HIPAA Security Rule Changes in 2026: What You Need to Know (and Do) Now
If you’ve been hearing rumblings about HIPAA changes and feeling uncertain about what’s coming, you’re not alone. Your inbox has probably been filling up with emails about the “biggest HIPAA update in a decade,” and maybe you’ve felt a flicker of anxiety. Is this going to require a complete overhaul? Will your organization suddenly be out of compliance? Will it cost a fortune?
Take a breath. We’re going to walk through exactly what’s changing, what it actually means for your organization, and most importantly, what you can do about it starting today. This isn’t a panic moment—it’s a planning moment.
The Big Picture: What’s Happening and Why
In December 2024, the Department of Health and Human Services (HHS) Office for Civil Rights published a Notice of Proposed Rulemaking (NPRM) with comprehensive updates to the HIPAA Security Rule. This is the first major overhaul since the rule was originally implemented in 2005—over two decades ago. The healthcare landscape has changed dramatically since then. Data breaches have become more sophisticated. Remote work is now the norm. Cloud computing is essential infrastructure, not a luxury.
The comment period for the NPRM officially closed, and HHS is reviewing feedback from healthcare providers, technology vendors, security experts, and patients. The final rule is expected to be published in May 2026, with a compliance deadline of approximately 240 days after publication. That puts full compliance somewhere around December 2026 or early 2027 for most organizations.
This timeline is important because it gives you roughly 10 months to prepare once the final rule drops—which means starting now with the proposed changes is exactly the right move.
The 9 Major Changes Coming to the HIPAA Security Rule
Let’s break down what’s actually changing. These aren’t abstract regulatory shifts; they’ll affect how you operate your systems, train your staff, and manage your security infrastructure.
1. Elimination of “Addressable” vs. “Required” Distinction
The Myth: “Our security measures are addressable, so we can skip them if we document a business decision.”
The Reality: Under the current rule (45 CFR § 164.312), many security requirements are marked “addressable,” meaning organizations can choose alternative implementations or document why they’re not feasible. The updated rule removes this distinction. Most requirements become mandatory.
What This Means: You can’t punt on decisions anymore. If the rule says it, you need to implement it or have a formal risk analysis documenting why it’s not applicable (and that documentation had better be rock solid). There’s no “nice to have” category for security anymore.
What to Do Now:
- Audit your current compliance against every section of 45 CFR §§ 164.308 through 164.318.
- Identify any areas where you’ve documented “addressable” exceptions.
- Develop implementation plans for those items—budget for the resources needed.
2. Mandatory Encryption of ePHI at Rest and in Transit
The Myth: “Encryption is too expensive and slows down our systems too much.”
The Reality: The proposed rule makes encryption of ePHI (electronic protected health information) at rest and in transit a mandatory requirement for all covered entities and business associates. This isn’t a suggestion in a risk analysis; it’s a “shall” requirement under 45 CFR § 164.312(a)(2)(ii).
What This Means: Every file containing patient data needs to be encrypted when stored and when traveling across networks. Your email with patient information? Encrypted. Your database backups? Encrypted. Data being transferred between your offices? Encrypted. Modern encryption tools are fast and transparent to users—this isn’t the data slowdown scenario from 2005.
What to Do Now:
- Conduct a thorough inventory of where ePHI is stored and transmitted.
- Assess your current encryption coverage (hint: it’s probably less complete than you think).
- Get quotes from vendors for encryption solutions for any unencrypted storage or transmission pathways.
- Plan phased implementation if budget requires it.
3. Multi-Factor Authentication for All System Access
The Myth: “MFA is annoying to users and slows down workflows.”
The Reality: The proposed rule mandates multi-factor authentication (MFA) for all access to systems containing ePHI. This applies to users, administrators, third parties, and remote access connections. There are minimal exceptions (and they’re narrow).
What This Means: Your staff members aren’t logging into systems with a password alone anymore. They’ll use a password plus a second factor—a code from an authenticator app, a hardware key, biometric verification, or similar. Yes, this requires a behavior change. But it’s also dramatically more secure than passwords alone, and users adapt surprisingly quickly once it’s implemented.
