HIPAA Security Rule Update 2026: Everything Your Organization Needs to Know
The most significant overhaul of the HIPAA Security Rule in over two decades is approaching finalization. HHS OCR released its Notice of Proposed Rulemaking on December 27, 2024 (published in the Federal Register on January 6, 2025), and the rule sits on the HHS regulatory agenda for finalization by May 2026. New mandatory requirements for encryption, multi-factor authentication, prescriptive risk assessments, and 72-hour restoration of critical systems will affect every covered entity and business associate.
With compliance deadlines potentially falling before the end of 2026, organizations that wait for the final rule to begin preparation will face a dangerously compressed timeline. This page is your comprehensive, actionable guide to what is changing and the concrete steps you can take now.
Download the Free 2026 Readiness Checklist
275M+
Healthcare records breached in 2024
HHS OCR Breach Portal, HIPAA Journal 2024 Report
$9B
Estimated first-year compliance cost across all regulated entities
OCR estimate cited by Alston & Bird, November 2025
240 Days
Proposed compliance window after final rule publication
HHS NPRM, Federal Register, January 2025
4,745
Public comments received on the proposed rule
OCR Deputy Director Tim Noonan, HIPAA Summit 2025
Six Requirements That Will Reshape Your Compliance Program
The proposed HIPAA Security Rule update introduces specific, prescriptive mandates that replace years of flexible guidance. Each change below carries direct operational implications for covered entities and business associates.
Structural Change
No More "Addressable" vs. "Required"
The proposal eliminates the longstanding distinction between "required" and "addressable" implementation specifications. Under the update, organizations must implement every standard and every implementation specification; the only flexibility is in how you implement a control, not whether you implement it, apart from the narrow exceptions the proposed rule itself specifies.
This means security controls that many organizations documented as "not applicable" or replaced with alternative measures now become mandatory, auditable deliverables.
Source: HHS NPRM, released by OCR December 27, 2024 and published in the Federal Register January 6, 2025
Technical Safeguard
Mandatory Encryption of All ePHI
Encryption of electronic protected health information becomes a universal requirement, at rest and in transit. The previous "addressable" status, which let organizations document alternative measures instead of encrypting, is eliminated, leaving only the narrow exceptions the proposed rule itself specifies.
Organizations still holding unencrypted ePHI on legacy systems will face a hard deadline to encrypt or replace those systems. ePHI must be encrypted wherever it is stored, whether on servers, endpoints, backups, or in the cloud, and on every path it travels across a network; the encryption standards and key management procedures in use must be documented so an auditor can verify them.
Source: HHS Office for Civil Rights NPRM, 45 CFR 164.312
Access Control
Multi-Factor Authentication Required
MFA becomes mandatory for all access to ePHI and systems containing ePHI. This affects clinical workflows, vendor access, remote work setups, and legacy application access across every covered entity and business associate.
The stakes are clear: in 2024, 81% of healthcare breaches involved compromised credentials. MFA enforcement is one of the highest-impact controls any healthcare organization can implement today.
Credential statistic: HIPAA Journal, 2024 Healthcare Data Breach Report
Risk Management
Prescriptive, Written Risk Assessments
Risk assessments must contain a prescribed set of elements: a technology asset inventory, a network map illustrating how ePHI moves through the environment, threat identification for each asset, a vulnerability assessment, and a documented risk rating methodology.
The vague "conduct a risk assessment" standard becomes a detailed, auditable deliverable. Organizations need a systematic, repeatable process, not a one-time spreadsheet exercise. The proposal also adds a separate requirement for an annual compliance audit.
Source: HHS NPRM, proposed 45 CFR 164.308 revisions
Vulnerability Management
Vulnerability Scans Every Six Months and Annual Penetration Tests
Regulated entities (covered entities and business associates alike) must scan systems for security weaknesses at least every six months and conduct penetration testing at least annually. Network segmentation is also proposed, to isolate systems containing ePHI from general-purpose networks.
These requirements codify what many security frameworks already recommend, aligning HIPAA more closely with NIST Cybersecurity Framework standards and HHS's own Cybersecurity Performance Goals.
Source: HHS NPRM, proposed technical safeguard requirements
Incident Response
72-Hour Recovery and Faster Notification
Contingency plans must demonstrate the ability to restore critical systems and data within 72 hours of a ransomware attack or other disruption. Business associates must notify covered entities (and subcontractors must notify business associates) within 24 hours of activating their contingency plan.
