Federal Register Watch: Q2 2026 Compliance Developments Every Small Firm Should Track
A curated rundown of the regulatory developments from Q2 2026 that matter most to solo attorneys and small firms — from HIPAA enforcement trends to CCPA rulemaking updates.
Keeping up with regulatory changes is a full-time job that solo attorneys and small firms don't have the bandwidth for. This is the first in a recurring series where we distill the Federal Register, SEC releases, and state regulatory actions into the developments that actually matter for practitioners with 1–20 attorneys.
This post covers Q2 2026 (April–June). We'll update quarterly, with interim posts when something breaks that can't wait.
HIPAA: Enforcement Shift Toward Small Providers
HHS OCR has signaled a renewed focus on smaller covered entities. Two trends to watch:
1. Right of Access enforcement continues to expand. OCR settled 5 right-of-access cases in Q1 2026, all involving practices with fewer than 50 employees. The fines ranged from $15,000 to $65,000. If your healthcare clients aren't responding to patient record requests within 30 days, they're exposed.
What to tell clients: Review your access request workflow. The 30-day clock starts when the request is received, not when it's processed. If you're outsourcing records management, confirm your vendor's SLA covers this timeline.
2. Security Risk Analysis remains the #1 finding. In 45 of 50 enforcement actions we tracked in 2025, OCR cited failure to conduct a thorough security risk analysis under §164.308(a)(1)(ii)(A). This isn't a new finding — but the pattern suggests OCR treats it as a near-automatic citation in every investigation.
What to tell clients: If your client doesn't have a documented, dated security risk analysis, that's the single highest-leverage compliance step they can take. It doesn't have to be expensive — HHS publishes a free Security Risk Assessment Tool.
CCPA/CPRA: Rulemaking on Automated Decision-Making
The California Privacy Protection Agency (CPPA) is advancing its rulemaking on automated decision-making technology (ADMT). The proposed rules would:
- Require businesses to provide consumers with access to the logic of significant ADMT decisions
- Create a new right to opt out of ADMT profiling
- Define "significant decisions" broadly enough to include automated legal document review
Why this matters for legal AI: If your firm uses AI tools that make or inform substantive legal decisions, and you serve California consumers (broadly defined), the ADMT rules could create disclosure obligations. The comment period closed in March 2026; final rules are expected by Q3.
What to watch: Whether "legal services" are carved out of the ADMT definition. Early drafts did not include such a carve-out.
SOX: PCAOB Focus on AI in Audits
The PCAOB issued Staff Guidance in February 2026 addressing auditors' use of AI tools in the audit process. Key points:
- AI-assisted audit procedures must be documented with the same rigor as manual procedures
- The auditor remains responsible for evaluating the output of any AI tool
- Firms must assess whether AI tools introduce new risks to audit quality
This guidance doesn't directly regulate attorneys, but it signals how regulators are approaching the use of AI in professional services generally. If the PCAOB requires auditors to document their AI tool usage and evaluate its output, state bars are likely to follow with similar expectations for attorneys.
What BarZero Is Doing About It
We built a regulatory monitoring feature directly into the compliance dashboard. Subscribe to any of our 7 supported frameworks (GDPR, HIPAA, SOX, CCPA, ISO 27001, SOC 2, PCI-DSS) and BarZero scans the Federal Register, EU Commission, and SEC daily for new notices. You'll see them in your compliance dashboard as they land — no manual checking, no missed deadlines.
The monitoring runs through Katzilla's natural-language router, which covers ~280 live federal and international data sources. When a notice mentions your watched framework, it shows up as an unread update with a link to the source document.
This post will be updated as Q2 develops. Subscribe to the compliance framework you care about in the BarZero dashboard and you'll get the same regulatory feed this post draws from — live, daily, and specific to your practice.