What to Do Now:
- Audit all systems that store or access ePHI.
- Identify which users need MFA (spoiler: it’s probably everyone).
- Select an MFA solution that integrates with your existing systems.
- Plan for a phased rollout starting with your highest-risk systems and highest-privilege users.
- Budget for helpdesk training and user communication materials.
4. Annual Security Risk Analysis (Formally Codified)
The Myth: “We did a risk analysis five years ago. That’s probably still good enough.”
The Reality: The proposed rule codifies an annual Security Risk Analysis requirement (45 CFR § 164.308(a)(1)(ii)(A)). This isn’t a new concept—it’s been in the rule since 2005—but it’s now explicitly required annually with documented methodology and scope.
What This Means: Every year, you must systematically assess your systems, identify vulnerabilities and threats, evaluate existing controls, and document the risk level of each threat. This must be repeatable and documented. You need to show your work.
What to Do Now:
- Establish a defined Security Risk Analysis methodology if you don’t have one.
- Document your current risk analysis process.
- Plan annual review cycles (many organizations do this in Q4 to prepare for the next year).
- Consider whether you’ll do this internally or bring in external expertise.
5. Network Mapping and Segmentation Requirements
The Myth: “We don’t need to formally map our network; our IT team knows what’s connected.”
The Reality: The proposed rule requires detailed network mapping and network segmentation to restrict unnecessary access to ePHI. You need to know what’s on your network, how systems connect, and why those connections exist.
What This Means: You’ll need a detailed network diagram showing all systems, data flows, and connections. You’ll also need network segmentation so that, for example, a workstation in your billing department can’t reach patient-record systems it has no business need to access. This is the principle of least privilege: people and systems get access to exactly what they need, nothing more.
What to Do Now:
- Create a complete network topology map if you don’t have one.
- Document system interconnections and data flows.
- Identify segmentation opportunities (separate networks for different departments, isolated test systems, etc.).
- Prioritize implementation based on risk.
6. Vulnerability Scanning Every 6 Months, Penetration Testing Annually
The Myth: “Penetration testing is too expensive and disruptive. We’ll just do vulnerability scanning occasionally.”
The Reality: The proposed rule mandates vulnerability scanning at minimum every 6 months and annual penetration testing for all systems that handle ePHI (45 CFR § 164.308(a)(1)(ii)(B)).
What This Means: You need regular, scheduled security testing. Vulnerability scanning uses automated tools to identify weaknesses like outdated software, missing patches, misconfigurations, and known vulnerabilities. Penetration testing is where a trained specialist actually tries to break into your systems to see how a real attacker might do it. Both are non-negotiable now.
What to Do Now:
- Identify all systems and applications that handle ePHI.
- Get quotes from penetration testing vendors (budget $10K-$50K+ depending on organization size).
- Implement a vulnerability scanning tool (many are subscription-based at $1K-$5K annually for smaller organizations).
- Set up a schedule: vulnerability scans at least every 6 months, pen tests annually.
- Establish a remediation process for findings.
7. 72-Hour System Restoration + 24-Hour Incident Reporting
The Myth: “A breach probably won’t happen to us, and if it does, we can take our time addressing it.”
The Reality: The proposed rule establishes strict timelines: ePHI must be restored within 72 hours of breach discovery, and breaches must be reported to HHS within 24 hours of discovery (45 CFR § 164.400).
What This Means: If your systems are compromised, your incident response needs to be swift and coordinated. You need a recovery plan, tested backups, and a communication protocol. The 24-hour reporting window is especially tight—it doesn’t give you much time to investigate, but you’re required to report based on what you know, not wait until the investigation is complete.
What to Do Now:
- Develop a formal incident response plan if you don’t have one.
- Test your backup and restoration procedures (don’t discover they don’t work during an actual breach).
- Identify who needs to be involved in incident response and ensure they know their roles.
- Create a breach notification template with all required elements.
- Consider cyber liability insurance and incident response retainer relationships with vendors.
- Conduct incident response drills at least annually.
8. Stricter BAA Requirements with Specific Cybersecurity Language
The Myth: “We have business associate agreements. That’s good enough.”
