The 2026 readiness meter
The signature feature of Ward: a live score of how ready you are for the proposed 2026 HIPAA Security Rule. This page explains exactly what it measures and how the number is calculated — so it never feels like a black box.
1. What the meter measures
The meter shows a single percentage: how ready you are for the ten headline obligations of the proposed 2026 HIPAA Security Rule. It appears on the Dashboard and on the 2026 Readiness tab, and it updates live as you answer the assessment.
Each mandate is linked to a handful of specific assessment questions. Your answers to those questions determine whether the mandate is Ready, Partial, or a Gap — and those statuses roll up into the percentage.
This is based on a proposed rule. The 2026 content reflects the December 2024 NPRM (Notice of Proposed Rulemaking). OCR’s agenda has targeted a final rule around mid-2026, but the text can change. Ward labels each mandate individually as proposed or final (see section 4) and ships the rule content as a versioned “content pack” so it can be updated without a redeploy. Not legal advice.
2. The ten mandates
These are the ten obligations the meter tracks. Each shows its CFR citation, its current rule status, and its severity (which determines how much it moves the meter — see section 5).
| # | Mandate | CFR | Status | Severity |
|---|---|---|---|---|
| G1 | Encryption everywhere (at rest & in transit) | 164.312(a)(2)(iv) & (e)(2)(ii) | Proposed | Critical |
| G2 | Multi-factor authentication (MFA) on all ePHI | 164.312(d) | Proposed | Critical |
| G3 | Removal of “addressable” — everything now required | 164.306(d) | Proposed | High |
| G4 | Vulnerability scans (every 6 months) & annual pen test | 164.308(a)(5)(ii)(B) | Proposed | High |
| G5 | Audit logging & activity review | 164.312(b) | Proposed | High |
| G6 | Asset inventory & network/data map | 164.308(a)(7)(ii)(E) | Proposed | High |
| G7 | Business associate verification | 164.308(b)(3) & 164.314(a)(2)(i) | Proposed | High |
| G8 | Tested backups & rapid recovery | 164.308(a)(7)(ii) | Proposed | High |
| G9 | Rapid breach handling (~72-hour expectations) | 164.404 / 164.410 | Proposed | Moderate |
| G10 | Annual written risk analysis & risk management | 164.308(a)(1)(ii)(A) & (B) | Final | Critical |
G10 is labeled Final because a current written risk analysis and active risk-management process are already required under the rule today — and OCR’s 2026 enforcement initiative expressly expands the focus from risk analysis to risk management. It is the single most-cited deficiency.
3. Ready / Partial / Gap / Not assessed
For each mandate, Ward looks at its linked assessment questions and assigns one of four statuses:
| Status | Means | Credit toward the score |
|---|---|---|
| ✓ Ready | All linked questions are answered “Yes — in place” or “N/A.” | Full credit. |
| ◐ Partial | Some linked questions are in place, but not all. | Half credit. |
| ✗ Gap | Linked questions are assessed but none are in place. | No credit. |
| — Not assessed | None of the linked questions have been answered yet. | No credit; counts toward “provisional.” |
The 2026 Readiness tab shows every mandate as a card with its status, its “X of Y questions in place” count, a plain-English summary, a “what to do,” and a button to jump straight to the related questions.
4. Proposed vs. final labels
Because the 2026 rule is not yet finalized, Ward is careful not to overclaim. Each mandate carries a label:
- Proposed (amber badge) — based on the December 2024 NPRM; may change before the final rule.
- Final rule (badge) — already in force today and expected to continue (currently only G10).
A banner at the top of the 2026 Readiness tab shows the content-pack version and the overall rule status, with a note that the final rule may differ. When OCR finalizes the rule, the content pack can be updated and individual mandates re-labeled “final” without changing the app.
5. Severity weighting
Not every mandate counts equally. A missed critical mandate (encryption, MFA, written risk analysis) should move the meter more than a moderate one. Ward weights each mandate by severity:
| Severity | Weight | Mandates |
|---|---|---|
| Critical | 3 | G1 (encryption), G2 (MFA), G10 (risk analysis & management) |
| High | 2 | G3, G4, G5, G6, G7, G8 |
| Moderate | 1 | G9 (rapid breach handling) |
6. How the percentage is computed
The meter is a severity-weighted score. The formula is:
Score = earned ÷ possible × 100, where:
- possible = the sum of every mandate’s weight (e.g. three criticals at 3 + six highs at 2 + one moderate at 1).
- earned = for each mandate: its full weight if Ready, half its weight if Partial, and zero if a Gap or Not assessed.
The result is rounded to a whole percent.
Worked example: suppose G1 (critical, weight 3) is Ready, G2 (critical, weight 3) is Partial, and everything else is a Gap. Earned = 3 + 1.5 = 4.5. Possible = 3+3+3 + 2×6 + 1 = 25. Score = 4.5 ÷ 25 × 100 = 18%.
The meter bar is color-coded: ≥ 80% green, 50–79% amber, under 50% red. The “X of Y new mandatory areas fully ready” line counts only mandates with a Ready status.
7. Top 2026 blockers
On the Dashboard, under the meter, Ward shows up to four Top 2026 blockers — the highest-severity mandates that are not yet Ready (Gaps and Partials). These are exactly what is costing you the most readiness right now. Critical blockers appear as red chips; click any chip to jump to the 2026 Readiness tab and start closing it.
8. Why it says “provisional”
If you haven’t answered every question, the Dashboard meter adds a note like “provisional — 14 questions left.” This is a reminder that some mandates are still “Not assessed” and earning no credit, so your real readiness could be higher (or lower) once you finish. Complete the assessment to remove the provisional flag.
9. How to raise your score
- Open the 2026 Readiness tab and find the mandates that are Gaps or Partials (they sort to the top, riskiest first).
- Click “Go to related questions.” Implement the control in real life, then change the answer to “Yes — in place.”
- For fixed-cadence mandates (G4 scans/pen-tests, G7 BA verification, G8 backups, G9 IR), also log the recurring evidence on the Scan/IR Cadence tab.
- Track each mandate to closure with its per-mandate POA&M (owner / target / status).
- Watch the meter climb live as Partials become Ready.
Roadmap note. The cadence tracker computes due dates and overdue reminders locally and surfaces them on the Dashboard, but completing a cadence artifact does not currently feed the readiness percentage directly — the meter is driven by your assessment answers. Wiring cadence status into the meter is a planned enhancement. Until then, answer the linked questions to move the meter, and use the cadence tab to keep the evidence current.