The Biggest HIPAA Update in a Decade
The HIPAA Security Rule hasn't seen a major overhaul since the 2013 Omnibus Rule. That's thirteen years of technological change (cloud migration, the telehealth boom, ransomware epidemics, and AI-driven phishing) while the regulatory framework stayed frozen in time. That changes in 2026.
In late December 2024, HHS published a Notice of Proposed Rulemaking (NPRM) to modernize the Security Rule; it appeared in the Federal Register in January 2025. The final rule is expected in May 2026, with compliance deadlines likely hitting by late 2026 or early 2027. For healthcare practices that haven't started preparing, the window is closing fast.
The stakes are enormous. HHS estimates first-year compliance costs of $9 billion across all covered entities and business associates. But the cost of non-compliance — fines, breach remediation, reputational damage — will be far higher.
The End of "Addressable" Safeguards
Under the current rule, implementation specifications are categorized as either "required" or "addressable." If a specification is addressable, a covered entity can assess whether it's reasonable and appropriate — and potentially skip it with documented justification.
The new rule eliminates that distinction almost entirely. Most safeguards previously labeled "addressable" become mandatory. This is the single most consequential change in the proposal. It means no more writing your way out of security obligations. If the rule says implement MFA, you implement MFA. Period.
The shift from "addressable" to mandatory reflects a hard truth: healthcare organizations have spent years using the addressable designation as a loophole, and breaches have followed. OCR is closing the door.
Mandatory Technical Controls: What Changes
The proposed rule introduces several technical requirements that many practices currently lack:
- Multi-factor authentication (MFA) for all access to electronic Protected Health Information (ePHI), with only narrow exceptions that must be documented
- Encryption of ePHI both at rest and in transit, no longer merely "when reasonable and appropriate"
- Network segmentation to isolate systems containing ePHI from general network traffic
- 72-hour restoration: contingency plans must provide for restoring critical electronic information systems and ePHI within 72 hours of a loss, and that capability must be tested, not just written down
If your practice still uses single-factor authentication for EHR access or transmits patient data over unencrypted channels, these changes alone represent significant infrastructure upgrades. And they're non-negotiable under the new rule.
Annual Assessments, Audits, and Testing
The current rule requires risk assessments, but enforcement has been inconsistent and many practices treat them as one-time checkbox exercises. The updated rule gets specific:
| Requirement | Frequency |
| --- | --- |
| Security risk analysis (written, with documented remediation plan) | At least every 12 months, and after changes that affect ePHI |
| Comprehensive asset inventory + network map | At least every 12 months, and after changes that affect ePHI |
| Security Rule compliance audit | Every 12 months |
| Vulnerability scans | Every 6 months |
| Penetration testing | Every 12 months |
For small and mid-size practices, this means either building internal security capabilities or partnering with a managed IT provider who can deliver these services on a recurring basis. DIY compliance won't survive this level of scrutiny.
Stricter Business Associate Agreements
The updated rule doesn't just affect your practice — it extends deep into your vendor ecosystem. New Business Associate Agreement (BAA) requirements include:
- Explicit cybersecurity obligations defined in the BAA, not just general compliance language
- Subcontractor accountability: vendors must ensure their subcontractors meet comparable security standards
- 24-hour contingency notification: business associates must notify covered entities within 24 hours of activating their contingency plan, that is, of an incident serious enough to disrupt systems holding ePHI
- Annual written verification: business associates must confirm at least every 12 months, through a written analysis by a subject matter expert, that the required technical safeguards are actually deployed
This is a sea change. Many current BAAs are vague templates that haven't been updated in years. Under the new rule, you'll need to review, renegotiate, and potentially replace vendor relationships that can't meet these standards. Start auditing your BAAs now.
The 42 CFR Part 2 Deadline You May Have Missed
While the Security Rule overhaul dominates headlines, another compliance deadline may have already passed your practice by. February 16, 2026 was the deadline for updating your Notice of Privacy Practices (NPP) to reflect changes aligning 42 CFR Part 2 (Substance Use Disorder records) with HIPAA.
Key changes include a single patient consent that covers all future uses and disclosures of SUD records for treatment, payment, and health care operations; elimination of the requirement that covered entities segregate Part 2 records from the rest of the medical record; and application of the HIPAA Breach Notification Rule to Part 2 data. If your NPP hasn't been updated to reflect these changes, you're currently out of compliance.
What Your Practice Should Do Right Now
Waiting for the final rule to land is a mistake. Here's a prioritized action plan:
- Deploy MFA immediately. This is the most impactful single control: Microsoft's widely cited figure is that MFA blocks more than 99.9% of automated account-compromise attempts, and it is proposed as mandatory regardless of how the final rule's details shake out. Prefer phishing-resistant methods (FIDO2 security keys or passkeys) over SMS or push codes, which real-time phishing proxies now routinely relay.
- Encrypt all ePHI at rest and in transit. If your EHR, backup systems, or email aren't encrypted, start planning the migration now.
- Conduct a comprehensive risk assessment if you haven't done one in the past year. Document everything — the new rule demands it.
- Audit your BAAs. Identify which vendors meet the new requirements and which don't. Begin renegotiation conversations early.
- Update your NPP if you haven't already addressed the 42 CFR Part 2 changes.
- Budget for compliance. Between MFA deployment, encryption upgrades, vulnerability scanning tools, and staff training, this is a significant investment — but far cheaper than a breach or OCR fine.
Don't Go It Alone
The updated HIPAA Security Rule represents the most significant compliance shift healthcare organizations have faced in over a decade. The technical requirements are prescriptive, the documentation demands are extensive, and the vendor management obligations are unprecedented.
Most small and mid-size healthcare practices don't have the in-house expertise to navigate this alone. That's not a failure — it's a reality. The right managed IT partner can handle MFA deployment, encryption implementation, risk assessments, vulnerability scanning, BAA reviews, and ongoing compliance monitoring so you can focus on patient care.
UX Genius specializes in healthcare IT compliance and cybersecurity for medical practices. We help you build the security infrastructure the new rule demands — before the deadline, not after. Learn about our healthcare IT services or schedule a compliance assessment today.