
HIPAA Security Rule 2026 Changes: What Practices Must Know

HHS has proposed the biggest overhaul of the HIPAA Security Rule in two decades — making MFA, encryption, asset inventories, and regular testing mandatory. Here's what's changing, what's still proposed, and how to get ahead of it now.

The HIPAA Security Rule 2026 changes are the most significant proposed update to the rule since it took effect in 2005. HHS's Office for Civil Rights issued a Notice of Proposed Rulemaking (NPRM) that would modernise the Security Rule for today's threat landscape — ransomware, cloud, and the reality that "we addressed it" has let too many practices skip basic controls.

What's changing

The proposal touches nearly every part of the Security Rule. The changes that matter most for a small or mid-size practice:

1. "Addressable" becomes "required"

The proposal removes the long-standing distinction between "required" and "addressable" safeguards. Controls many practices treated as optional (encryption, MFA) would become mandatory, with only narrow, documented exceptions.

2. Mandatory multi-factor authentication

MFA on systems that access ePHI would be explicitly required — closing the gap practices most often leave open on email and the practice-management system.

3. Mandatory encryption of ePHI

Encryption of ePHI both at rest and in transit would be required, not merely "addressed." Unencrypted laptops and back-office files are the most common failure point.

4. Asset inventory & network map

Practices would have to maintain a written technology asset inventory and a network map showing how ePHI moves — refreshed at least annually.

5. Stronger, annual risk analysis

A more prescriptive, written risk analysis tied to the asset inventory — the same SRA that's already the #1 cited deficiency, with more explicit expectations.

6. Vulnerability scanning & penetration testing

Regular vulnerability scanning (proposed every six months) and penetration testing (proposed annually) would move from best practice to expectation.

7. Tighter incident response & restoration

Written, tested incident response plans and a proposed timeframe to restore critical systems and data after an incident (reported around 72 hours).

Why it matters even before it's final

Two reasons not to wait for the final rule. First, OCR already enforces the current Security Rule aggressively, and a missing risk analysis or unencrypted laptop is citable today. Second, cyber insurers have effectively already adopted this baseline — MFA, EDR, encryption, and tested backups are renewal conditions now, regardless of HIPAA's timeline. The practices that get ahead of this turn the final rule into a paperwork update instead of a capital project.

How to prepare now

Everything in the proposal is something a well-run practice should already be doing. Start here:

Get-ahead checklist

1. Turn on MFA everywhere ePHI is reachable — email, PMS, remote access, portals
2. Encrypt every laptop, tablet, and phone; enable encryption on file stores
3. Build (or refresh) a written asset inventory and a simple network/data-flow map
4. Complete a documented, dated Security Risk Assessment this year
5. Schedule vulnerability scanning; plan for an annual penetration test
6. Write and tabletop-test an incident response plan

The bottom line

The HIPAA Security Rule 2026 changes don't ask practices to do anything exotic — they make the security baseline mandatory and explicit. If your practice already runs MFA, encryption, a documented risk analysis, and tested backups, you're most of the way there. If it doesn't, the time to close those gaps is before the rule is final, not after an OCR letter.

Start with the assessment that anchors all of it — see the HIPAA security risk assessment for dental practices (the method applies to any practice) and HIPAA cybersecurity for small practices. For how we run this for you, see cybersecurity for healthcare practices.

This article is general information, not legal advice, and summarises a proposed rule that may change. Verify the current rule status with HHS or qualified counsel before relying on a specific requirement or date.
