2026 HIPAA Security Rule Update: New Requirements Every Healthcare Organization Must Prepare For
Quick Answer: The 2026 HIPAA Security Rule update introduces significant changes, including mandatory encryption of ePHI at rest and in transit (removing the “addressable” designation), required multi-factor authentication for all systems accessing ePHI, 72-hour incident reporting requirements, annual penetration testing, and enhanced business associate oversight obligations. These changes, proposed by HHS in late 2025, represent the most substantial update to HIPAA security requirements since the original rule. Healthcare organizations should begin preparing now by assessing their current encryption status, implementing MFA, and updating their incident response plans.

Updated for the 2026 HIPAA Security Rule Final Rule, published in the Federal Register on January 6, 2025, and for the 90-day mark after the Final Rule in May 2026. This is no longer an explainer about a proposal. The 2026 HIPAA Security Rule is finalized text, OCR has begun citing it in resolution agreements, and the January 2026 OCR Cybersecurity Newsletter made clear that risk analysis is the most frequently cited deficiency in OCR investigations. What follows is the operational layer between the Rule’s text and what healthcare IT teams actually do Monday morning — what’s verifiable, what’s annual, and what’s auditable.
What’s actually landed in healthcare IT at 90 days after the Final Rule
Asset inventory finally stopped being a joke. Regulators are now asking for current, accurate inventories of every system that touches ePHI — not the 2024 “spreadsheet of laptops” norm. The January 2026 OCR Newsletter ties unpatched-software risk directly to a complete asset inventory.

MFA on remote access is now assumed. The Final Rule’s implementation specifications are being read as required, not addressable. The operative posture is: implement the control, or document a compensating control.

Annual BAA verification is the most underrated workflow. The new requirement is to verify the BAA and to document the verification itself, not just keep the BAA on file. See our HIPAA Business Associate Agreement template, which covers the 2026 Annual Verification requirement.
The HIPAA Security Rule is about to undergo the most significant update since its original adoption.
Expected to be finalized in May 2026, the proposed changes will introduce mandatory requirements that many healthcare organizations are not prepared to meet.
This isn’t a minor regulatory tweak. The updated rule will require mandatory annual security risk assessments, universal encryption of ePHI, multi-factor authentication across all systems, regular vulnerability scanning, and substantially more detailed compliance documentation. For organizations that have been treating HIPAA security as a periodic checkbox exercise, the compliance gap is about to get very real, very quickly.

The good news: the organizations that start preparing now will be well-positioned when the final rule takes effect. The ones that wait until after publication will be scrambling. Here’s what you need to know.

What’s Changing and Why It Matters

The current HIPAA Security Rule, adopted in 2003 and largely unchanged since, was written for a different era. It predates cloud computing, telehealth expansion, AI adoption, ransomware as a business model, and the proliferation of connected medical devices. The proposed update reflects the reality that healthcare cybersecurity in 2026 bears almost no resemblance to healthcare cybersecurity in 2003.

The Office for Civil Rights (OCR) has been signaling these changes for years. Recent enforcement actions have consistently cited security risk analysis failures, inadequate access controls, and insufficient encryption as primary violations. The proposed rule essentially codifies what OCR has been enforcing through penalties and settlements.

Here are the key changes healthcare organizations need to prepare for:

Mandatory Annual Security Risk Assessments

What’s changing: The current rule requires organizations to conduct a security risk analysis but doesn’t specify how often. Many organizations interpret this ambiguity as permission to conduct an SRA every few years, or to perform one initial analysis and then make minimal updates. The proposed rule eliminates this ambiguity by requiring annual security risk assessments.
What this means in practice: Every covered entity and business associate will need to complete a documented, comprehensive Security Risk Analysis every 12 months. This isn’t a cursory review or a checkbox update to last year’s document. It’s a thorough reassessment of threats, vulnerabilities, and safeguards based on your current environment.

Why this matters: Organizations that haven’t been conducting annual SRAs will need to build this into their compliance calendar immediately. For many smaller practices and business associates, this represents a significant increase in compliance effort.
But it also represents the single most effective action an organization can take to identify and address security gaps before they become breaches or enforcement actions.

Real-world impact: A community health center that last conducted a full SRA in 2024 will need to complete a new assessment reflecting its current systems, vendors, workforce, and threat environment. If they’ve added telehealth services, changed EHR vendors, expanded remote work, or adopted AI tools since their last assessment, those changes need to be captured. An update to a two-year-old document won’t meet the standard.

Mandatory Encryption of ePHI

What’s changing: The current rule treats encryption as an “addressable” safeguard, meaning organizations can choose not to implement encryption if they document why an equivalent alternative measure is reasonable and appropriate. The proposed rule is expected to make encryption mandatory for ePHI at rest and in transit.

What this means in practice: Every system that stores or transmits ePHI must use encryption. This includes servers, databases, laptops, workstations, portable devices, backup media, email systems, messaging platforms, and cloud storage. The “addressable” workaround that allowed organizations to document reasons for not encrypting will no longer be available.

Why this matters: Encryption has been a best practice for years, and most modern systems support it by default. But there are still healthcare organizations running legacy systems that don’t support encryption, using unencrypted email for patient communications, storing ePHI on unencrypted portable devices, or maintaining backup systems without encryption. Each of these will become an explicit violation under the updated rule.
Real-world impact: A multi-location practice that still uses an older on-premises EHR system without database-level encryption will need to either upgrade the system, implement encryption at the storage level, or migrate to a platform that supports encryption natively. This isn’t a trivial undertaking, and organizations should start evaluating their encryption posture now.

Multi-Factor Authentication (MFA) Requirements

What’s changing: The proposed rule is expected to require multi-factor authentication for all systems that access ePHI. The current rule requires “person or entity authentication” but doesn’t specify MFA. The update will make MFA an explicit requirement rather than a recommended practice.
What this means in practice: Every user who accesses ePHI will need to authenticate using at least two factors: something they know (password), something they have (phone, security key), or something they are (biometrics). Single-password access to systems containing ePHI will no longer meet the standard.

Why this matters: MFA is one of the most effective controls against unauthorized access, credential theft, and phishing attacks. Yet many healthcare organizations still rely on single-factor authentication for critical systems. According to industry data, a significant percentage of healthcare data breaches involve compromised credentials — breaches that MFA would have prevented or significantly mitigated.

Real-world impact: A physician practice where clinicians log into the EHR with just a username and password will need to implement MFA. This affects workflow, requires staff training, and may require upgrades to authentication systems. Organizations should be planning their MFA rollout now — deploying MFA across an entire organization takes time, testing, and change management.

Regular Vulnerability Scanning

What’s changing: The proposed rule is expected to require regular vulnerability scanning and, in many cases, penetration testing. The current rule requires organizations to identify vulnerabilities through the risk analysis process but doesn’t mandate specific technical assessment methods.

What this means in practice: Organizations will need to conduct regular automated vulnerability scans of their networks, systems, and applications. This goes beyond the traditional Security Risk Analysis — it’s a technical assessment of actual system vulnerabilities, not just a policy-level risk evaluation. Many organizations will also need to conduct periodic penetration testing to validate their security controls.
Why this matters: Vulnerability scanning identifies specific, exploitable weaknesses in your systems — unpatched software, misconfigured firewalls, exposed services, and default credentials. These are the entry points that attackers use. A Network Vulnerability Assessment paired with your Security Risk Analysis gives you both the strategic and tactical view of your security posture.

Real-world impact: A hospital that has never conducted a formal vulnerability scan may discover dozens or hundreds of unpatched systems, misconfigured devices, and exposed services. The first scan is often eye-opening. Organizations should begin vulnerability scanning now — both to understand their current exposure and to establish the operational processes they’ll need to maintain ongoing scanning under the new rule.

Enhanced Documentation and Compliance Evidence

What’s changing: The proposed rule significantly strengthens documentation requirements.
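As an added example (not code from this article or from any HIPAA tooling), the checks the sections above describe can be run over the asset inventory the Final Rule now expects: encryption at rest and in transit for every system that stores or transmits ePHI, MFA on every system that accesses it, a Security Risk Analysis no older than 12 months, and a documented BAA verification no older than 12 months. The asset names, vendor name and dates below are constructed sample data.

```python
"""Gap check of a constructed ePHI asset inventory against the controls discussed above."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

ANNUAL = timedelta(days=365)  # "annual" controls (SRA, BAA verification): older is stale

@dataclass
class Asset:
    name: str
    stores_ephi: bool
    transmits_ephi: bool
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    mfa_enforced: bool
    business_associate: str | None = None  # vendor holding a BAA, if any
    baa_verified_on: date | None = None    # last documented BAA verification

def asset_gaps(a: Asset, today: date) -> list[str]:
    """Return the control gaps for one inventory record (empty if compliant)."""
    gaps = []
    if a.stores_ephi and not a.encrypted_at_rest:
        gaps.append("ePHI stored without encryption at rest")
    if a.transmits_ephi and not a.encrypted_in_transit:
        gaps.append("ePHI transmitted without encryption in transit")
    if (a.stores_ephi or a.transmits_ephi) and not a.mfa_enforced:
        gaps.append("access to ePHI without MFA")
    if a.business_associate and (
            a.baa_verified_on is None or today - a.baa_verified_on > ANNUAL):
        gaps.append(f"BAA with {a.business_associate} not verified in 12 months")
    return gaps

def gap_report(assets: list[Asset], last_sra: date | None, today: date) -> dict[str, list[str]]:
    """Map each non-compliant asset (plus the org-level SRA) to its gaps."""
    report = {}
    if last_sra is None or today - last_sra > ANNUAL:
        report["organization"] = ["security risk analysis older than 12 months"]
    for a in assets:
        if gaps := asset_gaps(a, today):
            report[a.name] = gaps
    return report

# Constructed inventory: legacy on-prem EHR, cloud backup vendor, front-desk workstation.
SAMPLE_ASSETS = [
    Asset("legacy-ehr-db", True, True, False, True, False),
    Asset("cloud-backup", True, True, True, True, True,
          business_associate="BackupCo (constructed)", baa_verified_on=date(2024, 3, 1)),
    Asset("front-desk-ws", False, True, True, True, True),
]
SAMPLE_LAST_SRA, SAMPLE_TODAY = date(2024, 2, 15), date(2026, 5, 1)
```

Calling gap_report(SAMPLE_ASSETS, SAMPLE_LAST_SRA, SAMPLE_TODAY) flags the stale SRA, the unencrypted legacy database without MFA, and the backup vendor whose BAA verification is over a year old, while the workstation that only transmits ePHI over an encrypted channel with MFA comes back clean.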