The Reality: The proposed rule strengthens Business Associate Agreement (BAA) requirements (45 CFR § 164.504(e)) with specific cybersecurity language, including requirements for encryption, MFA, vulnerability testing, breach notification, and incident reporting—and these must be explicitly stated in the BAA itself.
What This Means: Your BAAs with vendors, contractors, and service providers need to be updated with specific, detailed security requirements. You can’t use vague language. You need to explicitly require encryption, MFA, regular security testing, and incident notification. This applies to every third party that touches ePHI.
What to Do Now:
- Audit all existing BAAs (yes, go back and look at every vendor and contractor).
- Create a template BAA that includes all the new required language.
- Identify vendors who may not currently meet the new requirements.
- Plan vendor conversations and timelines for BAA updates.
- Consider hiring legal counsel familiar with HIPAA to ensure language is compliant.
9. Annual Compliance Audits with BA Reporting to Covered Entities
The Myth: “We’ll do a compliance audit every couple of years. That should be fine.”
The Reality: The proposed rule requires annual compliance audits and mandates that business associates (vendors, contractors) report their compliance status to covered entities annually (45 CFR § 164.308(a)(8)).
What This Means: You’re getting audited every year—and if you work with business associates, they’re reporting their compliance to you annually, which means you’re essentially responsible for tracking their compliance as well. This is a more intensive oversight model.
What to Do Now:
- Establish an annual compliance audit schedule.
- Decide whether you’ll conduct audits internally or hire external auditors.
- Create audit checklists based on the final rule once published.
- Implement a system for collecting and reviewing BA compliance reports.
- Budget for annual audit costs.
What This Means for Different Organization Sizes
The impact of these changes varies based on your organization’s size and complexity:
Small Practice (1-10 Clinicians)
Current State: You probably have basic security measures but maybe haven’t kept up with everything.
What Changes: The biggest impact is likely the formalization of previously “addressable” items and the requirement for annual testing. You’ll need to invest in encryption tools, MFA, vulnerability scanning, and formal documentation.
Cost Reality: Budget $15K-$40K for initial setup (encryption, MFA, tools), plus $5K-$15K annually for ongoing maintenance, scanning, and penetration testing.
Action: Start with MFA and encryption—these are foundational. Then formalize your processes.
Mid-Size Organization (11-100+ Clinicians)
Current State: You probably have a dedicated IT person or small team, but coordination across departments might be loose.
What Changes: You’ll need to formalize processes that might currently be informal. Network segmentation becomes important. Coordination with multiple business associates requires systematic tracking.
Cost Reality: Budget $50K-$150K for initial implementation, plus $20K-$50K annually. You might need to hire dedicated compliance staff if you don’t have them.
Action: This is where you consolidate scattered efforts into systematic processes. Start with your risk analysis to prioritize.
Enterprise Organization (100+ Clinicians/Multiple Sites)
Current State: You likely have documented security programs but may need updates.
What Changes: You’ll need to scale processes across multiple locations and systems. Business associate management becomes sophisticated. The annual audit requirement becomes operationally significant.
Cost Reality: Budget $200K-$500K+ for implementation depending on current maturity, plus $75K-$200K+ annually for ongoing compliance, auditing, and vendor management.
Action: Establish a formal compliance office or expand the existing one. Implement enterprise tools for continuous monitoring and vulnerability management.
The Cost Reality: What This Investment Actually Means
Let’s be honest about the money. Industry estimates suggest the first-year cost of full compliance with the new HIPAA Security Rule will be approximately $9 billion across all covered entities and business associates. That’s real. It’s significant. And it’s worth contextualizing.
A typical data breach costs $11 million to $16 million per incident when you factor in notification costs, remediation, regulatory penalties, and lost patient trust. Ransomware attacks against healthcare providers average $4.5 million in direct costs. Regulatory penalties from HIPAA violations range from $100 to $50,000 per violation, with violations often running into the thousands. A single major breach could cost 2-3 years’ worth of compliance investment.
Your organization isn’t investing in compliance to satisfy bureaucrats. You’re investing in security infrastructure that protects your patient data, protects your organization’s financial stability, and protects your reputation.
