2026 HIPAA Security Rule Update

mooreds | 4 pts | 0 comments

2026 HIPAA Security Rule Update: New Requirements to Prepare For | Medcurity

Quick Answer: The 2026 HIPAA Security Rule update introduces significant changes including mandatory encryption of ePHI at rest and in transit (removing the "addressable" designation), required multi-factor authentication for all systems accessing ePHI, 72-hour incident reporting requirements, annual penetration testing, and enhanced business associate oversight obligations. These changes, proposed by HHS in late 2025, represent the most substantial update to HIPAA security requirements since the original rule. Healthcare organizations should begin preparing now by assessing their current encryption status, implementing MFA, and updating their incident response plans.

Updated for the 2026 HIPAA Security Rule Final Rule, published in the Federal Register on January 6, 2025, and at the 90-day mark after the Final Rule in May 2026. This is no longer an explainer about a proposal. The 2026 HIPAA Security Rule is finalized text, OCR has begun citing it in resolution agreements, and the January 2026 OCR Cybersecurity Newsletter made clear that risk analysis is the most frequently cited deficiency in OCR investigations. What follows is the operational layer between the Rule's text and what healthcare IT teams actually do on Monday morning: what is verifiable, what is annual, and what is auditable.

What has actually landed in healthcare IT 90 days after the Final Rule

Asset inventory finally stopped being a joke. Regulators are now asking for current, accurate inventories of every system that touches ePHI — not the 2024 "spreadsheet of laptops" norm. The January 2026 OCR Newsletter ties unpatched-software risk directly to a complete asset inventory.

MFA on remote access is now assumed. The Final Rule's implementation specifications are being read as required, not addressable. The operative posture is to document the control, or to document a compensating control where the control cannot be applied.

Annual BAA verification is the most underrated workflow. The new requirement is to verify the BAA and to document the verification itself, not just keep the BAA on file. See our HIPAA Business Associate Agreement template, which covers the 2026 annual verification requirement.

2026 HIPAA Security Rule Update: New Requirements Every Healthcare Organization Must Prepare For

The HIPAA Security Rule is about to undergo the most significant update since its original adoption. Expected to be finalized in May 2026, the proposed changes will introduce mandatory requirements that many healthcare organizations are not prepared to meet.

This isn’t a minor regulatory tweak. The updated rule will require mandatory annual security risk assessments, universal encryption of ePHI, multi-factor authentication across all systems, regular vulnerability scanning, and substantially more detailed compliance documentation. For organizations that have been treating HIPAA security as a periodic checkbox exercise, the compliance gap is about to get very real, very quickly.

The good news: The organizations that start preparing now will be well-positioned when the final rule takes effect. The ones that wait until after publication will be scrambling. Here’s what you need to know.

What’s Changing and Why It Matters

The current HIPAA Security Rule, adopted in 2003 and largely unchanged since, was written for a different era. It predates cloud computing, telehealth expansion, AI adoption, ransomware as a business model, and the proliferation of connected medical devices. The proposed update reflects the reality that healthcare cybersecurity in 2026 bears almost no resemblance to healthcare cybersecurity in 2003.

The Office for Civil Rights (OCR) has been signaling these changes for years. Recent enforcement actions have consistently cited security risk analysis failures, inadequate access controls, and insufficient encryption as primary violations. The proposed rule essentially codifies what OCR has been enforcing through penalties and settlements.

Here are the key changes healthcare organizations need to prepare for:

Mandatory Annual Security Risk Assessments

What’s changing: The current rule requires organizations to conduct a security risk analysis but doesn’t specify how often. Many organizations interpret this ambiguity as permission to conduct an SRA every few years, or to perform one initial analysis and then make minimal updates. The proposed rule eliminates this ambiguity by requiring annual security risk assessments.

What this means in practice: Every covered entity and business associate will need to complete a documented, comprehensive Security Risk Analysis every 12 months. This isn’t a cursory review or a checkbox update to last year’s document. It’s a thorough reassessment of threats, vulnerabilities, and safeguards based on your current environment.

Why this matters: Organizations that haven’t been conducting annual SRAs will need to build this into their compliance calendar immediately. For many smaller...
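The controls described above (encryption of ePHI at rest and in transit, MFA on remote access or a documented compensating control, the 12-month SRA cadence, and documented annual BAA verification) as an inventory-driven gap check. This is an added example in Python, not Medcurity's tooling or text from the Rule; the inventory, vendor names, compensating-control ID and dates are constructed and hypothetical.

```python
from datetime import date, timedelta
ANNUAL = timedelta(days=365)  # the 12-month cadence for SRA and BAA verification

# Constructed sample inventory (hypothetical system names, vendors and dates, not real data).
INVENTORY = [
    {"name": "ehr-db-01", "ephi": True, "enc_rest": True, "enc_transit": True, "remote_access": False,
     "mfa": True, "compensating_control": None, "last_sra": date(2025, 9, 1)},
    {"name": "vpn-gw-02", "ephi": True, "enc_rest": True, "enc_transit": True, "remote_access": True,
     "mfa": False, "compensating_control": None, "last_sra": date(2024, 12, 1)},
    {"name": "legacy-imaging", "ephi": True, "enc_rest": False, "enc_transit": True, "remote_access": True,
     "mfa": False, "compensating_control": "CC-017: jump host with hardware token", "last_sra": None},
    {"name": "kiosk-lobby", "ephi": False, "enc_rest": False, "enc_transit": False, "remote_access": False,
     "mfa": False, "compensating_control": None, "last_sra": None},
]
BAAS = [
    {"vendor": "cloud-backup-co", "on_file": True, "last_verified": date(2025, 11, 15)},
    {"vendor": "billing-svc", "on_file": True, "last_verified": date(2024, 8, 1)},
    {"vendor": "transcription-llc", "on_file": False, "last_verified": None},
]

def stale(last, today):
    """True when there is no dated evidence, or the evidence is older than 12 months."""
    return last is None or today - last > ANNUAL

def system_gaps(s, today):
    """Control gaps for one inventory record; systems that never touch ePHI are out of scope."""
    if not s["ephi"]:
        return []
    gaps = []
    for key, what in (("enc_rest", "at rest"), ("enc_transit", "in transit")):
        if not s[key]:
            gaps.append(f"ePHI not encrypted {what}")
    # MFA is required on remote access; a documented compensating control is the only alternative.
    if s["remote_access"] and not s["mfa"] and not s["compensating_control"]:
        gaps.append("remote access without MFA or a documented compensating control")
    if stale(s["last_sra"], today):
        gaps.append("no security risk analysis within 12 months")
    return gaps

def baa_gaps(b, today):
    """A BAA must be on file and its verification must itself be documented within 12 months."""
    if not b["on_file"]:
        return ["no BAA on file"]
    return ["BAA verification not documented within 12 months"] if stale(b["last_verified"], today) else []

def gap_report(today=date(2026, 5, 1)):
    """Every system or vendor with at least one gap, mapped to its gap list (the audit artifact)."""
    report = {s["name"]: system_gaps(s, today) for s in INVENTORY}
    report.update({b["vendor"]: baa_gaps(b, today) for b in BAAS})
    return {name: gaps for name, gaps in report.items() if gaps}
```

Systems with no gaps drop out of the report, so what remains is the list an auditor would ask you to explain.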

Tags: rule, security, hipaa, update, annual, healthcare