2026 HIPAA Compliance Changes: A Practical Guide for Covered Entities

Picture this: a mid-sized medical billing company gets a call from one of its healthcare clients. The client’s attorney is on the line. There’s been a data breach in which patient records were exposed, and the billing company’s systems were the point of entry. Nobody had done a formal security review in years. Multi-factor authentication wasn’t in place. The vendor agreement hadn’t been updated since 2017. Now everyone is scrambling.

This isn’t a hypothetical. Scenarios like this play out every day across healthcare and the industries that support it.

If your organization touches protected health information in any way, whether you’re a healthcare provider, a health insurance plan, or a vendor who handles patient data on someone else’s behalf, the rules governing how you protect that information are about to get more specific, more demanding, and more strictly enforced.

The Department of Health and Human Services (HHS) has proposed the most significant overhaul to HIPAA’s Security Rule in over a decade. While the rule has not yet been finalized, it is expected to be by mid-2026, with a compliance deadline likely following 180 days to one year after that. The direction is clear, the timeline is real, and the organizations that begin preparing now will be in a far stronger position than those that wait for the ink to dry.

This blog walks you through what’s being proposed, why it’s happening, what it will mean for your organization, and, most importantly, what you can do right now to get ahead of it.

HIPAA 101: A Quick Refresher

HIPAA, the Health Insurance Portability and Accountability Act, is a federal law passed in 1996. Originally designed to help workers keep health insurance between jobs, its privacy and security provisions became the law’s most consequential features over time.

At its core, HIPAA protects Protected Health Information (PHI): individually identifiable information that relates to a person’s health condition, the care they receive, or payment for that care. When PHI is created, stored, or transmitted electronically it is called ePHI, and the Security Rule’s safeguards apply specifically to it.

HIPAA applies to two categories of organizations: Covered Entities (healthcare providers, health plans, and clearinghouses) and Business Associates, any vendor, contractor, or partner that handles PHI on a Covered Entity’s behalf. That includes IT vendors, billing companies, cloud providers, law firms, consultants, and many others. If you’re a Business Associate, HIPAA applies to you just as much as it does to the healthcare facilities you serve, a point many organizations still miss.

The Privacy Rule governs who may access and share PHI. The Security Rule governs how ePHI must be protected through administrative, physical, and technical safeguards. It is the Security Rule that the proposed 2026 updates would overhaul, in its first substantial revision since the 2013 Omnibus Rule.

Why HIPAA Changes Are Happening Now

Healthcare has become one of the most targeted industries for cyberattacks. In 2023, over 133 million individuals were affected by reported healthcare breaches. The 2024 Change Healthcare ransomware attack disrupted billing and payment processing for thousands of providers nationwide and exposed the health information of more than 100 million Americans. These aren’t abstract statistics; they represent delayed prescriptions, interrupted patient care, and patients whose most sensitive information was exposed without their knowledge.

Several factors have driven healthcare’s vulnerability to these attacks:

  • The explosion of digital health data: Electronic health records, telehealth platforms, remote patient monitoring devices, patient portals, and mobile health apps have created an enormous and complex digital ecosystem, one that didn’t exist when HIPAA was written.
  • The rise of third-party vendors: Modern healthcare organizations rely on dozens (sometimes hundreds) of outside vendors who have access to patient data. Each one of those relationships is a potential entry point for attackers.
  • Technology outpaced the rules: The Security Rule was last substantially updated in 2013. Cloud computing, ransomware, zero-day exploits, and sophisticated phishing attacks were not the landscape regulators were designing for. The rules simply hadn’t kept up.

HHS published a Notice of Proposed Rulemaking (NPRM) at the end of December 2024 (it appeared in the Federal Register on January 6, 2025) that signals a fundamental shift in regulatory intent. The proposal removes the distinction between “required” and “addressable” implementation specifications, so that nearly every safeguard becomes mandatory, with only narrow, documented exceptions. The rule is expected to be finalized around mid-2026, with compliance required roughly 180 days to one year after that, putting the likely compliance deadline in late 2026 to early 2027. The direction is unambiguous, and the window to prepare is open now.

What’s Proposed: The 2026 HIPAA Security Rule Updates, Broken Down

Here’s a plain-language breakdown of the most significant changes proposed under the 2026 HIPAA Security Rule updates. While the rule is not yet final, the proposals are detailed and specific, and HHS has made clear that finalization is expected around mid-2026. Organizations that treat these as working requirements today will be well ahead of the curve when the rule takes effect.

Risk Analysis Is Now a Defined, Required Process

Under the original Security Rule, organizations were required to conduct a “risk analysis,” but the guidance on what that actually meant was vague enough that many organizations either skipped it entirely or performed superficial reviews that wouldn’t stand up to scrutiny.

The proposed rule changes that. Risk analysis would become a clearly defined, mandatory process with specific requirements around scope, documentation, frequency, and the actions organizations must take based on the findings. Under the proposal the analysis would be reviewed and updated at least every 12 months and whenever the environment changes materially, and it would have to be built on the technology asset inventory and network map described next. Checking a box and moving on would no longer be acceptable.

Technology Asset Inventory and Network Map

Before you can protect your environment, you have to know what’s in it. The proposed rule would require organizations to develop and maintain a complete inventory of their technology assets, every server, workstation, application, and device that touches ePHI, along with a network map that shows how that data flows through their electronic systems.

This would not be a one-time exercise. The proposal calls for ongoing maintenance, with a formal review and update at least every 12 months. It sounds like administrative work, and it is, but it’s also one of the most practically valuable things an organization can do. You cannot secure what you cannot see, and you cannot assess risk accurately without knowing what systems and data flows actually exist.
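The inventory and network map are only useful if something is computed from them. The following is an added example, not code from the original post or from M.A. Polce: it takes a constructed inventory and a constructed list of data flows (the field names, zone names and payload labels are this example’s own assumptions, not a schema the proposed rule prescribes) and derives the findings a 12-month review would record: which assets are in scope because ePHI is stored on or flows through them, which ePHI flows run over unencrypted channels, where ePHI leaves the segmented enclave, which inventory entries are older than 12 months, and how far an attacker who lands on one workstation can reach by following the documented flows.

```python
from datetime import date, timedelta

# Constructed sample inventory: one record per technology asset. The field names
# (asset_id, kind, zone, stores_ephi, last_reviewed) are this example's own
# assumptions, not a schema the proposed rule prescribes.
INVENTORY = [
    {"asset_id": "ehr-db-01",    "kind": "server",      "zone": "ephi-enclave", "stores_ephi": True,  "last_reviewed": date(2025, 9, 1)},
    {"asset_id": "ehr-app-01",   "kind": "server",      "zone": "ephi-enclave", "stores_ephi": False, "last_reviewed": date(2025, 9, 1)},
    {"asset_id": "billing-01",   "kind": "server",      "zone": "corp",         "stores_ephi": False, "last_reviewed": date(2024, 3, 15)},
    {"asset_id": "analytics-01", "kind": "server",      "zone": "corp",         "stores_ephi": False, "last_reviewed": date(2025, 9, 1)},
    {"asset_id": "hr-portal",    "kind": "application", "zone": "corp",         "stores_ephi": False, "last_reviewed": date(2025, 9, 1)},
    {"asset_id": "ws-reception", "kind": "workstation", "zone": "clinic-lan",   "stores_ephi": False, "last_reviewed": date(2025, 9, 1)},
]

# Constructed network map: directed data flows between assets. "payload" is the
# data owner's label for what moves over the flow; "encrypted" is whether the
# channel itself is encrypted in transit.
FLOWS = [
    {"src": "ws-reception", "dst": "ehr-app-01",   "proto": "https",   "payload": "patient-record", "encrypted": True},
    {"src": "ehr-app-01",   "dst": "ehr-db-01",    "proto": "tls-sql", "payload": "patient-record", "encrypted": True},
    {"src": "ehr-db-01",    "dst": "billing-01",   "proto": "sftp",    "payload": "claims",         "encrypted": True},
    {"src": "billing-01",   "dst": "analytics-01", "proto": "http",    "payload": "claims",         "encrypted": False},
    {"src": "hr-portal",    "dst": "analytics-01", "proto": "https",   "payload": "hr-records",     "encrypted": True},
]

EPHI_PAYLOADS = {"patient-record", "claims"}   # payload labels that count as ePHI
REVIEW_INTERVAL = timedelta(days=365)          # the proposal's 12-month review cycle


def ephi_scope(inventory, flows):
    """Assets in scope for the Security Rule: every system of record plus both
    endpoints of every flow whose payload is ePHI."""
    scope = {a["asset_id"] for a in inventory if a["stores_ephi"]}
    for f in flows:
        if f["payload"] in EPHI_PAYLOADS:
            scope.update((f["src"], f["dst"]))
    return scope


def unencrypted_ephi_flows(flows):
    """ePHI moving over a channel that is not encrypted in transit."""
    return [(f["src"], f["dst"], f["proto"])
            for f in flows if f["payload"] in EPHI_PAYLOADS and not f["encrypted"]]


def ephi_leaving_enclave(inventory, flows, enclave="ephi-enclave"):
    """ePHI flows whose destination sits outside the segmented ePHI zone. Each one
    is a hole in the enclave boundary that the risk analysis has to justify."""
    zone = {a["asset_id"]: a["zone"] for a in inventory}
    return [(f["src"], f["dst"]) for f in flows
            if f["payload"] in EPHI_PAYLOADS and zone.get(f["dst"]) != enclave]


def stale_assets(inventory, today):
    """Inventory entries not reviewed within the last 12 months."""
    return sorted(a["asset_id"] for a in inventory
                  if today - a["last_reviewed"] > REVIEW_INTERVAL)


def reachable_from(flows, start):
    """Every asset downstream of `start` by following flows: the lateral reach of an
    attacker who compromises `start`, as far as the map knows."""
    seen, frontier = {start}, [start]
    while frontier:
        node = frontier.pop()
        for f in flows:
            if f["src"] == node and f["dst"] not in seen:
                seen.add(f["dst"])
                frontier.append(f["dst"])
    seen.discard(start)
    return seen


def inventory_report(inventory=INVENTORY, flows=FLOWS, today=date(2026, 1, 15)):
    """Bundle the checks into the findings a 12-month review would record."""
    return {
        "in_scope": sorted(ephi_scope(inventory, flows)),
        "unencrypted_ephi_flows": unencrypted_ephi_flows(flows),
        "ephi_leaving_enclave": ephi_leaving_enclave(inventory, flows),
        "stale_inventory_entries": stale_assets(inventory, today),
        "reach_from_reception_ws": sorted(reachable_from(flows, "ws-reception")),
    }


if __name__ == "__main__":
    for finding, value in inventory_report().items():
        print(f"{finding}: {value}")
```

On the constructed data the report shows that hr-portal is out of scope, that the claims feed from billing to analytics is ePHI over plain HTTP, that the inventory entry for billing-01 is almost two years stale, and that a compromised reception workstation can reach the EHR database and everything downstream of it. Those are exactly the items a risk analysis has to carry forward into decisions about encryption, segmentation and review cadence.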

Multi-Factor Authentication (MFA) Would Be Required for HIPAA

Under the proposed rule, MFA would be explicitly required for access to any technology asset that contains or processes ePHI. The current Security Rule requires “person or entity authentication” but never says how; MFA has been a best practice that organizations could adopt or skip. The proposal would make it a hard mandate, with only narrow, documented exceptions (for example, where a technology asset cannot support it and a migration plan exists) rather than a general opt-out.

For many organizations, implementing MFA across all relevant systems will be one of the most impactful near-term steps they can take and one of the fastest to show results.

Regular Vulnerability Scanning

The proposed rule would require automated vulnerability scanning of technology assets at least every six months, with documented results and remediation. Scanning gives you a current picture of your exposure: where the gaps are, which systems are at risk, and what needs attention. Think of it like a home inspection. You can’t fix the leaky roof you don’t know about, but once you know it’s there, you’re responsible for it.

Penetration Testing

Beyond scanning, the proposal would require penetration testing at least every 12 months: security professionals attempt to break into your systems the way an attacker would, before a real attacker gets the chance. This goes beyond matching known vulnerability signatures and surfaces the weaknesses that automated tools miss, such as chained misconfigurations, weak authentication flows, and undocumented paths to ePHI.

Patch Management and Software Hygiene

Finding a vulnerability is only half the job; fixing it promptly is the other half. The proposed rule would require a defined, documented patch process with deadlines: critical-risk vulnerabilities patched within 15 calendar days of identification and high-risk ones within 30, with any exception documented and compensating controls put in place. “Timely” matters here: a known vulnerability that goes unpatched for weeks or months is an open invitation.

The proposals go further than just patching, too. Organizations would also be required to remove software that has no legitimate business purpose from systems that handle ePHI. Unnecessary applications that aren’t being used are still part of your attack surface since they can harbor vulnerabilities, provide access paths, and complicate security monitoring. If it doesn’t need to be there, it shouldn’t be.

Rounding out this cluster of “reduce your attack surface” proposals, unused network ports would have to be disabled in accordance with the organization’s risk analysis. Open ports that serve no active function are another unnecessary exposure point, and the only way to know which ones are unused is to compare what each host is actually listening on against the services its inventory entry says it provides. Closing them is a straightforward technical step, but one that many organizations have never formally addressed.
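“Disable unused ports in accordance with the risk analysis” becomes concrete when the listening sockets on a host are compared with the services that host is documented to provide. The following is an added example, not code from the original post or from M.A. Polce: it parses output in the shape of `ss -Hltnp` (listening TCP sockets, numeric, with the owning process) and reports every network-reachable listener that is not on the host’s allowlist, or that is served by a different process than expected. The sample output lines and the allowlist are constructed for this example.

```python
import re

# Constructed sample in the shape of `ss -Hltnp` output (no header, listening TCP
# sockets, numeric ports, owning process). These lines are made up for the example.
SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=1201,fd=6))
LISTEN 0 511 *:443 *:* users:(("nginx",pid=990,fd=7))
LISTEN 0 128 0.0.0.0:445 0.0.0.0:* users:(("smbd",pid=1410,fd=40))
LISTEN 0 128 [::]:3389 [::]:* users:(("xrdp",pid=2000,fd=11))
"""

# Assumed allowlist for this host, derived from its inventory entry: only the
# services the asset is documented to provide may listen on a routable address.
ALLOWED_PORTS = {22: "sshd", 443: "nginx"}

LOOPBACK = {"127.0.0.1", "::1", "[::1]"}
PROC_RE = re.compile(r'"([^"]+)"')      # first quoted token is the process name


def parse_ss(text):
    """Turn ss output lines into {addr, port, proc} records."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")     # handles "[::]:3389" and "*:443"
        match = PROC_RE.search(line)
        records.append({"addr": addr, "port": int(port),
                        "proc": match.group(1) if match else None})
    return records


def unexpected_listeners(records, allowed=ALLOWED_PORTS):
    """Network-reachable listeners the allowlist does not cover, plus allowed ports
    served by a process other than the documented one (a sign of drift or tampering)."""
    findings = []
    for r in records:
        if r["addr"] in LOOPBACK:
            continue                       # local-only services are not network exposure
        expected = allowed.get(r["port"])
        if expected is None:
            findings.append((r["port"], r["proc"], "not in allowlist"))
        elif expected != r["proc"]:
            findings.append((r["port"], r["proc"], f"expected {expected}"))
    return findings


if __name__ == "__main__":
    for port, proc, reason in unexpected_listeners(parse_ss(SS_OUTPUT)):
        print(f"tcp/{port} ({proc}): {reason}")
```

On the sample, SMB on 445 and RDP on 3389 are flagged while PostgreSQL on 5432 is not, because it is bound to loopback only. Each finding then goes to the risk analysis: either the service is disabled and the port closed, or the inventory and allowlist are updated to document why it must stay open.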

Network Segmentation

Under the proposed rule, organizations would be required to logically separate their ePHI environments from the rest of their network. This practice, called network segmentation, limits the damage an attacker can do if they gain access to one part of your environment. Instead of a single breach potentially exposing everything, segmentation contains the blast radius.

This is a technical control that requires thoughtful planning and implementation, but it has become a recognized best practice and would become an expected standard under the new rule.

Technical Safeguards Extended to Portable Devices

The original HIPAA Security Rule framed its device controls around the “workstation,” and most organizations applied them only to desktops. The proposed updates recognize how healthcare organizations actually operate today, with staff accessing ePHI from laptops, tablets, smartphones, and other portable devices every day.

Under the proposed rule, the technical controls that apply to workstations would explicitly apply to mobile and portable devices as well: access controls, automatic logoff, and encryption of any ePHI stored on the device would be required, not just encouraged, for any portable device that can access or store ePHI. In practice that means a mobile device management (MDM) program that enforces screen locks and encryption and can wipe a lost or stolen device. For organizations that have never formalized an MDM policy, this is a meaningful new compliance obligation.

Encryption Is No Longer Optional for HIPAA Compliance

This is one of the most significant philosophical shifts in the proposed updates. Under the original Security Rule, encryption was listed as an “addressable” implementation specification, meaning organizations could choose not to encrypt data if they documented a reasonable alternative. In practice, this led many organizations to simply skip encryption.

Under the proposed rule, encryption of ePHI would be required both at rest and in transit, with only limited, documented exceptions. The payoff is already written into the Breach Notification Rule: ePHI encrypted in line with HHS guidance is not “unsecured PHI,” so a stolen laptop whose disk is properly encrypted and whose key was not taken with it is a lost asset, not a reportable breach. This single control has kept countless incidents off the breach list. Under the proposed rule, it would become non-negotiable.

Data Backup and Recovery Controls

The proposed rule would establish specific, separate technical requirements for backing up and recovering ePHI and the systems that process it. This goes beyond having a general IT backup policy: organizations would need defined controls that ensure ePHI can be reliably recovered after a system failure, ransomware attack, or other disruption, including written procedures for restoring critical systems and data within 72 hours of loss and evidence that restores are actually tested.

Backup and recovery requirements are especially relevant in light of the ransomware epidemic targeting healthcare organizations. When attackers encrypt an organization’s systems and demand payment to restore access, a well-designed, regularly tested backup program is often the difference between a recoverable incident and a catastrophic one. The proposed rule would make this a formal, documented requirement rather than an implied good practice.
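A backup program is only “tested” if a restore is performed and the restored data is checked against what was backed up; a backup that ransomware has already encrypted, or that silently lost files, looks fine until that check runs. The following is an added example, not code from the original post or from M.A. Polce: a hash-manifest approach (one of several ways to do this) in which a SHA-256 manifest is recorded at backup time and a restore is verified against it, reporting missing, modified and unexpected files. The restore drill runs entirely on a constructed temporary directory tree containing no real PHI.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 of every file under root. Stored with the backup, and
    a copy kept on separate media, so a restore can be checked against what was saved."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest. Returns the three ways a restore can
    be wrong: files missing, files whose content changed, files that appeared."""
    actual = build_manifest(restored_root)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "extra": sorted(set(actual) - set(manifest)),
    }


def restore_test():
    """Self-contained restore drill on constructed data: back up a small tree, restore
    it and verify; then corrupt one restored file and delete another (what a backup
    that was itself hit by ransomware, or silently damaged, looks like) and verify again."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "ephi")
        os.makedirs(os.path.join(src, "records"))
        with open(os.path.join(src, "records", "patient-0001.json"), "w") as fh:
            fh.write('{"id": "0001", "note": "constructed sample, not real PHI"}')
        with open(os.path.join(src, "index.db"), "wb") as fh:
            fh.write(os.urandom(4096))

        manifest = build_manifest(src)                      # recorded at backup time
        backup = os.path.join(work, "backup")
        shutil.copytree(src, backup)                        # the backup copy

        restored = os.path.join(work, "restored")
        shutil.copytree(backup, restored)                   # the restore drill
        clean = verify_restore(manifest, restored)

        with open(os.path.join(restored, "index.db"), "wb") as fh:
            fh.write(os.urandom(4096))                      # content replaced, same size
        os.remove(os.path.join(restored, "records", "patient-0001.json"))
        damaged = verify_restore(manifest, restored)

        return {"clean": clean, "damaged": damaged, "file_count": len(manifest)}


if __name__ == "__main__":
    result = restore_test()
    print("clean restore:", result["clean"])
    print("damaged restore:", result["damaged"])
```

The manifest has to live somewhere the attacker who encrypts the backups cannot also rewrite it, which is the same reason the proposal treats backup copies as something to protect, not just to keep. A restore drill that records how long the restore took is also the only honest evidence that a 72-hour recovery objective is achievable.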

Incident Response Planning Must Be Documented and Tested

Every organization subject to HIPAA would be required to have a written incident response plan that specifies who is notified, who leads the response, what systems get isolated, and how patients are informed if an incident were to occur. And that plan must be tested. A document that’s never been practiced isn’t a complete plan. Regulators expect organizations to run exercises that expose gaps before a real attack does.

Stricter Business Associate Agreement (BAA) Requirements

Business Associate Agreements, the contracts that govern how vendors and partners handle PHI on behalf of Covered Entities, would need to meet more specific requirements under the proposed rule. Organizations would be expected to have current, comprehensive BAAs with all relevant vendors and to verify that their Business Associates are actually complying, not just signing a form. The proposal gives that verification teeth: Business Associates would have to confirm at least every 12 months, through a written analysis by a subject matter expert and a written certification, that the required technical safeguards are in place, and they would have to notify the Covered Entity within 24 hours of activating their contingency plan.

Alignment with NIST Cybersecurity Framework

The NIST Cybersecurity Framework (CSF) is not a HIPAA compliance certification, but it is the framework HHS points to most often. Under the 2021 HITECH amendment (Public Law 116-321), OCR must take into account whether an organization has had “recognized security practices,” such as NIST CSF or the HHS 405(d) Health Industry Cybersecurity Practices, in place for the prior 12 months when deciding fines and audit outcomes; it is a mitigating factor, not a substitute for the Security Rule itself. NIST SP 800-66 Rev. 2 maps the Security Rule to NIST controls, so for organizations without a structured security program, CSF provides a roadmap that lines up with HIPAA and makes your posture far easier to communicate to auditors, clients, and your own leadership.

Annual Compliance Audits and Testing of Security Measures

The proposed rule would introduce two closely related requirements that together form the foundation of an ongoing compliance program: formal Security Rule compliance audits and documented reviews and tests of security measures, both required at least every 12 months.

The compliance audit requirement would mean organizations can no longer treat HIPAA as a “set it and forget it” exercise. An annual audit involves a structured review of whether your policies, procedures, and controls meet current Security Rule requirements, and whether they’re being followed consistently.

The testing requirement goes hand in hand: it’s not enough to have security measures documented on paper. Organizations would be required to periodically verify that those measures are actually working as intended. Together, these proposals signal a clear regulatory expectation: compliance is a continuous process, not a one-time project.

A Note on Penalties

The proposed updates also reflect a more aggressive enforcement posture from HHS’s Office for Civil Rights (OCR). HHS has made clear that it intends to investigate not just breaches, but whether organizations were taking compliance seriously before one occurred. Even under current rules, OCR has been ramping up its enforcement activity. The proposed changes would give regulators sharper teeth and a clearer basis for action.

What the 2026 HIPAA Changes Mean for Your Organization

If you’re a Covered Entity: The updates raise the floor for what compliance means. Informal processes and outdated controls won’t hold up to scrutiny. You need to show your work: documented risk assessments, tested incident response plans, evidence of encryption, and current vendor agreements.

If you’re a Business Associate: This update cycle’s most important message may be for you. If you handle PHI for a healthcare client, your compliance is no longer your client’s problem to manage; you own it. A signed BAA is not a security program.

For everyone: healthcare has had the highest average breach cost of any industry for over a decade in IBM’s Cost of a Data Breach Report, roughly $10 million per breach in the 2023 and 2024 editions. A robust compliance program costs a fraction of that, and it protects your patients, clients, reputation, and business. Regulators are done accepting “we’ve never had a problem” as a substitute for preparedness.

The compliance window is real. Organizations that begin assessing their posture now will have time to address gaps systematically. Those that wait for the final rule will be starting the clock already behind.

A Practical Roadmap to Get Ahead of the 2026 HIPAA Changes

These requirements map to well-established security practices. For organizations without an in-house security team, working with experienced partners can turn a compliance checklist into a real security program. Here’s where to start.

Start with a Risk Assessment

You can’t build a compliance program on assumptions. A formal risk assessment tells you where your ePHI lives, what threats exist, and where your gaps are. Your technology asset inventory and network map are part of this foundation; you can’t assess what you haven’t documented. If your last assessment is more than a year old or has never been done by an outside party, start here.

Implement MFA

MFA is a high-impact, low-disruption security measure. Most systems support it natively, and it’s one of the first things auditors look for. Enable it across every system that touches ePHI, starting with remote access, email, and administrative accounts, and prefer phishing-resistant methods (FIDO2 security keys or platform passkeys) over SMS codes where the system supports them.

Scan, Test, Then Clean Up

Vulnerability scanning gives you a continuous picture of your exposure. Penetration testing validates your real-world defenses. Then act on what you find: patch promptly, remove unnecessary software, disable unused ports, and make sure portable devices are covered. Many organizations have never formally addressed these hygiene steps, and the proposed 2026 updates would require them.

Audit Your Vendor Agreements

Review every BAA and assess whether your third-party risk management program gives you genuine visibility into vendor compliance, not just signatures on file.

Align to NIST CSF

If you don’t have a structured security framework, NIST CSF is the right starting point for HIPAA-regulated environments. It gives your program structure, a common language, and a recognized path to demonstrating compliance.

Build and Test Your Incident Response Plan

The right Incident Response plan reflects your actual environment. Once written, run a tabletop exercise. You will find gaps, and that’s exactly the point. Find them in a conference room, not during a real incident.

Address Segmentation, Encryption, and Backups

These take the most planning and expertise. Network segmentation limits your blast radius. Encryption protects data wherever it lives. A tested backup program is your best defense against ransomware. Start early; these are projects, not checkboxes.

Make HIPAA Compliance Ongoing

Annual compliance audits and security testing would be required under the proposed rule. The work above doesn’t end after implementation; it becomes an ongoing effort. Building a regular cadence of reviews and testing is what turns a compliance effort into a lasting security program. We help organizations build and maintain that cadence so it doesn’t fall through the cracks.

HIPAA Compliance Changes Are On the Horizon, Don’t Wait to Get Started

HIPAA compliance has never been about doing the minimum to avoid a fine. It’s about protecting the people whose most sensitive information you’ve been trusted to handle, and that responsibility doesn’t get lighter when the rules get stricter.

If you read through this and found yourself mentally flagging things your organization hasn’t addressed yet, you’re not alone. Most organizations have gaps. What separates the ones who weather this well from the ones who don’t is simply whether they chose to look before a breach forced them to.

You don’t have to figure this out on your own. Reach out to our team, and we’ll take an honest look at where you stand, tell you what we see, and help you build a path forward that’s realistic for your organization.

Contact us to schedule a no-obligation consultation.

Join M.A. Polce’s mailing list to be the first to receive essential company news and valuable industry insights.
