
It’s About Time: HIPAA Is Finally Holding Healthcare Organizations Accountable for Protecting Patient Data

Let’s be honest about something that doesn’t get said often enough in polite compliance conversations: the healthcare industry has been getting away with inadequate data security for a very long time.

Patients hand over their most sensitive personal information every time they walk through a clinic door, fill a prescription, or log into a patient portal. They share diagnoses, medications, mental health histories, Social Security numbers, and insurance details, and for most of them, there’s no real choice in the matter. Healthcare isn’t optional. Neither is trusting a provider with your data.

For years, many of the organizations holding that data have done the bare minimum to protect it. Not because they were malicious, but because the regulatory framework allowed it. The original HIPAA Security Rule, written in 2003 and last meaningfully updated in 2013, had a structure that let organizations explain their way out of implementing basic security controls. The framework distinguished between requirements that were truly “required” and those that were merely “addressable,” meaning an organization could document a reason why a control wasn’t reasonable or appropriate and simply move on. Predictably, a lot of organizations moved on.

The result has been more than a decade of escalating healthcare data breaches, with patients paying the price and organizations facing consequences that were, too often, modest enough to absorb without fundamentally changing how they operated.

That era is ending. The 2026 HIPAA Security Rule update represents a genuine shift: away from policy-based compliance toward real, testable, and enforceable security controls. Whether every organization is ready for it or not, the rules are finally reflecting the reality that patient data is valuable, targeted, and that protecting it requires actual effort.


The Numbers That Made This Inevitable

The regulatory overhaul didn’t happen in a vacuum. It happened because the breach statistics became impossible to ignore.

In 2023 alone, there were 747 large data breaches at HIPAA-regulated entities, exposing more than 168 million records. To put that in perspective, that’s more than half the U.S. population’s healthcare information exposed in a single year. And then 2024 arrived and made it worse.

In 2024, the records of approximately 238 million U.S. residents were exposed across just the 14 largest breaches, roughly 70% of the entire U.S. population. The breach that defined the year was Change Healthcare, a UnitedHealth subsidiary that processes an almost incomprehensible volume of American healthcare transactions.

Change Healthcare ultimately notified OCR that 192.7 million individuals were impacted by the breach, making it the largest healthcare data breach in recorded history. The company’s CEO testified before Congress that its systems touch one in every three patient records in the United States. The data exposed wasn’t limited to names and addresses. Hackers potentially stole about a third of Americans’ protected health information and personally identifiable information, including Social Security numbers, medical records, test results, contact information, and information on active military personnel.

An American Medical Association survey conducted in 2024 revealed that 80% of physician practices lost revenue from unpaid claims and 60% faced challenges verifying patient eligibility. When the systems that process healthcare transactions go down, the entire system feels it, including patients waiting for prescriptions to be filled and providers trying to keep their doors open.

And critically, none of this was some exotic, sophisticated attack that no one could have anticipated. When you look at major incidents like the Change Healthcare breach, the pattern is obvious: no MFA on key systems, flat networks, and weak segmentation made it far easier for attackers to move around. That’s exactly the kind of gap a modern HIPAA Security posture is trying to close.

Basic controls. Missing.


What the Old Framework Actually Permitted

To understand why the new rules matter, it helps to understand what the old ones allowed.

The HIPAA Security Rule has always required covered entities to implement “reasonable and appropriate” safeguards for electronic protected health information. On paper, that sounds rigorous. In practice, it created enormous wiggle room. The “addressable” standard meant that if an organization determined that a control, such as multi-factor authentication or encryption of data at rest, was not reasonable given its size or circumstances, it could document that conclusion and skip it. There was no external body verifying whether the documentation was credible. There was no test to confirm whether the actual systems were secure. Compliance was, in many cases, a paperwork exercise.

HHS has made it clear that those gaps directly contributed to the rise in ransomware and data breaches, and that documentation without implementation will fail audits under the new rules.

The enforcement picture tells a similar story. OCR launched a new risk analysis enforcement initiative in 2023 and, in its investigations of data breaches, found that the lack of a security risk analysis and the failure to implement security risk management plans were significant deficiencies that contributed to security incidents. OCR confirmed that 22 enforcement actions resulted in settlements or civil monetary penalties in 2024, making it one of the most active years of HIPAA enforcement to date. But even active enforcement under the old framework meant that organizations were frequently getting caught only after a breach had already occurred.

Regulators have clearly decided that reactive enforcement isn’t sufficient. The new rules are designed to prevent breaches, not just punish organizations after the damage is done.


What’s Actually Changing

The 2026 Security Rule update, expected to be finalized in May 2026, dismantles the “addressable” structure and replaces it with mandatory, testable controls that apply to every covered entity and business associate regardless of size.

Under this update, multi-factor authentication becomes mandatory across the board. MFA must now apply to all access to ePHI, including EHR systems, cloud services, and third-party tools, and combining passwords with security tokens or biometric data is no longer optional. Credential theft remains the leading cause of healthcare breaches. Requiring MFA everywhere ePHI is accessed is one of the single most impactful changes in this update, and the fact that it wasn’t already universal is a sobering reminder of how long basic security practices have been treated as optional.

Additionally, encryption of ePHI becomes non-negotiable. Most organizations already encrypt data moving between systems, but storing data unencrypted at rest has been a common practice. Now, that changes. Encryption of ePHI both at rest and in transit is now a hard requirement, aligned with NIST cybersecurity standards. Importantly, encryption must be implemented and verifiable, not just claimed.

And annual penetration testing becomes a formal requirement. Covered entities must perform vulnerability scanning at least every six months and penetration testing at least annually. This is where the shift from policy to proof becomes most tangible. A vulnerability scan identifies known weaknesses in a system. A penetration test goes further: it determines whether those weaknesses can actually be exploited, and whether an attacker could chain multiple low-severity issues together into something catastrophic. Requiring annual penetration testing acknowledges that understanding your actual exposure requires more than running a tool and reviewing a list of findings.

Risk assessments have always had to be thorough, documented, and recurring. Under the revised rules, they must also be more detailed, conducted every 12 months, and designed to drive actionable security improvements. The days of conducting a risk assessment once, putting it in a binder, and revisiting it only when an auditor asks are over.

Business associate oversight also gets teeth. Covered entities have long been able to satisfy their vendor oversight obligations with a signed Business Associate Agreement. That’s no longer enough. Practice administrators must now obtain annual written verification from vendors confirming they have implemented required security controls. This evidence-based approach addresses the growing risk of third-party data breaches by requiring vendors to demonstrate, not just promise, their security capabilities.

Additionally, breach response timelines get dramatically tighter. Under the revised rules, breaches must be reported to HHS within 24 hours of discovery, affected individuals must be notified without unreasonable delay, and organizations must demonstrate the ability to restore critical systems within 72 hours following an incident. For organizations without documented, tested incident response plans, meeting that 24-hour reporting window will be a significant operational challenge.
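The controls and cadences described above (MFA on every system touching ePHI, encryption at rest and in transit, scans every six months, pentests and risk assessments every 12 months, annual written vendor verification, and the 24-hour reporting and 72-hour restoration windows) can be expressed as a repeatable evidence check rather than a binder entry. The following Python script is an added example, not code from MainNerve or from the rule text: it evaluates a constructed system inventory against those requirements and checks a sample incident timeline. The day counts (183 days for "six months", 365 for "annual" and "12 months"), the system names, vendor names and dates are all assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List, Optional, Tuple

# Cadences from the post; the exact day counts are this example's assumptions
# ("six months" taken as 183 days, "annual" and "12 months" as 365 days).
VULN_SCAN_MAX_DAYS = 183
PENTEST_MAX_DAYS = 365
RISK_ASSESSMENT_MAX_DAYS = 365
VENDOR_ATTESTATION_MAX_DAYS = 365
HHS_REPORT_HOURS = 24
RESTORE_HOURS = 72


@dataclass
class System:
    name: str
    touches_ephi: bool
    mfa_enforced: bool
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    last_vuln_scan: Optional[date] = None
    last_pentest: Optional[date] = None
    vendor: Optional[str] = None               # business associate operating it, if any
    vendor_attestation: Optional[date] = None  # date of the last written security verification


def _stale(last: Optional[date], max_days: int, as_of: date) -> bool:
    """True when evidence is missing entirely or older than the allowed cadence."""
    return last is None or (as_of - last).days > max_days


def evaluate(systems: List[System], last_risk_assessment: Optional[date],
             as_of: date) -> List[Tuple[str, str, str]]:
    """Return (system, control, detail) findings for every gap against the rule."""
    findings = []
    if _stale(last_risk_assessment, RISK_ASSESSMENT_MAX_DAYS, as_of):
        findings.append(("organization", "risk-assessment", "no risk assessment within 12 months"))
    for s in systems:
        if not s.touches_ephi:
            continue  # the controls are scoped to systems that handle ePHI
        if not s.mfa_enforced:
            findings.append((s.name, "mfa", "MFA not enforced on ePHI access"))
        if not s.encrypted_at_rest:
            findings.append((s.name, "encryption-at-rest", "ePHI stored unencrypted"))
        if not s.encrypted_in_transit:
            findings.append((s.name, "encryption-in-transit", "ePHI moves in cleartext"))
        if _stale(s.last_vuln_scan, VULN_SCAN_MAX_DAYS, as_of):
            findings.append((s.name, "vuln-scan", "no vulnerability scan in the last six months"))
        if _stale(s.last_pentest, PENTEST_MAX_DAYS, as_of):
            findings.append((s.name, "pentest", "no penetration test in the last year"))
        if s.vendor and _stale(s.vendor_attestation, VENDOR_ATTESTATION_MAX_DAYS, as_of):
            findings.append((s.name, "vendor-verification",
                             f"no written verification from {s.vendor} in the last year"))
    return findings


def check_incident(discovered: datetime, reported_to_hhs: Optional[datetime],
                   restored: Optional[datetime], now: datetime) -> List[str]:
    """Flag a missed 24-hour HHS reporting window or 72-hour restoration window."""
    issues = []
    report_deadline = discovered + timedelta(hours=HHS_REPORT_HOURS)
    if reported_to_hhs is None:
        if now > report_deadline:
            issues.append("HHS report overdue")
    elif reported_to_hhs > report_deadline:
        issues.append("HHS report late")
    restore_deadline = discovered + timedelta(hours=RESTORE_HOURS)
    if restored is None:
        if now > restore_deadline:
            issues.append("restoration overdue")
    elif restored > restore_deadline:
        issues.append("restoration exceeded 72 hours")
    return issues


# Constructed sample inventory: names, vendors and dates are made up for this example.
AS_OF = date(2026, 12, 15)
SAMPLE_SYSTEMS = [
    System("ehr-prod", True, True, True, True, date(2026, 9, 1), date(2026, 3, 10)),
    System("claims-clearinghouse", True, False, True, True, date(2026, 2, 1), date(2025, 11, 5),
           vendor="ExampleClearing LLC", vendor_attestation=None),
    System("patient-portal", True, True, False, True, date(2026, 11, 20), date(2026, 6, 2),
           vendor="ExamplePortal Inc", vendor_attestation=date(2026, 4, 1)),
    System("marketing-site", False, False, False, True),  # no ePHI, so out of scope
]
LAST_RISK_ASSESSMENT = date(2025, 10, 1)

if __name__ == "__main__":
    for system_name, control, detail in evaluate(SAMPLE_SYSTEMS, LAST_RISK_ASSESSMENT, AS_OF):
        print(f"{system_name:22} {control:24} {detail}")
    print(check_incident(datetime(2026, 12, 10, 8, 0), datetime(2026, 12, 11, 10, 0),
                         datetime(2026, 12, 12, 6, 0), datetime(2026, 12, 15, 9, 0)))
```

Missing evidence is treated the same as stale evidence, which is the point the post makes: a control that cannot be shown to have happened within its cadence is a gap, regardless of what the policy document says. The inventory would normally be fed from an asset register or a GRC export rather than hand-written literals.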


Why This Matters Beyond the Compliance Checkbox

There’s a version of this conversation that stays entirely in the regulatory lane: deadlines, penalties, and audit requirements. That version is real, and organizations need to take it seriously.

But the more important conversation is about what the data truly means to patients.

Financial data, such as credit card numbers, can be canceled and replaced. Medical records cannot. Diagnoses, treatment histories, medications, and test results are permanent parts of a person’s history, and exposure carries risks that extend beyond fraud. Stolen health information can be used to file fraudulent insurance claims, obtain prescription medications, or create leverage for extortion by threatening to expose sensitive medical conditions.

When a patient’s credit card number gets stolen, there are well-understood remedies. When their HIV status, psychiatric history, or addiction treatment records are exposed, there’s no remediation. That information is out. The consequences, such as discrimination in employment, stigma, damaged relationships, and leverage for manipulation, don’t come with a credit monitoring subscription.

Healthcare organizations have accepted enormous trust from the people they serve. The 2026 rules are, at their core, a regulatory statement that trust must be backed by actual security infrastructure, not by documentation strategies.


The Cost Argument Deserves a Real Answer

Some organizations will push back on these requirements by pointing to the cost. Industry estimates suggest the first-year cost of full compliance with the new HIPAA Security Rule will be approximately $9 billion across all covered entities and business associates. That’s a significant number, and it’s worth acknowledging honestly.

But the comparison that matters is this: a typical data breach costs $11 million to $16 million per incident when you factor in notification costs, remediation, regulatory penalties, and lost patient trust. A single major breach could cost two to three years’ worth of compliance investment. And that estimate doesn’t capture the full cost to patients whose information was exposed, or the damage to the provider-patient relationship that takes years to rebuild, if it rebuilds at all.

The cost of doing nothing is not zero. It never was. The 2026 rules simply make the cost of inadequate security more visible by attaching enforceable consequences to it.


What This Means If You’re a Covered Entity or Business Associate

If your organization handles protected health information, the window to prepare is open right now, but it won’t stay open indefinitely. The final rule is expected to be published in May 2026, with a compliance deadline of approximately 240 days after publication, putting full compliance somewhere around December 2026 or early 2027 for most organizations.

The organizations that will struggle most are the ones that wait for the final rule text before taking any action. The proposed requirements reflect practices that strong security programs already follow. If your organization isn’t conducting annual penetration tests, enforcing MFA across all systems that touch ePHI, encrypting data at rest and in transit, and verifying vendor compliance on a regular basis, you should address those gaps now, before the compliance clock officially starts running.

A risk assessment is the right first step. It tells you where you are relative to where the new rules will require you to be. From there, you can build a prioritized remediation plan that gets ahead of the deadline rather than scrambling to meet it.

At MainNerve, we’ve spent over two decades helping organizations understand their real security posture, not just their compliance posture. If you’re in the healthcare space and want to understand what the 2026 HIPAA changes mean for your organization, we’re glad to have that conversation. Contact us today to schedule your FREE consultation.
