HIPAA Updates for 2026: What Healthcare Organizations Need to Know
The healthcare industry is heading into one of its most significant regulatory shifts in over a decade. With proposed changes to both the HIPAA Security Rule and Privacy Rule expected to be finalized in 2026, organizations that handle electronic protected health information (ePHI) need to understand what is changing, why it matters, and how to prepare before compliance deadlines arrive.
Whether you are a hospital system, a small physician practice, a business associate, or a senior care facility, these updates will reshape the way you approach cybersecurity and patient data protection. Here is a comprehensive breakdown of what is on the horizon.
Why Is the HIPAA Security Rule Being Updated in 2026?
The last major overhaul to the HIPAA Security Rule came in 2013 with the Omnibus Final Rule. In the years since, the healthcare sector has experienced a dramatic escalation in cyberattacks. In 2023 alone, 725 large breaches (those affecting 500 or more individuals) were reported to OCR, compromising more than 133 million records. Ransomware, phishing campaigns, and sophisticated threat actors have made healthcare one of the most targeted industries worldwide.
In response, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced a proposed update to the HIPAA Security Rule in December 2024, and the notice of proposed rulemaking was published in the Federal Register on January 6, 2025, opening the public comment period. The stated goal is to align HIPAA's security requirements with modern cybersecurity best practices and strengthen protections for ePHI across the board.
According to the latest regulatory agenda, OCR is targeting May 2026 for a final rule, with an effective date likely in July or August 2026. Most provisions would need to be implemented within 180 days of publication, meaning compliance deadlines could land before the end of 2026 or in early 2027.
What Are the Major Changes to the HIPAA Security Rule?
The proposed revisions introduce sweeping changes that touch nearly every aspect of a healthcare organization's security program. Here are the key areas to watch:
All Safeguards Become Mandatory
One of the most notable shifts is the elimination of the distinction between "required" and "addressable" implementation specifications. Under the current rule, an addressable specification is not optional: an organization must implement it if reasonable and appropriate, or else document why it is not and implement an equivalent alternative measure. In practice, many organizations have treated "addressable" as "optional" and skipped both the safeguard and the documentation. The updated rule removes that ambiguity entirely. If it is in the rule, it is required, with only limited exceptions.
Multi-Factor Authentication and Encryption Requirements
Multi-factor authentication (MFA) will be mandatory for any system or user accessing ePHI. Encryption will be required for all ePHI, both at rest and in transit, using government-approved methods. For organizations still relying on legacy systems that do not support modern encryption protocols, this could mean significant technology upgrades.
MFA implementation in healthcare presents unique workflow challenges. Clinical environments demand rapid authentication across multiple devices and locations throughout a shift. Even small delays in reauthentication can impact patient care. Healthcare organizations will need to find solutions that balance strong security controls with clinical efficiency.
Annual Compliance Audits and Ongoing Testing
Covered entities and business associates will be expected to conduct formal security program audits at least every 12 months. Beyond audits, organizations must perform vulnerability scans at least every six months and penetration tests at least annually. Security measures must also be reviewed and tested annually.
Asset Inventory, Network Mapping, and Data Flow Documentation
Organizations must maintain an up-to-date inventory of all technology assets, including AI tools, that create, receive, maintain, or transmit ePHI. Detailed network maps illustrating how ePHI moves through the organization's electronic information systems will be required, with updates at least every 12 months. This level of documentation goes well beyond what many organizations currently have in place.
Stronger Risk Analysis and Disaster Recovery
Risk analyses and gap assessments will need to be performed annually, with more specific requirements than the current rule imposes (for example, the analysis must draw on the written asset inventory and network map). Patch management policies must be reviewed and updated each year. Perhaps most critically, organizations will need to develop disaster recovery procedures capable of restoring lost systems and ePHI within 72 hours of a disruption.
Enhanced Business Associate Accountability
Business associates and their subcontractors must provide annual written verification that required technical safeguards are in place. They will also be required to notify covered entities within 24 hours when activating a contingency plan related to a security incident or when workforce access to ePHI changes or ends. Business Associate Agreements (BAAs) will need to be updated to reflect these new requirements.
What HIPAA Privacy Rule Changes Are Expected in 2026?
While the Security Rule changes have drawn the most attention, proposed updates to the HIPAA Privacy Rule are also moving forward. Originally proposed in December 2020, these changes have been pending for years. Recent signals suggest a final rule may be published in 2026, with a Tribal Consultation meeting on the proposed updates scheduled for February 2026.
Faster Access to Patient Records
One of the most impactful Privacy Rule changes would shorten the maximum time for providing patients access to their PHI from 30 days to 15 days, with extensions also reduced to 15 days. Given that OCR has imposed more than 50 penalties under its HIPAA Right of Access enforcement initiative, healthcare providers should take this change seriously and begin evaluating whether their current staffing and processes can handle the shorter turnaround.
