Key items covered in this article:
- Under the proposed rule, the HIPAA Security Rule updates expected in 2026 would mandate multi-factor authentication (MFA) and stronger encryption standards for protecting electronic protected health information (ePHI).
- Organizations would be expected to conduct annual security audits, strengthen Business Associate Agreements (BAAs), and maintain detailed data flow maps of where ePHI lives and moves in order to comply with the new requirements.
The rules for protecting patient health information are about to get a major upgrade. The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, and its Security Rule has set the baseline for healthcare data security ever since, but significant updates to that Security Rule are now expected. The new requirements would bring stricter, more prescriptive cybersecurity standards for any organization that creates, receives, maintains, or transmits electronic protected health information (ePHI).
For healthcare providers and their business associates, this means it’s time to prepare for change. The updates focus on strengthening defenses against modern cyber threats and increasing accountability across the board. Here’s a summary of what you need to know and how to get ready.
A Quick Look at the Timeline
Current Department of Health & Human Services (HHS) guidance points to a final HIPAA Security Rule in early to mid-2026, followed by a phased compliance period. While that may seem distant, the scale of these updates makes early preparation essential.
As with all federal rulemaking, timelines remain subject to change until the final rule is published in the Federal Register. While timing may evolve, the direction of the proposed requirements is unlikely to materially change, making early preparation advisable.
Key Changes to the HIPAA Security Rule
The upcoming changes will impact nearly every aspect of your security program. While the final text may vary slightly, the proposed rule introduces several new mandates that build on existing requirements.
Mandatory MFA and Stronger Encryption
Two of the most significant technical updates are the requirements for multi-factor authentication (MFA) and enhanced encryption. Today, many Security Rule specifications are "addressable." That has never meant optional (an entity must either implement the control or document why an alternative is reasonable), but in practice many organizations have treated it that way. The proposed rule would remove the required/addressable distinction and make MFA mandatory for any user or system accessing ePHI. Likewise, organizations would have to protect ePHI with strong, government-approved (NIST-standard) encryption both at rest (when stored) and in transit (when sent). Expect this to require upgrading, replacing, or isolating legacy systems that cannot support modern protocols such as current TLS versions.
Increased Accountability for All
The new rule emphasizes shared responsibility and transparency. Organizations should plan for these requirements:
- Annual Security Audits: The proposed rule would require a formal audit of the security program at least every 12 months, with the results documented and available to regulators.
- Enhanced Business Associate Agreements (BAAs): BAAs would need to specify controls such as MFA and encryption, and business associates would have to share their annual audit results with the covered entities they serve.
- Tighter Incident Reporting: The definition of a "security incident" would expand to include operational disruptions, even when no data breach has occurred. Business associates would have a 24-hour window to notify covered entities when they activate their contingency or incident response plan, so notification procedures and contact lists need to be in place before an incident, not during one.
Deeper Risk Management and Documentation
The proposed rule would also require more thorough documentation and planning. Organizations would have to maintain a technology asset inventory, a network map, and detailed data flow diagrams that show where ePHI is stored and how it moves between systems and third parties. Risk assessments would need to become more rigorous, moving beyond simple checklists to a comprehensive analysis of threats and vulnerabilities based on recognized frameworks such as NIST's guidance (for example, NIST SP 800-66, which is written specifically for the HIPAA Security Rule).
Finally, workforce training is getting an overhaul. Generic annual training would no longer be enough. The rule calls for ongoing, role-specific security education, with a focus on measuring whether that training actually changes behavior (for example, through phishing simulations or post-training assessments).
How to Start Preparing Now
Waiting for the final compliance deadline is not a viable strategy; the work involved (system upgrades, contract renegotiation, documentation) takes longer than a typical compliance window. The best approach is to start evaluating your current security posture today.
- Conduct a Gap Analysis: Compare your current compliance program against the proposed changes. Identify missing policies, outdated technology, and weak procedures that need attention, and record the gaps so the same document can later show regulators what was fixed and when.
- Map Your Data: Start creating detailed diagrams of your network and data flows. Document every system, device, and third-party vendor that touches ePHI, including backups, integrations, and any cloud services.
- Review Vendor Agreements: Begin conversations with your business associates about updating your BAAs to include the new security, audit-sharing, and 24-hour notification requirements.
- Plan for Upgrades: Work with your IT team to budget for and plan the rollout of MFA and stronger encryption across your environment. Not all MFA is equal: prefer phishing-resistant factors (such as FIDO2 security keys or platform authenticators) over SMS codes where you can. Identify legacy systems that cannot support MFA or modern encryption now, and decide whether each will be upgraded, replaced, or segmented off with documented compensating controls.
- Strengthen Your Training: Move away from "check-the-box" training and develop a continuous, role-based security awareness program that prepares your team for real-world threats such as phishing and credential theft.
By taking these proactive steps, you can build a more resilient and audit-ready security program. These changes are not just about meeting regulations—they are about fundamentally strengthening your ability to protect patient data in an increasingly complex digital world.
Our team is here to help. If you have questions or would like to learn more, please contact Partner Antonina McAvoy or Senior Manager Reid Peterson.