In 2024, 725 large healthcare data breaches were reported to HHS, the third consecutive year with over 700 breaches. The Change Healthcare ransomware attack alone affected an estimated 192.7 million individuals.
Breach statistics: HIPAA Journal, 2024 Healthcare Data Breach Report (HHS OCR data)
Not sure where your organization stands on these six requirements?
Our free checklist maps each proposed change to specific actions you can take today, before compliance deadlines are finalized.
Proof, not promises
Real results from real compliance teams
200+
Hours saved on ISO 27001 prep
Medtec used Priverion to cut through the documentation, evidence collection, and policy preparation that typically takes organizations 6 to 12 months manually.
Medtec customer result. Industry average ISO 27001 timeline: 3 to 12 months (Vanta, 2025).
60%
Lower cost vs. enterprise platforms
Predictable pricing based on company count and size, not per-user or per-module. No expansion traps, no six-figure surprises at renewal time.
Compared to median enterprise OneTrust deployments reaching mid to high six figures annually (Vendr, Feb 2026).
3 mo
Ahead on ISO 27001 readiness
Priverion's audit-ready evidence packages and policy templates compress months of preparation. Medtec reached readiness in a fraction of the typical timeline.
Medtec customer result. Typical certification: 6 to 9 months for most organizations (ISMS.online, 2026).
Built for mid-market reality, not enterprise complexity
With GDPR fines exceeding €7.1 billion and enforcement accelerating, you need a platform that gets you compliant fast. Not one that takes months to configure.
Priverion: Purpose-built for multi-entity privacy programs
- Swiss data sovereignty, guaranteed. Swiss-built and Swiss-hosted; all data processing stays within Swiss infrastructure. Switzerland holds EU adequacy status, so your cross-border transfers are legally defensible by design.
- Operational in weeks, not months. Clean, intuitive UX designed for DPOs and compliance leads, with no dedicated implementation team required. An aircraft manufacturer customer saw a 60% reduction in compliance admin time within its first six months.
- Predictable, transparent pricing. Priced by number of companies and organizational size, not per user and not per module. No expansion traps, no surprise renewal increases.
- All-in-one privacy platform. ROPA, DPIA/TIA, vendor risk, incident management, DSR handling, data mapping, and an AI Register for EU AI Act readiness. One platform, one price.
- AI-assisted, human-controlled. AI helps draft DPIAs, score risks, and map regulations; every output is reviewed before it becomes a compliance record. No customer data is ever used for model training.
OneTrust: Built for Fortune 500 scale and complexity
- US-headquartered, multi-region hosting. OneTrust is a US-based company. While EU hosting options exist, the corporate structure means your data may be subject to US legal jurisdiction, including potential CLOUD Act requests.
- Steep learning curve, long setup. Mid-market reviewers consistently cite weeks of configuration time and a cluttered interface, and implementation services add cost on top of licensing. (Source: G2 and Capterra verified reviews, 2025-2026)
- Opaque, modular pricing. OneTrust does not publish list prices; each module is billed on its own metric, and costs can climb as your team or data footprint grows. Buyers should request a multi-year quote covering all modules and seats up front. (Source: Vendr market data, February 2026)
- Modular: pay per capability. Five separate product lines, each with its own pricing tier. Mid-market organizations often end up in the low-to-mid six figures annually once they add the modules they actually need. (Source: Vendr pricing analysis, February 2026)
- Broad scope, broad complexity. OneTrust covers ESG, ethics, cookie consent, and 300+ jurisdictions. If you need all of that, it is a strong choice. But if your priority is privacy program management across entities, much of that scope becomes overhead.
A note on fairness: OneTrust is a capable platform for global enterprises that need 300+ regulatory templates, ESG modules, and cookie consent management. We do not cover those areas. Priverion is purpose-built for organizations managing privacy programs across multiple subsidiaries, and that is where we focus our entire product investment.
Eight Steps to Prepare Before the Final Rule Drops
You do not need to wait for the final rule to start closing gaps. These eight actions map directly to the proposed requirements and will put your organization ahead of the 240-day compliance window.
