
Regulatory update

The 2026 HIPAA Security Rule eliminates every loophole independent practices relied on.

The 2026 update is a significant shift that every HIPAA compliance vendor — ourselves included — is adapting to. “Addressable” safeguards are gone. Encryption, MFA, penetration testing, audit logging, and Business Associate verification all become mandatory. Here is what’s changing, what your existing compliance partner will likely cover, and where Patient Protect’s security-first approach helps close the gaps.

The change

What “addressable” meant — and why it’s gone.

Since the Security Rule was adopted in 2003, implementation specifications have been classified as either “required” or “addressable.” Required meant you must implement it. Addressable meant you must assess whether it’s reasonable and appropriate — and if you determine it is not, you can implement an equivalent alternative measure, or document why neither is necessary.

In practice, “addressable” became “optional.” Practices documented that encryption was too expensive, that MFA was too disruptive, that penetration testing was unnecessary for their size. Auditors accepted those justifications. The gap between what HIPAA intended and what practices actually did grew wider every year.

The 2026 rule eliminates the distinction entirely. Every specification becomes required. The documentation-as-defense era is over. What matters now is whether the control is implemented — not whether you wrote a paragraph explaining why it isn’t.

This rule affects every covered entity and Business Associate — regardless of size.

There is no small-practice exemption. A solo dentist and a hospital system face the same requirements. The difference is that the hospital has a CISO, a security team, and a seven-figure compliance budget. Most independent practices have none of those things — which is why this rule will hit them hardest.

The six mandates

What the rule requires — before and after.

Mandatory encryption of all ePHI

§164.312(a)(2)(iv), §164.312(e)(2)(ii)

AES-256 encryption at rest and TLS 1.3 in transit — no exceptions

Before (current rule)

Encryption was “addressable” — practices could document why they chose not to encrypt and still be compliant. Most did exactly that.

After (2026 rule)

Every byte of ePHI must be encrypted at rest and in transit. No exceptions. No alternative measures. No documentation workarounds.

Multi-factor authentication for all ePHI access

§164.312(d)

MFA required for every user, every session, every system

Before (current rule)

MFA was not explicitly required. Password-only access was compliant. Shared logins were common in small practices.

After (2026 rule)

Every user accessing ePHI must authenticate with a second factor. Shared credentials become a violation. This applies to EHR, email, cloud storage, and every other system touching patient data.

Vulnerability scanning and penetration testing

§164.308(a)(8)

Vulnerability scans every 6 months, penetration testing annually

Before (current rule)

No specific scanning or testing frequency was mandated. Most independent practices have never conducted either.

After (2026 rule)

Vulnerability scans must be performed every six months. Full penetration testing must be performed annually. Results must be documented and remediation tracked.

Technology asset inventory and network map

§164.310(d)(1)

Written inventory of every system, device, and data flow touching ePHI

Before (current rule)

Practices were required to conduct risk assessments but not to maintain a formal asset inventory or network map.

After (2026 rule)

Practices must maintain a written, up-to-date inventory of all technology assets — hardware, software, network infrastructure — together with a data flow map showing where ePHI moves. Both must be reviewed and updated as systems change.

Business Associate technical verification

§164.314(a)(2)

Verify that BAs actually implement the safeguards they promise

Before (current rule)

Having a signed BAA was sufficient. Practices were not required to verify that vendors actually implemented the controls they agreed to.

After (2026 rule)

Covered entities must verify — not just contractually require — that their Business Associates implement appropriate technical safeguards. Annual verification is expected.

72-hour incident notification

§164.408

Notify HHS within 72 hours of discovering a breach

Before (current rule)

60-day notification window for breaches affecting 500+ individuals. Smaller breaches reported annually.

After (2026 rule)

All breaches must be reported to HHS within 72 hours of discovery — regardless of size. This is a 95% reduction in the notification window.

Patient Protect

We built for this rule before it was written.

Patient Protect’s v2 platform was architected specifically for the 2026 Security Rule update. Every mandate below is already operational. Whether you use Patient Protect alongside your existing compliance partner or as a standalone platform, these controls are ready today.

Encryption

AES-256-GCM at rest, TLS 1.3 in transit. Every session, every record, every backup.

Multi-factor authentication

SMS 2FA + Altcha challenge layer + browser fingerprinting. No shared credentials.

Penetration testing

Independent vulnerability scanning with zero Critical, High, or Medium findings.

Audit logging

Immutable per-session ePHI access logs retained 6+ years. Tamper-proof by architecture.

BA verification

Vendor Risk Scanner tracks BAA status and technical safeguard compliance in real time.

Asset inventory

ePHI Data Flow Mapper + technology asset tracking built into the compliance engine.


This page reflects the HIPAA Security Rule amendments as proposed in the January 6, 2025 NPRM (89 FR 980). Final rule language may differ. Patient Protect will update this page when the final rule is published. This is not legal advice — consult a qualified HIPAA compliance professional for guidance specific to your practice.