HIPAA Security Rule 2026: 7 Key Changes

The HIPAA Security Rule was last meaningfully updated in 2013. In cybersecurity years, that’s a geological era. iPhones didn’t have fingerprint readers. Ransomware was a curiosity, not a business model. Most healthcare organizations were still figuring out how to go paperless.

On December 27, 2024, HHS dropped the biggest proposed overhaul of the Security Rule in its history. The Notice of Proposed Rulemaking (NPRM) landed in the Federal Register on January 6, 2025. The 60-day comment period closed March 7, 2025, with nearly 5,000 comments submitted. OCR has kept finalization on its regulatory agenda for May 2026.

Once the final rule publishes, you get 240 days to comply. If it lands in May 2026, your deadline falls around January 2027.

That is not a lot of time for what they’re asking.

The Headline Change: “Addressable” Is Dead

If you’ve spent any time with HIPAA compliance, you know the distinction between “required” and “addressable” implementation specifications. Required means you do it. Addressable means you assess whether it’s reasonable and appropriate for your organization.

In theory, addressable meant flexibility. In practice, it became a loophole. Thousands of organizations documented that encryption or automatic logoff was “not reasonable” for their situation and moved on. OCR saw this pattern across years of enforcement actions and breach reviews. We wrote about why this matters in our deep dive on why “addressable” doesn’t mean “optional”.

The proposed rule eliminates the required/addressable distinction entirely. Every specification becomes required, with only narrow, specifically defined exceptions. If a safeguard appears in the rule, you implement it.

This single change cascades through everything else in the rule.

The 7 Major HIPAA Security Rule Changes You Need to Know

1. MFA Required for All ePHI Access — No Exceptions

Multi-factor authentication moves from best practice to legal mandate. Under the proposed rule, every system containing electronic protected health information (ePHI) requires MFA for access. Remote and on-site. Clinical and administrative. No carve-outs for small practices.

MFA means at least two of: something you know (password), something you have (authenticator app, hardware key), or something you are (fingerprint, face scan). SMS-based codes technically qualify but are the weakest option — SIM-swapping attacks have made them unreliable. Both OCR and NIST recommend app-based authenticators like Microsoft Authenticator, Google Authenticator, or Duo.

Here’s the number that should convince anyone still on the fence: MFA blocks 99.9% of automated account compromise attacks, according to Microsoft’s security research.

The practical impact: if anyone in your organization accesses ePHI with just a username and password today, that’s a violation once this rule takes effect. We wrote a full implementation walkthrough in our plain-English MFA guide.

2. Encryption Required — At Rest and In Transit

Encryption of ePHI is no longer addressable. It’s required. Both at rest (stored data on servers, workstations, laptops, backup drives, USB drives, cloud storage) and in transit (data moving across any network).

The “in transit” piece is where most organizations have gaps. If your practice emails patient records to referring providers without encryption, that’s noncompliant. If your EHR sends data to a clearinghouse over an unencrypted connection, that’s noncompliant. If a staff member texts patient information, that’s noncompliant.

Limited exceptions exist for situations where encryption is technically infeasible, but the organization must document compensating controls, and the bar will be high.

3. Risk Analysis Every 12 Months — With Teeth

The current rule requires a risk analysis but doesn’t specify frequency. Most organizations do one at onboarding and update it sporadically. The proposed rule changes that — and incomplete risk analyses are already the number-one reason practices get fined.

Every 12 months, you must complete:

  • A complete risk analysis identifying all reasonably anticipated threats
  • A review and update of your technology asset inventory
  • A review and update of your network map
  • Documentation of every identified threat and vulnerability with an assessed risk level
  • An evaluation of existing controls against each identified risk

This isn’t checking boxes on a template. The NPRM requires the risk analysis to reflect your actual environment — your specific systems, your specific vendors, your specific threat landscape. Cookie-cutter assessments that don’t reference your organization’s real systems won’t pass muster.

4. Technology Asset Inventory and Network Mapping

Two new documentation requirements that support the risk analysis:

Technology asset inventory: Written documentation identifying every technology asset that creates, receives, maintains, or transmits ePHI. Each entry must include the asset’s location, the person accountable for it, and its current version. Reviewed and updated at least every 12 months.

Network map: A diagram showing how ePHI moves through your electronic information systems — how it enters, exits, and is accessed from outside. This must include technology assets used by your business associates. Also reviewed annually.

For a five-physician practice, this might be manageable. For a hospital system with thousands of endpoints, this is a major documentation undertaking. Either way, you can’t do it in a weekend.
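As an added example (not code from the original post or from any HHS tooling), here is a small Python check that runs the two documentation requirements above, plus the in-transit encryption requirement from section 2, over a constructed asset inventory and network map. The field names, the list of protocols treated as encrypted, and the sample data are this example’s own assumptions, not an HHS-defined format.

```python
# Added example: checks a constructed technology asset inventory and network
# map against the NPRM requirements described above. Every asset touching
# ePHI needs a location, an accountable owner and a current version, reviewed
# within 12 months; every ePHI flow on the map must be encrypted in transit.
# Field names, protocol labels and sample records are assumptions of this
# example, not an official format.
from datetime import date, timedelta

REVIEW_WINDOW = timedelta(days=365)                     # "at least every 12 months"
ENCRYPTED_PROTOCOLS = {"https", "sftp", "tls", "vpn"}   # assumed labels used on the map
TODAY = date(2026, 1, 15)                               # constructed "as of" date

# Constructed sample inventory: one entry per asset that touches ePHI.
ASSETS = [
    {"name": "EHR server",    "location": "Server room A", "owner": "IT lead",
     "version": "2025.2",      "last_review": date(2025, 9, 1)},
    {"name": "Front desk PC", "location": "Reception",     "owner": "",
     "version": "Win 11 23H2", "last_review": date(2024, 1, 15)},
    {"name": "Backup drive",  "location": "",              "owner": "IT lead",
     "version": "",            "last_review": date(2025, 11, 3)},
]

# Constructed sample network map: how ePHI enters, exits and is accessed.
FLOWS = [
    {"src": "EHR server",       "dst": "Clearinghouse (BA)",  "protocol": "https"},
    {"src": "EHR server",       "dst": "Referring provider",  "protocol": "smtp"},
    {"src": "Front desk PC",    "dst": "Patient",             "protocol": "sms"},
    {"src": "Remote clinician", "dst": "EHR server",          "protocol": "vpn"},
]

def asset_gaps(assets, today=TODAY):
    """Return (asset name, problem) pairs for entries missing a required field
    or not reviewed within the 12-month window."""
    gaps = []
    for a in assets:
        for field in ("location", "owner", "version"):
            if not a.get(field):
                gaps.append((a["name"], f"missing {field}"))
        if today - a["last_review"] > REVIEW_WINDOW:
            gaps.append((a["name"], "review older than 12 months"))
    return gaps

def unencrypted_flows(flows):
    """Return the mapped ePHI flows whose protocol is not an encrypted one."""
    return [f for f in flows if f["protocol"].lower() not in ENCRYPTED_PROTOCOLS]

if __name__ == "__main__":
    for name, problem in asset_gaps(ASSETS):
        print(f"INVENTORY GAP: {name}: {problem}")
    for f in unencrypted_flows(FLOWS):
        print(f"UNENCRYPTED ePHI FLOW: {f['src']} -> {f['dst']} over {f['protocol']}")
```

Each finding maps to a documentation gap the annual review must close; plain email (smtp) and text messages (sms) are exactly the in-transit cases section 2 calls out as noncompliant.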

5. 72-Hour System Restoration After a Cyberattack

The proposed rule requires written procedures to restore critical electronic information systems and data within 72 hours of a disruption. You must also perform an analysis of which systems are most critical to determine restoration priority.

This is a direct response to the ransomware epidemic. When Change Healthcare went down in February 2024, claims processing across the country ground to a halt for weeks — ultimately affecting 190 million patients and costing UnitedHealth Group over $2.9 billion. When hospitals get hit with ransomware, patient care suffers. HHS wants proof that you can get back on your feet in three days.

Meeting this requirement means tested backups, documented recovery procedures, and, critically, actually running recovery drills. A backup you’ve never tested is not a backup. If you want to know what the first three days after an attack actually look like, read our ransomware response guide.

6. Annual Compliance Audits

The proposed rule requires an annual compliance audit assessing conformity with the Security Rule. This is separate from the risk analysis. The risk analysis asks “what threats exist?” The compliance audit asks “are we actually doing what we’re supposed to?”

For organizations that have been running informal self-reviews, this formalizes the process and creates documentation that OCR can request during an investigation.

7. Business Associates Must Verify Compliance Annually

Business associates get significantly clearer obligations under the proposed rule:

  • Annual written verification: Every 12 months, BAs must provide written confirmation that required technical safeguards are deployed. This analysis must be prepared by a subject matter expert and certified as accurate. A generic “we’re HIPAA compliant” letter won’t satisfy this.
  • 24-hour backup notice: If a BA activates their disaster recovery or business continuity plan in a way that affects your ePHI, they must notify you within 24 hours.

If you have 15 business associates, that’s 15 annual verifications you need to collect, review, and file. Start building that into your vendor management process now — and make sure you’re not making the common BAA mistakes that trip up most practices.

How Much Will HIPAA Security Rule Compliance Cost?

HHS estimates first-year compliance costs at about $9 billion across the industry, with a five-year estimate of about $33 billion for years two through five.

Those are industry-wide numbers. What does it mean for an individual practice?

For a small practice that already has MFA, encryption, and a current risk analysis, the incremental cost may be modest — primarily documentation, the asset inventory, and updated BAAs. Maybe $5,000-$15,000 in consulting and IT support.

For a practice that’s been skating by with minimal technical safeguards, the cost is significantly higher. Deploying MFA across all systems, encrypting all endpoints, implementing network segmentation, and building a documented recovery capability could run $25,000-$75,000 or more depending on practice size and existing systems.

Industry groups including CHIME and NHCA have pushed back hard on the cost burden, especially for smaller organizations. HHS acknowledged the financial impact but maintains the rules are needed given the scale of healthcare cybersecurity failures — 710 large breaches were reported to OCR in 2025 alone, affecting tens of millions of patients.

There are no federal funds earmarked for HIPAA compliance. This comes out of your operating budget. But consider the alternative: the average healthcare data breach cost $10.9 million in 2024, and HIPAA fines increased again in 2026. Compliance is the cheaper option.

The Political Variable

One important caveat: this NPRM was published in the final days of the Biden administration. The current administration has the authority to modify, delay, or withdraw the proposed rule.

However, as of early 2026, OCR has kept finalization on its official regulatory agenda. Healthcare cybersecurity has bipartisan support — ransomware attacks on hospitals don’t have a political party. Industry observers and legal analysts widely expect the rule to be finalized, potentially with some modifications based on the comment period feedback.

The smart play is to prepare as if it’s happening. If it gets delayed, you’ve strengthened your security posture. If it doesn’t, you’re ready.

What to Start Doing This Month

You don’t need to wait for the final rule. Everything on this list is either already required under current HIPAA rules or directly aligned with where the rule is headed:

Deploy MFA everywhere. Start with your EHR, then email, then billing software. Most platforms support it natively. Authenticator apps are free. This is the single highest-impact step you can take. Our MFA setup guide walks you through it step by step.

Audit your encryption. Find every place ePHI lives and moves. Verify it’s encrypted at rest and in transit. Document any gaps and fix them.

Build your asset inventory. List every device, system, and application that touches ePHI. Include location, owner, and version. This becomes a living document you update continuously.

Draw your network map. Show how ePHI flows through your systems and out to vendors. If you can’t draw it, you don’t understand it — and you can’t secure it.

Update your BAAs. Add the 24-hour backup notice clause and the annual verification requirement. Start with your most critical vendors. Don’t make the BAA mistakes that leave you exposed when a vendor gets hacked.

Test your backups. Run an actual recovery drill. Time it. Can you restore critical systems within 72 hours? If not, that’s your priority.

Budget now. Whatever this costs, it costs less than a breach. The compliance investment is the cheap option compared to a $6.6 million fine year like 2025.

The Bottom Line

The 2026 HIPAA Security Rule update is the most significant healthcare cybersecurity regulation in over a decade. It eliminates the “addressable” loophole, mandates MFA and encryption, requires annual risk analyses and compliance audits, and holds business associates to documented verification standards.

The timeline is tight: final rule expected May 2026, compliance deadline about January 2027. Organizations that start preparing now will meet the deadline. Organizations that wait will scramble.

The rules are catching up to the threats. Make sure your practice keeps up with both.

Need help preparing for the new Security Rule? One Guy Consulting offers compliance reviews, risk analysis services, and implementation support with affordable pricing for practices of all sizes. Get started with our risk assessment tool.