2026 HIPAA Cybersecurity: “Proposed” Rule Updates & Changes You Should Start Preparing for Now

Published On: January 2nd, 2026

If your organization touches ePHI, early 2026 is the right moment to get practical—because the proposed HIPAA Security Rule update is aimed at making security controls real, configured, and provable, not just “we have a policy somewhere.” The Office for Civil Rights (OCR) issued the proposal on December 27, 2024, and it hit the Federal Register on January 6, 2025, with comments due March 7, 2025.

Meanwhile, the government’s Unified Agenda listing shows the rule in the Final Rule Stage with a target “Final Action” of May 2026 (listed as “05/00/2026”)—a target date that can shift, but it’s a useful planning signal.

One more near-term deadline (separate from the Security Rule proposal)

Covered entities also need to be aware that remaining HIPAA Notice of Privacy Practices (NPP) modifications are required by February 16, 2026. If you’re updating patient-facing notices anyway, it’s a great time to refresh internal training and documentation so your program doesn’t drift out of alignment.

What OCR is trying to do (in plain English)

OCR’s message is basically: “Cyber threats have changed—so the minimum expectations need to be clearer and stronger.” The proposed HIPAA Security Rule update is designed to reduce wide variation in Security Rule implementation and push organizations toward safeguards that are actually deployed and maintained—not just described on paper.

The 5 proposed changes that will drive most 2026 work plans

1) A real asset inventory + a real map of how ePHI moves

The proposal would require a written technology asset inventory and network map that shows how ePHI moves into, through, and out of your systems—and it must be reviewed and updated at least annually and upon meaningful changes.

Why you’ll feel this immediately: you can’t protect what you can’t find. Inventory + data flow mapping becomes the backbone of everything else.

2) Encryption becomes “default everywhere” (with narrow exceptions)

OCR proposes requiring regulated entities to encrypt all ePHI at rest and in transit, with limited exceptions and conditions.

Where organizations get surprised: backups, exports, legacy apps, file shares, endpoints, and third-party integrations—those are common “plain text” leak points.

3) MFA as a baseline—not a “nice to have”

The proposal would require multi-factor authentication (MFA) across relevant electronic information systems, including for actions that change privileges—plus specific, limited exceptions (like assets that don’t support MFA, with a written migration plan).

Practical takeaway: it’s not enough to have MFA on email/VPN. You’ll want it on admin consoles, remote access paths, and any access route that can touch ePHI.

4) Vulnerability scans at least every 6 months + annual penetration testing

The proposal would require automated vulnerability scans at least once every six months (or more often if your risk analysis demands it) and penetration testing at least once every 12 months (again, possibly more often depending on risk analysis).

What OCR will care about in practice: evidence. Not just that tests happened, but that findings were prioritized, remediated, and tracked to closure.

5) A potentially fast compliance runway after the final rule

OCR notes the standard approach: a final rule would typically become effective 60 days after publication, and the department proposes applying the usual HIPAA 180-day compliance period after the effective date (unless a longer period is specified for certain provisions).

Translation: even if “Final Action” lands around the Unified Agenda target, the time between “final rule published” and “you must comply” may feel short—especially if you haven’t already started inventorying, encrypting, and expanding MFA.

If you do only three things in January 2026, do these

1) Draw the map

  • List every system that stores/transmits ePHI (EHR, billing, imaging, portals, file services, email workflows, endpoint devices, cloud storage, integrations).
  • Document where ePHI enters, where it lives, and how it exits (and who can access it).
    This aligns directly with the proposed inventory and network mapping requirement.

2) Expand MFA where it matters most

  • Prioritize privileged/admin access and external access paths first.
    This matches the proposed MFA requirements and privilege-change coverage.

3) Prove encryption end-to-end

  • Confirm encryption at rest (databases, storage, backups, endpoints) and in transit (interfaces, APIs, SFTP, messaging, remote access).
    This aligns with OCR’s proposed “encrypt all ePHI at rest and in transit” approach.

A simple 30–60–90 day plan (early 2026)

Days 1–30: Get visibility

  • Inventory systems + create the ePHI movement map.
  • Assign an owner for each system and a place to store evidence (policies, screenshots, configurations, tickets, test results).

Days 31–60: Lock down access + encryption

  • Expand MFA coverage and document any exception + migration plan.
  • Validate encryption at rest/in transit and close obvious gaps.

Days 61–90: Make testing routine

  • Put vulnerability scans on a calendar (at least every 6 months) and set up a remediation workflow you can audit.
  • Schedule annual penetration testing and track findings to closure.

Bottom line

Even though these HIPAA Security Rule updates are still proposed, the direction is clear: know your assets, map your ePHI, encrypt by default, require MFA broadly, test regularly, and keep evidence that proves it’s working.

Click here to review the 2026 HHS changes and requirements on the official Federal Register.

Compliance note: This post is for general informational purposes and is not legal advice.
