Understanding the Proposed Changes to HIPAA’s Security Rule

HIPAA Security Rule 2026: What Healthcare Organizations Should Prepare For

A Brief History of HIPAA and its Security Rule

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was enacted to address two primary objectives: protect health insurance coverage during job transitions or loss, and establish national standards for protecting sensitive health information.

Over the years, HIPAA has evolved to include additional Rules that reflect the growing digitization of healthcare, particularly through the Privacy Rule, Security Rule and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The Security Rule, specifically, was introduced to provide a framework for safeguarding electronic protected health information (ePHI). It mandates that covered entities implement administrative, physical and technical safeguards to protect ePHI from breaches and unauthorized access.

Why the HIPAA Security Rule is Changing Now

Cyberattacks on healthcare organizations have surged in recent years, with data breaches affecting millions of patients and disrupting care.

According to the HIPAA Journal, over 85 million individuals were impacted by breaches in 2024. Between 2018 and 2023, reports of large breaches rose by 102%, affecting over 167 million individuals in the past year alone. These trends threaten not only patient privacy, but also patient safety, continuity of care, system resilience and public trust.

The Office for Civil Rights (OCR) has explained that the proposal is meant to modernize the Rule to better address the growing risks across the healthcare sector in today’s digital environment.

Key Proposed Changes to HIPAA’s Security Rule and Who They Impact

The proposed Rule contains several changes that would significantly impact organizations that handle ePHI, which includes covered entities (CEs) such as health care providers, health plans and healthcare clearinghouses, and their business associates.

1. More Security Requirements Would Become Mandatory

One of the most significant proposed changes would remove the long-standing distinction between “required” and “addressable” implementation specifications, making all implementation specifications required except for limited exceptions. OCR also proposes requiring written documentation for all Security Rule policies, procedures, plans and analyses. Together, those changes would likely reduce flexibility in how organizations interpret and operationalize compliance obligations.

2. Asset Inventory and Network Mapping Would Become Core Compliance Expectations

The proposed changes would require organizations to develop and maintain a technology asset inventory and a network map showing how ePHI moves through the organization’s electronic information systems. This would need to be performed on an ongoing basis, at least once every 12 months, and also when a change in the organization’s environment or operations could affect ePHI.

3. Risk Analysis Would Become More Prescriptive

The current Rule already requires a risk analysis, but the OCR’s proposal would be much more specific about what that analysis must include. The proposed rule would require a written assessment that incorporates, among other things, the technology asset inventory and network map, reasonably anticipated threats to ePHI, potential vulnerabilities and predisposing conditions, and an assessment of risk level based on the likelihood that identified threats could exploit identified vulnerabilities.

For organizations that have historically approached HIPAA risk analysis at a high level, this proposal signals a move toward more detailed, repeatable and defensible methodology. This matters both for internal security planning and for demonstrating compliance in the event of an OCR investigation or audit.

4. Stronger Incident Response and Contingency Planning

The proposed changes would place greater emphasis on how organizations prepare for, respond to and recover from security incidents.

Organizations would be required to establish written procedures to restore certain relevant electronic information systems and data within 72 hours of their loss, determine restoration priorities based on system criticality, and maintain documented security incident response plans and procedures. The OCR also proposes requiring written procedures for testing and revising those plans.

In addition, organizations would be required to provide notice within 24 hours when a workforce member’s access to ePHI or certain electronic information systems is changed or terminated.

5. Technical Safeguards Would Be More Specific

The proposal would require a more explicit set of technical controls, including encryption of ePHI at rest and in transit, multi-factor authentication, anti-malware protections, vulnerability scanning at least every six months, penetration testing at least annually, network segmentation and separate technical controls for backup and recovery. The OCR also proposes requirements tied to system configuration, such as removing extraneous software and disabling network ports in line with the organization’s risk analysis.

For many organizations, these controls may already exist in some form, but under the proposal, the challenge will be consistent deployment and formal documentation that safeguards are reviewed and functioning as intended.

6. Annual Compliance Audits and Business Associate Verification

CEs would be required to conduct a compliance audit at least once every 12 months. The OCR also proposes that business associates verify annually for covered entities that they have deployed certain required technical safeguards through a written analysis by a subject matter expert and a written certification that the analysis has been performed and is accurate.

That is significant because it would introduce a more formal compliance validation layer, particularly in third-party relationships. CEs may need to revisit how they collect evidence from business associates, and business associates may need to prepare for more structured scrutiny from clients and regulators alike.

Why This Matters for Healthcare Organizations

If finalized substantially as proposed, these changes would have implications across technology, compliance, legal, operations, governance and vendor management. CEs and business associates would likely need to spend more time documenting controls, testing safeguards, validating third-party compliance, modernizing legacy environments and aligning security programs with more formal regulatory expectations.

The greatest impact may not be one single requirement, but the cumulative effect of more specificity, more frequent testing, more documentation and more direct accountability. Even organizations with mature cybersecurity programs may need to reassess whether their current HIPAA documentation and governance structure would satisfy the level of detail contemplated by OCR’s proposal.

What Healthcare Organizations Should Do Now to Prepare for HIPAA’s Updated Security Rule

Although the Rule modifications are not yet final, organizations should not wait to evaluate their readiness. Once published in the Federal Register, the final Rule would take effect 60 days later, and HHS has proposed a compliance period of 180 days after the effective date. In practical terms, that would give regulated entities roughly eight months from publication to come into compliance — making advance planning especially important.

Priority next steps include:

  • Review your inventory of systems and assets tied to ePHI
  • Map how ePHI moves through your environment
  • Perform a gap assessment against the proposed requirements
  • Refresh your risk analysis to reflect current threats and vulnerabilities
  • Revisit incident response and contingency plans
  • Evaluate safeguards such as encryption, MFA, backup and recovery
  • Review vendor relationships and business associate obligations
  • Engage leadership on compliance planning and operational priorities

Taking these steps now can help organizations better understand their current state and be in a stronger position to respond once the final rule is issued.

How FD Can Help

Frazier & Deeter’s HIPAA risk analysis, consulting and compliance-based services have been meticulously aligned with the Security Rule, OCR guidance and other authoritative sources. Whether your organization is at the forefront of developing a HIPAA compliance program, seeking consultation to adopt these newly proposed changes, or in the midst of a breach investigation, our team can help identify practical next steps and support a more resilient approach to protecting ePHI. Reach out to our team to get started.

Contributors

Andrew Hicks, Partner, Frazier & Deeter Advisory, LLC
Jessie Sandell, Principal