Data Privacy

HIPAA Security Rule Overhaul: The New Technical Safeguard Requirements Coming to Every Covered Entity and Business Associate

May 12, 2026 Rebecca Leung

TL;DR

  • The HIPAA Security Rule is getting its most significant technical update since 2013. The proposed final rule is expected in May 2026, with a compliance deadline approximately 240 days after publication.
  • The core structural change: the “required” vs. “addressable” distinction at 45 CFR 164.306(d) is being eliminated. Encryption at rest, MFA, annual penetration testing, biannual vulnerability scans, and a technology asset inventory all become mandatory.
  • Business associates face the same requirements as covered entities — and many are significantly underprepared.
  • Start your gap assessment now. The 180-day compliance period that follows the rule's effective date will move faster than you think.

The HIPAA Security Rule has been largely unchanged since 2013. In that time, your threat environment has been transformed by cloud migration, mobile device proliferation, ransomware-as-a-service, and the remote workforce. The rule that governed your ePHI security posture was written when the iPad was two years old.

That’s about to change. The HIPAA Security Rule NPRM published January 6, 2025, proposed the most sweeping update to the Security Rule since the original 2003 standard was written. The HHS Office for Civil Rights received nearly 5,000 public comments and has kept the final rule on its regulatory agenda for May 2026.

Whether the final rule lands this week or in the next few weeks, one thing is clear: the compliance window after publication is approximately 240 days. Organizations that wait for the final rule to start their gap assessment are already behind.

The Core Structural Change: Everything Becomes Mandatory

The current Security Rule distinguishes between “required” and “addressable” implementation specifications at 45 CFR 164.306(d). Required specs must be implemented as written. Addressable specs are different: organizations can implement them, implement a reasonable and appropriate alternative, or document why neither applies.

That flexibility has been widely used — and, in the OCR’s view, widely abused. Encryption at rest has been “addressable” for years, which is why many hospital systems run unencrypted databases on internal networks behind perimeter controls and call it compliant. The proposed final rule eliminates this distinction and makes virtually all safeguards mandatory, with narrow, documented exceptions.

This is not a tweak. It fundamentally changes the compliance calculus for every organization that has been relying on the addressable framework to defer difficult technical implementations.

The 7 Key Technical Safeguard Changes

1. Technology Asset Inventory and Network Map

Every covered entity and business associate must maintain a comprehensive, current inventory of all technology assets that create, receive, maintain, or transmit ePHI — including servers, workstations, laptops, mobile devices, medical devices, cloud services, network equipment, and IoT devices. The inventory must be accompanied by a written network map showing how ePHI moves through those systems.

Both must be reviewed and updated at least annually and whenever significant operational changes occur.

Most organizations that think they have an asset inventory will discover in this exercise that their inventory is partial, stale, or doesn’t include cloud services and shadow IT. The OCR has flagged this in breach investigations: organizations often don’t know what they have until after an incident. The inventory requirement forces that discovery before the breach.

2. Encryption of ePHI at Rest — Mandatory

Under the proposed final rule, encryption at rest becomes mandatory. The long-standing workaround — document that your perimeter controls are an equivalent alternative measure — goes away.

Healthcare organizations with legacy clinical systems, on-premise databases, and medical devices that don’t support encryption face the most significant implementation challenge here. The path forward typically involves:

  • Encrypting at the volume or disk level where application-level encryption isn’t feasible
  • Migrating ePHI to cloud storage with native encryption controls
  • Retiring or air-gapping legacy systems that cannot be encrypted
  • For medical devices: vendor firmware updates or network isolation

This is the requirement most likely to require capital investment, particularly for community hospitals and health systems with older infrastructure.

3. Multi-Factor Authentication for ePHI Access

MFA becomes mandatory for all access to electronic information systems containing ePHI — both remote and on-site. The proposed rule doesn’t mandate a specific MFA technology, but it requires the control to be in place and documented.

The practical challenge for healthcare organizations is not MFA in general; most already have it for remote access. It's on-site clinical workflows. Nurses and physicians who share workstations and need rapid access to patient records have been the primary reason healthcare organizations have avoided or scoped out MFA for on-site access. The proposed rule does not carve out an exception for clinical workflows, which has generated significant industry pushback.

Acceptable MFA approaches include hardware tokens, authenticator apps, smart cards, and biometric authentication — organizations can choose what works for their clinical environment, but they must have it.

4. Vulnerability Scanning Every Six Months

The proposed rule requires vulnerability scanning of systems that contain or connect to ePHI at least every six months, with results documented and remediation tracked.

Most HIPAA-covered organizations already run some form of vulnerability scanning. The difference under the new rule is:

  • Formal frequency requirement (at least every six months)
  • Documentation requirements for findings, remediation timelines, and exceptions
  • Distinguishing between vulnerability scans and penetration tests (see below)

Organizations that have been doing ad-hoc or annual-only scanning will need to restructure their vulnerability management programs.

5. Annual Penetration Testing

Separate from vulnerability scanning, the proposed rule requires annual penetration testing performed by qualified professionals. A penetration test is an active simulation of an attack, not just a passive scan for known vulnerabilities.

The distinction matters. Many organizations conflate vulnerability scans with penetration tests or use the terms interchangeably. A vulnerability scanner identifies known CVEs in software versions. A penetration test actively attempts to exploit vulnerabilities, move laterally through the network, and reach ePHI. They’re different exercises, different cost levels, and different risk-management values.

For smaller covered entities and business associates, the annual penetration testing requirement will require either contracting with a specialized firm or demonstrating that in-house resources meet the qualified professional standard the OCR will likely define in guidance.

6. Anti-Malware Protection and Network Segmentation

The proposed rule makes anti-malware protection explicitly mandatory for all workstations and servers handling ePHI — removing any ambiguity that existed under the addressable framework. Endpoint protection suites, behavior-based detection, and regular signature updates become required, not best practice.

Network segmentation — isolating ePHI systems from general-purpose networks and internet-facing systems — is similarly elevated. The Change Healthcare breach in February 2024, which affected an estimated 190 million individuals and resulted in one of the most significant healthcare data events in U.S. history, illustrated the consequence of insufficient segmentation: a single compromised credential reached production claims systems without meaningful network barriers.

7. Enhanced Incident Response Requirements

The proposed rule strengthens incident response obligations, including a requirement to notify HHS within 72 hours of discovering a breach affecting 500 or more individuals (aligning HIPAA breach notification more closely with GDPR’s 72-hour notification window).

Existing HIPAA breach notification required notification to HHS within 60 calendar days of discovery for large breaches. The proposed acceleration to 72 hours requires most organizations to significantly improve their breach detection and triage capabilities — you can’t notify HHS in 72 hours if it takes you two weeks to determine that a breach occurred.

See also: Cyber Incident Response Playbook: From Detection to Lessons Learned

What Business Associates Must Do Differently

Business associates — IT vendors, cloud hosting providers, billing services, law firms, analytics companies — face the same technical safeguard requirements as covered entities under the proposed rule. Many are significantly underprepared.

The most common gaps at business associates:

  • No technology asset inventory scoped to ePHI systems
  • Inconsistent MFA: enabled for remote access but not on-premise access to ePHI systems
  • Annual scanning only: not meeting the proposed biannual frequency
  • No penetration testing or using vulnerability scans as a substitute
  • BAAs that don’t map to new requirements: business associate agreements signed before 2026 won’t reflect the updated obligations and will need amendment

Business associates who process ePHI for multiple covered entities are exposed to enforcement from both HHS OCR and their covered entity partners, who will be updating their vendor oversight requirements to reflect the new rule.

Running Your Gap Assessment Now

The organizations that will meet the compliance deadline are the ones running gap assessments before the final rule publishes — not after. The proposed requirements are clear enough from the NPRM that you can begin structured assessment today.

A practical gap assessment framework, by safeguard category:

| Requirement | Current State Questions | Evidence Needed |
|---|---|---|
| Asset inventory | Is your inventory complete? Does it include cloud, IoT, medical devices? | Dated inventory with review log |
| Network map | Do you have a written map of ePHI data flows? | Documented network diagram reviewed annually |
| Encryption at rest | Which ePHI repositories are unencrypted? What's the remediation path? | Encryption status per system, exception log |
| MFA | Is MFA required for on-site access? Which systems are carved out? | MFA enrollment rates, exception tracking |
| Vulnerability scanning | When was your last scan? Do you scan at least every six months? | Scan reports with dates and remediation tracking |
| Penetration testing | When was your last pen test? Was it a real pen test or a scan? | Penetration test report, scope documentation |
| Anti-malware | Is endpoint protection deployed on all ePHI-touching systems? | Deployment coverage report |
| Incident response | Can you detect and notify HHS in 72 hours? | IR plan with detection-to-notification timeline |

The gaps will surface most acutely in three places for most organizations: on-site MFA for clinical workflows, encryption of legacy systems, and penetration testing where vulnerability scanning has been substituted.

For business associates, add a fourth item: are your current BAAs adequate? Most agreements signed before 2026 don't reflect obligations for asset inventories, penetration testing, or 72-hour breach notification. Update them.
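The gap assessment above can be run mechanically once the asset inventory exists. The script below is an added example, not code from the article or from RiskTemplates: it encodes the technical safeguards the article lists (encryption at rest, MFA for both remote and on-site access, a vulnerability scan at least every six months, an annual penetration test, anti-malware on workstations and servers) as checks and runs them over a constructed sample inventory. The record fields, the asset kinds, the 183-day and 365-day age thresholds, and the sample assets are assumptions made for this example; the script assesses every asset rather than the single gap areas the text calls out.

```python
"""Gap assessment over a technology asset inventory (added example).

Checks each inventoried asset that handles ePHI against the safeguards the
article describes. Field names, asset kinds, thresholds and sample records
are assumptions for this example, not part of any rule text.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Asset:
    name: str
    kind: str                       # assumed values: server, workstation, laptop, cloud, medical_device
    handles_ephi: bool              # creates, receives, maintains or transmits ePHI
    encrypted_at_rest: bool
    mfa_remote: bool                # MFA enforced for remote access
    mfa_onsite: bool                # MFA enforced for on-site access
    anti_malware: bool
    last_vuln_scan: Optional[date]  # None means no scan on record
    last_pen_test: Optional[date]   # None means no pen test on record


# Thresholds derived from the article's wording; exact day counts are assumptions.
MAX_SCAN_AGE = timedelta(days=183)     # "at least every six months"
MAX_PENTEST_AGE = timedelta(days=365)  # "annual penetration testing"

# Asset kinds where the anti-malware requirement applies (workstations and servers).
ENDPOINT_KINDS = {"server", "workstation", "laptop"}


def _too_old(last: Optional[date], today: date, max_age: timedelta) -> bool:
    """True when the activity is missing or older than the allowed age."""
    return last is None or (today - last) > max_age


def assess_asset(asset: Asset, today: date) -> List[str]:
    """Return the list of gaps for one asset; an empty list means no gap found."""
    gaps: List[str] = []
    if not asset.handles_ephi:
        return gaps  # out of scope for the ePHI safeguards
    if not asset.encrypted_at_rest:
        gaps.append("encryption at rest missing")
    if not asset.mfa_remote:
        gaps.append("MFA not enforced for remote access")
    if not asset.mfa_onsite:
        gaps.append("MFA not enforced for on-site access")
    if asset.kind in ENDPOINT_KINDS and not asset.anti_malware:
        gaps.append("anti-malware not deployed")
    if _too_old(asset.last_vuln_scan, today, MAX_SCAN_AGE):
        gaps.append("vulnerability scan older than six months or missing")
    if _too_old(asset.last_pen_test, today, MAX_PENTEST_AGE):
        gaps.append("penetration test older than 12 months or missing")
    return gaps


def assess_inventory(assets: List[Asset], today: date) -> Dict[str, List[str]]:
    """Map each asset name to its gaps; this is the per-system evidence log."""
    return {a.name: assess_asset(a, today) for a in assets}


def summarize(report: Dict[str, List[str]]) -> Dict[str, int]:
    """Count how many assets fail each control, to prioritise remediation."""
    counts: Dict[str, int] = {}
    for gaps in report.values():
        for gap in gaps:
            counts[gap] = counts.get(gap, 0) + 1
    return counts


# Constructed sample inventory; names and dates are invented for the example.
SAMPLE_INVENTORY = [
    Asset("ehr-db-01", "server", True, False, True, False, True,
          date(2026, 1, 15), date(2025, 3, 1)),
    Asset("clinic-ws-07", "workstation", True, True, True, False, False,
          date(2025, 10, 1), date(2025, 9, 1)),
    Asset("billing-saas", "cloud", True, True, True, True, False,
          date(2026, 4, 10), date(2025, 11, 20)),
    Asset("lobby-kiosk", "workstation", False, False, False, False, False,
          None, None),
]
ASSESSMENT_DATE = date(2026, 6, 1)  # assumed assessment date

if __name__ == "__main__":
    report = assess_inventory(SAMPLE_INVENTORY, ASSESSMENT_DATE)
    for name, gaps in report.items():
        print(f"{name}: {'no gaps' if not gaps else '; '.join(gaps)}")
    print("control failures:", summarize(report))
```

Run against the constructed inventory, the database server shows the three gaps the article predicts for legacy infrastructure (no encryption at rest, no on-site MFA, stale penetration test), the shared clinical workstation fails on-site MFA, anti-malware and scan frequency, the cloud billing service and the out-of-scope kiosk show nothing. Replace SAMPLE_INVENTORY with records loaded from your real inventory to produce the per-system evidence the gap table asks for.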

So What?

The 2026 HIPAA Security Rule update is not a compliance exercise about checking boxes that were already checked. It is a fundamental reassessment of whether your ePHI protection infrastructure is adequate for the threat environment of 2026, not 2003.

The organizations that will have the smoothest compliance experience are the ones that treat this as a technical security upgrade program, not a documentation project. The controls being mandated — MFA, encryption at rest, penetration testing, network segmentation — are what strong cybersecurity programs already do. If you’re doing these things already, your compliance gap is primarily documentation and frequency. If you’re not, the documentation gap is the least of your problems.

The enforcement signal from OCR is clear. The Change Healthcare breach investigation, covering 190 million affected individuals, is still active. Hospital systems have faced multi-million-dollar penalties for failure to conduct basic risk analyses under the existing rule. The new rule adds mandatory controls with no “addressable” escape hatch. Non-compliance exposure goes up substantially.

Start the gap assessment. Map your ePHI systems. Inventory your assets. Find out which systems can’t support encryption. Get a real penetration test scheduled. Those tasks take months to execute — and the compliance clock starts when the final rule publishes.


Related reading: Data Classification Policy Template: How to Tier Data Without 200 Categories · Cyber Incident Response Playbook: From Detection to Lessons Learned · Vendor Breach Response: What to Do When a Critical Supplier Reports an Incident

External references: HHS NPRM Federal Register (Jan. 6, 2025) · HHS OCR Security Rule NPRM Fact Sheet · HHS Security Rule Overview · Alston & Bird: HIPAA Security Rule Still on Track (Nov. 2025) · HIPAA Journal: 2026 Updates

Frequently Asked Questions

What is changing in the HIPAA Security Rule in 2026?

The most significant structural change is the elimination of the 'required' vs. 'addressable' distinction at 45 CFR 164.306(d). Previously, organizations could opt out of 'addressable' controls by documenting an equivalent alternative measure. Under the proposed final rule, virtually all safeguards become mandatory — including encryption at rest, multi-factor authentication, annual penetration testing, biannual vulnerability scanning, and a technology asset inventory with network map. All of these were previously 'addressable' for many organizations.

When does the HIPAA Security Rule final rule take effect?

The Office for Civil Rights has targeted May 2026 for publication of the final rule. Under the standard HIPAA rulemaking timeline, the rule would become effective 60 days after publication, with a 180-day compliance period following. That puts the compliance deadline in late 2026 to early 2027 for most organizations. Business associates with more complex technical environments may find the timelines tight — preparation should start now.

Who is covered by the HIPAA Security Rule changes?

All HIPAA covered entities (health plans, healthcare clearinghouses, and healthcare providers who transmit any health information electronically) and all business associates — including IT vendors, billing companies, cloud service providers, law firms, and any other entity that creates, receives, maintains, or transmits ePHI on behalf of a covered entity. Business associates are subject to the same technical safeguard requirements as covered entities under the proposed rule.

What is the technology asset inventory requirement?

The proposed rule requires covered entities and business associates to maintain a comprehensive, current inventory of all technology assets that create, receive, maintain, or transmit ePHI, along with a written network map showing how ePHI moves through those systems. The inventory must be reviewed and updated at least annually and whenever significant operational changes occur. This includes servers, workstations, laptops, mobile devices, medical devices, cloud services, network equipment, and IoT devices that touch patient data.

Does HIPAA encryption at rest become mandatory under the new rule?

Yes. Under the current rule, encryption of ePHI at rest is 'addressable' — meaning organizations can document an equivalent alternative and skip encryption on certain systems. The proposed final rule makes encryption at rest mandatory, with limited exceptions. Encryption in transit was already effectively required; this closes the loophole on at-rest storage. Legacy systems that can't support encryption will need to be replaced, air-gapped, or retired.

What's the penalty exposure for not complying with the new HIPAA Security Rule?

The OCR's civil money penalty tiers run from $137 to $2.067 million per violation category per year. The OCR has been increasingly active in enforcement — including the 2024 Change Healthcare breach investigation (which affected 190 million individuals) and multiple hospital system enforcement actions. The new rule's mandatory controls remove the 'we documented an equivalent alternative' defense that organizations have used for addressable safeguards.
Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