01
Complete a Technology Asset Inventory
- Identify every system, application, and device that creates, receives, maintains, or transmits ePHI
- Document the network location and data flows for each asset
- Flag legacy systems that lack encryption or MFA capability
02
Map ePHI Data Flows Across All Entities
- Create a network diagram showing how ePHI moves between systems, departments, and third parties
- Include cloud services, remote access pathways, and business associate connections
- Identify any unencrypted transmission paths
03
Upgrade Encryption to Cover All ePHI
- Encrypt all ePHI at rest and in transit, with only the narrow exceptions the proposed rule itself specifies
- Prioritize legacy systems where encryption was previously classified as "addressable"
- Document encryption standards and key management procedures
04
Deploy Multi-Factor Authentication Everywhere
- Enable MFA on all systems containing ePHI, including EHR, email, VPN, and cloud applications
- Include vendor and third-party access points in your MFA rollout
- Plan for clinical workflow adjustments to minimize disruption
05
Conduct a Prescriptive Risk Assessment
- Follow the proposed format: asset inventory, network map, threat identification, vulnerability assessment, and risk ratings
- Move beyond one-time spreadsheets to a repeatable, documented methodology
- Schedule annual risk assessments and compliance audits proactively
06
Schedule Vulnerability Scans and Penetration Tests
- Plan for vulnerability scans at least every six months across all ePHI-connected systems
- Engage a qualified firm for annual penetration testing
- Evaluate network segmentation to isolate ePHI from general-purpose networks
07
Update Your Incident Response and Recovery Plan
- Validate that your contingency plan can restore critical systems within 72 hours
- Ensure business associate agreements include the proposed 24-hour notification requirement for contingency plan activation
- Run tabletop exercises simulating ransomware scenarios with realistic timelines
08
Review All "Addressable" Controls for Mandatory Compliance
- Audit every control currently classified as "addressable" in your compliance documentation
- Identify any controls marked "not applicable" or replaced with alternative measures
- Create an implementation plan to bring all specifications to full compliance
Get the full checklist as a downloadable PDF
Includes detailed action items, responsible parties, and priority rankings for each requirement. Built for compliance leads at multi-entity healthcare organizations.
Free PDF. No demo required. We will send it to your inbox.
The Compliance Leader's Guide to the 2026 HIPAA Security Rule Update
The proposed HIPAA Security Rule overhaul is the most significant update in over two decades, with finalization on the HHS regulatory agenda for May 2026. This guide breaks down exactly what compliance teams need to know and do before deadlines hit.
Inside the guide, you will learn:
1. What the elimination of "addressable" safeguards means for your controls: all implementation specifications become mandatory, with only narrow exceptions
2. New technical mandates at a glance, including mandatory encryption, MFA, network segmentation, vulnerability scanning every six months, annual penetration testing, and 72-hour system restoration requirements
3. How to prepare for the projected $9 billion first-year compliance cost across the industry, with a prioritized action plan for multi-entity healthcare organizations
4. Timeline scenarios and compliance deadlines, including the proposed 240-day implementation window and how it may shift before the final rule is published
Sources include the HHS HIPAA Security Rule NPRM (released by OCR December 27, 2024 and published in the Federal Register January 6, 2025), OCR enforcement data, and analysis of more than 4,700 public comments received during the rulemaking process.
Download the Free PDF
Get a clear, actionable breakdown of every proposed change, organized by priority for compliance teams at multi-entity healthcare organizations.
Why this matters now:
OCR estimated first-year compliance costs at $9 billion across all regulated entities.
OCR estimate, per Alston and Bird analysis of proposed HIPAA Security Rule NPRM, 2025
If finalized as proposed, entities would have just 240 days to comply from the date of publication.
Based on proposed rule timeline, HHS OCR regulatory agenda, May 2026
The regulatory clock is ticking
Stop managing compliance in spreadsheets. Start managing it for real.
GDPR fines now exceed 7.1 billion euros, with 1.2 billion issued in 2025 alone. European data protection authorities receive 443 breach notifications every single day. Enforcement is no longer a background risk for legal teams to monitor quietly.
Source: DLA Piper GDPR Fines and Data Breach Survey, January 2026
Priverion gives multi-entity organizations a single platform for ROPA management, DPIA automation, vendor risk assessments, incident response, and audit-ready reporting across every subsidiary and jurisdiction. Swiss-built, Swiss-hosted, with AI that assists your decisions and never replaces them. An aircraft manufacturer customer cut compliance admin time by 60% in its first six months. Your team could be next.
60%
Less compliance admin time
Aircraft manufacturer, first 6 months
200+
Hours saved in audit prep
Medtec, ISO 27001
100%
ROPA recertification rate
AXA, fully automated
No per-user pricing. No per-module expansion. Operational in weeks, not months.
The Privacy Compliance Briefing
Monthly insights on GDPR enforcement, Swiss FADP updates, and automation strategies for DPOs and compliance teams.