The 2026 HIPAA Security Rule Overhaul: What Changes, What It Costs, and How to Prepare
> TL;DR: The 2026 HIPAA Security Rule update — the first major overhaul since 2013 — eliminates "addressable" safeguards, mandates multi-factor authentication and encryption, and requires annual technical risk assessments. The final rule is expected in May 2026 with a 180-day compliance window, meaning most healthcare organizations need to start preparing now to hit the late-2026 deadline. See how an integrated compliance platform closes the most common gaps before auditors find them.
The HIPAA Security Rule has not received a major structural update since 2013. In the intervening years, healthcare has migrated to the cloud, ransomware has become a billion-dollar industry, and telehealth has gone from niche to norm. The regulations, meanwhile, have stayed largely the same.
That is about to change.
In late December 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a Notice of Proposed Rulemaking (NPRM) outlining sweeping changes to the HIPAA Security Rule under 45 CFR Part 164; the NPRM was published in the Federal Register on January 6, 2025. The final rule is expected in May 2026. Once published in the Federal Register, it takes effect approximately 60 days later, with covered entities and business associates given a 180-day compliance window from the effective date.
That timeline is tighter than it sounds. If the rule is finalized in May 2026, organizations will need to be fully compliant by late 2026 or early 2027. For many healthcare organizations, that means the preparation window is now.
Here is what is changing, what it will cost, and what you should be doing today.
The Biggest Change: No More "Addressable" Safeguards
If you have worked with the HIPAA Security Rule for any length of time, you are familiar with the distinction between "required" and "addressable" implementation specifications under 45 CFR 164.306(d)(3). Required specifications must be implemented as written. Addressable specifications give organizations the flexibility to assess whether a particular safeguard is reasonable and appropriate for their environment, and if not, to document why and implement an equivalent alternative.
In practice, "addressable" has been widely misinterpreted as "optional." OCR has pushed back against this reading for years, but the confusion has persisted. Organizations have used the addressable designation to justify skipping encryption, avoiding multi-factor authentication, or deferring security measures indefinitely.
The 2026 rule eliminates this distinction entirely. Under the proposed changes, every implementation specification becomes mandatory, with only narrow, specifically defined exceptions. There is no more gray area. If the specification exists in the rule, you implement it. Full stop.
This is the single most consequential change in the rulemaking. It affects how organizations approach encryption, authentication, access controls, audit logging, and nearly every other technical and administrative safeguard. Compliance programs built around documenting why certain addressable specifications were not implemented will need to be fundamentally restructured.
Mandatory Multi-Factor Authentication (MFA)
Under the proposed rule, multi-factor authentication is required for all access to information systems that contain or process electronic protected health information (ePHI), subject only to the narrow, specifically defined exceptions the NPRM itself spells out. Not just remote access. Not just administrative access. All access.
This is a significant expansion. Many healthcare organizations have implemented MFA for VPN connections and remote desktop sessions but have not extended it to local workstation logins, EHR access, or internal applications. The new rule closes that gap.
What This Means Practically
- Every user logging into a system that touches ePHI must authenticate with at least two of the three factor categories: something they know (a password or PIN), something they have (a hardware token or authenticator app), and something they are (a biometric). Two factors from the same category, such as two passwords, do not count.
- Shared workstations in clinical areas, which are common in nursing stations and exam rooms, will need authentication workflows that support MFA without creating unacceptable delays in patient care.
- Legacy systems that do not support modern authentication protocols may require middleware, replacement, or compensating technical controls.
- Organizations will need to evaluate their identity and access management (IAM) infrastructure to ensure it can enforce MFA universally.
For large health systems, this is a substantial implementation effort. For small practices, it may be as straightforward as enabling MFA on their EHR platform and email provider. But regardless of size, no organization is exempt.
Encryption Required, With Only Narrow Exceptions
Encryption of ePHI has been an addressable specification since the Security Rule was first published. Under the current framework at 45 CFR 164.312(a)(2)(iv) and 164.312(e)(2)(ii), organizations can evaluate whether encryption is reasonable and appropriate, and if they determine it is not, document that decision and implement an alternative safeguard.
The proposed rule makes encryption a flat requirement. ePHI must be encrypted both at rest and in transit. The "reasonable and appropriate" alternative analysis goes away, and so does the self-documented exception path: the only exceptions are the narrow ones the rule itself enumerates, such as an individual asking to receive their own ePHI unencrypted. An organization can no longer decide for itself that encryption is not warranted.
This change reflects the reality that encryption technology is now universally available, affordable, and built into most modern systems. The original "addressable" designation was written in an era when encryption imposed meaningful performance and cost burdens. That era is over.
Organizations that have been operating without full disk encryption on laptops and workstations, without TLS enforcement on internal network traffic, or without encryption on database storage will need to close those gaps before the compliance deadline. This is not a future aspiration under the new rule. It is a baseline requirement.
Annual Risk Assessments with Teeth
Risk assessment has always been a requirement under 45 CFR 164.308(a)(1)(ii)(A), and failure to conduct one remains the most frequently cited deficiency in OCR enforcement actions (Source: HHS OCR Enforcement Highlights, 2018-2025). The proposed rule strengthens this requirement in several important ways.
What Changes
- Explicit annual cadence. The current rule requires a risk assessment but does not specify how often. OCR guidance has long recommended annual assessments, but the rule itself was silent on frequency. The proposed rule codifies a 12-month cycle. Every covered entity and business associate must complete a comprehensive risk assessment at least once per year.
- Detailed documentation requirements. The proposed rule specifies what the risk assessment must contain, including an asset inventory, a threat identification analysis, a vulnerability assessment, a risk rating methodology, and a remediation plan with timelines and responsible parties. A high-level summary document will no longer suffice.
- Actionable remediation. Identifying risks is necessary but not sufficient. The rule requires that risk assessments produce documented, actionable remediation plans, and that those plans are tracked to completion. OCR wants to see that risks identified in one year's assessment are being addressed before the next cycle.
For organizations that have treated risk assessment as an annual checkbox, this is a significant shift. The new rule demands a process that is thorough, documented, and visibly connected to security improvements.
24-Hour Incident Reporting for Business Associates
The proposed rule introduces a 24-hour notification requirement for business associates. When a business associate discovers a security incident, it must notify the relevant covered entity within 24 hours of discovery.
This is a dramatic acceleration from current practice. The existing Breach Notification Rule at 45 CFR 164.410 requires business associates to notify covered entities of a breach "without unreasonable delay" and no later than 60 days after discovery. The proposed 24-hour window applies specifically to security incidents, which is a broader category that includes events that may not rise to the level of a reportable breach.
Impact on Business Associate Agreements
Every Business Associate Agreement (BAA) currently in effect will need to be reviewed and likely amended. If your BAA references the current notification timeline, it will be out of compliance with the new rule. Organizations should begin identifying all active BAAs now and planning for renegotiation.
Key provisions to address in updated BAAs include:
- The 24-hour notification window for security incidents
- Clear definitions of what constitutes a "security incident" triggering the notification obligation
- Designated points of contact and communication channels for incident reporting
- Documentation and evidence-sharing requirements during incident response
If you have dozens or hundreds of business associates, this review process alone is a substantial administrative undertaking. Starting early is not optional.
The $9 Billion Question
OCR's own regulatory impact analysis estimated that first-year compliance costs across all covered entities and business associates would reach approximately $9 billion, with recurring annual costs of roughly $6 billion thereafter (Source: HHS OCR NPRM Regulatory Impact Analysis, December 2024).
Those numbers generated significant industry pushback. Healthcare industry groups, including the American Hospital Association (AHA) and the College of Healthcare Information Management Executives (CHIME), raised concerns that the costs would disproportionately burden small and rural providers already operating on thin margins.
The cost concerns are real. But they need to be weighed against the cost of non-compliance. Consider the numbers on the other side of the equation:
- The average cost of a healthcare data breach reached $10.93 million in 2023, the highest of any industry for the thirteenth consecutive year (Source: IBM Cost of a Data Breach Report, 2023).
- OCR settlements and civil monetary penalties have ranged from tens of thousands to millions of dollars per enforcement action.
- Operational disruption from ransomware attacks has shut down hospital systems for weeks, diverted ambulances, and delayed patient care in ways that carry both financial and human costs.
Proactive compliance is expensive. Reactive breach response is more expensive. The $9 billion figure spread across the entire healthcare industry is a fraction of what the industry loses to breaches, penalties, and operational disruption each year.
Timeline: When You Need to Act
Understanding the regulatory timeline is essential for planning:
| Milestone | Expected Date |
|---|---|
| Final rule published in Federal Register | May 2026 |
| Rule takes effect (60 days after publication) | July/August 2026 |
| Full compliance required (180 days after effective date) | Late 2026/Early 2027 |
The 180-day compliance window sounds generous until you account for budget cycles, vendor procurement timelines, technology implementation, workforce training, and BAA renegotiation. Organizations that wait until the rule is finalized to begin planning will find themselves scrambling.
How to Prepare Now
The final rule has not been published yet, but the NPRM provides a clear roadmap of what is coming. Organizations that begin preparing now will be in a dramatically stronger position when the compliance clock starts. Here are five concrete steps to take today.
1. Run a Gap Assessment Against the New Requirements
Compare your current security posture against the specific requirements outlined in the NPRM. Identify where you already meet the proposed standards and where gaps exist. Prioritize those gaps by the level of effort and investment required to close them. This gives your leadership team a clear picture of the work ahead and the resources needed.
2. Audit Your MFA Coverage
Map every system that stores, processes, or transmits ePHI and determine whether MFA is currently enforced on each one. Pay particular attention to local workstation access, clinical applications, and legacy systems. For any system that does not currently support MFA, begin evaluating upgrade paths, replacement options, or compensating controls now, before vendor backlogs pile up.
3. Verify Encryption Across All Systems
Conduct a technical audit of encryption status for ePHI at rest and in transit across your entire environment. This includes databases, file servers, laptops, mobile devices, email, backups, and data transmissions between systems. Document any gaps and create a remediation plan with specific timelines.
4. Update Your BAAs with 24-Hour Reporting Language
Review every active Business Associate Agreement. Identify those that reference the current 60-day notification window or that lack specific incident reporting timelines. Begin drafting updated BAA language that reflects the 24-hour security incident notification requirement. Engage your business associates early. This is a two-party negotiation, and your vendors will need time to adjust their own incident response capabilities.
5. Schedule Your Annual Risk Assessment
If your last risk assessment was more than 12 months ago, or if it does not meet the level of documentation detail outlined in the NPRM, schedule a new one now. Use the proposed rule's requirements as your benchmark: asset inventory, threat identification, vulnerability assessment, risk ratings, and actionable remediation plans with assigned owners and deadlines.
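The five steps above (gap assessment, MFA coverage audit, encryption audit, and an annual assessment that produces a tracked remediation plan) come down to one repeatable piece of bookkeeping: an asset inventory checked against the controls the proposed rule makes mandatory, each gap given a risk rating, an owner and a due date, and the list re-checked for overdue items before the next cycle. The script below is an added example of that bookkeeping in Python; it is not code from the original page or from Live Compliance. The asset inventory, the likelihood weights, the impact bands, the 60/120-day remediation windows and the dates are all constructed for illustration, and the NPRM does not prescribe any particular scoring formula.

```python
"""Gap assessment and remediation tracker against the proposed rule's
mandatory controls (MFA, encryption at rest, encryption in transit).

Added example, not code from the original page or any compliance product.
Inventory, weights, thresholds and dates below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Controls the article identifies as mandatory under the proposed rule.
REQUIRED_CONTROLS = ("mfa", "encryption_at_rest", "encryption_in_transit")

# Constructed likelihood (1-5) that a missing control is actually exploited.
# Illustrative weights, not figures from the NPRM or OCR.
LIKELIHOOD = {"mfa": 5, "encryption_in_transit": 4, "encryption_at_rest": 3}

# Constructed asset inventory: which controls are in place, how many ePHI
# records the system touches, and who owns remediation.
INVENTORY = [
    {"name": "EHR (vendor-hosted)", "owner": "CIO", "records": 250_000,
     "controls": {"mfa": True, "encryption_at_rest": True, "encryption_in_transit": True}},
    {"name": "Nursing-station workstations", "owner": "IT Ops", "records": 250_000,
     "controls": {"mfa": False, "encryption_at_rest": True, "encryption_in_transit": True}},
    {"name": "Legacy lab interface (HL7 over TCP)", "owner": "Integration", "records": 40_000,
     "controls": {"mfa": False, "encryption_at_rest": True, "encryption_in_transit": False}},
    {"name": "Backup NAS", "owner": "IT Ops", "records": 250_000,
     "controls": {"mfa": True, "encryption_at_rest": False, "encryption_in_transit": True}},
    {"name": "Billing export (SFTP)", "owner": "Rev Cycle", "records": 12_000,
     "controls": {"mfa": True, "encryption_at_rest": True, "encryption_in_transit": True}},
]


@dataclass(frozen=True)
class Gap:
    asset: str
    control: str
    owner: str
    risk: int   # likelihood (1-5) * impact (1-5), so 1-25
    due: date


def impact(records: int) -> int:
    """Map the ePHI record count to a 1-5 impact band (constructed thresholds)."""
    for band, limit in enumerate((500, 5_000, 50_000, 200_000), start=1):
        if records < limit:
            return band
    return 5


def remediation_due(risk: int, assessed_on: date, compliance_deadline: date) -> date:
    """High-risk gaps get 60 days, medium 120, low the full window;
    nothing may be scheduled past the compliance deadline."""
    if risk >= 15:
        target = assessed_on + timedelta(days=60)
    elif risk >= 8:
        target = assessed_on + timedelta(days=120)
    else:
        target = compliance_deadline
    return min(target, compliance_deadline)


def find_gaps(inventory, assessed_on: date, compliance_deadline: date) -> list[Gap]:
    """Check every asset against every required control; rate and schedule each gap."""
    gaps = []
    for asset in inventory:
        for control in REQUIRED_CONTROLS:
            if asset["controls"].get(control, False):
                continue  # control documented as in place; nothing to remediate
            risk = LIKELIHOOD[control] * impact(asset["records"])
            gaps.append(Gap(asset["name"], control, asset["owner"], risk,
                            remediation_due(risk, assessed_on, compliance_deadline)))
    # Highest risk first; earlier due date breaks ties.
    return sorted(gaps, key=lambda g: (-g.risk, g.due))


def overdue(gaps: list[Gap], today: date, completed: set[tuple[str, str]]) -> list[Gap]:
    """Gaps past their due date that have not been closed: what the next
    cycle's assessment (and an OCR reviewer) will ask about."""
    return [g for g in gaps if g.due < today and (g.asset, g.control) not in completed]


def assessment_is_current(last_assessment: date, today: date) -> bool:
    """The proposed 12-month cadence: stale once more than 365 days old."""
    return (today - last_assessment) <= timedelta(days=365)


if __name__ == "__main__":
    assessed = date(2026, 1, 15)   # constructed assessment date
    deadline = date(2027, 1, 31)   # hypothetical compliance deadline
    plan = find_gaps(INVENTORY, assessed, deadline)
    for g in plan:
        print(f"risk {g.risk:>2}  due {g.due}  {g.owner:<12} {g.asset}: {g.control}")
    closed = {("Nursing-station workstations", "mfa")}
    late = overdue(plan, date(2026, 4, 1), closed)
    print(f"{len(late)} remediation item(s) overdue as of 2026-04-01")
```

On this constructed inventory the plan ranks the MFA gap on shared nursing workstations first (risk 25, due 60 days out), then MFA on the legacy lab interface and at-rest encryption on the backup NAS (both 15), then the unencrypted HL7 feed (12). Swap the inventory for an export from your asset management system and the `completed` set for your ticket tracker, and the `overdue` list is the evidence that remediation is being tracked to completion rather than merely identified.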
Preparing Is the Strategy
The 2026 HIPAA Security Rule overhaul is the most significant regulatory change in healthcare data security in over a decade. The elimination of addressable specifications, mandatory MFA, universal encryption requirements, annual risk assessments with detailed documentation, and 24-hour incident reporting for business associates will collectively raise the compliance baseline for every covered entity and business associate in the country.
The organizations that come through this transition smoothly will be the ones that started preparing before the final rule was published. The ones that waited will face compressed timelines, competing vendor priorities, and the very real risk of non-compliance during an OCR enforcement environment that shows no signs of easing.
Live Compliance is built to help healthcare organizations stay ahead of exactly this kind of regulatory shift. Our platform continuously monitors your compliance posture, identifies gaps against current and emerging requirements, and provides the documentation and workflows needed to demonstrate audit readiness.
If you want to know where you stand today, start with our free 12-minute audit-readiness gap scan. It will identify your most critical exposure areas and give you a prioritized action plan before the new rule takes effect.
Get your free gap scan and start preparing now.