Patient Protect

Free tool · Updated April 2026

2026 HIPAA Security Rule readiness framework.

OCR expects to finalize the 2026 Security Rule update this year. The NPRM removes the “addressable” category and names specific safeguards: encryption, MFA, penetration testing, and asset inventories become mandatory for every covered entity regardless of size. This framework maps 24 technical controls across 8 security domains to both the current Security Rule and the NPRM’s enhanced requirements. Independent practices have limited runway.

Free · No login required · Progress saved locally · Current rule + NPRM mapped

24 controls: mapped to the current Security Rule and the 2026 NPRM provisions
8 domains: encryption, network, access, endpoint, monitoring, testing, vendors, governance
Weighted scoring: critical controls weighted 3×, so gaps where they matter most surface first
100% free: no login, no credit card, no trial expiration

The 2026 Security Rule NPRM changes the compliance baseline for every independent practice.

Safeguards the current rule leaves “addressable” or unspecified — encryption, MFA, penetration testing — become explicit requirements with no size exemption. This framework maps each control to both the current rule and the NPRM provision so your practice can prepare before enforcement, not after. Read the full 2026 rule breakdown →

2026 Security Rule readiness

Weighted exposure score: critical controls count 3×, high 2×, standard 1×, for 54 exposure points across the 24 controls. Coverage is the share of controls you have confirmed; exposure is the weighted points still open, so one unconfirmed critical control costs as much as three unconfirmed standard ones.


Encryption & Data Protection

How patient data is protected at rest, in transit, and in backup.

1.1 Encrypt all ePHI at rest — full-disk, database, and removable media
    Critical · Current: §164.312(a)(2)(iv)
1.2 Enforce TLS 1.3 for all data in transit (TLS 1.2 only as a documented exception for vendor interfaces that cannot negotiate 1.3; nothing older)
    Critical · Current: §164.312(e)(1)
1.3 Encrypt and secure all backup data with offsite replication
    Critical · Current: §164.312(a)(2)(iv), §164.308(a)(7)(ii)(A)

Network Security

Perimeter defenses, segmentation, and traffic control.

2.1 Configure firewalls and intrusion detection systems
    Critical · Current: §164.312(e)(1)
2.2 Segment clinical, administrative, and guest networks
    High · Current: §164.312(e)(1)
2.3 Disable unnecessary services, ports, and default accounts
    High · Current: §164.312(a)(1)

Identity & Access Control

Who can reach ePHI, how identity is verified, and how access ends.

3.1 Enforce MFA on all accounts with ePHI access
    Critical · Current: §164.312(d)
3.2 Assign unique user IDs with immutable audit logging
    Critical · Current: §164.312(a)(2)(i), §164.312(b)
3.3 Enforce role-based access with least-privilege defaults
    High · Current: §164.312(a)(1), §164.308(a)(4)
3.4 Terminate access within 24 hours of role change or workforce separation
    High · Current: §164.308(a)(3)(ii)(C)

Device & Endpoint Security

Mobile devices, workstations, and session management.

4.1 Enforce session timeouts and progressive account lockout
    Standard · Current: §164.312(a)(2)(iii)
4.2 Apply MDM and BYOD policies for all devices accessing ePHI
    High · Current: §164.310(b), §164.310(c)

Monitoring & Threat Detection

Log visibility, malware defense, and patch management.

5.1 Centralize security logs with anomaly detection and alerting
    Critical · Current: §164.312(b)
5.2 Deploy anti-malware on all systems processing ePHI
    Critical · Current: §164.308(a)(5)(ii)(B)
5.3 Patch critical vulnerabilities within defined timelines
    High · Current: §164.308(a)(1)

Vulnerability & Penetration Testing

Proactive identification of exploitable gaps.

6.1 Conduct penetration testing at least annually
    High · Current: §164.308(a)(8)
6.2 Perform automated vulnerability scans every six months
    High · Current: §164.308(a)(8)

Vendor & Physical Security

Third-party risk management and physical safeguards.

7.1 Validate vendor security standing and maintain current BAAs
    Critical · Current: §164.308(b)(1), §164.314(a)
7.2 Maintain physical security controls for all ePHI environments
    Standard · Current: §164.310(a)(1), §164.310(a)(2)(ii-iv)

Governance & Resilience

Asset inventory, policy management, continuity, and audit.

8.1 Maintain a written technology asset inventory
    High · Current: §164.308(a)(1)(ii)(A)
8.2 Maintain an annotated network map, reviewed annually
    Standard · Current: §164.308(a)(1)(ii)(A)
8.3 Document and review all security policies annually
    Standard · Current: §164.316(a), §164.316(b)(2)(iii)
8.4 Maintain and test 72-hour system restoration capability
    Critical · Current: §164.308(a)(7)(ii)(B-D)
8.5 Conduct an annual compliance audit against the Security Rule
    High · Current: §164.308(a)(8)

How to use this framework

Three ways to get value.

01

Self-audit

Work through each domain with your IT contact or office manager. Check the controls you can confirm are in place. The weighted exposure score shows where your highest-risk gaps are — not just how many boxes are unchecked.

02

Expand the details

Click any control to see four layers: why it matters, how Patient Protect handles it, the real breach that resulted from this gap, and what “confirmed” actually means beyond checking a box. Each control includes the current Security Rule citation and the NPRM reference.

03

Prioritize by weight

Critical controls (encryption, MFA, logging, vendor validation) are weighted 3× in the exposure score. Start there: those are the gaps most commonly behind healthcare breaches and the ones most likely to draw OCR scrutiny in an investigation.
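The self-audit and weighting described above can be kept as a script rather than a checkbox. The following is an added example, not Patient Protect’s own code: two controls (3.1 MFA and 3.4 access termination) are confirmed from constructed identity-provider and HR exports instead of a hand tick, the rest are passed in as a hand-confirmed set, and the weighted exposure score is computed with the page’s weights (critical 3×, high 2×, standard 1×; 54 points across the 24 controls). The export field names, the sample accounts and the audit timestamp are assumptions made for illustration.

```python
"""Evidence-driven self-audit for the 24-control readiness framework.

Added example, not Patient Protect's own code. Controls 3.1 (MFA) and 3.4
(access termination within 24 hours) are decided from constructed IdP and HR
exports; every other control is taken from a hand-confirmed set. Scoring
follows the page's weights: critical 3x, high 2x, standard 1x, 54 points total.
Field names and all records below are assumptions for illustration only.
"""
from datetime import datetime, timezone

TIER_WEIGHT = {"Critical": 3, "High": 2, "Standard": 1}

# Control id -> tier, exactly as listed in the eight domains above.
CONTROL_TIERS = {
    "1.1": "Critical", "1.2": "Critical", "1.3": "Critical",
    "2.1": "Critical", "2.2": "High", "2.3": "High",
    "3.1": "Critical", "3.2": "Critical", "3.3": "High", "3.4": "High",
    "4.1": "Standard", "4.2": "High",
    "5.1": "Critical", "5.2": "Critical", "5.3": "High",
    "6.1": "High", "6.2": "High",
    "7.1": "Critical", "7.2": "Standard",
    "8.1": "High", "8.2": "Standard", "8.3": "Standard", "8.4": "Critical", "8.5": "High",
}

# Constructed sample exports (assumed field names, not a real IdP or HR schema).
IDP_USERS = [
    {"user": "dr.alvarez", "ephi_access": True, "mfa_enrolled": True, "status": "active"},
    {"user": "front.desk2", "ephi_access": True, "mfa_enrolled": False, "status": "active"},
    {"user": "billing.tmp", "ephi_access": True, "mfa_enrolled": True, "status": "active"},
    {"user": "old.nurse", "ephi_access": True, "mfa_enrolled": True, "status": "disabled"},
    {"user": "guest.kiosk", "ephi_access": False, "mfa_enrolled": False, "status": "active"},
]
HR_SEPARATIONS = [
    {"user": "billing.tmp", "separated_at": "2026-04-01T09:00:00+00:00"},  # still active
    {"user": "old.nurse", "separated_at": "2026-03-15T17:00:00+00:00"},    # disabled on time
]
AUDIT_TIME = datetime(2026, 4, 3, 12, 0, tzinfo=timezone.utc)  # constructed "now"


def total_points():
    """Maximum weighted exposure; 54 for the 24 controls above."""
    return sum(TIER_WEIGHT[tier] for tier in CONTROL_TIERS.values())


def mfa_gaps(users):
    """Control 3.1: accounts with ePHI access that are not MFA-enrolled."""
    return sorted(u["user"] for u in users if u["ephi_access"] and not u["mfa_enrolled"])


def termination_gaps(users, separations, now, sla_hours=24):
    """Control 3.4: separated workforce whose account is still active past the SLA."""
    active = {u["user"] for u in users if u["status"] == "active"}
    late = []
    for sep in separations:
        separated_at = datetime.fromisoformat(sep["separated_at"])
        overdue = (now - separated_at).total_seconds() > sla_hours * 3600
        if sep["user"] in active and overdue:
            late.append(sep["user"])
    return sorted(late)


def evidence_confirmed(users, separations, now):
    """Confirmation status for the controls that can be decided from exports."""
    return {
        "3.1": not mfa_gaps(users),
        "3.4": not termination_gaps(users, separations, now),
    }


def score(confirmed_ids):
    """Weighted exposure: (points remaining, coverage fraction, gaps ranked by weight)."""
    confirmed = set(confirmed_ids)
    unknown = confirmed - set(CONTROL_TIERS)
    if unknown:
        raise ValueError(f"unknown control ids: {sorted(unknown)}")
    gaps = [(cid, TIER_WEIGHT[tier]) for cid, tier in CONTROL_TIERS.items()
            if cid not in confirmed]
    gaps.sort(key=lambda g: (-g[1], g[0]))  # critical first, then by control id
    remaining = sum(weight for _, weight in gaps)
    coverage = len(confirmed) / len(CONTROL_TIERS)
    return remaining, coverage, gaps


def audit(manual_confirmed, users=IDP_USERS, separations=HR_SEPARATIONS, now=AUDIT_TIME):
    """Combine hand-confirmed controls with evidence-derived ones, then score."""
    evidence = evidence_confirmed(users, separations, now)
    # Evidence wins for the controls it covers: a hand tick cannot confirm 3.1 or 3.4.
    confirmed = (set(manual_confirmed) - set(evidence)) | {c for c, ok in evidence.items() if ok}
    return score(confirmed)


if __name__ == "__main__":
    print("3.1 MFA gaps:", mfa_gaps(IDP_USERS))
    print("3.4 termination gaps:", termination_gaps(IDP_USERS, HR_SEPARATIONS, AUDIT_TIME))
    remaining, coverage, gaps = audit({"1.1", "1.2", "1.3", "3.1"})
    print(f"{remaining}/{total_points()} exposure points remaining, {coverage:.1%} coverage")
    for cid, weight in gaps[:5]:
        print(f"  gap {cid} (weight {weight})")
```

With the constructed data the script flags one account without MFA and one separated user still active 51 hours later, so 3.1 and 3.4 stay unconfirmed even though 3.1 was ticked by hand; only the three encryption controls count, leaving 45 of 54 exposure points open. Swapping the sample lists for real IdP and HR exports turns the checkbox into a repeatable check.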

Why infrastructure matters

Compliance paperwork does not stop ransomware. Infrastructure does.

Most HIPAA compliance vendors focus on policies: documents that describe what should happen. The problem is that a policy does not encrypt a backup, enforce MFA, or segment a network. When the Office for Civil Rights investigates a breach, it asks for technical evidence: were safeguards in place, were they configured correctly, and were they monitored?

The 2026 NPRM makes this concrete. Under the current rule an “addressable” specification could be left unimplemented if the practice documented why it was not reasonable and appropriate and, where reasonable, put an equivalent alternative in place. The NPRM removes that option. Encryption at rest, MFA, penetration testing, technology asset inventories, 72-hour system restoration: these are no longer optional regardless of practice size, revenue, or patient volume.

This framework covers the 24 controls that separate a practice with a defensible infrastructure from one that is running on hope. Each control maps to a specific Security Rule provision and the corresponding NPRM enhancement, with real breach examples showing what happens when the control is missing.

Last updated: April 2026. Controls mapped to HHS NPRM “HIPAA Security Rule to Strengthen the Cybersecurity of Electronic Protected Health Information” (90 FR 898, Jan. 6, 2025). This framework will be updated when the final rule is published.

2026 rule deep dive

2026 HIPAA Security Rule

The full breakdown of the NPRM’s six mandates — what changes, what it means for independent practices, and how Patient Protect is already built for it.

Read the Rule Analysis

Related tool

HIPAA Compliance Roadmap

This framework covers technical infrastructure. The Compliance Roadmap covers the full 17-step operational program — entity classification, risk assessment, policy management, vendor oversight, and breach response.

See the Full Roadmap

Get a full picture

Unified Risk Assessment

This framework shows infrastructure gaps. The Unified Risk Assessment scores your overall compliance readiness, entity classification, and ePHI data flow in one comprehensive evaluation.

Take the Free Assessment

Ready to close the gaps — not just document them?

The framework shows where your infrastructure is exposed. Patient Protect automates the controls — encryption, access management, monitoring, vendor tracking — so your practice meets the 2026 requirements without a security team.