If you work in healthcare or support organizations that handle patient data, you’ve probably heard that HIPAA is changing in 2026. The short version is that this is the most significant overhaul to the Security Rule since it was first introduced in 2003, and the compliance clock is already running. Understanding what’s changing and why it matters is the first step toward getting ahead of it rather than scrambling to catch up.
A Quick Look at What’s Already in Effect
A key compliance deadline that has already passed is February 16, 2026, when all Notices of Privacy Practices (NPPs) were required to be revised. These updated NPPs need to clearly explain how patient information is protected, particularly around sensitive categories like substance use disorder treatment records. Covered entities must now include language describing how substance use disorder records protected under Title 42 of the Code of Federal Regulations Part 2 may be used and disclosed.
If your organization hasn’t updated its NPP yet, the deadline has passed, and you’re already out of compliance. It should be at the top of your to-do list immediately.
The Security Rule Overhaul: What’s Coming
The bigger story for most organizations is the proposed overhaul of the HIPAA Security Rule. For the first time since 2013, the U.S. Department of Health and Human Services Office for Civil Rights has proposed major updates to the Security Rule, with regulators aiming to finalize those updates by May 2026, along with a clear compliance timeline.
The changes are substantial and reflect how dramatically the threat landscape has evolved since the original rule was written. Healthcare has become one of the most targeted industries for ransomware and data theft, and the old framework, which allowed organizations to document why they chose not to implement certain controls, left too much room for inconsistency.
Under the 2026 HIPAA changes, the “addressable” flexibility is disappearing. The updated Security Rule is designed to standardize minimum cybersecurity controls across the healthcare sector, regardless of organization size, with regulators now expecting consistent, enforceable, and testable security controls rather than explanations for why they weren’t implemented.
The Specific Requirements to Know
Multi-Factor Authentication (MFA)
Multifactor authentication will become mandatory for all systems accessing electronic protected health information (ePHI), including EHRs, patient portals, billing software, and file-sharing platforms. This requirement extends beyond remote access logins; it applies to any system that touches ePHI. Organizations that have been delaying MFA deployment because it wasn’t technically “required” won’t have that option much longer.
Encryption of ePHI At Rest and In Transit
Most organizations already encrypt data moving across networks, but the 2026 HIPAA changes make encryption at rest mandatory as well, aligning encryption expectations with recognized NIST cybersecurity standards, including secure key management and access controls. The important distinction here is that encryption must be implemented and verifiable. Documentation alone won’t satisfy an audit.
Annual Risk Assessments and Penetration Testing
The revised rule requires risk assessments to be more detailed, thoroughly documented, conducted every 12 months, and designed to drive actionable security improvements. Alongside those risk assessments, routine penetration testing is expected to become a formal requirement. This aligns with how most mature security programs already operate, but for organizations that have only been running vulnerability scans, there’s a meaningful difference between scanning for known issues and testing whether those vulnerabilities can be exploited.
At MainNerve, we’ve been running penetration tests for healthcare-adjacent organizations for over two decades. One of the things we consistently see is that passing a compliance scan doesn’t mean you’re secure; it means you passed a scan. Real pen testing, the kind that chains vulnerabilities together the way an actual attacker would, uncovers an entirely different category of risk. The new HIPAA requirements are moving in that direction, and rightfully so.
Tighter Business Associate Agreements
The revised rule would require more specific language in Business Associate Agreements (BAAs), thereby eliminating covered entities’ ability to rely on certain blanket statements. BAAs would have to specify all new cybersecurity requirements, including MFA, data encryption, incident reporting timelines, vulnerability scanning, and penetration testing.
This is an area that often catches organizations off guard. A signed BAA is no longer enough to demonstrate vendor oversight. Covered entities must now obtain written verification at least annually confirming that business associates have implemented required technical safeguards. If you can’t confirm that your vendors are actually meeting these standards, you’re carrying their risk on top of your own.
Faster Breach Reporting
Business associates must report security incidents within 24 hours of discovery under the expected revisions. This tightens a window that has historically been measured in days or weeks. Organizations need to have incident response procedures in place that can meet that timeline, and those procedures need to be tested before an incident occurs.
System Recovery Within 72 Hours
The updated contingency plan standards require organizations to demonstrate the ability to restore critical systems within 72 hours following an incident, a requirement heavily influenced by HHS ransomware guidance that emphasizes recovery capability as a core security function. This moves disaster recovery from a theoretical plan in a binder to something that needs to be tested and documented regularly.
Why This Is Happening Now
Healthcare has been a prime target for ransomware and data breaches for years, and the numbers bear that out. The old framework’s flexibility, while well-intentioned, created uneven security practices across the industry. Healthcare organizations that relied solely on written policies, rather than on measurable controls and ongoing monitoring, faced a higher risk of cyberattacks and regulatory scrutiny. These changes shift HIPAA compliance from a checklist task to a proactive, measurable process that ultimately protects patient data and ensures operational continuity.
What to Do Before the Deadlines Hit
The organizations that will struggle most with these changes are those that wait for a final rule before taking any action. The proposed requirements aren’t a surprise. They reflect what good security hygiene looks like in 2026. If your organization is already running annual penetration tests, enforcing MFA across all systems, encrypting ePHI at rest and in transit, and verifying vendor compliance annually, you’re largely ahead of where these rules are heading.
If you’re not doing those things yet, the time to start is before regulators finalize the timeline, not after.
For organizations in the healthcare space, or businesses that support them as vendors or partners, this is a good time to take stock of your security program. A risk assessment can help identify the gaps between your current posture and the posture the new rules will require. A penetration test can tell you whether the controls you have in place are working.
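One way to start taking stock is to turn the controls listed in this post into a checklist that runs over an inventory and reports gaps. The script below is an added example, not MainNerve's tool or anything from the post; it checks ePHI-handling systems for MFA and encryption at rest and in transit, checks that the risk assessment, penetration test and written vendor verification fall inside a 12-month window, checks for BAAs on file, and computes the 24-hour business-associate reporting and 72-hour recovery deadlines from an incident discovery time. The inventory fields, system and vendor names, and dates are constructed for illustration, and the 12-month restore-test cadence for critical systems is an assumption (the post only says recovery must be tested and documented regularly).

```python
"""Gap check against the controls the 2026 HIPAA Security Rule overhaul is expected to require.
Added example with a constructed inventory; not an official tool."""
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional

ANNUAL = timedelta(days=365)             # 12-month cadence: risk assessment, pen test, vendor verification
BA_REPORT_WINDOW = timedelta(hours=24)   # business associates report incidents within 24 hours of discovery
RECOVERY_WINDOW = timedelta(hours=72)    # critical systems restored within 72 hours of an incident


@dataclass
class System:
    name: str
    handles_ephi: bool          # only ePHI-touching systems are in scope for MFA/encryption checks
    mfa_enforced: bool
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    critical: bool = False
    last_restore_test: Optional[date] = None   # assumed: restore tests tracked per critical system


@dataclass
class Vendor:
    name: str
    baa_signed: bool
    safeguards_verified_on: Optional[date]     # date of last written safeguard verification


@dataclass
class Program:
    last_risk_assessment: Optional[date]
    last_pentest: Optional[date]
    systems: List[System] = field(default_factory=list)
    vendors: List[Vendor] = field(default_factory=list)


def _overdue(last: Optional[date], as_of: date) -> bool:
    """True when an annual activity has never happened or is older than 12 months."""
    return last is None or as_of - last > ANNUAL


def assess(program: Program, as_of: date) -> List[str]:
    """Return one human-readable finding per control gap."""
    findings: List[str] = []
    if _overdue(program.last_risk_assessment, as_of):
        findings.append("program: risk assessment missing or older than 12 months")
    if _overdue(program.last_pentest, as_of):
        findings.append("program: penetration test missing or older than 12 months")
    for s in program.systems:
        if not s.handles_ephi:
            continue  # out of scope: the controls apply to systems that touch ePHI
        if not s.mfa_enforced:
            findings.append(f"{s.name}: MFA not enforced on ePHI system")
        if not s.encrypted_at_rest:
            findings.append(f"{s.name}: ePHI not encrypted at rest")
        if not s.encrypted_in_transit:
            findings.append(f"{s.name}: ePHI not encrypted in transit")
        if s.critical and _overdue(s.last_restore_test, as_of):  # 12-month cadence is an assumption
            findings.append(f"{s.name}: no documented restore test within 12 months for critical system")
    for v in program.vendors:
        if not v.baa_signed:
            findings.append(f"{v.name}: no BAA on file")
        elif _overdue(v.safeguards_verified_on, as_of):
            findings.append(f"{v.name}: written safeguard verification missing or older than 12 months")
    return findings


def incident_deadlines(discovered: datetime) -> Dict[str, datetime]:
    """Deadlines that start running the moment an incident is discovered."""
    return {"ba_report_by": discovered + BA_REPORT_WINDOW,
            "restore_by": discovered + RECOVERY_WINDOW}


# Constructed sample inventory (names and dates are made up for illustration).
SAMPLE = Program(
    last_risk_assessment=date(2025, 9, 1),
    last_pentest=date(2024, 11, 15),                      # stale: more than 12 months old
    systems=[
        System("ehr-prod", True, True, True, True, critical=True, last_restore_test=date(2025, 12, 2)),
        System("patient-portal", True, True, False, True),   # missing encryption at rest
        System("billing-app", True, False, True, True),      # missing MFA
        System("marketing-site", False, False, False, True), # no ePHI: out of scope
    ],
    vendors=[
        Vendor("cloud-backup-co", True, date(2025, 3, 20)),
        Vendor("transcription-llc", True, date(2024, 6, 1)),  # verification stale
        Vendor("shredding-inc", False, None),                 # no BAA at all
    ],
)
AS_OF = date(2026, 3, 1)
SAMPLE_DISCOVERY = datetime(2026, 3, 1, 9, 0)

if __name__ == "__main__":
    for finding in assess(SAMPLE, AS_OF):
        print(" -", finding)
    for label, when in incident_deadlines(SAMPLE_DISCOVERY).items():
        print(f"{label}: {when.isoformat()}")
```

Scoping by `handles_ephi` is the point worth keeping: the gap list should be driven by where ePHI actually lives, so the inventory behind it has to be accurate before the checklist means anything.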
MainNerve works with organizations across a range of industries on exactly this kind of security and compliance work. If you have questions about how the 2026 HIPAA changes might affect your organization, or you’re looking for a partner to help you get ready, contact us to set up a free consult.