The HIPAA Security Rule last saw a major update in 2013. In cybersecurity terms, that feels like a geological era. At that time, iPhones did not have fingerprint readers. Ransomware was still a curiosity, not the major threat it poses to healthcare today. Most healthcare groups were still learning how to go paperless.
On December 27, 2024, HHS announced the largest proposed overhaul of the Security Rule to date. The Notice of Proposed Rulemaking (NPRM) appeared in the Federal Register on January 6, 2025. The 60-day comment period closed March 7, 2025, with nearly 5,000 comments submitted. OCR has kept finalization on its rule-based agenda for May 2026.
Once the final rule publishes, you get 240 days to comply. If it lands in May 2026, your deadline falls around January 2027.
That is not a lot of time for what they’re asking.
The Headline Change: “Addressable” Is Dead
If you’ve spent time with HIPAA compliance, you know the difference between “required” and “addressable” implementation specifications. Required means you do it. Addressable means you assess whether it is reasonable and appropriate for your group.
In theory, addressable meant flexibility. In practice, it became a loophole. Many groups wrote that encryption or automatic logoff was not reasonable for their situation and moved on. OCR saw this pattern across years of enforcement actions and breach reviews. We explain why this matters in our deep dive on why “addressable” doesn’t mean “optional”.
The proposed rule eliminates the required/addressable distinction entirely. Every specification becomes required, with only narrow, clearly defined exceptions. If you see a safeguard in the rule, you must implement it.
This single change cascades through everything else in the rule.
The 7 Major HIPAA Security Rule Changes You Need to Know
1. MFA Required for All ePHI Access — No Exceptions
Multi-factor authentication would change from a recommended practice to a legal requirement. Under the proposed rule, every system containing ePHI would require MFA for access. This includes remote and on-site access, clinical users, and admin users. The proposal does not create a small-group exception.
MFA means at least two of: something you know (password), something you have (authenticator app, hardware key), or something you are (fingerprint, face scan). SMS-based codes technically qualify but are the weakest option — SIM-swapping attacks have made them unreliable. Both OCR and NIST recommend app-based authenticators like Microsoft Authenticator, Google Authenticator, or Duo.
Here’s the number that should convince anyone still on the fence: MFA blocks 99.9% of automated account compromise attacks, according to Microsoft’s security research.
The practical impact: if anyone in your group accesses ePHI with just a username and password today, that’s a violation once this rule takes effect. We wrote a full setup walkthrough in our plain-English MFA guide.
2. Encryption Required: At Rest and In Transit
Encryption of ePHI is no longer addressable (see our detailed guide on mandatory encryption standards under the updated Security Rule). It is required for data at rest and data in transit. Data at rest includes servers, workstations, laptops, backup drives, USB drives, and cloud storage. Data in transit means data moving across any network.
The “in transit” piece is where many groups have gaps. If your practice emails patient records without encryption, that is noncompliant. If your EHR sends data to a clearinghouse over an unencrypted connection, that is noncompliant. If a staff member texts patient information, that is noncompliant.
Some exceptions may apply when encryption is not possible. The group must document compensating controls. Meeting that exception will be difficult.
3. Risk Analysis Every 12 Months — With Teeth
The current rule requires a risk analysis but doesn’t specify frequency. Most groups do one at onboarding and update it sporadically. The proposed rule changes that — and incomplete risk reviews are already the number-one reason practices get fined.
Every 12 months, you must complete:
- A complete risk analysis identifying all reasonably anticipated threats
- A review and update of your technology asset list
- A review and update of your network map
- Written records of every identified threat and weak spot with an assessed risk level
- A check of existing controls against each identified risk
This isn’t checking boxes on a template. The NPRM requires the risk analysis to reflect your actual setting — your specific systems, your specific vendors, your specific threat space. Cookie-cutter reviews that don’t reference your group’s real systems won’t pass muster.
4. Technology Asset Inventory and Network Mapping
Two new documentation requirements that support the risk analysis:
Technology asset list: Written records identifying every technology asset that creates, receives, maintains, or transmits ePHI. Each entry must include the asset’s location, the person accountable for it, and its current version. Reviewed and updated at least every 12 months.
Network map: A diagram showing how ePHI moves through your digital systems — how it enters, exits, and is accessed from outside. This must include technology assets used by your business associates. Also reviewed annually.
A five-physician medical practice might find this manageable. A hospital system with thousands of endpoints faces a much larger records challenge. Either way, you cannot do it in a weekend.
5. 72-Hour System Restoration After a Cyberattack
The proposed rule requires written procedures to restore critical digital information systems and data within 72 hours of a disruption. You must also perform an analysis of which systems are most critical to determine restoration priority.
This is a direct response to the ransomware epidemic. When Change Healthcare went down in February 2024, claims processing across the country ground to a halt for weeks — ultimately affecting 190 million patients and costing UnitedHealth Group over $2.9 billion. When hospitals get hit with ransomware, patient care suffers. HHS wants proof that you can get back on your feet in three days.
Meeting this rule means tested backups, documented recovery steps, and — critically — actually running recovery drills. A backup you’ve never tested is not a backup. If you want to know what the first three days after an attack actually look like, read our ransomware response guide.
6. Annual Compliance Audits
The proposed rule requires an annual compliance audit assessing conformity with the Security Rule. This is separate from the risk analysis. The risk analysis asks “what threats exist?” The compliance audit asks “are we actually doing what we’re supposed to?”
For groups that have been running informal self-reviews, this formalizes the process and creates written records that OCR can request during a review.
7. Business Associates Must Verify Compliance Annually
Business associates get much clearer obligations under the proposed rule:
- Annual written verification: Every 12 months, BAs must provide written confirmation that required technical safeguards are deployed. This analysis must be prepared by a subject matter expert and certified as accurate. A generic “we’re HIPAA compliant” letter won’t satisfy this.
- 24-hour backup notice: If a BA activates their disaster recovery or business continuity plan in a way that affects your ePHI, they must notify you within 24 hours.
If you have 15 business associates, that’s 15 annual verifications you need to collect, review, and file. Start building that into your vendor management process now — and make sure you’re not making the common BAA mistakes that trip up many practices.
How Much Will HIPAA Security Rule Compliance Cost?
HHS estimates first-year compliance costs at about $9 billion across the industry, with a five-year estimate of about $33 billion for years two through five.
Those are industry-wide numbers. What does it mean for an individual practice?
For a small practice that already has MFA, encryption, and a current risk analysis, the incremental cost may be modest — primarily written records, asset list, and updated BAAs. Maybe $5,000-$15,000 in consulting and IT support.
For a practice that’s been skating by with minimal technical safeguards, the cost is significantly higher. Deploying MFA across all systems, encrypting all endpoints, implementing network segmentation, and building a documented recovery plan could run $25,000-$75,000 or more depending on practice size and existing systems.
Industry groups including CHIME and NHCA have pushed back hard on the cost burden, especially for smaller groups. HHS acknowledged the financial impact but maintains the rules are needed given the scale of healthcare cybersecurity failures — 710 large breaches were reported to OCR in 2025 alone, affecting tens of millions of patients.
No federal funds are set aside for HIPAA compliance. The expense comes from your operating budget. But consider the alternative: the average healthcare data breach cost $10.9 million in 2024, and HIPAA fines increased again in 2026. Compliance is the cheaper option.
The Political Variable
One important caveat: this NPRM was published in the final days of the Biden administration. The current administration has the authority to modify, delay, or withdraw the proposed rule.
However, as of early 2026, OCR has kept finalization on its official rule-based agenda. Healthcare cybersecurity has bipartisan support — ransomware attacks on hospitals don’t have a political party. Industry observers and legal analysts widely expect the rule to be finalized, potentially with some modifications based on the comment period feedback.
The smart play is to prepare as if it’s happening. If it gets delayed, you’ve strengthened your security posture. If it doesn’t, you’re ready.
What to Start Doing This Month
You don’t need to wait for the final rule. Everything on this list is either already required under current HIPAA rules or directly aligned with where the rule is headed:
Deploy MFA everywhere. Start with your EHR, then email, then billing software. Most platforms support it natively. Authenticator apps are free. This is the single highest-impact step you can take. Our MFA setup guide walks you through it step by step.
Audit your encryption. Find every place ePHI lives and moves. Verify it’s encrypted at rest and in transit. Document any gaps and fix them.
Build your asset list. List every device, system, and application that touches ePHI. Include location, owner, and version. This becomes a living record you keep continuously updated.
Draw your network map. Show how ePHI flows through your systems and out to vendors. If you can’t draw it, you don’t understand it — and you can’t secure it.
Update your BAAs. Add the 24-hour backup notice clause and the annual verification requirement. Start with your most critical vendors. Don’t make the BAA mistakes that leave you exposed when a vendor gets hacked.
Test your backups. Run an actual recovery drill. Time it. Can you restore key systems within 72 hours? If not, that’s your priority.
Budget now. Whatever this costs, it costs less than a breach. The compliance investment is the cheaper option compared to a $6.6 million fine year like 2025.
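The asset list in section 4 and the MFA, encryption and review-cadence items in this checklist can be turned into a repeatable gap check. The script below is an added example (not from this article or any regulator); it runs over a constructed sample inventory with made-up assets and flags each entry that is missing a required field, lacks MFA, lacks encryption at rest or in transit, or has not been reviewed within 12 months. The field names and the 365-day window are assumptions for illustration.

```python
from datetime import date, timedelta

# Constructed sample inventory (fictional assets, not a real practice).
# One row per asset that creates, receives, maintains, or transmits ePHI.
SAMPLE_INVENTORY = [
    {"name": "EHR server", "location": "Server room A", "owner": "IT lead",
     "version": "2025.2", "mfa": True, "encrypted_at_rest": True,
     "encrypted_in_transit": True, "last_reviewed": "2025-09-01"},
    {"name": "Front-desk laptop", "location": "", "owner": "Office manager",
     "version": "Win 11 23H2", "mfa": False, "encrypted_at_rest": True,
     "encrypted_in_transit": True, "last_reviewed": "2024-05-15"},
    {"name": "Billing SaaS", "location": "Vendor cloud (BA)", "owner": "Billing",
     "version": "n/a", "mfa": True, "encrypted_at_rest": True,
     "encrypted_in_transit": False, "last_reviewed": "2025-11-20"},
]

# Fields the article says each inventory entry must carry.
REQUIRED_FIELDS = ("name", "location", "owner", "version")
# Assumed review window: "at least every 12 months".
REVIEW_INTERVAL = timedelta(days=365)


def find_gaps(inventory, today):
    """Return a list of (asset name, finding) tuples for every gap found."""
    gaps = []
    for asset in inventory:
        name = asset.get("name") or "<unnamed>"
        for field in REQUIRED_FIELDS:
            if not asset.get(field):
                gaps.append((name, f"missing required field: {field}"))
        if not asset.get("mfa"):
            gaps.append((name, "no MFA on ePHI access"))
        if not asset.get("encrypted_at_rest"):
            gaps.append((name, "ePHI not encrypted at rest"))
        if not asset.get("encrypted_in_transit"):
            gaps.append((name, "ePHI not encrypted in transit"))
        reviewed = asset.get("last_reviewed")
        if not reviewed:
            gaps.append((name, "never reviewed"))
        elif today - date.fromisoformat(reviewed) > REVIEW_INTERVAL:
            gaps.append((name, f"review overdue (last {reviewed})"))
    return gaps


if __name__ == "__main__":
    for name, finding in find_gaps(SAMPLE_INVENTORY, date(2026, 1, 15)):
        print(f"{name}: {finding}")
```

Feed it your real inventory (for example, loaded from a CSV with the same column names) and re-run it before each annual risk analysis so overdue reviews and unprotected assets surface before an auditor finds them.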
The Bottom Line
The 2026 HIPAA Security Rule update is the most significant healthcare cybersecurity rule in over a decade. It eliminates the “addressable” loophole, mandates MFA and encryption, requires annual risk analyses and compliance audits, and holds business associates to documented verification standards.
The timeline is tight: final rule expected May 2026, compliance deadline about January 2027. Groups that start preparing now will be better positioned to meet the deadline. Groups that wait will have less time to close gaps.
The rules are catching up to the threats. Make sure your practice keeps up with both.
Key stat: The proposed 2026 Security Rule changes include mandatory encryption for all ePHI, 72-hour system restoration requirements, annual penetration testing, and technology asset inventories. If finalized, these represent the most significant expansion of HIPAA technical requirements since the Security Rule was first published in 2003.
Related Reading
- MFA Is About to Be Required for HIPAA — A Plain-English Guide
- Why “Addressable” Doesn’t Mean “Optional” — The HIPAA Myth That Gets Practices Fined
- How to Run a Risk Review That Won’t Get You Fined
- The Change Healthcare Breach One Year Later — Lessons for Every Practice
- HIPAA Fines Just Went Up — New Penalty Amounts for 2026
Need help preparing for the new Security Rule? One Guy Consulting offers compliance reviews, risk analysis services, and setup support for practices of all sizes.
Related: What Is HIPAA Certification? Why It Does Not Exist Under Federal Law