The HIPAA Security Rule is about to undergo the most significant update since its original adoption. Expected to be finalized in May 2026, the proposed changes will introduce mandatory requirements that many healthcare organizations are not prepared to meet.

This isn’t a minor regulatory tweak. The updated rule will require mandatory annual security risk assessments, universal encryption of ePHI, multi-factor authentication across all systems, regular vulnerability scanning, and substantially more detailed compliance documentation. For organizations that have been treating HIPAA security as a periodic checkbox exercise, the compliance gap is about to get very real, very quickly.

The good news: The organizations that start preparing now will be well-positioned when the final rule takes effect. The ones that wait until after publication will be scrambling. Here’s what you need to know.

What’s Changing and Why It Matters

The current HIPAA Security Rule, adopted in 2003 and largely unchanged since, was written for a different era. It predates cloud computing, telehealth expansion, AI adoption, ransomware as a business model, and the proliferation of connected medical devices. The proposed update reflects the reality that healthcare cybersecurity in 2026 bears almost no resemblance to healthcare cybersecurity in 2003.

The Office for Civil Rights (OCR) has been signaling these changes for years. Recent enforcement actions have consistently cited security risk analysis failures, inadequate access controls, and insufficient encryption as primary violations. The proposed rule essentially codifies what OCR has been enforcing through penalties and settlements.

Here are the key changes healthcare organizations need to prepare for:

Mandatory Annual Security Risk Assessments

What’s changing: The current rule requires organizations to conduct a security risk analysis but doesn’t specify how often. Many organizations interpret this ambiguity as permission to conduct an SRA every few years, or to perform one initial analysis and then make minimal updates. The proposed rule eliminates this ambiguity by requiring annual security risk assessments.

What this means in practice: Every covered entity and business associate will need to complete a documented, comprehensive Security Risk Analysis every 12 months. This isn’t a cursory review or a checkbox update to last year’s document. It’s a thorough reassessment of threats, vulnerabilities, and safeguards based on your current environment.

Why this matters: Organizations that haven’t been conducting annual SRAs will need to build this into their compliance calendar immediately. For many smaller practices and business associates, this represents a significant increase in compliance effort. But it also represents the single most effective action an organization can take to identify and address security gaps before they become breaches or enforcement actions.

Real-world impact: A community health center that last conducted a full SRA in 2024 will need to complete a new assessment reflecting its current systems, vendors, workforce, and threat environment. If they’ve added telehealth services, changed EHR vendors, expanded remote work, or adopted AI tools since their last assessment, those changes need to be captured. An update to a two-year-old document won’t meet the standard.

Mandatory Encryption of ePHI

What’s changing: The current rule treats encryption as an “addressable” safeguard, meaning organizations can choose not to implement encryption if they document why an equivalent alternative measure is reasonable and appropriate. The proposed rule is expected to make encryption mandatory for ePHI at rest and in transit.

What this means in practice: Every system that stores or transmits ePHI must use encryption. This includes servers, databases, laptops, workstations, portable devices, backup media, email systems, messaging platforms, and cloud storage. The “addressable” workaround that allowed organizations to document reasons for not encrypting will no longer be available.

Why this matters: Encryption has been a best practice for years, and most modern systems support it by default. But there are still healthcare organizations running legacy systems that don’t support encryption, using unencrypted email for patient communications, storing ePHI on unencrypted portable devices, or maintaining backup systems without encryption. Each of these will become an explicit violation under the updated rule.

Real-world impact: A multi-location practice that still uses an older on-premises EHR system without database-level encryption will need to either upgrade the system, implement encryption at the storage level, or migrate to a platform that supports encryption natively. This isn’t a trivial undertaking, and organizations should start evaluating their encryption posture now.

Multi-Factor Authentication (MFA) Requirements

What’s changing: The proposed rule is expected to require multi-factor authentication for all systems that access ePHI. The current rule requires “person or entity authentication” but doesn’t specify MFA. The update will make MFA an explicit requirement rather than a recommended practice.

What this means in practice: Every user who accesses ePHI will need to authenticate using at least two different factors drawn from: something they know (password), something they have (phone, security key), and something they are (biometrics). Single-password access to systems containing ePHI will no longer meet the standard.

Why this matters: MFA is one of the most effective controls against unauthorized access, credential theft, and phishing attacks. Yet many healthcare organizations still rely on single-factor authentication for critical systems. According to industry data, a significant percentage of healthcare data breaches involve compromised credentials — breaches that MFA would have prevented or significantly mitigated.

Real-world impact: A physician practice where clinicians log into the EHR with just a username and password will need to implement MFA. This affects workflow, requires staff training, and may require upgrades to authentication systems. Organizations should be planning their MFA rollout now — deploying MFA across an entire organization takes time, testing, and change management.

Regular Vulnerability Scanning

What’s changing: The proposed rule is expected to require regular vulnerability scanning and, in many cases, penetration testing. The current rule requires organizations to identify vulnerabilities through the risk analysis process but doesn’t mandate specific technical assessment methods.

What this means in practice: Organizations will need to conduct regular automated vulnerability scans of their networks, systems, and applications. This goes beyond the traditional Security Risk Analysis — it’s a technical assessment of actual system vulnerabilities, not just a policy-level risk evaluation. Many organizations will also need to conduct periodic penetration testing to validate their security controls.

Why this matters: Vulnerability scanning identifies specific, exploitable weaknesses in your systems — unpatched software, misconfigured firewalls, exposed services, and default credentials. These are the entry points that attackers use. A Network Vulnerability Assessment paired with your Security Risk Analysis gives you both the strategic and tactical view of your security posture.

Real-world impact: A hospital that has never conducted a formal vulnerability scan may discover dozens or hundreds of unpatched systems, misconfigured devices, and exposed services. The first scan is often eye-opening. Organizations should begin vulnerability scanning now — both to understand their current exposure and to establish the operational processes they’ll need to maintain ongoing scanning under the new rule.

Enhanced Documentation and Compliance Evidence

What’s changing: The proposed rule significantly strengthens documentation requirements. Organizations will need to maintain detailed, current documentation of their security policies, risk assessments, safeguard implementations, incident response plans, and compliance activities. The standard of documentation expected during an OCR investigation will be substantially higher.

What this means in practice: It’s no longer sufficient to have security policies on paper. Organizations will need to demonstrate that policies are implemented, staff are trained, controls are tested, and gaps are tracked and remediated. Think of it as moving from “do you have a policy?” to “prove this policy is actually working.”

Why this matters: Many organizations have reasonable security practices but poor documentation. In an OCR investigation, undocumented security is effectively the same as absent security. The updated rule makes documentation a compliance requirement in its own right, not just evidence of other requirements.

Technology Asset Inventory and Network Mapping

What’s changing: The proposed rule is expected to require organizations to maintain a comprehensive, current inventory of all technology assets that create, receive, maintain, or transmit ePHI, along with a network map showing how these assets are connected.

What this means in practice: You’ll need to know, and document, every device, system, application, and connection point in your environment that touches patient data. This includes servers, workstations, laptops, mobile devices, medical devices, cloud services, network equipment, and IoT devices.

Why this matters: You can’t secure what you don’t know about. Asset inventory is foundational to every other security control — risk assessment, access management, vulnerability scanning, incident response, and encryption all depend on knowing what assets you have and where they are. Many organizations discover during their first comprehensive inventory that they have significantly more ePHI-touching assets than they realized.

What This Means for Different Healthcare Organizations

Small Practices and Clinics

The updated rule’s impact will be felt most acutely by smaller organizations that have been operating with minimal formal compliance programs. A five-physician practice that has relied on basic security measures and periodic risk assessments will need to implement annual SRAs, deploy encryption across all systems, implement MFA, conduct vulnerability scanning, and maintain substantially more documentation.

This is a significant increase in compliance burden for small organizations. But the rule doesn’t change based on organization size — the requirements apply equally to a solo practitioner and a major health system. The key for smaller organizations is finding efficient, scalable approaches to compliance. A dedicated compliance platform can make annual SRAs, documentation, and remediation tracking manageable even for small teams.

Hospitals and Health Systems

Larger organizations likely have many of these controls partially in place. The challenge will be ensuring completeness and consistency across the entire organization. MFA might be deployed for some systems but not all. Encryption might cover primary databases but not legacy systems. Vulnerability scanning might happen quarterly in the data center but not across all locations.

For health systems, the updated rule creates an opportunity to consolidate and standardize security practices that may have developed inconsistently across departments, locations, and acquisitions. Start by conducting a gap analysis against the proposed requirements to identify where your current program falls short.

Business Associates

Business associates — IT vendors, billing companies, EHR providers, cloud hosting companies, and every other entity that handles ePHI on behalf of covered entities — are subject to the same Security Rule requirements. The updated rule’s mandatory provisions apply to business associates just as they do to covered entities.

This matters because covered entities will increasingly expect their business associates to demonstrate compliance with the updated requirements. If you’re a business associate, your compliance posture will become a competitive differentiator. Organizations that can demonstrate robust security — annual SRAs, encryption, MFA, vulnerability scanning, and comprehensive documentation — will be preferred over those that can’t.

A Practical Preparation Timeline

The final rule is expected in May 2026, with implementation timelines likely providing 180 days to one year for compliance. That means organizations could be required to meet the new standards as early as late 2026 or early 2027. Here’s how to use the time you have now.

Now Through May 2026: Assessment and Planning

Conduct a gap analysis. Compare your current security posture against the proposed requirements. Where do you already meet the standard? Where are the gaps? Prioritize the gaps by risk and implementation complexity.

Complete your annual SRA. If you haven’t conducted a Security Risk Analysis in the past 12 months, do one now. This gives you a baseline and positions you to meet the annual requirement when it takes effect.

Inventory your assets. Create a comprehensive inventory of all systems, devices, and applications that store, process, or transmit ePHI. Map your network connections. This inventory is foundational to everything else.

Assess your encryption posture. Identify every system that stores or transmits ePHI and determine whether encryption is currently implemented. Flag systems that don’t support encryption or where encryption hasn’t been enabled.

Plan your MFA deployment. Identify all systems that access ePHI and evaluate MFA readiness. Many modern cloud systems support MFA natively. Legacy systems may require additional solutions. Start with the highest-risk systems and work outward.

May Through December 2026: Implementation

Deploy encryption where gaps exist. Upgrade or replace systems that don’t support encryption. Enable encryption on systems where it’s available but not activated. Verify encryption is functioning correctly through testing.

Roll out MFA. Implement MFA across all ePHI-accessing systems. Train staff. Address workflow impacts. Test thoroughly. Plan for exceptions and edge cases (shared workstations, emergency access scenarios).

Establish vulnerability scanning. Deploy vulnerability scanning tools or engage a service provider. Conduct your first comprehensive scan. Establish a remediation process for identified vulnerabilities. Set up recurring scans.

Update documentation. Review and update all security policies, procedures, and documentation to reflect the new requirements. Ensure documentation is specific, current, and evidence-based.

Train your workforce. Update HIPAA training to cover new requirements. Ensure all staff understand the changes and their responsibilities. Document training completion.

Ongoing: Maintain and Monitor

Annual SRA cycle. Build the annual security risk assessment into your compliance calendar. Assign ownership. Block time for your team. Use a consistent methodology that allows year-over-year comparison.

Continuous vulnerability management. Vulnerability scanning isn’t a one-time event. Establish a cadence: critical patches within 72 hours, regular scans at least quarterly, and rescans after significant system changes.

Compliance monitoring. Regularly audit MFA adoption, encryption status, access controls, and documentation currency. Build compliance checks into your operational rhythm rather than treating them as annual events.
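As an added example (not from the article or from Medcurity), the ongoing checks above can be run against the technology asset inventory the rule requires: the script applies the annual SRA, quarterly scan, 72-hour critical patch and rescan-after-change cadences to a constructed inventory and lists the gaps per asset. The asset fields, thresholds beyond those the article states, and the sample systems are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Cadences from the article: annual SRA, scans at least quarterly,
# critical patches within 72 hours, rescan after significant changes.
SRA_MAX_AGE = timedelta(days=365)
SCAN_MAX_AGE = timedelta(days=91)          # assumed reading of "quarterly"
CRITICAL_PATCH_WINDOW = timedelta(hours=72)


@dataclass
class Asset:
    """One inventory entry (field set is an assumption for this example)."""
    name: str
    handles_ephi: bool
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    mfa_enforced: bool
    last_vuln_scan: Optional[date] = None
    last_significant_change: Optional[date] = None
    # Dates on which still-unpatched critical findings were identified.
    open_critical_findings: List[date] = field(default_factory=list)


def check_asset(asset: Asset, today: date) -> List[str]:
    """Return the compliance gaps for one asset (empty list if none)."""
    gaps: List[str] = []
    if not asset.handles_ephi:
        return gaps  # the ePHI safeguards do not apply to this asset
    if not asset.encrypted_at_rest:
        gaps.append("ePHI not encrypted at rest")
    if not asset.encrypted_in_transit:
        gaps.append("ePHI not encrypted in transit")
    if not asset.mfa_enforced:
        gaps.append("MFA not enforced")
    if asset.last_vuln_scan is None:
        gaps.append("never vulnerability scanned")
    else:
        if today - asset.last_vuln_scan > SCAN_MAX_AGE:
            gaps.append("vulnerability scan older than quarterly cadence")
        if (asset.last_significant_change is not None
                and asset.last_significant_change > asset.last_vuln_scan):
            gaps.append("rescan required after significant change")
    for found in asset.open_critical_findings:
        if today - found > CRITICAL_PATCH_WINDOW:  # date math is whole days
            gaps.append(f"critical finding from {found} open past 72-hour window")
    return gaps


def compliance_report(assets: List[Asset], last_sra: Optional[date],
                      today: date) -> Dict[str, List[str]]:
    """Program-level SRA check plus per-asset gaps, keyed by asset name."""
    report: Dict[str, List[str]] = {}
    if last_sra is None or today - last_sra > SRA_MAX_AGE:
        report["program"] = ["no Security Risk Analysis within the past 12 months"]
    for asset in assets:
        gaps = check_asset(asset, today)
        if gaps:
            report[asset.name] = gaps
    return report


# Constructed sample inventory; these are not real systems.
TODAY = date(2026, 6, 1)
SAMPLE_LAST_SRA = date(2025, 3, 1)
SAMPLE_INVENTORY = [
    Asset("ehr-db", True, True, True, True, last_vuln_scan=date(2026, 5, 20)),
    Asset("legacy-billing", True, False, True, False, last_vuln_scan=date(2026, 1, 10),
          last_significant_change=date(2026, 4, 2)),
    Asset("telehealth-gw", True, True, True, True, last_vuln_scan=date(2026, 5, 28),
          open_critical_findings=[date(2026, 5, 25)]),
    Asset("lobby-kiosk", False, False, False, False),
]

if __name__ == "__main__":
    for name, gaps in compliance_report(SAMPLE_INVENTORY, SAMPLE_LAST_SRA, TODAY).items():
        print(name, "->", "; ".join(gaps))
```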

Common Mistakes Organizations Will Make

Waiting for the final rule before starting. The proposed requirements are well-documented and unlikely to change dramatically in the final rule. Organizations that wait until May to begin preparing will face implementation timelines that may be impossible to meet. Every requirement in the proposed rule is already a security best practice. Starting now isn’t premature — it’s prudent.

Treating compliance as a technology project. Encryption, MFA, and vulnerability scanning are technical controls, but compliance is an organizational capability. It requires policy development, staff training, vendor management, documentation, and ongoing monitoring. Technology is necessary but not sufficient.

Underestimating the documentation requirement. The updated rule’s documentation expectations will trip up organizations that have good security practices but poor records. Start documenting now: policies, configurations, training records, risk assessments, remediation plans, and audit results. If it’s not documented, it didn’t happen.

Ignoring business associate compliance. Your compliance doesn’t end at your organization’s boundaries. Evaluate your business associates’ readiness for the updated requirements. Update BAAs to reflect new expectations. Include vendor compliance in your risk assessment process.

Trying to do everything at once. The updated rule covers a lot of ground. Trying to implement everything simultaneously is a recipe for incomplete implementations and burned-out staff. Prioritize based on risk: start with your SRA (it identifies everything else you need to do), then address encryption and MFA as the highest-impact technical controls, followed by vulnerability scanning and documentation.

Frequently Asked Questions

Q: When will the final rule be published?

A: The final rule is expected in May 2026. Implementation timelines will be specified in the final rule, but industry expectations are 180 days to one year from publication.

Q: Will there be exceptions for small practices?

A: The proposed rule applies to all covered entities and business associates regardless of size. While the specific implementation may look different for a solo practice versus a hospital system, the requirements themselves are universal. Small practices will need to find efficient, right-sized approaches to meeting each requirement.

Q: We already conduct an SRA every year. What changes?

A: If you’re already conducting comprehensive annual SRAs, you’re ahead of most organizations. Review your current SRA process against the proposed requirements to ensure it covers the expanded scope — particularly AI systems, technology asset inventories, and vendor risk assessment. The standard for what constitutes an adequate SRA is expected to increase.

Q: What if we can’t meet all requirements by the compliance deadline?

A: Document your compliance roadmap. Show that you’ve assessed the gaps, prioritized remediation, allocated resources, and are making measurable progress. OCR has historically shown more leniency toward organizations that demonstrate good-faith compliance efforts than those that show no effort at all. A documented, phased implementation plan is far better than no plan.

Q: How much will compliance cost?

A: Costs vary significantly based on organization size, current security posture, and existing infrastructure. For organizations starting from a strong baseline, the incremental cost may be modest — perhaps formalizing practices that are already largely in place. For organizations with significant gaps, costs could be substantial. The key is to assess your gaps early so you can plan and budget appropriately. The cost of non-compliance — OCR penalties, breach remediation, and reputational damage — almost always exceeds the cost of compliance.

The Opportunity

Regulatory updates create urgency. But they also create opportunity. The organizations that meet the updated HIPAA Security Rule requirements won’t just avoid penalties — they’ll have genuinely stronger security programs. They’ll be better protected against the ransomware attacks, data breaches, and operational disruptions that are increasingly common in healthcare. They’ll earn the confidence of their patients, partners, and regulators.

The updated rule raises the floor for healthcare security. Organizations that have already been investing in security will find the transition manageable. Organizations that have been deferring security investments will face a more significant adjustment — but the result will be a stronger, more resilient organization.

Start with your Security Risk Analysis. It’s the foundation of every other requirement, and it’s the single best way to understand where you stand and what you need to do. Medcurity’s platform and compliance experts help healthcare organizations of all sizes conduct thorough, documented security risk assessments and build compliance programs that meet current and upcoming requirements. Whether you’re preparing for the updated rule or addressing existing compliance gaps, we can help you build a program that protects your organization and your patients.
