This isn’t tailored to any specific organization. A vendor brought some of this to my attention today, and after digging into it, I realized the scope is bigger than some of us expected. If you’re responsible for healthcare IT like I am, this is the kind of regulatory shift that we should start preparing for now, not when the final rule drops and we’re scrambling to comply within 180 days.
HHS is finalizing the most significant update to the HIPAA Security Rule since 2013. The Office for Civil Rights published a Notice of Proposed Rulemaking on January 6, 2025, and despite significant industry pushback (including a coalition letter from over 100 hospital systems asking the Trump administration to rescind it entirely), OCR has kept the rule on its regulatory agenda for finalization in May 2026.
Whether it lands in May or slips a few months, the direction is clear. The era of “good enough” HIPAA compliance is ending.
What’s Actually Changing
The single biggest structural change: the distinction between “required” and “addressable” safeguards is eliminated.
If you’ve worked in healthcare IT for any length of time, you know how this has played out in practice. The current rule has 22 “addressable” implementation specifications. Organizations can decline to implement them as long as they document why it’s not “reasonable and appropriate.” Many organizations, some of them quite large, have leaned on this flexibility for years to justify not encrypting data at rest, not implementing automatic logoff, or not testing their disaster recovery plans.
Under the proposed rule, every one of those 22 controls becomes mandatory. No exceptions, no documented justifications for skipping them.
In practical terms: security measures that have been treated as optional for over a decade become non-negotiable regulatory requirements.
The Requirements That Matter Most
I won’t reproduce the entire NPRM here; HHS has a fact sheet for that. But here are the requirements that will force the most operational change for healthcare IT teams.
Encryption Everywhere
All ePHI must be encrypted at rest and in transit. Every database, file share, backup, and network transmission. No more documenting why encryption isn’t reasonable: it’s required, full stop.
If you’ve been putting off encrypting legacy file shares or that one departmental database that predates your tenure, the clock is ticking.
MFA for Everyone
Multi-factor authentication is required for all ePHI access. Not just VPN. Not just remote access. Every person, clinical and non-clinical, who touches ePHI must use MFA. That includes EHR, PACS, email, and cloud systems.
This one will be politically painful in clinical environments. Clinicians already complain about authentication friction. But the rule doesn’t carve out exceptions for convenience.
72-Hour Recovery, 48-Hour Backups
Organizations must be able to restore mission-critical systems within 72 hours of an incident, and backups must be no more than 48 hours old. Daily backups are effectively the minimum.
After watching the Change Healthcare breach cripple claims processing across the country for weeks, and the ransomware attack on UMMC more recently, it’s hard to argue these targets are unreasonable. But meeting them consistently, across every critical system, including legacy ones, is a different story.
Vulnerability Scanning and Pen Testing on a Schedule
Vulnerability scans every six months. Penetration testing every twelve months. Annual compliance audits. Annual risk assessments tied to a documented asset inventory and network map.
The operative word is “documented.” Having a vulnerability scanner running is table stakes. Having written results, remediation plans, and evidence that you followed through is what the rule demands.
Patch Management with Teeth
Critical patches within 15 days. High-risk patches within 30 days. This applies to any “relevant electronic information system”: workstations, servers, network devices, and anything else that touches ePHI. If you’ve ever tried to patch a clinical workstation or a production server on a 15-day timeline, you know this will require vendor cooperation that doesn’t always exist. But it’s what the rule says.
Physical Access Controls
Server rooms, network closets, IDF/MDF rooms: any space housing ePHI systems must have auditable access controls. Badge readers or electronic locks with logging. Key-only locks without audit trails will likely be insufficient.
This is one that catches organizations off guard. Many facilities have network closets secured with keyed locks that haven’t been rekeyed in years. The rule wants to know who accessed what space and when.
Business Associate Accountability
A signed BAA is no longer sufficient. Business associates must provide annual written verification that they’ve implemented all required safeguards. They must report security incidents within 24 hours. BAA language must be updated to specify the new requirements.
If you have dozens or hundreds of BAs (and most healthcare organizations do), this is a significant administrative lift.
Will It Actually Happen?
This is where it gets complicated.
The rule remains on OCR’s regulatory agenda for May 2026 finalization. But the Trump administration’s regulatory freeze, DOGE-driven HHS restructuring that reduced the workforce from 82,000 to 62,000, and nearly 4,750 public comments, many of them hostile, create real uncertainty.
A CHIME-led coalition of over 100 hospital systems, including Cleveland Clinic, Yale New Haven Health System, and the American Medical Association, wrote to HHS Secretary Kennedy requesting that the rule be rescinded outright. The Health Sector Coordinating Council proposed an alternative framework called “Forward Path 2025” arguing the NPRM is neither practical nor effective.
There’s also a competing legislative path: the bipartisan Health Care Cybersecurity and Resiliency Act of 2025 (S.3315), reintroduced in December 2025 by Senators Cassidy, Warner, Hassan, and Cornyn. It would modernize HIPAA cybersecurity requirements through legislation rather than rulemaking โ including mandatory MFA, encryption, and audits โ with grants for rural providers to offset costs.
My read: The May 2026 date is optimistic. The final rule may slip, and it may be slimmed down from the NPRM. But the core structural changes (eliminating addressable vs. required, mandating encryption and MFA, requiring documented testing and risk assessments) have broad bipartisan support and are consistent with everything HHS has signaled for the past two years. Whether it arrives via rulemaking or legislation, these requirements are coming.
The Cost Question
HHS estimated the industry-wide cost at roughly $9 billion in the first year and $6 billion annually thereafter. Industry groups say those numbers are understated.
For individual organizations, published estimates range from $20,000-$50,000 for small practices to $500,000+ for large health systems. These include gap remediation, technology upgrades, staffing, testing, and documentation, but not ongoing operational costs.
As someone who manages an IT budget in healthcare, I’ll say this: the costs are real, but so are the costs of not doing these things. The Change Healthcare breach cost UnitedHealth Group over $3 billion. A single ransomware event at a mid-size organization can easily exceed the entire compliance cost of this rule.
The argument that we can’t afford to comply is harder to make when the alternative is a breach that threatens the organization’s survival.
Also on the Radar: 42 CFR Part 2
A separate but related rule aligning 42 CFR Part 2 substance use disorder records with HIPAA protections had a compliance deadline of February 16, 2026, ten days ago. OCR has launched its civil enforcement program and is now accepting complaints. If your organization handles SUD records and hasn’t updated its Notice of Privacy Practices, that’s an immediate action item.
What I’d Do Now
If I were starting a gap assessment today, these are the areas I’d focus on first:
- Encryption coverage. Where is ePHI stored that isn’t encrypted at rest? File shares, local databases, backup media, legacy systems: inventory all of it.
- MFA deployment. Which systems that touch ePHI don’t currently require MFA? What’s the rollout plan, and how long will it realistically take?
- Backup and recovery. Can you actually restore critical systems within 72 hours? Not theoretically: have you tested it? When was the last DR tabletop exercise?
- Asset inventory and network map. Do you have a complete, written inventory of every technology asset that touches ePHI? Do you have a documented diagram showing how ePHI moves through your systems? This is typically one of the most time-consuming requirements.
- Physical access. Which server rooms and network closets have auditable access controls, and which are still on keyed locks?
- Business associate agreements. Do your BAAs reflect the new requirements? Have you started conversations with key BAs about their compliance readiness?
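To make the gap assessment above concrete, here is an added example (mine, not part of the original post and not any HHS or vendor tooling) that runs the checks described in this post over an asset inventory: encryption at rest and MFA on every system holding ePHI, backups no older than 48 hours, vulnerability scans at least every six months, and the 15-day critical / 30-day high-risk patch windows from the patch management section. The inventory format, field names, the PATCH-EXAMPLE identifiers, the sample assets and the choice of 182 days for “six months” are all assumptions for illustration; the thresholds themselves are the ones the post quotes from the NPRM.

```python
"""Hypothetical HIPAA Security Rule gap checker over a constructed asset inventory.

Thresholds come from the proposed rule as described in the post; the inventory
schema, field names, sample assets and patch identifiers are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Thresholds quoted in the post
MAX_BACKUP_AGE = timedelta(hours=48)                      # backups no more than 48 hours old
MAX_SCAN_AGE = timedelta(days=182)                        # "every six months" (assumed as 182 days)
PATCH_SLA = {"critical": timedelta(days=15),              # critical patches within 15 days
             "high": timedelta(days=30)}                  # high-risk patches within 30 days


@dataclass
class Patch:
    id: str            # constructed identifier, not a real advisory or CVE
    severity: str      # "critical" | "high" | anything else is not SLA-tracked here
    released: datetime
    applied: bool = False


@dataclass
class Asset:
    name: str
    holds_ephi: bool
    encrypted_at_rest: bool
    mfa_enforced: bool
    last_backup: datetime | None
    last_vuln_scan: datetime | None
    pending_patches: list[Patch] = field(default_factory=list)


def assess_asset(asset: Asset, now: datetime) -> list[str]:
    """Return the gaps found for one asset; an empty list means nothing was flagged."""
    gaps: list[str] = []
    if not asset.holds_ephi:
        return gaps                                       # out of scope for these checks
    if not asset.encrypted_at_rest:
        gaps.append("ePHI not encrypted at rest")
    if not asset.mfa_enforced:
        gaps.append("MFA not enforced for ePHI access")
    if asset.last_backup is None:
        gaps.append("no backup recorded")
    elif now - asset.last_backup > MAX_BACKUP_AGE:
        age_h = (now - asset.last_backup) / timedelta(hours=1)
        gaps.append(f"last backup is {age_h:.0f}h old (limit 48h)")
    if asset.last_vuln_scan is None:
        gaps.append("no vulnerability scan recorded")
    elif now - asset.last_vuln_scan > MAX_SCAN_AGE:
        gaps.append("vulnerability scan older than six months")
    for p in asset.pending_patches:
        sla = PATCH_SLA.get(p.severity)
        if sla is None or p.applied:
            continue
        deadline = p.released + sla
        if now > deadline:
            overdue = (now - deadline).days
            gaps.append(f"{p.severity} patch {p.id} overdue by {overdue} day(s)")
    return gaps


def assess_inventory(assets: list[Asset], now: datetime) -> dict[str, list[str]]:
    """Map asset name to its gaps, including only assets with at least one gap."""
    report: dict[str, list[str]] = {}
    for a in assets:
        gaps = assess_asset(a, now)
        if gaps:
            report[a.name] = gaps
    return report


# Constructed sample inventory; dates are relative to a fixed "now" so results are reproducible.
NOW = datetime(2026, 2, 26, tzinfo=timezone.utc)
SAMPLE_ASSETS = [
    Asset("ehr-db-01", True, True, True, NOW - timedelta(hours=12), NOW - timedelta(days=30)),
    Asset("legacy-fileshare", True, False, False, NOW - timedelta(days=3), NOW - timedelta(days=200),
          [Patch("PATCH-EXAMPLE-1", "critical", NOW - timedelta(days=20))]),
    Asset("pacs-archive", True, True, False, None, NOW - timedelta(days=10),
          [Patch("PATCH-EXAMPLE-2", "high", NOW - timedelta(days=10))]),
    Asset("marketing-web", False, False, False, None, None),
]

if __name__ == "__main__":
    for name, gaps in assess_inventory(SAMPLE_ASSETS, NOW).items():
        print(name)
        for g in gaps:
            print("  -", g)
```

Run against the sample inventory, the checker flags the legacy file share on all five counts (unencrypted, no MFA, 72-hour-old backup, stale scan, critical patch five days past its 15-day window) and the PACS archive for missing MFA and a missing backup, while the high-risk patch on the archive is still inside its 30-day window and the EHR database passes cleanly. In practice the inventory would be fed from your asset management and backup systems rather than hard-coded, but the point of the post stands: the rule asks for documented evidence, and a report like this is the kind of artifact that produces it.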
The compliance window is projected at 180 days from the effective date. That’s roughly six months to go from wherever you are today to full compliance. For most organizations, that’s not enough time to start from scratch, which is exactly why starting now makes sense, even before the final rule is published.
The specifics may change. The direction won’t.
