
2026 HIPAA Security Rule Update

Quick Answer: The 2026 HIPAA Security Rule update introduces significant changes including mandatory encryption of ePHI at rest and in transit (the “addressable” designation is removed), required multi-factor authentication for systems accessing ePHI, restoration of critical systems and data within 72 hours of a loss, vulnerability scanning at least every six months with annual penetration testing, and annual written verification of business associates’ safeguards. These changes, proposed by HHS in a notice of proposed rulemaking published in the Federal Register on January 6, 2025, represent the most substantial update to HIPAA security requirements since the original rule. Healthcare organizations should begin preparing now by assessing their current encryption status, implementing MFA, and updating their incident response and contingency plans.

Updated for where the 2026 HIPAA Security Rule stands as of May 2026. The notice of proposed rulemaking was published in the Federal Register on January 6, 2025, and HHS’s stated target for the final rule is May 2026; everything below is written against that proposed text, which is not expected to change materially. OCR already cites the same deficiencies in resolution agreements, and the January 2026 OCR Cybersecurity Newsletter made clear that risk analysis remains the most-frequently-cited deficiency in OCR investigations. What follows is the operational layer between the Rule’s text and what healthcare IT teams actually do Monday morning: what is verifiable, what is annual, and what is auditable.

What has actually landed in healthcare IT as of May 2026

  1. Asset inventory finally stopped being a joke. Regulators are now asking for current, accurate inventories of every system that touches ePHI — not the 2024 “spreadsheet of laptops” norm. The January 2026 OCR Newsletter ties unpatched-software risk directly to a complete asset inventory.
  2. MFA on remote access is now assumed. The proposed rule removes the “addressable” designation, so its implementation specifications are read as required, not optional. Document the control in place, or document the compensating control.
  3. Annual BA verification is the most-underrated workflow. The new requirement is annual written verification from each business associate that its technical safeguards are in place; document the verification itself, not just keep the BAA on file. See our HIPAA Business Associate Agreement template that covers the 2026 Annual Verification requirement.

The HIPAA Security Rule is about to undergo the most significant update since its original adoption. Expected to be finalized in May 2026, the proposed changes will introduce mandatory requirements that many healthcare organizations are not prepared to meet.

2026 HIPAA Security Rule Update: New Requirements Every Healthcare Organization Must Prepare For

This isn’t a minor regulatory tweak. The updated rule will require mandatory annual security risk assessments, universal encryption of ePHI, multi-factor authentication across all systems, regular vulnerability scanning, and substantially more detailed compliance documentation. For organizations that have been treating HIPAA security as a periodic checkbox exercise, the compliance gap is about to get very real, very quickly.

The good news: The organizations that start preparing now will be well-positioned when the final rule takes effect. The ones that wait until after publication will be scrambling. Here’s what you need to know.

What’s Changing and Why It Matters

The current HIPAA Security Rule, adopted in 2003 and, apart from the 2013 Omnibus Rule extending it to business associates, largely unchanged since, was written for a different era. It predates cloud computing, telehealth expansion, AI adoption, ransomware as a business model, and the proliferation of connected medical devices. The proposed update reflects the reality that healthcare cybersecurity in 2026 bears almost no resemblance to healthcare cybersecurity in 2003.

The Office for Civil Rights (OCR) has been signaling these changes for years. Recent enforcement actions have consistently cited security risk analysis failures, inadequate access controls, and insufficient encryption as primary violations. The proposed rule essentially codifies what OCR has been enforcing through penalties and settlements.

Here are the key changes healthcare organizations need to prepare for:

Mandatory Annual Security Risk Assessments

What’s changing: The current rule requires organizations to conduct a security risk analysis but doesn’t specify how often. Many organizations interpret this ambiguity as permission to conduct an SRA every few years, or to perform one initial analysis and then make minimal updates. The proposed rule eliminates this ambiguity by requiring annual security risk assessments.

What this means in practice: Every covered entity and business associate will need to complete a documented, comprehensive Security Risk Analysis every 12 months. This isn’t a cursory review or a checkbox update to last year’s document. It’s a thorough reassessment of threats, vulnerabilities, and safeguards based on your current environment.

Why this matters: Organizations that haven’t been conducting annual SRAs will need to build this into their compliance calendar immediately. For many smaller practices and business associates, this represents a significant increase in compliance effort. But it also represents the single most effective action an organization can take to identify and address security gaps before they become breaches or enforcement actions.

Real-world impact: A community health center that last conducted a full SRA in 2024 will need to complete a new assessment reflecting its current systems, vendors, workforce, and threat environment. If they’ve added telehealth services, changed EHR vendors, expanded remote work, or adopted AI tools since their last assessment, those changes need to be captured. An update to a two-year-old document won’t meet the standard.

Mandatory Encryption of ePHI

What’s changing: The current rule treats encryption as an “addressable” safeguard, meaning organizations can choose not to implement encryption if they document why an equivalent alternative measure is reasonable and appropriate. The proposed rule is expected to make encryption mandatory for ePHI at rest and in transit.

What this means in practice: Every system that stores or transmits ePHI must use encryption. This includes servers, databases, laptops, workstations, portable devices, backup media, email systems, messaging platforms, and cloud storage. The “addressable” workaround that allowed organizations to document reasons for not encrypting will no longer be available.

Why this matters: Encryption has been a best practice for years, and most modern systems support it by default. But there are still healthcare organizations running legacy systems that don’t support encryption, using unencrypted email for patient communications, storing ePHI on unencrypted portable devices, or maintaining backup systems without encryption. Each of these will become an explicit violation under the updated rule.

Real-world impact: A multi-location practice that still uses an older on-premises EHR system without database-level encryption will need to either upgrade the system, implement encryption at the storage level (full-disk or volume encryption underneath the database), or migrate to a platform that supports encryption natively. Whichever route it takes, it should record the algorithm and mode, where the keys live, who can reach them, and how they are rotated; “we encrypt” without that detail is not evidence. This isn’t a trivial undertaking, and organizations should start evaluating their encryption posture now.
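The in-transit half of the encryption posture is the easier one to verify mechanically. The script below is an added example for this article, not code from the page or from Medcurity: it takes TLS observations of the kind a scanner reports (the endpoint list is constructed), grades each against an assumed baseline (TLS 1.2 or later, forward-secret AEAD cipher suites, certificate verification on), and builds a Python client context that enforces the same baseline so the documented standard and the enforced standard are the same thing.

```python
"""Grade ePHI transport endpoints against a documented TLS standard, and build
a client context that enforces it.

Added example, not code from the article or Medcurity. The observations are
constructed, and the acceptance policy is an assumed baseline standing in for
whatever "prevailing cryptographic standard" an organization documents.
"""
from __future__ import annotations

import ssl

# Constructed observations as a TLS scanner would report them:
# (endpoint, protocol negotiated, cipher suite). "cleartext" means no TLS.
OBSERVED = [
    ("ehr-api.internal:443", "TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    ("smtp-relay.internal:587", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("fax-gateway.internal:443", "TLSv1.0", "AES256-SHA"),
    ("hl7-feed.internal:2575", "cleartext", ""),
    ("backup.internal:443", "TLSv1.2", "DES-CBC3-SHA"),
]

ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def cipher_acceptable(protocol: str, cipher: str) -> bool:
    """Require an AEAD suite with forward secrecy (OpenSSL-style names)."""
    if protocol == "TLSv1.3":
        return True  # every TLS 1.3 suite is AEAD and forward-secret by design
    aead = any(tag in cipher for tag in ("GCM", "CHACHA20", "CCM"))
    forward_secret = cipher.startswith(("ECDHE-", "DHE-"))
    return aead and forward_secret


def assess(observed) -> list[tuple[str, bool, str]]:
    """One (endpoint, compliant, reason) row per observation."""
    results = []
    for endpoint, protocol, cipher in observed:
        if protocol == "cleartext":
            # Typical of legacy HL7/MLLP feeds. The fix is a TLS-terminating
            # proxy in front of the listener or an authenticated tunnel.
            results.append((endpoint, False, "no transport encryption"))
        elif protocol not in ACCEPTED_PROTOCOLS:
            results.append((endpoint, False, f"{protocol} below minimum TLS 1.2"))
        elif not cipher_acceptable(protocol, cipher):
            results.append((endpoint, False, f"weak or non-forward-secret suite {cipher}"))
        else:
            results.append((endpoint, True, f"{protocol} {cipher}"))
    return results


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses anything the assessment above would flag."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret AEAD suites only; TLS 1.3 suites are governed separately.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM")
    return ctx


def context_policy(ctx: ssl.SSLContext) -> dict[str, object]:
    """The standard as actually configured, in a form that can go in the SRA."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    for endpoint, ok, reason in assess(OBSERVED):
        print(f"{'PASS' if ok else 'FAIL'} {endpoint}: {reason}")
    print(context_policy(hardened_client_context()))
```

Running it fails the TLS 1.0 fax gateway, the cleartext HL7 feed and the 3DES backup channel, and passes the two modern endpoints; the `context_policy` output is the sentence that belongs in the encryption section of the risk analysis.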

Multi-Factor Authentication (MFA) Requirements

What’s changing: The proposed rule is expected to require multi-factor authentication for all systems that access ePHI. The current rule requires “person or entity authentication” but doesn’t specify MFA. The update will make MFA an explicit requirement rather than a recommended practice.

What this means in practice: Every user who accesses ePHI will need to authenticate with at least two of the three factor types: something they know (a password), something they have (a phone, a hardware security key), and something they are (a biometric). Two factors of the same type, such as a password plus a PIN, do not count. Single-password access to systems containing ePHI will no longer meet the standard. Not all second factors are equal: SMS and voice codes can be phished or intercepted through SIM swapping, so prefer an authenticator app or push prompt, and phishing-resistant FIDO2 keys or passkeys for administrative and remote access.

Why this matters: MFA is one of the most effective controls against unauthorized access, credential theft, and phishing attacks. Yet many healthcare organizations still rely on single-factor authentication for critical systems. Breach reports consistently show that a large share of healthcare data breaches involve compromised credentials, breaches that MFA, and phishing-resistant MFA in particular, would have prevented or sharply limited.

Real-world impact: A physician practice where clinicians log into the EHR with just a username and password will need to implement MFA. This affects workflow, requires staff training, and may require upgrades to authentication systems. Organizations should be planning their MFA rollout now — deploying MFA across an entire organization takes time, testing, and change management.
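Knowing who is still on a single factor is the first deliverable of an MFA rollout, and the exceptions (service accounts, break-glass accounts) need to be listed deliberately rather than discovered later. The script below is an added example for this article, not code from the page or from Medcurity. It audits a user export from an identity provider; the CSV layout, column names and factor names are assumptions modelled on a generic SSO or directory export, and the sample rows are constructed.

```python
"""Audit an identity-provider user export for single-factor access to ePHI.

Added example, not code from the article or Medcurity. The CSV columns and
factor names are assumptions; adapt them to your IdP's export format.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Factor strength, weakest first. SMS and voice codes satisfy "something you
# have" but are phishable and SIM-swappable; app/push is better, FIDO2 best.
FACTOR_RANK = {"none": 0, "sms": 1, "voice": 1, "totp": 2, "push": 2, "fido2": 3}

# Constructed sample export: one row per account with access to an ePHI system.
SAMPLE_EXPORT = """\
username,system,role,factors,account_type
dr.chen,EHR,clinician,fido2,user
nurse.ortiz,EHR,clinician,sms,user
admin.ehr,EHR,admin,sms,user
billing.svc,PracticeMgmt,service,none,service
front.desk,PracticeMgmt,clerk,none,user
it.smith,VPN,admin,totp;fido2,user
er.breakglass,EHR,admin,none,breakglass
"""


@dataclass
class Finding:
    username: str
    system: str
    severity: str
    reason: str


def strongest_factor(factors: str) -> str:
    """Strongest enrolled second factor, or 'none' if nothing is enrolled."""
    names = [f.strip().lower() for f in factors.split(";") if f.strip()]
    names = [n for n in names if n != "none"]
    if not names:
        return "none"
    return max(names, key=lambda n: FACTOR_RANK.get(n, 0))


def audit_mfa(export_csv: str) -> list[Finding]:
    """One finding per account that needs action or a documented exception."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        best = strongest_factor(row["factors"])
        kind = row["account_type"]
        if kind == "service":
            # Non-interactive accounts cannot answer an MFA prompt; the answer
            # is a documented compensating control (key-based auth, source-IP
            # restriction, short-lived tokens), not silence.
            findings.append(Finding(row["username"], row["system"], "medium",
                                    "service account: document compensating control"))
        elif kind == "breakglass":
            # Emergency-access accounts are a deliberate exception: sealed
            # credentials, an alert on every use, rotation after use.
            findings.append(Finding(row["username"], row["system"], "info",
                                    "break-glass account: verify use-triggered alert and review"))
        elif best == "none":
            sev = "critical" if row["role"] == "admin" else "high"
            findings.append(Finding(row["username"], row["system"], sev,
                                    "single-factor access to ePHI"))
        elif row["role"] == "admin" and FACTOR_RANK.get(best, 0) < FACTOR_RANK["totp"]:
            findings.append(Finding(row["username"], row["system"], "high",
                                    f"privileged account relies on phishable factor ({best})"))
    return findings


def mfa_coverage(export_csv: str) -> float:
    """Fraction of interactive user accounts with a second factor enrolled."""
    users = [r for r in csv.DictReader(io.StringIO(export_csv)) if r["account_type"] == "user"]
    enrolled = sum(1 for r in users if strongest_factor(r["factors"]) != "none")
    return enrolled / len(users) if users else 1.0


if __name__ == "__main__":
    for f in audit_mfa(SAMPLE_EXPORT):
        print(f"[{f.severity:8}] {f.username}@{f.system}: {f.reason}")
    print(f"MFA coverage (interactive accounts): {mfa_coverage(SAMPLE_EXPORT):.0%}")
```

On the sample data the audit flags the front-desk account with no second factor, the EHR administrator who relies on SMS, the billing service account that needs a compensating control on record, and the break-glass account that needs its alerting verified; the coverage figure (80%) is the number to track month over month.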

Regular Vulnerability Scanning

What’s changing: The proposed rule is expected to require regular vulnerability scanning and penetration testing; the proposed text specifies automated vulnerability scanning at least every six months and penetration testing at least every 12 months. The current rule requires organizations to identify vulnerabilities through the risk analysis process but doesn’t mandate specific technical assessment methods.

What this means in practice: Organizations will need to conduct regular automated vulnerability scans of their networks, systems, and applications. This goes beyond the traditional Security Risk Analysis — it’s a technical assessment of actual system vulnerabilities, not just a policy-level risk evaluation. Many organizations will also need to conduct periodic penetration testing to validate their security controls.

Why this matters: Vulnerability scanning identifies specific, exploitable weaknesses in your systems — unpatched software, misconfigured firewalls, exposed services, and default credentials. These are the entry points that attackers use. A Network Vulnerability Assessment paired with your Security Risk Analysis gives you both the strategic and tactical view of your security posture.

Real-world impact: A hospital that has never conducted a formal vulnerability scan may discover dozens or hundreds of unpatched systems, misconfigured devices, and exposed services. The first scan is often eye-opening. Organizations should begin vulnerability scanning now — both to understand their current exposure and to establish the operational processes they’ll need to maintain ongoing scanning under the new rule.

Enhanced Documentation and Compliance Evidence

What’s changing: The proposed rule significantly strengthens documentation requirements. Organizations will need to maintain detailed, current documentation of their security policies, risk assessments, safeguard implementations, incident response plans, and compliance activities. The standard of documentation expected during an OCR investigation will be substantially higher.

What this means in practice: It’s no longer sufficient to have security policies on paper. Organizations will need to demonstrate that policies are implemented, staff are trained, controls are tested, and gaps are tracked and remediated. Think of it as moving from “do you have a policy?” to “prove this policy is actually working.”

Why this matters: Many organizations have reasonable security practices but poor documentation. In an OCR investigation, undocumented security is effectively the same as absent security. The updated rule makes documentation a compliance requirement in its own right, not just evidence of other requirements.

Technology Asset Inventory and Network Mapping

What’s changing: The proposed rule is expected to require organizations to maintain a comprehensive, current inventory of all technology assets that create, receive, maintain, or transmit ePHI, along with a network map showing how these assets are connected.

What this means in practice: You’ll need to know, and document, every device, system, application, and connection point in your environment that touches patient data. This includes servers, workstations, laptops, mobile devices, medical devices, cloud services, network equipment, and IoT devices.

Why this matters: You can’t secure what you don’t know about. Asset inventory is foundational to every other security control — risk assessment, access management, vulnerability scanning, incident response, and encryption all depend on knowing what assets you have and where they are. Many organizations discover during their first comprehensive inventory that they have significantly more ePHI-touching assets than they realized.
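The practical test of an inventory is reconciling it against what a discovery scan actually sees, in both directions. The script below is an added example for this article, not code from the page or from Medcurity. Its inventory columns and discovery list are assumptions (a CSV exported from a CMDB or spreadsheet, and address/name pairs parsed from a network discovery scan), and both samples are constructed; the "no ePHI in guest zones" rule is an assumed policy.

```python
"""Reconcile a declared ePHI asset inventory against hosts actually seen on
the network, and list the gaps an auditor would ask about.

Added example, not code from the article or Medcurity. Inventory columns,
discovery format and zone policy are assumptions; samples are constructed.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field

# Constructed inventory. Blank cells are the interesting part: an ePHI system
# with no owner or no documented encryption standard is an inventory gap even
# though the host itself is listed.
SAMPLE_INVENTORY = """\
hostname,ip,owner,ephi,encryption_at_rest,network_zone
ehr-db01,10.10.1.5,dba-team,yes,AES-256 TDE,clinical
ehr-app01,10.10.1.6,app-team,yes,,clinical
fileshare01,10.10.2.9,,yes,BitLocker,admin
telehealth-cart1,10.10.3.30,nursing,yes,BitLocker,guest
printer-lobby,10.10.3.20,facilities,no,,guest
"""

# Constructed discovery results: (ip, name) as a scanner would report them.
SAMPLE_DISCOVERED = [
    ("10.10.1.5", "ehr-db01"),
    ("10.10.1.6", "ehr-app01"),
    ("10.10.1.44", "infusion-pump-7"),  # never inventoried
    ("10.10.2.9", "fileshare01"),
    ("10.10.3.21", "unknown"),          # no name, not inventoried
    ("10.10.3.30", "telehealth-cart1"),
]

# Zones where ePHI must not live; assumed policy for the example.
UNTRUSTED_ZONES = {"guest", "public"}


@dataclass
class Reconciliation:
    unknown_hosts: list[str] = field(default_factory=list)    # seen, not inventoried
    stale_hosts: list[str] = field(default_factory=list)      # inventoried, not seen
    ephi_gaps: list[str] = field(default_factory=list)        # ePHI asset missing data
    zone_violations: list[str] = field(default_factory=list)  # ePHI in untrusted zone

    def is_clean(self) -> bool:
        return not (self.unknown_hosts or self.stale_hosts
                    or self.ephi_gaps or self.zone_violations)


def reconcile(inventory_csv: str, discovered: list[tuple[str, str]]) -> Reconciliation:
    inventory = {row["ip"]: row for row in csv.DictReader(io.StringIO(inventory_csv))}
    seen = {ip for ip, _ in discovered}
    result = Reconciliation()

    for ip, name in discovered:
        if ip not in inventory:
            result.unknown_hosts.append(f"{ip} ({name})")

    for ip, row in inventory.items():
        if ip not in seen:
            # Decommissioned, or on a segment the scan does not reach. Either
            # way the inventory is not current until someone resolves it.
            result.stale_hosts.append(f"{ip} ({row['hostname']})")
        if row["ephi"].strip().lower() != "yes":
            continue
        if not row["owner"].strip():
            result.ephi_gaps.append(f"{row['hostname']}: no owner")
        if not row["encryption_at_rest"].strip():
            result.ephi_gaps.append(f"{row['hostname']}: encryption at rest not documented")
        if row["network_zone"].strip().lower() in UNTRUSTED_ZONES:
            result.zone_violations.append(f"{row['hostname']}: ePHI in {row['network_zone']} zone")
    return result


def zone_map(inventory_csv: str) -> dict[str, list[str]]:
    """Minimal network map: which ePHI hosts sit in which zone."""
    zones: dict[str, list[str]] = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["ephi"].strip().lower() == "yes":
            zones.setdefault(row["network_zone"], []).append(row["hostname"])
    return zones


if __name__ == "__main__":
    r = reconcile(SAMPLE_INVENTORY, SAMPLE_DISCOVERED)
    for label, items in vars(r).items():
        print(f"{label}: {items}")
    print("zone map:", zone_map(SAMPLE_INVENTORY))
```

The sample run surfaces an infusion pump and an unnamed host that nobody listed, a printer that the scan no longer sees, an EHR application server with no encryption standard on record, a file share with no owner, and a telehealth cart holding ePHI on the guest network. Each line is a ticket, and the ticket trail is the evidence that the inventory is maintained rather than merely filed.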

Compliance deadlines and finalization status (2026)

Where the 2026 HIPAA Security Rule stands provision-by-provision, and what each provision means operationally for healthcare IT teams right now.

Provision | Status as of May 2026 | Practical implication
Rule publication | Proposed rule published in the Federal Register January 6, 2025; final rule targeted for May 2026 | Treat the proposed text as the shape of the final requirements. OCR already cites the same deficiencies (risk analysis, access control, encryption) in resolution agreements.
MFA for ePHI access | Implementation specification (required; remote access is where it is assumed first) | Operational requirement; document the technology in place, or document the compensating control.
Asset inventory (current + accurate) | Implementation specification | Annual-or-better cadence expected. The January 2026 OCR Newsletter ties this to unpatched-software risk.
Encryption at rest and in transit | Implementation specification (required; “addressable” designation removed) | Document the standard chosen (algorithm, mode, key management), not just “we encrypt.” Identify systems where ePHI is unencrypted and the remediation plan.
Annual BA verification | Required workflow | Obtain written verification from each business associate that its technical safeguards are in place; document the verification itself, not just the BAA on file.
240-day implementation runway | Effective 60 days after final-rule publication, compliance 180 days after that, per the proposed text | Significant cost and labor: HHS estimated $9 billion year-one cost and $34 billion across years one through five.
CHIME and 100+ provider org pushback | Industry input received; HHS retained May 2026 finalization target | Does not change the proposed text; does shape OCR enforcement priorities, particularly for critical access hospitals and other rural and small-margin providers.

What This Means for Different Healthcare Organizations

Small Practices and Clinics

The updated rule’s impact will be felt most acutely by smaller organizations that have been operating with minimal formal compliance programs. A five-physician practice that has relied on basic security measures and periodic risk assessments will need to implement annual SRAs, deploy encryption across all systems, implement MFA, conduct vulnerability scanning, and maintain substantially more documentation.

This is a significant increase in compliance burden for small organizations. But the rule doesn’t change based on organization size — the requirements apply equally to a solo practitioner and a major health system. The key for smaller organizations is finding efficient, scalable approaches to compliance. A dedicated compliance platform can make annual SRAs, documentation, and remediation tracking manageable even for small teams.

Hospitals and Health Systems

Larger organizations likely have many of these controls partially in place. The challenge will be ensuring completeness and consistency across the entire organization. MFA might be deployed for some systems but not all. Encryption might cover primary databases but not legacy systems. Vulnerability scanning might happen quarterly in the data center but not across all locations.

For health systems, the updated rule creates an opportunity to consolidate and standardize security practices that may have developed inconsistently across departments, locations, and acquisitions. Start by conducting a gap analysis against the proposed requirements to identify where your current program falls short.

Business Associates

Business associates — IT vendors, billing companies, EHR providers, cloud hosting companies, and every other entity that handles ePHI on behalf of covered entities — are subject to the same Security Rule requirements. The updated rule’s mandatory provisions apply to business associates just as they do to covered entities.

This matters because covered entities will increasingly expect their business associates to demonstrate compliance with the updated requirements. If you’re a business associate, your compliance posture will become a competitive differentiator. Organizations that can demonstrate robust security — annual SRAs, encryption, MFA, vulnerability scanning, and comprehensive documentation — will be preferred over those that can’t.

Industry context: the CHIME-led stakeholder letter. In February 2025, the College of Healthcare Information Management Executives (CHIME) joined seven other industry associations and more than one hundred U.S. hospital systems and provider organizations in a letter to the Trump administration requesting that HHS withdraw the proposed HIPAA Security Rule update. The core argument: small and mid-sized providers cannot absorb the roughly $9 billion year-one cost HHS itself projected, and rural hospitals operating on razor-thin margins would face existential choices between cybersecurity compliance and keeping doors open for patients. HHS retained the May 2026 finalization target despite the pushback, but the letter has shaped how OCR has signaled enforcement priorities, particularly a willingness to credit good-faith, phased compliance plans from critical access hospitals, federally qualified health centers, and other safety-net providers. Medcurity’s read: the proposed text is not expected to change materially, and the enforcement posture for resource-constrained providers is workable, provided the documentation is in place.

A Practical Preparation Timeline

HHS’s stated target for the final rule is May 2026. The proposed text makes the rule effective 60 days after publication, with compliance required 180 days after the effective date, about 240 days in all. If the final rule appears on that schedule, organizations could be required to meet the new standards around the start of 2027. Here’s how to use the time you have now.

Now Through May 2026: Assessment and Planning

Conduct a gap analysis. Compare your current security posture against the proposed requirements. Where do you already meet the standard? Where are the gaps? Prioritize the gaps by risk and implementation complexity.

Complete your annual SRA. If you haven’t conducted a Security Risk Analysis in the past 12 months, do one now. This gives you a baseline and positions you to meet the annual requirement when it takes effect.

Inventory your assets. Create a comprehensive inventory of all systems, devices, and applications that store, process, or transmit ePHI. Map your network connections. This inventory is foundational to everything else.

Assess your encryption posture. Identify every system that stores or transmits ePHI and determine whether encryption is currently implemented. Flag systems that don’t support encryption or where encryption hasn’t been enabled.

Plan your MFA deployment. Identify all systems that access ePHI and evaluate MFA readiness. Many modern cloud systems support MFA natively. Legacy systems may require additional solutions. Start with the highest-risk systems and work outward.

May Through December 2026: Implementation

Deploy encryption where gaps exist. Upgrade or replace systems that don’t support encryption. Enable encryption on systems where it’s available but not activated. Verify encryption is functioning correctly through testing.

Roll out MFA. Implement MFA across all ePHI-accessing systems. Train staff. Address workflow impacts. Test thoroughly. Plan for exceptions and edge cases (shared workstations, emergency access scenarios).

Establish vulnerability scanning. Deploy vulnerability scanning tools or engage a service provider. Conduct your first comprehensive scan. Establish a remediation process for identified vulnerabilities. Set up recurring scans.

Update documentation. Review and update all security policies, procedures, and documentation to reflect the new requirements. Ensure documentation is specific, current, and evidence-based.

Train your workforce. Update HIPAA training to cover new requirements. Ensure all staff understand the changes and their responsibilities. Document training completion.

Ongoing: Maintain and Monitor

Annual SRA cycle. Build the annual security risk assessment into your compliance calendar. Assign ownership. Block time for your team. Use a consistent methodology that allows year-over-year comparison.

Continuous vulnerability management. Vulnerability scanning isn’t a one-time event. Establish a cadence: critical patches within 72 hours where operationally possible, and never slower than the proposed rule’s outer bounds of 15 calendar days for critical and 30 days for high-risk patches; scans at least quarterly (the proposed rule’s floor is every six months); and rescans after significant system changes and after every remediation, since a fix counts only once a rescan confirms it.

Compliance monitoring. Regularly audit MFA adoption, encryption status, access controls, and documentation currency. Build compliance checks into your operational rhythm rather than treating them as annual events.

What the OCR is actually citing: the January 2026 Cybersecurity Newsletter

The January 2026 OCR Cybersecurity Newsletter — published by the U.S. Department of Health and Human Services Office for Civil Rights — gave healthcare IT teams the clearest signal yet about how the 2026 Security Rule is being enforced. Three themes carried the most operational weight:

  • System hardening is now a documented expectation. The Newsletter calls out specific processes covered entities should implement or monitor — patch management, default-credential elimination, unnecessary-service disablement, and configuration baselines — and ties each one back to the existing Security Rule citations rather than treating them as optional best practice.
  • Risk analysis enforcement is evolving to risk management. OCR signaled that risk analysis alone is no longer enough. Regulated entities are expected to demonstrate timely, documented action to reduce the risks and vulnerabilities to ePHI that the analysis identifies. The investigators are looking at the remediation log, not just the assessment document.
  • Risk analysis must surface unpatched-software exposure. The Newsletter specifies that the Security Rule risk analysis provision (45 CFR § 164.308(a)(1)(ii)(A)) requires identifying vulnerabilities like unpatched software and device firmware gaps — and pairing that identification with active remediation. A risk analysis that doesn’t reach into the patch cadence and firmware inventory falls short of the standard.
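The remediation log the investigators look for is a simple thing to produce if findings carry a first-seen date, a severity, a verified-fixed date and, where applicable, a documented risk acceptance with an approver and an expiry. The script below is an added example for this article, not code from the page, from OCR or from Medcurity. The finding records are constructed. The deadline policy is an assumption for the example: it uses the proposed rule’s patch timelines for critical (15 calendar days) and high (30 days) findings and adds 90 and 180 days for medium and low; a risk-accepted finding counts as handled only while its exception is signed and unexpired, and an expired exception falls back to the original clock rather than resetting it.

```python
"""Turn vulnerability-scan findings into a remediation log: each finding with
its due date, status and days overdue as of a given date.

Added example, not code from the article, OCR or Medcurity. Findings are
constructed; the SLA windows are an assumed policy (critical 15 days and high
30 days follow the proposed rule's patch timelines; medium/low are added).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    id: str
    asset: str
    severity: str
    title: str
    first_seen: date
    fixed_on: date | None = None        # verified by rescan, not "ticket closed"
    accepted_until: date | None = None  # documented risk-acceptance expiry
    accepted_by: str = ""               # who signed the exception


# Constructed scan results as they might look in June 2026.
SAMPLE_FINDINGS = [
    Finding("F-1001", "ehr-app01", "critical", "vendor patch missing",
            date(2026, 5, 1), fixed_on=date(2026, 5, 10)),
    Finding("F-1002", "fax-gateway", "high", "TLS 1.0 enabled",
            date(2026, 4, 15)),
    Finding("F-1003", "ehr-db01", "critical", "database patch missing",
            date(2026, 5, 25)),
    Finding("F-1004", "fileshare01", "medium", "SMB signing not required",
            date(2026, 2, 1), fixed_on=date(2026, 5, 20)),
    Finding("F-1005", "infusion-pump-7", "high", "firmware out of date",
            date(2026, 5, 20), accepted_until=date(2026, 9, 1), accepted_by="CISO"),
    Finding("F-1006", "telehealth-cart1", "high", "local admin default password",
            date(2026, 3, 1), accepted_until=date(2026, 4, 1), accepted_by="CISO"),
]


def due_date(f: Finding) -> date:
    return f.first_seen + timedelta(days=SLA_DAYS[f.severity])


def status(f: Finding, as_of: date) -> str:
    """One of: closed-on-time, closed-late, accepted, overdue, open."""
    due = due_date(f)
    if f.fixed_on is not None:
        return "closed-on-time" if f.fixed_on <= due else "closed-late"
    if f.accepted_until is not None and f.accepted_by and as_of <= f.accepted_until:
        return "accepted"
    # No fix and no live exception (an expired one does not reset the clock).
    return "overdue" if as_of > due else "open"


@dataclass
class LogEntry:
    id: str
    asset: str
    severity: str
    due: date
    status: str
    days_overdue: int


def remediation_log(findings, as_of: date) -> list[LogEntry]:
    entries = []
    for f in findings:
        st = status(f, as_of)
        overdue = (as_of - due_date(f)).days if st == "overdue" else 0
        entries.append(LogEntry(f.id, f.asset, f.severity, due_date(f), st, overdue))
    return entries


def summarize(entries) -> dict[str, int]:
    counts: dict[str, int] = {}
    for e in entries:
        counts[e.status] = counts.get(e.status, 0) + 1
    return counts


if __name__ == "__main__":
    today = date(2026, 6, 1)
    log = remediation_log(SAMPLE_FINDINGS, today)
    for e in log:
        tail = f" ({e.days_overdue}d overdue)" if e.days_overdue else ""
        print(f"{e.id} {e.asset:16} {e.severity:8} due {e.due} {e.status}{tail}")
    print(summarize(log))
```

As of 1 June 2026 the sample log shows one critical closed on time, one medium closed late, one critical still inside its window, one high with a live signed exception, and two highs overdue: the fax gateway by 17 days, and the telehealth cart whose exception lapsed in April and has been overdue for 62 days since. That last row is the case the newsletter is describing: a risk that was identified, then left unmanaged.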

Each of the controls the OCR cites here is a default screen in our SRA workflow. For the underlying methodology, see our HIPAA Risk Assessment guide and our breakdown of SRA software that maps to the 2026 Security Rule.

Common Mistakes Organizations Will Make

Waiting for the final rule before starting. The proposed requirements are well-documented and unlikely to change dramatically in the final rule. Organizations that wait until May to begin preparing will face implementation timelines that may be impossible to meet. Every requirement in the proposed rule is already a security best practice. Starting now isn’t premature — it’s prudent.

Treating compliance as a technology project. Encryption, MFA, and vulnerability scanning are technical controls, but compliance is an organizational capability. It requires policy development, staff training, vendor management, documentation, and ongoing monitoring. Technology is necessary but not sufficient.

Underestimating the documentation requirement. The updated rule’s documentation expectations will trip up organizations that have good security practices but poor records. Start documenting now: policies, configurations, training records, risk assessments, remediation plans, and audit results. If it’s not documented, it didn’t happen.

Ignoring business associate compliance. Your compliance doesn’t end at your organization’s boundaries. Evaluate your business associates’ readiness for the updated requirements. Update BAAs to reflect new expectations. Include vendor compliance in your risk assessment process.

Trying to do everything at once. The updated rule covers a lot of ground. Trying to implement everything simultaneously is a recipe for incomplete implementations and burned-out staff. Prioritize based on risk: start with your SRA (it identifies everything else you need to do), then address encryption and MFA as the highest-impact technical controls, followed by vulnerability scanning and documentation.

Frequently Asked Questions

Q: When will the final rule be published?

A: HHS’s stated target for the final rule is May 2026. The proposed text makes the rule effective 60 days after publication, with compliance required 180 days after the effective date, about eight months from publication; the final rule will confirm or adjust those windows.

Q: Will there be exceptions for small practices?

A: The proposed rule applies to all covered entities and business associates regardless of size. While the specific implementation may look different for a solo practice versus a hospital system, the requirements themselves are universal. Small practices will need to find efficient, right-sized approaches to meeting each requirement.

Q: We already conduct an SRA every year. What changes?

A: If you’re already conducting comprehensive annual SRAs, you’re ahead of most organizations. Review your current SRA process against the proposed requirements to ensure it covers the expanded scope — particularly AI systems, technology asset inventories, and vendor risk assessment. The standard for what constitutes an adequate SRA is expected to increase.

Q: What if we can’t meet all requirements by the compliance deadline?

A: Document your compliance roadmap. Show that you’ve assessed the gaps, prioritized remediation, allocated resources, and are making measurable progress. OCR has historically shown more leniency toward organizations that demonstrate good-faith compliance efforts than those that show no effort at all. A documented, phased implementation plan is far better than no plan.

Q: How much will compliance cost?

A: Costs vary significantly based on organization size, current security posture, and existing infrastructure. For organizations starting from a strong baseline, the incremental cost may be modest — perhaps formalizing practices that are already largely in place. For organizations with significant gaps, costs could be substantial. The key is to assess your gaps early so you can plan and budget appropriately. The cost of non-compliance — OCR penalties, breach remediation, and reputational damage — almost always exceeds the cost of compliance.

The Opportunity

Regulatory updates create urgency. But they also create opportunity. The organizations that meet the updated HIPAA Security Rule requirements won’t just avoid penalties — they’ll have genuinely stronger security programs. They’ll be better protected against the ransomware attacks, data breaches, and operational disruptions that are increasingly common in healthcare. They’ll earn the confidence of their patients, partners, and regulators.

The updated rule raises the floor for healthcare security. Organizations that have already been investing in security will find the transition manageable. Organizations that have been deferring security investments will face a more significant adjustment — but the result will be a stronger, more resilient organization.

Start with your Security Risk Analysis. It’s the foundation of every other requirement, and it’s the single best way to understand where you stand and what you need to do. Medcurity’s platform and compliance experts help healthcare organizations of all sizes conduct thorough, documented security risk assessments and build compliance programs that meet current and upcoming requirements. Whether you’re preparing for the updated rule or addressing existing compliance gaps, we can help you build a program that protects your organization and your patients.
