HIPAA Security Rule 2026: What to Expect When OCR Finalizes

Updated June 2026 — status: proposed rule, not yet final.

As of June 2026, the 2026 HIPAA Security Rule update remains a proposed rule, not final law. The HHS Office for Civil Rights published its Notice of Proposed Rulemaking on January 6, 2025, and is still reviewing more than 4,700 public comments; the original spring-2026 finalization target has passed with no final rule issued. This would be the first material overhaul of the Security Rule since the 2013 HIPAA Omnibus Rule, converting several previously "addressable" implementation specifications into "required" ones. Below is what is proposed, what is disputed, and how to prepare now without over-building for requirements that could still change.

What to Expect If OCR Finalizes the HIPAA Security Rule (Status: Still Proposed)

OCR placed the Security Rule update on its regulatory agenda with a spring-2026 finalization target; that target has passed with no final rule published. The comment period drew considerable industry pushback, and OCR is still working through the comment record. Until a final rule is published in the Federal Register, nothing in the proposal is binding: the current HIPAA Security Rule remains the law in force.

The Material Changes the Proposed Rule Would Make

Required (not addressable) MFA. Every technology asset used to access ePHI (EHR, billing, scheduling, imaging viewers, secure messaging, file storage holding PHI) would have to enforce multi-factor authentication, with only narrow exceptions. The latitude that “addressable” implementation specifications have historically given organizations goes away.

Required encryption at rest and in transit. Encryption would become a required safeguard for ePHI both stored on disk and moving across networks, again with only limited exceptions. This affects email, file transfer, mobile devices, removable media, and cloud-storage exports.

Semiannual vulnerability scanning and annual penetration testing. Fixed intervals would replace the current “periodic evaluation” requirement: vulnerability scans at least every six months and penetration tests at least once every 12 months, both performed by qualified professionals, and more often where the entity’s risk analysis calls for it.

24-hour business-associate reporting. Business associates would be required to notify the covered entity within 24 hours of activating their contingency plan (and subcontractors to notify their business associate on the same clock), a major compression from the current timeline, which is whatever the BAA happens to specify. BAAs across the industry would need to be reissued to carry the new terms.

Documented technology asset inventory. Every covered entity and business associate would be required to maintain a written inventory of each technology asset that creates, receives, maintains, or transmits ePHI (hardware, software, data, and cloud-service and API connections) together with a network map, and to update both at least every 12 months.

Network segmentation. The proposed rule introduces explicit network-segmentation expectations for ePHI-handling systems, breaking up the flat networks that have historically been common in healthcare.

Expanded incident response and contingency planning. Incident response, data backup, disaster recovery, and emergency-mode operations all get more detailed specification, including the 72-hour restoration target for critical systems and data and an obligation to test the plans.

What’s Disputed About the Proposed Rule

Most legal and trade-press explainers summarize the proposal’s text. What they under-report is the active fight over it, which is exactly what determines whether, and in what form, these requirements ever become binding.

A 100+ provider-group withdrawal request. A broad coalition of hospitals, health systems, and provider associations has asked HHS to withdraw the proposal, arguing that the cost and prescriptiveness — mandatory MFA, encryption of essentially all ePHI, 72-hour data-restoration, and annual asset inventories and network maps — are unworkable for small and rural providers.

“Addressable” versus “required” is the core dispute. The proposal would remove the longstanding “addressable” flexibility that lets organizations tailor certain safeguards to their size and risk, making most implementation specifications mandatory. That single change accounts for much of the pushback in the 4,700-plus comments OCR received.

Timing is genuinely uncertain. The spring-2026 target has already slipped, and under the current administration’s deregulatory posture the rule could be delayed, narrowed, or withdrawn. Track the proposal’s status on the federal regulatory agenda, but the prudent move is not to re-architect your security program around an unfinalized mandate.

Implementation Timeline Once OCR Finalizes

If the rule is finalized as proposed, the effective date is 60 days after Federal Register publication, and most provisions must be met within 180 days of the effective date. That is roughly 240 days from the day the final rule appears in the Federal Register, so whenever publication happens, the compliance deadline lands about eight months later. For a multi-site organization, 240 days is not a lot of runway: rolling out MFA across every ePHI-accessing system, encrypting endpoints that aren’t currently encrypted, standing up semiannual scanning and annual pen-testing, completing a documented asset inventory and network map, and re-issuing BAAs across the vendor footprint will easily consume that timeline.

What to Do Now (Before the Final Rule Drops)

None of these require waiting for a final rule. They are how you stay compliant under the HIPAA Security Rule that is already in force, and they position you for the proposal if it lands. The highest-leverage no-regret moves are a current, documented security risk analysis (the one control OCR cites in nearly every enforcement action), an up-to-date technology asset inventory and network map, MFA on remote and privileged access, and annual verification that every business-associate agreement is in place and current.

How Medcurity Is Handling the Security Rule 2026 Transition

Medcurity is tracking the OCR rule-making calendar in real time. The day the final rule publishes in the Federal Register, Medcurity will: (1) update every customer’s SRA template against the final-rule control set; (2) push updated policy library entries for MFA, encryption, vulnerability scanning, penetration testing, asset inventory, network segmentation, and BAA terms; (3) release updated workforce-training modules; and (4) provide every customer with a 60-day implementation runbook tuned to their organization size and complexity. For multi-site customers (FQHCs, CHCs, rural hospital systems, ambulatory surgery centers) the rollout sequencing is pre-mapped so the 240-day clock is paced rather than panicked.

Frequently Asked Questions

Is the 2026 HIPAA Security Rule final?

No. As of June 2026 it remains a proposed rule. OCR published the Notice of Proposed Rulemaking on January 6, 2025, the comment period closed March 7, 2025, and OCR is still reviewing more than 4,700 comments. The original spring-2026 finalization target has passed with no final rule issued.

When does the 2026 HIPAA Security Rule take effect?

There is no effective date yet because the rule is not final. If it is finalized as proposed, the effective date would be 60 days after publication in the Federal Register, with most provisions required within 180 days of that effective date.

What is the difference between “addressable” and “required” safeguards?

Under the current Security Rule, “addressable” safeguards give organizations flexibility to implement a control, adopt an equivalent alternative, or document why it is not reasonable. “Required” safeguards must be implemented as written. The proposed rule would remove most of that “addressable” flexibility and make implementation specifications mandatory — the change most contested in public comments.

Related Reading

HIPAA Vulnerability Scanning Requirements (2026) · Best HIPAA Risk Assessment Tools for 2026 · HIPAA Workforce Training Requirements (2026) · HIPAA Compliance for Ambulatory Surgery Centers · HIPAA Compliance for FQHCs