Compliance Calendar

Track regulatory deadlines and ongoing compliance requirements for healthcare organizations.

Summary: 2 upcoming, 8 ongoing, 0 due within 30 days, 1 due within 90 days.

Upcoming Deadlines

HHS OCR (89 days remaining)

HIPAA Security Rule Update — Enhanced Requirements

HHS proposed updates to the HIPAA Security Rule requiring covered entities and business associates to implement enhanced cybersecurity measures including MFA, encryption at rest and in transit, and annual security risk assessments.

Applies to: Covered Entities, Business Associates, Hospitals, +1 more
Deadline: Jun 1, 2026
HHS OCR

Business Associate Agreement Annual Review

HIPAA requires covered entities to review and update Business Associate Agreements (BAAs) to ensure vendors handling PHI maintain adequate security controls and breach notification procedures.

Applies to: Covered Entities, Business Associates, Hospitals
Deadline: Jun 30, 2026

Ongoing Requirements

HHS OCR

HIPAA Breach Notification Rule — 60-Day Requirement

Covered entities must notify affected individuals within 60 days of discovering a breach of unsecured PHI affecting 500+ individuals. HHS OCR and media must also be notified.

Applies to: Covered Entities, Business Associates, Hospitals, +2 more
Deadline: Jan 1, 2026
State

Washington My Health My Data Act

Washington state law providing broad protections for consumer health data beyond HIPAA, requiring consent for collection, sharing, and sale of health data by all entities, not just HIPAA-covered entities.

Applies to: All Healthcare Organizations, Telehealth Providers, Health Apps
Deadline: Jan 1, 2026
HHS OCR

HIPAA Right of Access — Ongoing Enforcement Initiative

HHS OCR continues its Right of Access enforcement initiative targeting providers who fail to provide patients timely access to their medical records within 30 days of request.

Applies to: Covered Entities, Hospitals, Clinics
Deadline: Jan 1, 2026
CISA

CISA Healthcare Cybersecurity Performance Goals

CISA's voluntary cybersecurity performance goals for the healthcare sector, providing a prioritized subset of practices to help reduce risk. Aligns with HPH sector-specific guidance.

Applies to: Hospitals, Health Systems, Clinics
Deadline: Jan 1, 2026
State

Connecticut Health Data Privacy Act

Connecticut law requiring entities processing consumer health data to obtain consent, conduct data protection assessments, and implement security measures for health data not covered by HIPAA.

Applies to: All Healthcare Organizations, Telehealth Providers, Health Apps
Deadline: Jan 1, 2026
FDA

FDA Medical Device Cybersecurity Requirements

FDA requires medical device manufacturers to submit cybersecurity documentation including SBOM, vulnerability disclosure plans, and evidence of security testing as part of premarket submissions under Section 524B of the FD&C Act.

Applies to: Medical Device Manufacturers, Hospitals
Deadline: Mar 1, 2026
HHS OCR

HIPAA Annual Security Risk Assessment

All covered entities and business associates must conduct annual security risk assessments to identify vulnerabilities and threats to ePHI. Required under the HIPAA Security Rule administrative safeguards.

Applies to: Covered Entities, Business Associates, Hospitals, +1 more
Deadline: Dec 31, 2026
HHS OCR

HIPAA Minimum Necessary Standard Review

Covered entities must review and update policies to ensure PHI disclosures are limited to the minimum necessary for the intended purpose. Annual review recommended by HHS guidance.

Applies to: Covered Entities, Business Associates
Deadline: Dec 31, 2026

Disclaimer: This calendar is for informational purposes only and should not be relied upon as legal or compliance advice. Always verify deadlines and requirements with official regulatory sources and consult with qualified compliance professionals.