Expanded Patient Rights and New Access Provisions
Patients would be allowed to inspect their PHI in person and take notes or photographs. Healthcare organizations will need to establish private areas where patients can review their records and implement safeguards to prevent unauthorized access to other patients' information. The definition of electronic health records is also being expanded to include billing records, which means responding to access requests may require pulling data from multiple systems.
Streamlined Administrative Requirements
Not all changes add burden. The proposed rule would eliminate the requirement to obtain written acknowledgment that a patient received the Notice of Privacy Practices. It would also broaden the definition of healthcare operations to include care coordination and case management, and add a minimum necessary standard exception for individual-level care coordination.
Fee Transparency
Covered entities would be required to post estimated fee schedules on their websites for PHI access and disclosures, and provide individualized cost estimates to patients requesting copies of their records.
How Will 42 CFR Part 2 Alignment Affect Healthcare Organizations?
A final rule aligning 42 CFR Part 2, which governs substance use disorder (SUD) treatment records, more closely with HIPAA took effect in April 2024, with full compliance required by February 16, 2026. Key changes include allowing a single patient consent for all future uses and disclosures of SUD records for treatment, payment, and healthcare operations, and applying the HIPAA Breach Notification Rule to Part 2 records. Organizations that handle substance use disorder patient information should already be working toward full compliance with these requirements.
What Is Happening with HIPAA Enforcement in 2026?
OCR has made it clear that enforcement is a priority. In 2025, the agency levied more than $6.6 million in HIPAA fines, ranging from $80,000 to $3 million. Fines targeted a range of organizations, from small practices to large health systems, with many stemming from inadequate risk assessments, ransomware incidents, and weak technical safeguards.
Additionally, OCR confirmed in March 2025 that the third phase of its HIPAA compliance audit program is underway, with 50 covered entities and business associates being audited. These audits focus on risk analysis and risk management requirements and are expected to expand in scope.
Why Has the Healthcare Industry Pushed Back on the Proposed HIPAA Changes?
Not everyone in the industry is on board with the proposed updates. More than 100 healthcare organizations, led by the College of Healthcare Information Management Executives (CHIME), signed a letter asking HHS to reconsider the proposed Security Rule changes. Their concerns center on the cost and operational burden of compliance, particularly for smaller providers and rural hospitals that are already financially stretched.
Critics argue that the requirements impose rigid, prescriptive technical controls that may conflict with how modern healthcare IT environments actually operate. The concern is that unfunded mandates could drive up costs, require extensive infrastructure overhauls, and divert resources away from patient care. Despite this pushback, OCR has kept the rule on its regulatory agenda, signaling it intends to move forward, though potentially in a slimmed-down form.
How Should Healthcare Organizations Prepare for HIPAA Changes in 2026?
Regardless of whether the final rule includes every proposed change, the direction of travel is clear. Here are the practical steps organizations should take now.
- Conduct a thorough gap analysis. Compare your current security program against the proposed requirements. Identify missing policies, outdated technology, and procedural weaknesses that require attention.
- Build and maintain a complete asset inventory. Document every system, device, and third-party vendor that touches ePHI. Create or update network maps and data flow diagrams that show how ePHI moves through your environment.
- Evaluate your MFA and encryption readiness. Work with your IT team to plan and budget for MFA deployment and encryption upgrades. Identify any legacy systems that will need to be replaced or updated to support modern protocols.
- Update Business Associate Agreements. Start conversations with your vendors and business associates about the new security and reporting requirements. BAAs will need to reflect MFA, encryption, annual audit, and 24-hour notification obligations.
- Strengthen workforce training. Move beyond generic annual training sessions. Develop ongoing, role-specific security education programs that prepare staff for real-world threats and regularly test their effectiveness.
- Review disaster recovery and incident response plans. Ensure your organization can restore critical systems and ePHI within 72 hours. Document and rehearse your incident response procedures so they work under pressure.
- Monitor regulatory developments. Stay informed as the rulemaking process progresses. Be prepared to adjust your compliance strategy once the final rule is published.
The Bottom Line on HIPAA in 2026
The proposed HIPAA updates represent the most significant changes to healthcare data security regulation in over a decade. While timelines may shift and some provisions may be adjusted based on industry feedback, the core direction is unlikely to change. Healthcare organizations, business associates, and anyone handling patient data should treat 2026 as a critical year for compliance readiness.
The cost of inaction is not just regulatory penalties. It is the risk of a preventable breach that disrupts patient care and erodes the trust on which healthcare depends. The organizations that start preparing now will be the ones best positioned to meet whatever the final rule requires.
How Compass IT Compliance Can Help
Navigating these HIPAA changes does not have to be overwhelming. Compass IT Compliance works with healthcare organizations of all sizes to assess their current security posture, identify compliance gaps, and build practical roadmaps for meeting new requirements. From risk assessments and policy development to penetration testing, workforce training, and virtual CISO support, our team brings the cybersecurity and compliance expertise needed to help you stay ahead of the 2026 deadlines. If you are unsure where your organization stands, contact us today to start the conversation.