Quick Answer: The 2026 HIPAA Security Rule update makes encryption mandatory for all electronic protected health information (ePHI) both at rest and in transit. Previously, encryption was an “addressable” specification — organizations could use alternative measures if encryption wasn’t reasonable. That flexibility is gone. AES-256 encryption at rest and TLS 1.2+ in transit are now the baseline requirements.
What Changed: From Addressable to Required
Under the original HIPAA Security Rule, encryption was an “addressable” implementation specification. This meant organizations could assess whether encryption was reasonable and appropriate for their environment, and if not, document why and implement equivalent alternative measures. Many organizations used this flexibility to avoid implementing encryption, particularly on workstations and portable devices.
The 2026 Security Rule update eliminates the addressable designation entirely. Encryption is now a required specification — full stop. Every healthcare organization must encrypt all ePHI at rest and in transit, with very limited exceptions.
Encryption at Rest Requirements
All ePHI stored on any device, server, database, or storage medium must be encrypted using AES-256 or equivalent encryption standards. This includes data on servers and workstations, databases containing patient records, backup tapes and drives, portable devices (laptops, tablets, USB drives), cloud storage (S3 buckets, Azure Blob Storage, etc.), email archives containing PHI, and mobile devices used by staff.
Encryption in Transit Requirements
All ePHI transmitted over any network must be encrypted using TLS 1.2 or higher. This applies to data sent between systems within your network, data transmitted to external partners or business associates, email communications containing PHI, API calls between healthcare applications, telehealth and remote access connections, and data synced between on-premises and cloud environments.
Implementation Timeline
Organizations are expected to implement mandatory encryption within the compliance timeline established by the final rule — typically 180 days to one year depending on organization size and the specific requirement. Organizations that have been relying on the “addressable” designation to avoid encryption need to begin implementation planning now.
The Cost of Encryption Implementation
Implementing encryption across an organization involves software licensing, configuration effort, and potentially hardware upgrades for older systems that can’t handle encryption overhead. Learn more about overall HIPAA compliance costs including encryption implementation budgeting. For most small to mid-size practices, the encryption component represents a manageable portion of the overall compliance investment — and is far less than the penalties for non-compliance.
How Encryption Affects Your SRA
Your Security Risk Analysis must now evaluate encryption implementation across all systems handling ePHI. If your current SRA lists encryption as “addressable” with alternative measures, that assessment needs to be updated immediately. The SRA should document what encryption is in place, identify any gaps, and include a remediation plan with timelines for full implementation.
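The at-rest, in-transit and SRA sections above describe what has to be verified but not how to record the result. The following Python script is an added example, not code from the original article or from any regulator: it hardens an outbound TLS context to the TLS 1.2 floor, audits a constructed asset inventory against the AES-256 baseline, scans constructed connection log lines for sessions negotiated below TLS 1.2 or sent in plaintext, and groups the findings into a remediation list that can be pasted into the SRA. The log format (`key=value` fields), the asset names, and the set of cipher labels treated as "AES-256 or equivalent" are all assumptions made for the example.

```python
"""Audit ePHI encryption posture against the 2026 baseline.

Added example (not the article's code). Log format, asset names and the
cipher labels accepted as AES-256-equivalent are constructed assumptions.
"""
import ssl
from dataclasses import dataclass

MIN_TLS = ssl.TLSVersion.TLSv1_2
# Cipher labels this example accepts as "AES-256 or equivalent" (assumption).
ACCEPTABLE_AT_REST = {"AES-256-GCM", "AES-256-CBC", "AES-256-XTS"}
# Protocol labels as a proxy or load balancer might log them; anything not
# marked compliant is a gap, including plaintext ("none") and unknown labels.
TLS_BASELINE_MET = {"TLSv1.3": True, "TLSv1.2": True, "TLSv1.1": False,
                    "TLSv1.0": False, "TLSv1": False, "SSLv3": False, "none": False}


@dataclass(frozen=True)
class Finding:
    asset: str
    control: str     # "at-rest" or "in-transit"
    observed: str
    action: str


def transit_context() -> ssl.SSLContext:
    """Outbound TLS context that refuses to negotiate anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = MIN_TLS
    return ctx


def context_meets_baseline(ctx: ssl.SSLContext) -> bool:
    """True if the context can never fall back below the TLS 1.2 floor."""
    return ctx.minimum_version >= MIN_TLS


def audit_at_rest(inventory):
    """inventory: iterable of (asset_name, cipher_label); 'none' = unencrypted."""
    findings = []
    for asset, cipher in inventory:
        if cipher not in ACCEPTABLE_AT_REST:
            findings.append(Finding(asset, "at-rest", cipher,
                                    "enable AES-256 (or equivalent) storage encryption"))
    return findings


def parse_conn_log(line):
    """Parse 'key=value' tokens from one connection log line (constructed format)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def audit_in_transit(log_lines):
    """Flag every logged session whose negotiated protocol is below TLS 1.2."""
    findings = []
    for line in log_lines:
        rec = parse_conn_log(line)
        proto = rec.get("proto", "none")
        if not TLS_BASELINE_MET.get(proto, False):
            endpoint = f"{rec.get('src', '?')}->{rec.get('dst', '?')}"
            findings.append(Finding(endpoint, "in-transit", proto,
                                    "raise minimum protocol to TLS 1.2 on both ends"))
    return findings


def remediation_plan(findings):
    """Group findings by control so they map onto the SRA's gap list."""
    plan = {}
    for f in findings:
        plan.setdefault(f.control, []).append(f)
    return plan


# Constructed sample data (not from any real environment).
SAMPLE_INVENTORY = [
    ("ehr-db-01", "AES-256-GCM"),
    ("backup-tape-set-7", "none"),
    ("frontdesk-laptop-03", "AES-128-CBC"),   # encrypted, but below the baseline
    ("s3://constructed-phi-archive", "AES-256-GCM"),
]
SAMPLE_CONN_LOG = [
    "ts=2026-02-03T09:12:44Z src=ehr-app dst=lab-partner proto=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384",
    "ts=2026-02-03T09:13:01Z src=billing-svc dst=clearinghouse proto=TLSv1.0 cipher=AES128-SHA",
    "ts=2026-02-03T09:13:07Z src=legacy-hl7 dst=ehr-app proto=none cipher=none",
    "ts=2026-02-03T09:14:20Z src=telehealth dst=patient-portal proto=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384",
]

if __name__ == "__main__":
    all_findings = audit_at_rest(SAMPLE_INVENTORY) + audit_in_transit(SAMPLE_CONN_LOG)
    for control, items in remediation_plan(all_findings).items():
        print(f"[{control}] {len(items)} gap(s)")
        for f in items:
            print(f"  {f.asset}: observed {f.observed}; action: {f.action}")
```

Run against the sample data, the at-rest audit flags the unencrypted tape set and the AES-128 laptop, and the transit audit flags the TLS 1.0 clearinghouse session and the plaintext HL7 feed; the AES-256 and TLS 1.2/1.3 entries pass. Feeding real inventory exports and proxy logs into the same two functions gives the "what is in place / where are the gaps" evidence the SRA section calls for, with a dated record each time it is rerun.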
Frequently Asked Questions
Is HIPAA encryption required in 2026?
Yes. The 2026 Security Rule update makes encryption mandatory for all ePHI at rest and in transit. The previous “addressable” designation has been eliminated.
What encryption standard does HIPAA require?
HIPAA requires AES-256 encryption for data at rest and TLS 1.2 or higher for data in transit. These are the minimum standards — stronger encryption is always acceptable.
What happens if I don’t encrypt PHI?
Failing to encrypt ePHI under the 2026 rule is a direct HIPAA violation that can result in penalties ranging from $141 to over $2 million per violation, plus mandatory corrective action plans.