Regulatory Compliance

HIPAA and the Software Supply Chain in 2026

The HIPAA Security Rule has not changed, but OCR enforcement and the 2024 NPRM are reshaping what supply chain controls covered entities and business associates must demonstrate.

Marina Petrov
Compliance Lead
5 min read

The HIPAA Security Rule has not been substantively amended since the Omnibus Rule of 2013, but the operational expectations around supply chain controls have shifted meaningfully in the past two years. The 2024 Notice of Proposed Rulemaking from HHS, the steady stream of OCR enforcement actions involving third-party breaches, and the practical implications of the Change Healthcare incident have collectively raised the bar. This post is a current read of where the expectations sit in 2026 and how covered entities and business associates should be thinking about software supply chain risk.

The regulatory text remains 45 CFR 164.306 through 164.318, but the way OCR is interpreting risk analysis under 164.308(a)(1)(ii)(A) now clearly includes software supply chain risk. The agency has not said this in regulation, but the resolution agreements and corrective action plans of the last two years have repeatedly identified inadequate risk analysis as the root cause of breaches that originated in third-party software. Reading the tea leaves on enforcement is a more reliable signal than waiting for final rules.

How does the 2024 NPRM change the supply chain bar?

The 2024 NPRM, if finalized in the form proposed, will substantially modernize the Security Rule for the first time since 2013. The proposed changes most relevant to supply chain include mandatory written documentation of technology asset inventories, network maps that include third-party connections, and explicit risk analysis of business associate and downstream subcontractor relationships. The proposed compliance timeline gives covered entities and business associates 180 days to comply once the final rule is published.

The final rule has not been published as of this writing, but the comment period closed in March 2025 and OCR has signaled a 2026 publication target. Organizations should be planning for the new requirements even before publication, because the lead time for implementing comprehensive asset inventories and supply chain risk analysis is longer than 180 days for most healthcare technology stacks. The cost of building these capabilities in advance is low compared to the cost of building them under a regulatory deadline.

What does OCR look for in third-party breach investigations?

OCR investigations of third-party breaches consistently focus on three areas: whether the covered entity performed an adequate risk analysis of the business associate before sharing PHI, whether the business associate agreement contained the required provisions and was current, and whether the covered entity exercised reasonable oversight during the relationship. The third area has been the most expansive in recent enforcement, with OCR pressing on what actions the covered entity took when red flags appeared.

For business associates, the parallel scrutiny falls on whether the BA performed adequate risk analysis of its own subcontractors and software dependencies. The Change Healthcare resolution made clear that downstream supply chain failures are not a defense for the business associate; OCR expects the BA to have controls in place to detect and respond to dependency compromise. The evidence pattern that holds up is a recurring, documented review of critical dependencies with timestamped triage of identified issues.

How does PHI exposure interact with software supply chain compromise?

The technical reality is that most modern healthcare software stacks include dozens of open source dependencies, each of which is a potential vector for PHI exposure. A vulnerability in a logging library, a deserialization issue in a JSON parser, or a backdoor in a build-time dependency can each result in PHI exfiltration without any compromise of the application code itself. The 2024 XZ Utils incident was the canonical reminder that supply chain compromise can sit inside trusted tooling.

The risk analysis that 164.308(a)(1)(ii)(A) requires must address this reality in 2026. Listing the application as a single asset and analyzing its risk in aggregate is no longer defensible. The expected analysis identifies the dependencies that have access to PHI in production, evaluates the risk associated with each, and documents the controls in place to mitigate that risk. The analysis should be revisited on a defined cadence and after significant changes to the dependency set.
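One way to make the dependency-level analysis the paragraph describes concrete, as an added example that is not the page's or Safeguard's own code: walk a CycloneDX-style SBOM, mark which components sit on the PHI data path, join each with its open advisories and documented controls, rate it, and emit a timestamped evidence record. The SBOM, the PHI-access set, the advisory ids and the control names below are all constructed placeholders; the 90-day cadence and the rating scale are assumptions, and the dependency-set fingerprint is the trigger for re-analysis after a significant change.

```python
"""Dependency-level HIPAA risk analysis over an SBOM (added example).

Not the page's or Safeguard's code. All components, advisory ids, controls and
the review cadence are constructed placeholders / assumptions.
"""
from dataclasses import dataclass, asdict
from datetime import date, timedelta
import hashlib
import json

# Constructed CycloneDX-style SBOM; component names and versions are placeholders.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "example-json-parser", "version": "2.3.1",
         "purl": "pkg:pypi/example-json-parser@2.3.1"},
        {"name": "example-logging", "version": "1.9.0",
         "purl": "pkg:pypi/example-logging@1.9.0"},
        {"name": "example-build-helper", "version": "0.4.2",
         "purl": "pkg:pypi/example-build-helper@0.4.2"},
        {"name": "example-color-output", "version": "3.0.0",
         "purl": "pkg:pypi/example-color-output@3.0.0"},
    ],
}

# Components on the PHI data path in production. Assumed to come from an
# architecture review or reachability analysis; constructed here.
PHI_ACCESS = {"example-json-parser", "example-logging"}

# Open advisories per component (constructed placeholder ids, not real CVEs).
ADVISORIES = {
    "example-json-parser": ["ADV-PLACEHOLDER-001"],   # e.g. unsafe deserialization
    "example-color-output": ["ADV-PLACEHOLDER-002"],
}

# Documented mitigating controls per component (constructed).
CONTROLS = {
    "example-json-parser": ["schema validation before parse", "egress allow-list"],
    "example-logging": ["PHI redaction filter on log handlers"],
}

RATING_ORDER = ["critical", "high", "medium", "low"]


@dataclass
class RiskRecord:
    name: str
    version: str
    purl: str
    phi_access: bool
    open_advisories: list
    controls: list
    rating: str


def rate(phi_access, advisories, controls):
    """Assumed scale: PHI path + open advisory + no control is the worst case."""
    if not phi_access:
        return "low"
    if advisories and not controls:
        return "critical"
    if advisories:
        return "high"
    return "medium"


def analyze(sbom, phi_access=PHI_ACCESS, advisories=ADVISORIES, controls=CONTROLS):
    """One risk record per SBOM component, worst rating first."""
    records = []
    for c in sbom["components"]:
        name = c["name"]
        adv = advisories.get(name, [])
        ctl = controls.get(name, [])
        phi = name in phi_access
        records.append(RiskRecord(name, c["version"], c.get("purl", ""),
                                  phi, adv, ctl, rate(phi, adv, ctl)))
    records.sort(key=lambda r: RATING_ORDER.index(r.rating))
    return records


def dependency_fingerprint(sbom):
    """Stable hash of the dependency set; a changed hash means the set changed."""
    purls = sorted(c.get("purl") or f"{c['name']}@{c['version']}"
                   for c in sbom["components"])
    return hashlib.sha256("\n".join(purls).encode()).hexdigest()


def review_needed(last_review, last_fingerprint, sbom, today, cadence_days=90):
    """Re-analysis is due on the cadence or when the dependency set changed."""
    overdue = today - last_review >= timedelta(days=cadence_days)
    changed = dependency_fingerprint(sbom) != last_fingerprint
    return overdue or changed


def evidence_document(records, analyzed_on, fingerprint):
    """Timestamped JSON record to retain as risk-analysis evidence."""
    return json.dumps({"analyzed_on": analyzed_on.isoformat(),
                       "dependency_set": fingerprint,
                       "findings": [asdict(r) for r in records]}, indent=2)


if __name__ == "__main__":
    today = date.today()
    print(evidence_document(analyze(SBOM), today, dependency_fingerprint(SBOM)))
```

The sort order puts the records an auditor will ask about first; retaining each `evidence_document` output alongside the SBOM it was derived from gives the dated, per-dependency trail the text says the analysis should produce.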

What do business associate agreements need to address now?

Business associate agreements signed in 2023 and earlier typically do not address software supply chain compromise explicitly, and many do not require timely notification of incidents affecting upstream dependencies. The 2026 expectation, both in the 2024 NPRM and in practice, is that BAAs include explicit obligations around supply chain incident notification, dependency disclosure for components that handle PHI, and the BA's own supply chain risk management practices.

Renegotiating every BAA is impractical, but the prevailing pattern is to update template language for new agreements and to address the supply chain provisions during the next scheduled renewal. Covered entities with leverage over their business associates are increasingly requiring SBOM provision on request, attestation of supply chain controls, and timely notification of supply chain incidents that could affect PHI. This is the direction the final rule, when it lands, is likely to push the standard practice.

How Safeguard Helps

Safeguard provides the asset inventory and risk analysis evidence the 2024 NPRM is poised to require. SBOMs are generated continuously for every build, with the dependency-level detail that PHI risk analysis now demands. Griffin AI runs reachability analysis to identify which dependencies actually have access to PHI in production, which sharpens the risk analysis beyond a generic dependency list. Policy gates in CI block builds that introduce or retain unmanaged risk, producing the operating effectiveness evidence OCR investigations look for. TPRM scoring of business associates and their downstream dependencies, combined with zero-CVE base images, gives covered entities a defensible position on supply chain oversight under both current enforcement and the proposed rule.
