2026 HIPAA Security Rule Update

Summary

Quick Answer: The 2026 HIPAA Security Rule update introduces significant changes including mandatory encryption of ePHI at rest and in transit (removing the “addressable” designation), required multi-factor authentication for all systems accessing ePHI, 72-hour incident reporting requirements, annual penetration testing, and enhanced business associate oversight obligations. These changes, proposed by HHS in late 2025, represent the most substantial update to HIPAA security requirements since the original rule. Healthcare organizations should begin preparing now by assessing their current encryption status, implementing MFA, and updating their incident response plans. Updated for the 2026 HIPAA Security Rule Final Rule — published in the Federal Register on January 6, 2025 and at the 90-day-Final-Rule mark in May 2026. This is no longer an explainer about a proposal. The 2026 HIPAA Security Rule is finalized text, OCR has begun citing it in resolution agreements, and the January 2026 OCR Cybersecurity Newsletter made clear that risk analysis is the most-frequently-cited deficiency in OCR investigations. What follows is the operational layer between the Rule’s text and what healthcare IT teams actually do Monday morning — what’s verifiable, what’s annual, and what’s auditable. What’s actually landed in healthcare IT at 90 days at Final Rule Asset inventory finally stopped being a joke. Regulators are now asking for current, accurate inventories of every system that touches ePHI — not the 2024 “spreadsheet of laptops” norm. The January 2026 OCR Newsletter ties unpatched-software risk directly to a complete asset inventory. MFA on remote access is now assumed. The Final Rule’s implementation specifications are being read as required, not addressable. Document or compensating-control is the operative posture. Annual BAA verification is the most-underrated workflow. The new requirement is to verify the BAA — document the verification itself, not just keep the BAA on file...