HIPAA Security Rule Update 2026: What Healthcare Organizations Need to Know

For organizations that handle electronic protected health information (ePHI), maintaining HIPAA compliance is non-negotiable. After extensive feedback on proposed HIPAA updates published in January 2025, the U.S. Department of Health and Human Services (HHS) is expected to finalize new HIPAA rules, though the timeline has shifted. This article outlines the latest HIPAA changes and what they mean for your organization.

What is the 2026 HIPAA Rule Update?

The HIPAA Security Rule Update 2026 represents one of the most significant overhauls to the HIPAA Security Rule since its introduction over two decades ago, and the first major Security Rule update since the 2013 HITECH Final Rule. The prior update to HIPAA, the 2024 HIPAA Privacy Rule for reproductive health care, focused on safeguarding reproductive health information privacy following Dobbs v. Jackson Women's Health Organization. However, in June 2025 a federal judge in the Northern District of Texas (Purl v. HHS) vacated that final rule nationwide, eliminating the reproductive health care definition and the attestation requirement before disclosure. The 2026 update is unrelated: it shifts focus to strengthening cybersecurity requirements across the healthcare ecosystem.

This new HIPAA security rule reflects the modern reality of digital healthcare, where electronic records, connected devices, and cloud platforms dominate the delivery of care. As cyber threats targeting healthcare organizations continue to rise, HHS is introducing stricter safeguards to protect patient data, address reasonably anticipated threats, and enforce stronger accountability among covered entities and business associates.

The proposed and expected finalized changes include:

• Universal Encryption: Mandatory encryption of ePHI at rest and in transit, with limited exceptions, removing the prior "addressable" flexibility
• Multi-Factor Authentication (MFA): Required for systems accessing ePHI, with limited exceptions
• Defined Testing Schedule: Vulnerability scans at least every 6 months and penetration testing at least every 12 months
• Contingency Timelines: 24-hour notification on contingency-plan activation and 72-hour data restoration
• Asset Inventory and Network Map: Maintained and reviewed at least every 12 months
• Expanded Documentation: More rigorous requirements for risk analysis and compliance documentation

Together, these new HIPAA regulations introduce more prescriptive cybersecurity controls, marking a shift from flexible guidance to enforceable standards.

What the Rule Update Changes

The latest HIPAA updates are designed to modernize healthcare cybersecurity across several core areas. Below is a detailed breakdown of what rules were added to HIPAA and how they reshape compliance expectations.

1. Encryption Becomes Mandatory

Historically, encryption requirements under the HIPAA security rule were classified as "addressable," meaning organizations could implement alternatives if deemed reasonable. Under the updated HIPAA security rule, encryption becomes mandatory for all ePHI, with limited exceptions:

• Data at rest: Stored patient records, databases, backups
• Data in transit: Emails, APIs, data exchange between systems

This shift eliminates ambiguity and ensures uniform protection across electronic protected health information environments.

For healthcare organizations, this means:

• Implementing enterprise-wide encryption policies
• Upgrading legacy systems that lack encryption capabilities
• Validating encryption across all relevant electronic information systems

2. Multi-Factor Authentication (MFA) Requirements

One of the most impactful HIPAA changes is the requirement for MFA across systems accessing ePHI, with limited exceptions. This includes:

• Electronic health record (EHR) systems
• Cloud-based platforms
• Remote access tools
• Administrative systems

MFA significantly reduces unauthorized access and strengthens defenses against credential-based attacks.

Organizations will need to:

• Deploy MFA across all user access points
• Ensure compatibility with existing systems
• Train users on MFA processes

3. Asset Inventory and Network Mapping

The new HIPAA regulations require regulated entities to develop and maintain a written technology asset inventory and an up-to-date network map showing how ePHI moves through all relevant electronic information systems. Both must be reviewed at least every 12 months and after any material change in the environment. This gives organizations the visibility needed to scope encryption, segmentation, and risk analysis accurately.

