The U.S. Department of Health and Human Services (HHS) is preparing to roll out the biggest HIPAA overhaul in nearly two decades. Proposed updates to the HIPAA Security Rule, expected to take effect in 2026, will raise the bar for data protection, risk management, and compliance across the entire healthcare ecosystem.
If your organization handles protected health information (PHI) — whether you’re a covered entity or a business associate — now’s the time to prepare.
Why HIPAA Is Changing
The healthcare sector has become one of the most targeted industries for cyberattacks. In 2024 alone, data breaches exposed over 180 million patient records, driven largely by ransomware, phishing, and third-party vendor incidents.
The current HIPAA framework, last updated in 2013, has struggled to keep pace with these threats. HHS and the Office for Civil Rights (OCR) are responding with a proposed strengthening of the HIPAA Security Rule — introducing more prescriptive requirements, clearer accountability, and modern technical safeguards.
What’s in the Proposed 2026 HIPAA Update
The proposal focuses on three key areas: stronger technical safeguards, enhanced accountability, and more consistent enforcement.
Here’s a breakdown of what’s coming:
🔐 1. Enhanced Security Controls
- Encryption: PHI must be encrypted both in transit and at rest — with very limited exceptions.
- Multi-Factor Authentication (MFA): Required for all systems that access or store PHI.
- Network Segmentation: Systems containing PHI must be isolated from non-critical networks.
- Vulnerability Management: Semi-annual vulnerability scans and annual penetration testing will be mandatory.
These measures aim to shrink the attack surface and make it harder for threat actors to compromise patient data.
🧾 2. Annual HIPAA Security Audits
All covered entities and business associates will need to conduct a formal HIPAA Security Rule audit at least once per year.
This new requirement goes beyond the traditional self-assessment. Organizations must document:
- Their risk analysis process,
- Technical and administrative safeguards,
- Access controls, and
- Remediation actions taken since the last review.
Regular audits will make compliance an ongoing process — not a once-a-year checklist.
🧭 3. Risk Analysis & Asset Inventory
Under the new rule, organizations must:
- Maintain a complete inventory of all devices, systems, and applications that create, receive, or transmit PHI.
- Map how PHI moves across those systems.
- Include vendors and subcontractors in their risk analysis.
This will force many organizations to rethink how they track, document, and protect data as it flows through their environments — especially when using cloud or SaaS platforms.
👥 4. Workforce & Access Management
The proposal tightens control around access to PHI:
- Access termination must occur within one hour of an employee leaving or changing roles.
- Role-based access reviews must happen at least annually.
- Changes in access rights must be communicated to relevant entities within 24 hours.
These updates address one of healthcare’s biggest vulnerabilities: insider threats and abandoned user accounts.
🤝 5. Business Associate Oversight
HHS wants business associates to share more responsibility for compliance. The rule would require:
- Annual security attestations from each business associate,
- Updated Business Associate Agreements (BAAs) to reflect new obligations, and
- Notification within 24 hours if a vendor activates contingency or recovery plans after an incident.
This will close many of the third-party risk gaps that have plagued the healthcare industry.
⚙️ 6. Contingency Planning & Incident Response
The new rule demands faster, more structured responses:
- Critical PHI systems must be restorable within 72 hours after an outage or incident.
- Written incident response plans must be tested and updated regularly.
- Entities must have documented escalation and communication procedures.
In essence, healthcare organizations will be expected to behave more like cybersecurity companies when responding to incidents.
Why These Changes Matter
The goal of these reforms is clear: to protect patient data in a digital-first world. With the rise of telehealth, cloud services, AI integrations, and connected medical devices, the attack surface has exploded.
These new requirements push organizations to be proactive — to know where their data is, control who can access it, and prove their security posture through documentation and audits.
Preparing for the 2026 HIPAA Rule Changes
Here are steps organizations can take right now:
- Conduct a Gap Assessment — Compare your current policies and controls to the proposed requirements.
- Update Risk Analyses — Go deeper: include vendors, systems, and threat modeling.
- Build or Update Your Asset Inventory — Include endpoints, cloud apps, and data flow diagrams.
- Plan for Encryption & MFA Everywhere — Remove any exceptions now.
- Review Your BAAs — Ensure they reflect the new security and reporting expectations.
- Test Your Incident Response Plan — Aim to meet the 72-hour recovery window.
- Budget Early — Allocate funds for audits, tools, and training in 2025.
By starting now, you’ll avoid the scramble when enforcement begins.
The Bottom Line
The upcoming HIPAA updates represent a shift from flexibility to accountability. HHS is moving from “addressable” guidelines to required, auditable, and enforceable standards.
Organizations that take a proactive approach — strengthening their controls, documentation, and vendor oversight now — will be well-positioned to meet the 2026 compliance deadline and protect patient trust in the process.
✅ Need Help Preparing?
TEKZYS can help your organization navigate these upcoming HIPAA changes — from risk assessments and policy updates to managed security and compliance automation.