2026 HIPAA Updates

Key Takeaways

  • Major HIPAA Modernization Underway: Proposed updates to the Security Rule (expected finalization in 2026) aim to strengthen protections in response to rising cybersecurity threats.
  • “Addressable” Safeguards Becoming Mandatory: Organizations will no longer be able to justify not implementing certain controls – key security measures will be required across the board.
  • Stronger Technical and Administrative Requirements: Expect mandated controls like MFA, encryption, asset inventories, network mapping, segmentation, and annual risk assessments/audits.
  • Increased Accountability for Business Associates: Vendors will face stricter oversight, including written attestations, incident planning requirements, and enhanced scrutiny.
  • Proactive Preparation Is Key: Organizations should begin gap assessments, update security controls, revise policies/contracts, and implement required NPP changes ahead of enforcement.

Since the 2013 Omnibus Rule, the HIPAA Security, Privacy, and Breach Notification Rules have remained largely unchanged. As cybersecurity risks and threats continue to increase, ways to improve the security of HIPAA covered entities and business associates have been under review, and updates are now in the pipeline.

HIPAA Is Changing in 2026

In December 2024, the Office for Civil Rights (OCR) at the Department of Health and Human Services introduced proposed changes that will impact HIPAA. The Notice of Proposed Rulemaking (NPRM) seeks to modernize the HIPAA Security Rule and is expected to be finalized in May 2026, with compliance dates expected later in the year.

Security Rule Proposed Changes

The proposed updates to the rules can be summarized into a few categories. The first update is that safeguards currently classified as either “required” or “addressable” will all become mandatory. This would eliminate the ability to justify non-implementation of an addressable safeguard through documentation alone.

The second category is technical and administrative changes. Proposed technical safeguard requirements include multi-factor authentication (MFA), encryption at rest and in transit, asset inventory, network mapping, and network segmentation. Annual risk assessments and compliance audits are also proposed.

The third category of the proposed update concerns the accountability of business associates. This change would require written attestations, incident and contingency planning, and increased scrutiny of the vendors used to provide services.

Privacy Rule and Notice of Privacy Practices (NPP) Updates

For the Privacy Rule, changes were finalized in 2024 but partially vacated by a federal court in June 2025. Although some parts of the rule are still being litigated, other modifications to the Notice of Privacy Practices (NPP) are required and must be implemented by February 16, 2026. To ensure these updates are in place, organizations should review their NPPs, reflect the updated access and disclosure rights, and remove vacated language while retaining the enforceable updates.

Breach Notification and Enforcement Trends

The Breach Notification Rule itself remains unchanged, but enforcement trends continue to evolve. Because OCR requirements focus on timeliness, documentation, and risk assessment, updates could be on the horizon after the Security Rule is finalized. Certain states also have mandatory notification timelines with civil penalties for failure to comply.

What Organizations Should Do Now

Although some of these changes are still in process, there are several actions covered entities and business associates can take now to make implementation easier once the requirements become mandatory. These include:

  1. Treat all proposed safeguards as effectively mandatory.
  2. Perform a security risk analysis to identify gaps.
  3. Create and maintain an asset inventory and network map.
  4. Ensure MFA, encryption, backups, and incident response are in place.
  5. Review and update Business Associate contract language, along with vendor review and oversight processes.
  6. Update policies, procedures, and training to account for the proposed updates.

Although the OCR has received thousands of comments from the public, it is still believed that the rule will be finalized this year and be enforceable by the end of the year. Even if the changes are not enforceable until 2027, acting early to implement them can help organizations improve their security posture and make it easier to comply with the requirements once they become mandatory.

For more information about HIPAA compliance and related audits, visit our HIPAA services page. McKonly & Asbury can assist clients in identifying and implementing the necessary safeguards to protect protected health information and pass a HIPAA compliance audit. Please contact us if you have questions about the process or are ready to move forward with a HIPAA assessment.

About the Author

Chris Fieger

Chris Fieger, CPA, CISA, CISM, CCSFP, CCP is a Senior Manager with the firm. He is a member of the firm’s System and Organization Controls (SOC) & Technology Practice, performing SOC 1, SOC 2, and SOC 3 engagements, as well as HITRUST an…