Organizations will need to:

• Catalog every system, device, and application that creates, receives, maintains, or transmits ePHI
• Document data flows across the network
• Keep both documents current as the environment evolves

4. Network Segmentation

Among the more technical HIPAA changes, the updated HIPAA security rule requires regulated entities to implement and maintain policies and procedures that segment their networks so access to ePHI is limited in a reasonable and appropriate manner. Segmentation contains the blast radius of a breach, preventing attackers from moving laterally from a compromised endpoint to systems holding protected health information.

This pushes organizations to:

• Isolate systems that store or process ePHI
• Restrict access between network zones
• Limit lateral movement during a security incident

5. Faster Contingency Response: 24-Hour and 72-Hour Timelines

A common misconception about the new HIPAA rules is that they impose a 72-hour breach-notification deadline. They do not. The existing 60-day Breach Notification Rule remains unchanged. What the updated HIPAA security rule actually introduces are two new operational timelines tied to contingency planning:

• 24-hour notification: Business associates must notify covered entities (and subcontractors must notify business associates) upon activating their contingency plans, without unreasonable delay and no later than 24 hours after activation.
• 72-hour data restoration: Regulated entities must maintain written procedures to restore the loss of critical relevant electronic information systems and data within 72 hours, with restoration prioritized by criticality.

Key implications include:

• Developing and testing incident response and contingency plans
• Establishing clear escalation procedures across covered entities and business associates
• Ensuring rapid detection and recovery from security incidents involving ePHI

6. Defined Testing and Risk Analysis Schedule

The 2026 update replaces open-ended guidance with a concrete cadence:

• Vulnerability scans at least every 6 months
• Penetration testing at least every 12 months
• Regular risk analysis of identified threats and vulnerabilities
• Continuous monitoring of technical safeguards

Organizations must actively identify and address identified vulnerabilities, rather than relying solely on periodic reviews.

This requirement pushes healthcare providers to:

• Adopt proactive cybersecurity strategies
• Maintain a technology asset inventory tied to the risk analysis
• Conduct continuous risk analysis and remediation

7. Enhanced Oversight of Business Associates

Under the new HIPAA regulations, responsibility for compliance extends more deeply into third-party relationships. Business associates must meet stricter standards, and covered entities are required to:

• Strengthen business associate agreements
• Verify business associates' security measures at least once every 12 months, with a written analysis of the safeguards in place
• Ensure vendors meet cybersecurity requirements

Organizations can no longer assume compliance by association. They must actively validate it.

8. Expanded Documentation and Compliance Requirements

The updated HIPAA security rule significantly increases documentation expectations, including:

• Written procedures for all security measures
• Detailed risk analysis reports
• Documentation of security incidents and responses
• Compliance tracking for regulatory audits

This aligns with broader federal regulations emphasizing accountability and traceability.

9. Stronger Technical Safeguards

HHS is reinforcing technical safeguards across the healthcare system to address evolving cybersecurity risks. These include:

• Access controls, authentication measures, and audit logging
• Anti-malware protection across relevant electronic information systems
• Removal of extraneous software and disabling of unused network ports per the regulated entity's risk analysis
• Termination of a workforce member's access no later than one hour after their employment or work arrangement ends
• Secure system configurations and configuration management

Organizations must demonstrate they are actively defending against anticipated threats and maintaining secure systems.

Where the Rule Stands and the Compliance Timeline

It is important to be precise about status: these new HIPAA rules are still a proposed rule. HHS published the Notice of Proposed Rulemaking (NPRM) in the Federal Register on January 6, 2025, and the comment period closed March 7, 2025. A final rule was preliminarily expected in May 2026, but that date has slipped, and the current administration must still decide how to proceed, so no updated HIPAA security rule is in force yet.

Once finalized, the rule is expected to become effective 60 days after publication, with compliance required 180 days later, roughly 240 days in total, and business associate agreements updated within one year of the effective date. HHS estimates first-year compliance costs across regulated entities at approximately $9 billion. Organizations that begin aligning now will face far less pressure when the compliance date arrives.

How Companies Have Prepared

Many healthcare organizations began preparing for the HIPAA updates as early as 2025, particularly after the release of the proposed rule.

1. Strengthening Cybersecurity Infrastructure

Organizations have:

• Upgraded encryption protocols
• Implemented MFA systems
• Enhanced identity and access management

These efforts ensure readiness for the new HIPAA security rule requirements.

