Welcome to the first edition of The Fine Print. We're glad you're here.
Q1 2026 is a busy quarter. A HIPAA Security Rule overhaul is on track for finalization in May. The CMMC Phase 2 deadline is six months out. Law firms in three states are getting their first enforceable cybersecurity mandates.
This edition at a glance: 5 articles across Healthcare, Finance, Legal, Manufacturing, and Insurance · 11 upcoming deadlines · 3 enforcement actions from the past six months.
The HIPAA Security Rule overhaul is on OCR's agenda for May. Organizations already aligned with HITRUST will have a head start.
HITRUST certification is not a regulatory requirement, but it has become the most defensible interpretation of HIPAA's vague "reasonable and appropriate safeguards" language. As OCR's enforcement posture sharpens, organizations with a HITRUST attestation will spend less time arguing about what compliance means.
The proposed Security Rule changes are expected to mandate MFA, encryption-in-transit standards, and formal vulnerability scanning cadences. Every one of those is already part of HITRUST CSF v11.
The forthcoming HIPAA overhaul is expected to codify what HITRUST already requires.
What to do this quarter
If you're a covered entity or business associate without HITRUST, get a gap assessment now. The cost of remediation doubles after a regulator request.
More than 22 states have enacted the NAIC Insurance Data Security Model Law. Most agency owners have no idea it applies to them.
If you hold an insurance license in Connecticut, New York, South Carolina, Ohio, Mississippi, Michigan, Alabama, Louisiana, Delaware, Indiana, New Hampshire, North Dakota, Virginia, Wisconsin, Tennessee, Kentucky, Hawaii, Iowa, Maine, Minnesota, Vermont, or Maryland, you have a legal obligation to maintain a written information security program.
What to do this quarter
Pull your active license list. Cross-reference against the 22 states. If there's overlap and you don't have a documented WISP, the gap closes the moment a breach happens.
Self-attestation ends. The assessor you choose matters more than most contractors realize.
Assessment ranges typically run 12 to 16 weeks. Current C3PAO backlogs are running 6 to 12 months. Choosing the wrong one isn't a procurement mistake — it's a contract risk.
What to do this quarter
If you handle CUI under a DoD contract and haven't started a gap assessment against the 110 NIST SP 800-171 controls, that is where this process begins.
Governance documentation is now required. Here is what small firm CEOs need to do before their next examination.
The SEC Regulation S-P deadline for smaller entities is June 3, 2026. FINRA's 2026 Regulatory Oversight Report makes it explicit: GenAI governance is no longer optional.
What to do this quarter
Build the inventory first. Every AI tool a registered representative touches needs to be documented before the policy is written.
A phishing attack exposed patient PHI. OCR's investigation zeroed in on one missing requirement: no enterprise-wide risk analysis had ever been completed. That gap alone produced a $3 million settlement.
Breaches at eight auto insurers in 2023 exposed driver's license numbers. NYDFS found the same failures across all eight: no written cybersecurity programs, no periodic risk assessments.
CMMC Readiness Resource
The clock is running. Do you know where you stand?
CMMC Phase 2 begins November 10, 2026. The average preparation timeline runs 12 to 16 months.