What You Can Do Right Now (5 Immediate Action Items)
You don’t have to wait for the final rule to start preparing. Here are five things you can do this week:
1. Conduct a Readiness Assessment
Audit where your organization currently stands against the proposed requirements. Create a simple spreadsheet: Requirement | Current State | Compliant (Y/N) | Timeline to Comply. This takes 4-8 hours depending on organization size and gives you a clear roadmap.
2. Implement MFA Where It Matters Most
You don’t have to implement MFA everywhere on Day 1, but identify your highest-risk systems (patient record systems, email, admin portals) and get MFA in place there. Modern MFA solutions integrate with most systems. Start here.
3. Audit Your Encryption
Walk through your systems and ask: Where is ePHI stored? Is it encrypted? Where does ePHI travel? Is it encrypted in transit? You’ll probably find gaps. Document them.
4. Review and Update All Business Associate Agreements
Pull every BAA from the files. Create a checklist of new required language. Identify which ones need updating. Don’t update them yet (you’ll wait for the final rule for exact language), but know what you’re dealing with.
5. Establish a Timeline and Assign Accountability
Create a compliance implementation project with milestones, responsible parties, and deadlines. Who owns encryption? Who owns MFA? Who owns vendor management? Accountability drives action.
Frequently Asked Questions About HIPAA Changes in 2026
Q: When exactly does the final rule come out, and how long do we have to comply?
A: The final rule is expected in May 2026. Organizations will have approximately 240 days from publication to comply, putting the deadline around December 2026 or January 2027. Some requirements may have longer phase-in periods for vendors and larger implementations.
Q: Can we claim that implementing these requirements is “infeasible” and document our way around them?
A: The updated rule significantly limits this approach. While there may still be narrow circumstances where you can document why something isn’t feasible, this won’t be a general escape hatch. The burden of proof is on your organization to demonstrate genuine infeasibility, not just inconvenience or cost.
Q: Do these requirements apply to all covered entities and business associates, or just large organizations?
A: These are broad requirements applying to all covered entities (healthcare providers, health plans, healthcare clearinghouses) and their business associates, regardless of size. There are no exemptions for small organizations, though the implementation approach may differ.
Q: If we get breached, what exactly is the timeline for reporting?
A: You must report suspected breaches to HHS within 24 hours of discovery. You must notify affected individuals without unreasonable delay (typically within 30-60 days depending on circumstances). You must restore systems within 72 hours. These are tight timelines, so your incident response plan needs to be ready to execute immediately.
Q: How much will full compliance actually cost our organization?
A: It depends entirely on your current state and organization size. A small practice with moderate current security might spend $20K-$50K to get compliant. A mid-size organization might spend $75K-$200K. A large healthcare system could spend $500K or more. The key is starting now rather than scrambling in Q4 2026.
Your Next Steps: Turning Anxiety into Action
The HIPAA Security Rule changes coming in 2026 are significant, but they’re not insurmountable. They formalize practices that leading healthcare organizations are already implementing. They acknowledge the reality of modern threats and modern technology. And they protect what matters most: your patients’ data and your organization’s stability.
The healthcare organizations that will navigate these changes smoothly are the ones that start preparing now. Not in panic mode—in planning mode. Assess where you are. Identify gaps. Build a roadmap. Start with quick wins like MFA on critical systems. Layer in longer-term projects like network segmentation and formal processes.
This is exactly what Medcurity was built for. Our Security Risk Analysis, Network Vulnerability Assessment, and Policies & Procedures solutions are purpose-built to help healthcare organizations navigate exactly this kind of transformation—moving from reactive, ad-hoc security to systematic, compliant security infrastructure. Whether you need a complete overhaul or a focused assessment to get your roadmap, we’ve helped hundreds of organizations get compliant without the overwhelm.
The final rule will be published soon. The clock is ticking. But you’re ahead of the curve by learning about these changes now. Keep this guide handy, gather your leadership team, and start planning. Your patients—and your organization—will be better protected for it.
Have questions about how these changes apply to your specific situation? Reach out to our compliance team. We’re here to help you navigate this transition with clarity and confidence.