionals. A compliance management platform can remind you that items are due and store the resulting reports, but it cannot perform the technical work. HHS projected approximately $9 billion in year-one industry-wide compliance costs for the proposed changes, a figure industry associations cited when requesting the NPRM’s withdrawal. Most of that cost is technical labor, not documentation.

Cyber insurance data reinforces the gap. At-Bay’s 2025 InsurSec Report found that remote access tools were the initial intrusion vector for 80% of ransomware claims, with VPN compromises accounting for 73% of ransomware intrusions where an entry vector was identified. No compliance platform patches a VPN. Coalition’s 2025 Cyber Claims Report found that healthcare cyber insurance claim frequency dropped 19% in 2024, but claims severity increased 32% year-over-year, with an average healthcare loss of $144,662. Documented policies did not prevent those losses. The controls that prevent them are technical.

What does The Guard miss for Texas-based practices?

Texas practices face a second compliance layer that many national platforms handle superficially or not at all. Texas Health and Safety Code Chapter 181, the Texas Medical Records Privacy Act, applies to a broader set of entities than federal HIPAA, including workers’ compensation carriers, school districts, and governmental units. That expanded scope means some of your business partners may independently be subject to Chapter 181.

Texas HB 300 requires covered entities to provide workforce training on state and federal PHI law, tailored to the entity’s course of business, within 90 days of a new employee’s hire date, with mandatory refresher training at least once every two years. Employers must obtain and retain signed written acknowledgments of training completion for six years. Federal HIPAA sets no explicit biennial recurrence requirement. If The Guard’s training module does not produce Texas-compliant acknowledgment records, you carry a state law gap alongside your federal compliance work.

The Texas AG enforces Chapter 181 independently of OCR. Civil penalties under Section 181.201 reach up to $25,000 per knowing or intentional violation and up to $250,000 per violation where PHI was used for financial gain, with annual penalties for pattern violations reaching $1.5 million. These penalties stack on top of federal civil money penalties. The Texas AG’s Fiscal Year 2024 HB 300 Annual Report recorded 580 total complaints, including 365 allegations of unlawful PHI disclosure and 17 allegations of failure to provide required training.

Right-of-access compliance also deserves attention. Under 45 CFR 164.524, covered entities must act on PHI access requests within 30 calendar days, with one 30-day extension available if written notice is provided within the initial window. OCR’s Right of Access Initiative has produced 54 enforcement actions as of May 2025, including a $112,500 settlement with Concentra, Inc., a Dallas, Texas-based occupational health provider, for failing to provide timely access to PHI. A compliance platform should track access request deadlines in real time. If yours does not, that is a gap with a documented enforcement record behind it.

Business associate oversight is a final area to audit carefully. The Change Healthcare breach, reported to affect approximately 192.7 million individuals as of July 2025, showed what happens when a covered entity’s clearinghouse partner experiences a catastrophic security failure. Under HITECH, business associates are directly liable under 45 CFR sections 164.308, 164.310, 164.312, and 164.316. OCR’s August 2025 settlement with BST & Co. CPAs for $175,000, its 15th ransomware enforcement action, confirmed that OCR pursues business associates directly for Security Rule failures. A compliance platform can maintain a business associate agreement log, but it cannot audit whether your billing company, EHR vendor, or IT consultant actually implements the security controls they agreed to in that BAA.

What to do next

Six months into any compliance platform is the right time to audit what the software does and does not cover. Documentation workflows, training tracking, and policy templates are starting points, not endpoints. OCR’s current enforcement priorities, particularly the Risk Analysis Initiative and the proposed Security Rule NPRM, demand that your risk analysis be accurate, current, and tied to real remediation. They also demand that your technical controls match your documented policies.

A professional HIPAA risk analysis goes beyond what any software-guided questionnaire produces on its own. It maps your actual systems and data flows, tests your technical safeguards, identifies gaps the platform may not surface, and produces documentation that holds up to OCR audit scrutiny. If your practice is in Texas, it also needs to account for HB 300’s training documentation requirements alongside your federal obligations.

If you are unsure whether your current risk analysis meets the standard OCR is actively enforcing, schedule a review before the next audit cycle finds the gaps first.

Last Updated: June 10, 2026