The New HIPAA Security Rule Is Coming — What Healthcare Providers Need to Do Now
January 29, 2026
A major shift in healthcare cybersecurity is nearly here. After clearing White House review, the updated HIPAA Security Rule is scheduled for publication as a Final Rule in May 2026. While the final version may still change, one thing is certain:
Healthcare providers will soon face stricter, clearer, and enforceable cybersecurity requirements.
For years, vague regulatory language created confusion and inconsistency in how practices implemented security. Many organizations adopted only the bare minimum, and regulators struggled to enforce compliance. With healthcare now the most targeted industry for cyberattacks, regulators are closing loopholes and requiring real cybersecurity—not checkbox compliance.
The days of "good enough" are over.
Why the Rule Is Changing
The current HIPAA Security Rule, last updated in 2013, has been criticized for:
- Being too vague to enforce consistently
- Allowing significant variation in what providers considered "reasonable security"
- Creating loopholes that enabled minimal cybersecurity investment
- Being successfully challenged in court due to lack of clarity
At the same time, healthcare breaches continue to rise, often tracing back to:
- Weak or missing MFA
- Outdated systems
- Poor vendor oversight
- Incomplete risk analyses
- Insufficient backup and recovery planning
Congress and regulators are now pushing for stronger, enforceable requirements designed to reduce the enormous risks facing healthcare practices.
What the Updated Security Rule Will Require
While we won't know the exact final language until publication, the proposed rule gives healthcare providers a clear preview of what's coming.
1. Mandatory Technical Safeguards
Providers will be required to implement:
- Multifactor authentication (MFA) across systems
- Regular vulnerability scanning
- Scheduled penetration testing
- Stricter audit controls
These aren't optional recommendations anymore — they will be required.
2. Annual Testing & Documentation
Organizations must prove they are continuously protecting patient data. Expect annual requirements such as:
- Updated system inventories
- Data flow diagrams
- Formal risk analyses
- Incident response drills
- Backup and disaster recovery testing
- Policy and procedure reviews
For many small and midsized practices, this will represent a meaningful change in operations — and cost.
3. Stronger Oversight of Business Associates
This is one of the biggest changes.
Healthcare providers will be held directly accountable for the compliance of every vendor that handles or accesses PHI. This includes:
- Managed service providers (MSPs) and other IT providers
- Billing companies
- Cloud services
- Medical transcription companies
It also includes less obvious vendors that may touch PHI:
- Lawyers
- Accountants
- Collection agencies
Providers must actively verify, document, and manage BA compliance — not simply collect a signed BAA.
Why This Matters for Your Practice
Let's be honest:
Many practices have historically invested as little as possible in IT security. Some installed only what was needed to "check the HIPAA box."
Under the new rule, that approach won't be possible anymore. The expectations will be:
- Clear
- Enforceable
- Auditable
- Required
Some providers may feel overwhelmed by the cost and complexity. Others may worry about disruptions. But the alternative — downtime, ransomware, and patient data exposure — is far worse.
This change is ultimately designed to protect your practice, your reputation, your patients, and your financial stability.
Industry Pushback Won't Save You
Healthcare lobbyists have argued that the new requirements may burden small practices or drive some out of business. This has created pressure to soften or remove certain requirements.
But even if parts of the rule are adjusted, the direction is clear:
👉 Security expectations for healthcare are rising dramatically — and permanently.
👉 Enforcement will become much more aggressive.
Providers who wait for the final rule to drop will be left scrambling.
What Healthcare Providers Should Do Right Now
1. Download the 2026 Fact Sheets
The update references two key resources that you should review:
- 2026 HIPAA Security Rule Fact Sheet for Covered Entities & Business Associates
- 2026 HIPAA Security Rule Fact Sheet for MSPs (share with your IT provider)
You can download both of these documents here.
2. Evaluate Your Current Compliance
Ask yourself:
- Do we have MFA everywhere?
- When was our last risk analysis?
- Are we performing annual backup and recovery testing?
- Do we maintain a complete system inventory and data flow diagram?
- Have we validated the compliance of ALL our Business Associates?
- Are we conducting vulnerability scans and pen tests?
Most practices will find gaps — and that's the point of preparing now.
3. Meet with Your IT Provider (or MSP)
Your IT partner should be ready to help you:
- Implement stronger controls
- Close compliance gaps
- Document systems and data flows
- Perform risk analysis and testing
- Manage vendor compliance
- Stay ahead of evolving requirements
If they aren't proactively discussing this update with you, that's a red flag.
4. Start Budgeting for Cybersecurity as a Core Requirement
Cybersecurity isn't an optional add-on anymore. It must become an integral part of your annual operational budget — just like insurance or medical equipment.
Final Takeaway
The updated HIPAA Security Rule represents the most significant change to healthcare cybersecurity in over a decade. While some providers may resist, this shift is necessary and long overdue.
By acting now — before the final rule is released — your practice can:
✨ Stay compliant
✨ Strengthen patient trust
✨ Avoid costly breaches and penalties
✨ Prevent operational downtime
✨ Reduce stress when enforcement ramps up
Healthcare organizations that prepare early won't just survive this change — they'll gain a competitive advantage.