2. Conducting Comprehensive Risk Analyses

Healthcare providers are placing greater emphasis on:

• Identifying vulnerabilities
• Evaluating cybersecurity maturity
• Prioritizing high-risk areas

A strong regulated entity's risk analysis is now foundational to compliance.

3. Updating Policies and Procedures

Organizations are revising:

• Notice of privacy practices
• Incident response and contingency plans
• Internal security policies

This ensures alignment with evolving HIPAA compliance requirements.

4. Training Employees and Compliance Officers

Human error remains a major vulnerability. Companies are investing in:

• HIPAA training programs
• Cybersecurity awareness initiatives
• Role-specific compliance education

Educated staff are critical to maintaining compliance and preventing breaches.

5. Evaluating Third-Party Risk

Organizations are reassessing vendor relationships to:

• Strengthen business associate agreements
• Monitor third-party systems
• Reduce external risk exposure

How Your Organization May Be Impacted

The HIPAA Security Rule update 2026 will affect organizations differently depending on size, resources, and existing infrastructure, but all HIPAA covered entities and business associates will experience some level of impact regardless of size.

1. Increased Compliance Costs

Meeting new requirements may require:

• Technology upgrades
• Security audits
• External consulting support

HHS estimates the proposed rule will cost regulated entities approximately $9 billion in the first year alone, with several billion more annually thereafter. While costly upfront, these investments reduce long-term risk.

2. Operational Changes

Organizations will need to:

• Modify workflows to integrate MFA
• Implement stricter access controls
• Improve incident response capabilities

This may affect health care operations and require coordination across departments.

3. Greater Accountability

The new rule increases regulatory scrutiny from the Office for Civil Rights (OCR). Organizations must demonstrate:

• Clear compliance documentation
• Ongoing monitoring and improvements
• Proactive risk management

Failure to comply could lead to financial penalties and reputational damage.

4. Technology Modernization

Legacy systems may not meet new requirements. Organizations must:

• Upgrade outdated platforms
• Eliminate unsupported and extraneous software
• Ensure secure data exchange across systems

This drives broader digital transformation efforts.

5. Expanded Scope of Responsibility

Compliance now extends across the entire ecosystem, including:

• Vendors
• Partners
• Cloud service providers

Organizations must ensure all stakeholders meet new standards.

6. Faster Response Expectations

The new contingency timelines demand:

• Real-time monitoring
• Rapid threat detection
• Immediate response and recovery protocols

Organizations must shift from reactive to proactive security strategies.

How BD Emerson Can Help

Navigating the latest HIPAA updates requires expertise, planning, and execution. BD Emerson helps organizations prepare for and comply with the new HIPAA security rule through a comprehensive, strategic approach.

1. Risk Assessment and Gap Analysis

We conduct detailed assessments to:

• Identify vulnerabilities
• Evaluate current compliance posture
• Align with 2026 requirements

2. Policy Development and Documentation

Our experts help develop:

• Written procedures
• Risk analysis documentation
• Compliance frameworks

Ensuring your organization meets all documentation requirements.

3. Security Implementation Support

We assist with:

• MFA deployment
• Encryption implementation
• System security enhancements

4. Business Associate Compliance

We help strengthen:

• Vendor management processes
• Business associate agreements
• Third-party risk monitoring

5. Training and Awareness Programs

BD Emerson delivers tailored HIPAA training for:

• Employees
• Compliance officers
• Leadership teams

6. Ongoing Compliance Monitoring

Compliance is not one-time. We provide:

• Continuous monitoring
• Audit preparation
• Regulatory updates

Conclusion

The HIPAA Security Rule Update 2026 marks a major shift in how healthcare organizations approach cybersecurity and compliance. With stricter requirements, clearer mandates, and increased accountability, these new HIPAA rules demand proactive preparation, even as the final rule and its compliance date remain pending.

Organizations that act now, by strengthening security measures, upgrading systems, and refining compliance strategies, will be best positioned to protect patient data, avoid penalties, and thrive in an increasingly regulated healthcare environment.