| QUICK ANSWER |
| HHS OCR published a proposed update to the HIPAA Security Rule on January 6, 2025. The proposal would eliminate the distinction between required and addressable controls, making encryption of ePHI at rest and in transit, multi-factor authentication, network segmentation, annual risk assessments, and penetration testing mandatory for all covered entities and business associates. As of June 2026, the final rule has not been issued. OCR is still enforcing the current rule, with risk analysis failures as its top enforcement target. Organizations that prepare now will avoid a scramble when the 240-day compliance clock starts. |
For more than two decades, HIPAA security compliance allowed a workaround. If a control, such as encryption or multi-factor authentication, felt too expensive or complicated, an organization could write a document explaining why that control was not reasonable or appropriate for their situation, file it, and move on—no implementation required.
The proposed 2026 update is designed to end that. Almost entirely.
This piece covers everything you need to know: what the rule actually proposes, where the final rule stands today, what the Change Healthcare breach has to do with it, what it means if you build or run healthcare software, and what a practical preparation roadmap looks like.
If you work in healthcare IT, compliance, or product development, this is your reference for everything in one place.
HIPAA stands for the Health Insurance Portability and Accountability Act. It was signed into law in 1996, primarily to make it easier for workers to keep health insurance when changing jobs. The data protection provisions came later, as Congress recognized that digitizing health records created serious privacy and security risks.
Today, HIPAA is enforced through a set of rules.
The Privacy Rule governs who can access and share patient health information.
The Breach Notification Rule determines what organizations must do when patient data is exposed.
The Security Rule, which is what this article is about, sets the technical and administrative controls required to protect electronic protected health information, or ePHI.
| WHAT IS EPHI? |
| Electronic protected health information (ePHI) is any health data that can be linked to a specific individual and is created, stored, or transmitted electronically. This includes medical records, diagnoses, lab results, prescription history, insurance information, billing data, and appointment records. If your system stores, processes, or transmits any of this, HIPAA applies to you. |
HIPAA applies to two categories of organizations.
The first is covered entities: healthcare providers (hospitals, clinics, physician practices, pharmacies), health plans (insurers, HMOs, Medicare), and healthcare clearinghouses that process health data.
The second is business associates: any organization that handles ePHI on behalf of a covered entity. This includes software vendors, cloud providers, billing services, analytics platforms, EHR companies, and telehealth tools.
If you build or sell software to the healthcare industry and your product touches patient data in any form, you are almost certainly a business associate. That means the HIPAA Security Rule applies to your platform directly, not just to your customers. The 2026 proposed update considerably tightens what that means in practice.
Enforcement sits with the HHS Office for Civil Rights, or OCR. OCR investigates complaints, audits organizations, and issues civil monetary penalties for violations. It does not require a breach to open an investigation. A complaint from a patient, a tip, or a routine audit is enough.
The HIPAA Security Rule was written in 2003. At the time, most health records were still on paper, cloud infrastructure did not exist, and ransomware was not a business model. The rule has had only minor updates since, while the threat environment has transformed completely.
In December 2024, HHS OCR published a 125-page Notice of Proposed Rulemaking that would be the first substantial rewrite of HIPAA security requirements in more than 20 years.
The NPRM was formally published in the Federal Register on January 6, 2025. HHS estimated year-one implementation costs across the industry at approximately $9 billion.
The core shift is simple to state, harder to absorb: compliance moves from being a documentation exercise to being a verification exercise. Writing a policy is no longer enough. Controls must be implemented, tested, and provable.
| WHAT “ADDRESSABLE” HAS MEANT |
| Under 45 CFR 164.306, HIPAA implementation specifications are classified as either required (must be implemented exactly as written) or addressable (the organization may document why the control is not reasonable and appropriate and skip implementation). Encryption of ePHI, multi-factor authentication, and network segmentation have all been addressable, meaning organizations with documented justifications could legally avoid implementing them. |
The NPRM proposes to remove the addressable category for nearly all controls. Under the proposed rule, the only acceptable exceptions are narrow: legacy medical devices manufactured before March 2023 with FDA approval that cannot technically support a required control, and time-limited migration plans for genuinely incompatible legacy infrastructure.
What this means practically is that organizations that have been running with documented non-implementations for years will need to actually build these controls.
A past justification document does not carry forward. OCR has been clear: documentation without implementation will fail audits.
This is not new thinking from OCR. Enforcement actions for the past several years have consistently cited inadequate encryption, missing MFA, and weak access controls as primary violations.
The 2026 NPRM codifies what OCR has already been penalizing organizations for in settlement after settlement.
Below is every significant new or changed technical requirement in the proposed rule, with enough detail to understand the implementation scope.
| Control | Status | What It Requires |
|---|---|---|
| Encryption of ePHI | Changed | Encryption at rest and in transit for all ePHI, aligned to NIST standards. Currently addressable for data at rest. Both become mandatory with no organization-size exceptions. Must be implemented, not claimed. |
| Multi-Factor Authentication | Changed | Required on every system that accesses ePHI, including on-site clinical workstations, administrative tools, and remote access. Not just external portals. Access must be revoked within one hour of employee termination. |
| Network Segmentation | New | ePHI environments must be logically isolated from general business networks, guest Wi-Fi, IoT devices, and non-clinical systems. Segmentation must prevent lateral movement during a breach. |
| Technology Asset Inventory | New | A current, accurate inventory of every system that creates, receives, maintains, or transmits ePHI must be maintained and updated annually, including third-party SaaS tools and medical devices. |
| Annual Security Risk Assessment | Changed | Currently required but without a specified frequency. The NPRM makes annual assessments mandatory with documented methodology, identified threats and vulnerabilities, risk ratings with rationale, and written verification of completion. Risks must be tracked through remediation. |
| Vulnerability Scanning and Pen Testing | New | Vulnerability scans are required every six months minimum. Annual penetration testing by qualified external professionals. Written findings must be documented and corrective actions tracked to completion. |
| 72-Hour System Recovery | New | Organizations must demonstrate the ability to restore critical systems within 72 hours following an incident. Business associates must notify covered entities within 24 hours of activating any contingency plan. |
The risk assessment change deserves extra attention. OCR has cited inadequate risk analysis as the single most common Security Rule deficiency in enforcement investigations for years.
Under the current rule, organizations often treat it as a one-time event. The NPRM makes it a continuous, documented process with specific deliverables.
If you do nothing else to prepare, run a current, documented risk assessment using NIST SP 800-30 methodology and remediate what you find.
| REGULATORY STATUS: JUNE 2026 |
| The final rule has not been published. HHS OCR published the NPRM on January 6, 2025. The public comment period closed on March 7, 2025. OCR received approximately 4,745 comments and is reviewing all of them. OCR’s May 2026 target date has passed without publication, and there is no confirmed finalization timeline. |
| A coalition of more than 100 hospital systems and provider organizations led by CHIME has formally asked HHS to withdraw the proposal, citing the estimated $9 billion year-one cost as unrealistic for safety-net providers. The proposal could be finalized as written, modified, delayed, or withdrawn. The current HIPAA Security Rule remains in full effect throughout. |
The important point for planning purposes: OCR is not waiting.
In 2026, OCR expanded its active enforcement initiative to cover risk management in addition to risk analysis. The agency closed 11 investigations of hacking incidents with financial penalties for risk analysis failures in 2025 alone.
Between 2018 and 2024, the rate of healthcare data breaches involving 500 or more records doubled, from one to two per day.
Preparing for the proposed controls does not mean gambling on a proposed rule. It means closing the gaps that OCR is already penalizing organizations for right now under the existing rule.
To understand why HHS proposed this update, you need to understand what happened to Change Healthcare in February 2024.
On February 12, 2024, attackers connected to the ALPHV/BlackCat ransomware group got into Change Healthcare’s network through a Citrix remote access portal. That portal had no multi-factor authentication. Nine days later, on February 21, they encrypted systems across an organization that processes roughly one in every three patient records in the United States and handles approximately 15 billion healthcare transactions per year.
The impact was catastrophic. An American Hospital Association survey of nearly 1,000 hospitals found that 74% reported direct patient care impact and 94% reported financial harm. One-third said the attack disrupted more than half of their revenue. The data exfiltrated ultimately affected 192.7 million individuals, making it the largest healthcare data breach in recorded history.
Every major control in the 2026 NPRM traces back to a specific 2024 breach failure. MFA maps to Change Healthcare. Network segmentation maps to the Ascension Health ransomware attack, where attackers moved laterally through poorly segmented infrastructure across 142 hospitals.
The 24-hour BA notification requirement maps to the MOVEit breach, which exposed records at 42 healthcare organizations with delayed cross-entity notification.
These are not precautionary requirements. They are forensically derived controls that regulators believe would have prevented, or significantly limited, the three largest healthcare cyberattacks of the past two years.
If you build, maintain, or buy healthcare software, this section is for you. These are engineering and architecture requirements, not compliance department paperwork.
Most healthcare platforms encrypt data in transit over TLS. That is not the same as encrypting data at rest, which is what becomes mandatory under the proposed rule.
Database-level encryption, storage-level encryption, and encrypted backups all need to be in place and verifiable.
If you are on AWS, Azure, or GCP, audit that encryption is actually enabled and configured across every storage resource that touches ePHI, not just switched on as a default account setting.
Our team treats this as the first check in any healthcare engagement.
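The resource-level check described above, written as an added example (not the article's or LN Webworks' code): it inspects each volume, database, backup and bucket individually instead of trusting the account-wide default. The boto3 call names used in the comments and in `collect_from_aws` are real; every resource ID, bucket name and date in the sample is constructed.

```python
"""Resource-level encryption-at-rest audit for AWS (added example, not the
article's or LN Webworks' code). Works on the dictionaries boto3 returns from
describe_volumes, describe_snapshots, describe_db_instances, describe_db_snapshots
and get_bucket_encryption; the sample resources at the bottom are constructed."""

def audit_encryption_at_rest(ebs_default_on, volumes, ebs_snapshots,
                             db_instances, db_snapshots, buckets):
    """Return (resource_id, finding) for each storage resource not encrypted at
    rest. The EBS account default never retroactively encrypts existing volumes,
    so it is reported as context only and every volume is inspected itself."""
    findings = []
    if not ebs_default_on:
        findings.append(("account", "EBS default encryption off; new volumes start unencrypted"))
    for v in volumes:                  # describe_volumes()["Volumes"]
        if not v.get("Encrypted", False):
            findings.append((v["VolumeId"], "EBS volume not encrypted"))
    for s in ebs_snapshots:            # describe_snapshots(OwnerIds=["self"])["Snapshots"]
        if not s.get("Encrypted", False):
            findings.append((s["SnapshotId"], "EBS backup snapshot not encrypted"))
    for db in db_instances:            # describe_db_instances()["DBInstances"]
        if not db.get("StorageEncrypted", False):
            findings.append((db["DBInstanceIdentifier"], "RDS storage not encrypted"))
    for snap in db_snapshots:          # describe_db_snapshots()["DBSnapshots"]
        if not snap.get("Encrypted", False):
            findings.append((snap["DBSnapshotIdentifier"], "RDS backup snapshot not encrypted"))
    for name, cfg in buckets.items():  # get_bucket_encryption() result, or None if it raised
        rules = (cfg or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
        if not any(r.get("ApplyServerSideEncryptionByDefault") for r in rules):
            findings.append((name, "S3 bucket has no default server-side encryption rule"))
    return findings

def collect_from_aws(region):
    """Pull the same inputs from a live account with read-only IAM rights.
    Pagination is omitted; use the clients' paginators for large accounts."""
    import boto3
    from botocore.exceptions import ClientError
    ec2, rds, s3 = (boto3.client("ec2", region_name=region),
                    boto3.client("rds", region_name=region), boto3.client("s3"))
    buckets = {}
    for b in s3.list_buckets()["Buckets"]:
        try:
            buckets[b["Name"]] = s3.get_bucket_encryption(Bucket=b["Name"])
        except ClientError:            # no SSE configuration: treat as unencrypted
            buckets[b["Name"]] = None
    return audit_encryption_at_rest(
        ec2.get_ebs_encryption_by_default()["EbsEncryptionByDefault"],
        ec2.describe_volumes()["Volumes"],
        ec2.describe_snapshots(OwnerIds=["self"])["Snapshots"],
        rds.describe_db_instances()["DBInstances"],
        rds.describe_db_snapshots(SnapshotType="manual")["DBSnapshots"], buckets)

# Constructed sample: the account default is ON, yet a pre-existing volume, a
# legacy database with its backup, and an old bucket are still unencrypted.
SAMPLE = dict(
    ebs_default_on=True,
    volumes=[{"VolumeId": "vol-0aaa", "Encrypted": True},
             {"VolumeId": "vol-0bbb", "Encrypted": False}],
    ebs_snapshots=[{"SnapshotId": "snap-0ccc", "Encrypted": True}],
    db_instances=[{"DBInstanceIdentifier": "ehr-prod", "StorageEncrypted": True},
                  {"DBInstanceIdentifier": "billing-legacy", "StorageEncrypted": False}],
    db_snapshots=[{"DBSnapshotIdentifier": "billing-legacy-2026-06-01", "Encrypted": False}],
    buckets={"ephi-exports": {"ServerSideEncryptionConfiguration": {"Rules": [
                 {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
             "old-lab-results": None},
)

def run_sample():
    """Audit the constructed sample; the account default passes but four resources do not."""
    return audit_encryption_at_rest(**SAMPLE)
```

The finding list is the verification record the article asks for; store it with the asset inventory entry for each resource rather than a one-line "encryption enabled" claim.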
The Change Healthcare breach came in through a portal without MFA. A common response is to add MFA to public-facing portals and consider it done.
The NPRM is explicit: MFA is required on every system that accesses ePHI, including on-site clinical workstations, administrative dashboards, and any legacy tool.
Legacy applications that do not support SAML or OAuth natively will need wrapper authentication layers or accelerated replacement plans.
Access termination within one hour of employee separation requires automated provisioning workflows, not manual IT tickets.
If your platform was not built with these access patterns in mind, our engineering team can help you scope what that involves.
Meaningful segmentation means ePHI environments are isolated network zones with controlled, logged, and auditable access paths between them.
An EHR sharing infrastructure with building management systems, guest Wi-Fi, or IoT medical devices is not segmented in any useful sense.
This has direct implications for multi-tenant SaaS architectures, microservices deployments, and any platform that integrates third-party clinical tools.
This is a system design decision, not a firewall configuration. Starting the architecture conversation now matters because it is the longest lead time in the entire proposed rule.
The NPRM requires a current, accurate inventory of every system that creates, receives, maintains, or transmits ePHI.
That includes SaaS analytics tools, third-party clearinghouses, cloud storage buckets, connected medical devices, billing integrations, and telehealth platforms.
Most organizations do not have a complete list. Building one is the prerequisite for every other control.
Here is where most organizations stand today versus where the proposed rule requires them to be:
| CURRENT STATE (COMMON) | REQUIRED STATE (UNDER NPRM) |
|---|---|
| Encryption in transit only; storage often unencrypted | Encryption at rest and in transit, implemented and verifiable |
| MFA on external portals; clinical workstations exempt | MFA on all ePHI-accessing systems without exception |
| Flat or lightly segmented networks with aging firewall rules | Segmented ePHI environments, tested at least annually |
| Risk assessments are done once or after incidents | Annual SRA with methodology, ratings, and tracked remediation |
| Asset inventory in a spreadsheet, rarely updated | Complete, living asset inventory updated whenever ePHI scope changes |
| BAAs signed at onboarding, never reviewed again | Annual BA verification with written attestation documented |
| Incident response plans are documented but untested | Tested contingency plans with 72-hour recovery capability demonstrated |
The proposed rule significantly tightens what covered entities must require from their business associates, and what business associates must do.
24-hour notification: Under the current rule, BAs must notify covered entities of a breach “without unreasonable delay.” The NPRM replaces that with a hard 24-hour window from the moment a BA activates any contingency or incident response plan. Subcontractors must notify BAs on the same timeline.
Annual compliance attestation: A signed BAA on file is no longer enough. Covered entities must verify that BAs are actually compliant each year, document that verification, and keep evidence of it. BAs must provide written attestation of their compliance status.
Practical impact: For organizations with large vendor ecosystems, this means building an active vendor compliance calendar. EHR vendors, cloud providers, billing services, analytics platforms, clearinghouses, and any other third party with ePHI access all need to be on a documented annual review cycle.
See how we handle this for healthcare clients in our case studies.
Civil penalties were inflation-adjusted effective January 28, 2026. These are the current amounts for violations occurring on or after November 2, 2015:
| Tier | Culpability | Per Violation | Annual Cap (OCR Discretion) |
|---|---|---|---|
| Tier 1 | No knowledge | $145 to $36,505.50 | $36,505.50 |
| Tier 2 | Reasonable cause | $1,461 to $73,011 | $146,053 |
| Tier 3 | Willful neglect, corrected | $14,602 to $73,011 | $365,052 |
| Tier 4 | Willful neglect, not corrected | $73,011 to $2,190,294 | $2,190,294 |
These caps apply per violation category, not per event. An organization found non-compliant in four areas can face four separate penalty tracks simultaneously.
The annual cap shown is OCR’s enforcement discretion cap under its 2019 policy, which remains in effect.
OCR’s 2026 enforcement focus is risk analysis and, new this year, risk management. That means documenting your risk assessment is necessary but not sufficient.
OCR now expects to see that you acted on what you found, tracked remediation to completion, and can demonstrate that risks were reduced to an acceptable level.
The largest HIPAA settlement in history was $16 million against Anthem Inc. following a breach affecting 78.8 million individuals.
Penalties of $350,000 have been imposed on a single radiology practice for a risk analysis failure. OCR does not scale enforcement to organization size.
This timeline is built around two principles.
First, everything in weeks one through eight reduces your enforcement exposure under the current rule, regardless of whether the final rule is ever published.
Second, weeks nine through twelve address the controls that take the most lead time to implement properly.
| Week | Action | Detail |
|---|---|---|
| W1 | Run a current security risk assessment | This is the single highest-impact action you can take. Use NIST SP 800-30 methodology. Document identified threats, vulnerabilities, likelihood, and impact ratings with sign-off from qualified personnel. This is required under the current rule today, and OCR’s active enforcement initiative is focused on it. If you have not done one in the past year, you are already exposed. |
| W1 | Build your complete ePHI asset inventory | List every system, SaaS tool, medical device, vendor integration, and cloud resource that creates, receives, maintains, or transmits ePHI. This is a prerequisite for every other control. You cannot segment, encrypt, or assess risk against systems you have not identified. Include AI tools and analytics platforms, not just traditional clinical applications. |
| W3 | Audit encryption at rest across all ePHI storage | Verify that database encryption, storage-layer encryption, and backup encryption are enabled and configured across every system in your asset inventory. Document the verification. For cloud environments, check actual resource configurations, not just account-level defaults. |
| W4 | Map and close MFA gaps | Cross-reference your asset inventory against your MFA deployment. Identify every system with ePHI access that does not have MFA enforced. For legacy systems that cannot support modern MFA natively, document a remediation plan with a specific timeline. Prioritize EHR systems, remote access tools, and administrative dashboards first. |
| W5 | Audit and update all business associate agreements | Pull every BAA. Verify it is current and contains language covering 24-hour breach notification and security obligations aligned to the proposed requirements. Set up a compliance calendar for annual verification. Every vendor with ePHI access needs to be on it. |
| W7 | Establish vulnerability scanning | Set up recurring vulnerability scans across ePHI systems. The proposed rule requires scans every six months at a minimum. Run an initial scan, document findings, and begin remediation tracking. This creates the evidence trail OCR expects to see. |
| W9 | Start the network segmentation architecture review | This is the longest lead time in the proposed rule. Map current ePHI network flows using the asset inventory. Identify where ePHI environments share infrastructure with non-clinical systems. Begin the architecture conversation about isolation requirements. For most organizations, proper segmentation requires platform-level design changes, not just firewall rules. |
| W10 | Plan and schedule annual penetration testing | Identify a qualified external penetration testing firm. Define the scope based on your asset inventory. Lock a date. Having the vendor relationship established means you can execute immediately within the compliance window rather than scrambling to find a vendor after the rule finalizes. |
| W12 | Test incident response and document recovery capabilities | Run a tabletop exercise against your incident response plan. Document the results. The proposed rule requires demonstrating the ability to restore critical systems within 72 hours following an incident. Having a plan on file is not the same as having tested and documented your recovery capability. |
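The inventory-to-MFA cross-reference (the W1 and W4 steps, and the MFA section earlier in the article) carried out in code, as an added example that is not the article's or LN Webworks' own tooling. It treats every access path to a system separately, classifies legacy systems by whether a dated remediation plan exists, and measures each separation against the one-hour revocation window; the assets, users and timestamps are constructed.

```python
"""Cross-references an ePHI asset inventory against MFA enforcement and
access-termination records (added example, not the article's or LN Webworks'
code). Every asset, access path, user and timestamp below is constructed."""
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta, timezone
from typing import Optional

@dataclass
class Asset:
    name: str
    handles_ephi: bool
    access_paths: list                      # every way a user can reach the system
    mfa_enforced_on: set = field(default_factory=set)
    mfa_capable: bool = True                # False for legacy tools without SAML/OAuth
    remediation_due: Optional[date] = None  # documented wrapper/replacement deadline

@dataclass
class Termination:
    user: str
    hr_effective: datetime                  # when HR recorded the separation
    access_disabled: Optional[datetime]     # None means the account is still active

REVOCATION_WINDOW = timedelta(hours=1)

def mfa_gaps(inventory):
    """Map each ePHI asset with an unprotected path to the paths and the action
    owed. MFA on the SSO portal alone does not cover a local workstation login,
    so an asset counts as covered only when every path is enforced."""
    gaps = {}
    for a in inventory:
        if not a.handles_ephi:
            continue
        missing = [p for p in a.access_paths if p not in a.mfa_enforced_on]
        if not missing:
            continue
        if a.mfa_capable:
            action = "enforce MFA now"
        elif a.remediation_due:
            action = f"legacy: remediation plan due {a.remediation_due.isoformat()}"
        else:
            action = "legacy: remediation plan MISSING"
        gaps[a.name] = {"missing": missing, "action": action}
    return gaps

def late_revocations(terminations, now):
    """Return (user, delay) for separations whose access outlived the one-hour
    window. Still-active accounts are measured against `now` so they surface."""
    late = []
    for t in terminations:
        delay = (t.access_disabled or now) - t.hr_effective
        if delay > REVOCATION_WINDOW:
            late.append((t.user, delay))
    return late

UTC = timezone.utc
SAMPLE_INVENTORY = [
    Asset("ehr-prod", True, ["sso", "local-login", "vpn"], {"sso", "vpn"}),
    Asset("billing-saas", True, ["sso"], {"sso"}),
    Asset("guest-wifi-portal", False, ["captive-portal"]),
    Asset("radiology-pacs", True, ["local-login"], set(), mfa_capable=False,
          remediation_due=date(2026, 12, 31)),
    Asset("lab-interface", True, ["local-login"], set(), mfa_capable=False),
]
SAMPLE_TERMINATIONS = [
    Termination("jdoe", datetime(2026, 6, 1, 9, 0, tzinfo=UTC), datetime(2026, 6, 1, 9, 20, tzinfo=UTC)),
    Termination("asmith", datetime(2026, 6, 1, 9, 0, tzinfo=UTC), datetime(2026, 6, 1, 12, 5, tzinfo=UTC)),
    Termination("contractor7", datetime(2026, 6, 2, 17, 0, tzinfo=UTC), None),
]
SAMPLE_NOW = datetime(2026, 6, 3, 8, 0, tzinfo=UTC)

def run_sample():
    """Evaluate the constructed data; returns (mfa gap map, late revocation list)."""
    return mfa_gaps(SAMPLE_INVENTORY), late_revocations(SAMPLE_TERMINATIONS, SAMPLE_NOW)
```

Feeding this from the real inventory and the HR and IdP exports gives a dated gap list and a revocation-SLA report, which together form the evidence trail for the W4 step.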
Organizations that start this process now will spend significantly less than those who wait for final rule publication and attempt emergency implementation in a 240-day window.
Planned implementation is both more reliable and more cost-effective than compressed, reactive implementation.
The 2026 HIPAA Security Rule update is not finalized. But the threat environment that produced it is very real, and OCR’s enforcement posture under the current rule is already aggressive.
The controls being proposed are the exact controls that, if Change Healthcare had implemented them, might have prevented 192.7 million Americans from having their health data exposed in a single attack.
Whether the final rule lands this year, next year, or in modified form, three things are already true right now. Risk analysis failures are the most cited deficiency in every OCR enforcement action. Encryption gaps and missing MFA have been appearing in settlements for years. And the 240-day compliance window after publication will not be enough time for any organization that starts from scratch.
The organizations that come out ahead are not the ones who wait for certainty. They are the ones who treat the proposed controls as a reasonable baseline for healthcare data security, start closing the gaps now, and build the documentation trail that protects them under either the current rule or the new one.
If you want a second set of eyes on where your platform stands, our team at LN Webworks works directly with healthcare technology teams on this kind of assessment. It is a 30-minute conversation that usually surfaces three or four things worth acting on before a rule ever finalizes.
Frequently Asked Questions
HIPAA is a U.S. federal law that protects patient health information. It applies to healthcare providers, health plans, and any vendor or software company that handles patient data on their behalf.
No. The proposed rule was published in January 2025, and OCR’s May 2026 target has passed without a final rule. The current rule remains in force and is actively enforced.
It removes the loophole that lets organizations document their way out of security controls. Encryption, MFA, network segmentation, and annual risk assessments all become mandatory with no exceptions based on size or cost.
Up to $2,190,294 per violation category for willful neglect. Lesser violations start at $145. OCR applies penalties per category, so multiple gaps mean multiple fines running simultaneously.