
The 2026 HIPAA Security Rule: what changes for small practices

The proposed 2026 Security Rule update is the first major revision since 2013. Here is what is actually changing, what is not, and what small covered entities need to do before the rule finalizes.


On January 6, 2025, HHS published a Notice of Proposed Rulemaking (NPRM) in the Federal Register: HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information (90 Fed. Reg. 898). The comment period closed March 7, 2025. A final rule has not yet been published.

This is the first significant overhaul of the HIPAA Security Rule since 2013. For small covered entities — practices with fewer than 25 employees — the changes are meaningful but manageable if you understand what is actually being proposed.

What this is and what it is not

The 2026 rule is a proposed rule. It has not been finalized. Compliance deadlines will be set in the final rule, likely 180–365 days after publication for smaller covered entities.

This matters for planning: the existing 2013 Security Rule is still the law. You must comply with it now. The 2026 NPRM tells you where OCR is heading — but it does not replace your current obligations.

OCR's enforcement posture has not changed during the NPRM period. Risk Analysis Initiative settlements have continued, all under the 2013 rule.

The seven major proposed changes

1. Annual risk analysis, explicitly required

The 2013 rule requires risk analysis but does not specify a frequency. The 2026 NPRM would require a documented risk analysis at least annually for most covered entities, with additional reviews required when there are "relevant changes" to the environment.

This codifies what OCR already expects in practice — investigators consistently cite risk analyses older than 12 months as inadequate.

For small practices: If you are already doing an annual risk analysis, this change confirms what you should be doing. If not, start now — under the current rule, a current analysis is already expected.

Citation: 90 Fed. Reg. 898, proposed 45 CFR § 164.308(a)(1)(ii)(A)

2. Mandatory MFA for all systems touching ePHI

The 2013 rule lists multi-factor authentication (MFA) as an "addressable" specification — meaning covered entities can decide not to implement it if they document why an alternative is equivalent. The 2026 NPRM would make MFA required (not addressable) for any system that creates, receives, maintains, or transmits ePHI.

This is the largest operationally impactful change for small practices. Most EHRs already offer MFA; the gap tends to be in adjacent systems — email, remote access, billing software, cloud backup.

For small practices: Audit every system that touches ePHI. If any of them do not support MFA, that is a gap that will need to be addressed before the rule finalizes.

Citation: 90 Fed. Reg. 898, proposed 45 CFR § 164.312(d)

3. Mandatory encryption for ePHI at rest and in transit

The 2013 rule treats encryption as "addressable." The 2026 NPRM would make encryption required for ePHI both at rest (stored) and in transit (transmitted over networks).

Most cloud EHR vendors already encrypt at rest and in transit. The gap is typically in local backups, email transmission, and devices used by staff.

For small practices: Confirm with your EHR vendor that encryption is enabled by default. Check whether you transmit ePHI via unencrypted email (most standard email is not encrypted in transit). Review what happens to backup copies of patient data.

Citation: 90 Fed. Reg. 898, proposed 45 CFR § 164.312(a)(2)(iv) and § 164.312(e)(2)(ii)

4. 72-hour incident response documentation

Current HIPAA does not specify a timeline for internal incident response documentation (breach notification to HHS has separate timelines). The 2026 NPRM would require covered entities to restore critical systems within 72 hours of a security incident and document the restoration.

Citation: 90 Fed. Reg. 898, proposed 45 CFR § 164.308(a)(6)(ii)

5. Technology asset inventory, updated annually

The 2026 NPRM would require a formal technology asset inventory — a list of all hardware and software that create, receive, maintain, or transmit ePHI — maintained and reviewed at least annually.

Many practices have this informally. The proposal would make it a documented requirement, tied to the risk analysis process.

For small practices: The technology inventory is a natural input to the annual risk analysis. If you are building one for risk analysis purposes, the format can serve both requirements.

Citation: 90 Fed. Reg. 898, proposed 45 CFR § 164.308(a)(1)(ii)(A)(2)

6. Network segmentation

The proposed rule includes guidance (not a hard requirement in the NPRM) on network segmentation — separating systems that handle ePHI from general business or guest traffic.

This is more relevant to larger practices with complex networks. A small practice on a single cloud EHR without a local server rarely needs to segment. But practices with local servers, medical devices on the network, or mixed business-personal device use should assess this.

7. BAA requirements tightened

The 2026 NPRM would require covered entities to verify annually that their business associates have implemented required safeguards — not just execute a BAA and file it. This means periodic check-ins with your EHR vendor, billing company, and other covered service providers.

Citation: 90 Fed. Reg. 898, proposed 45 CFR § 164.308(b)(1)

What is not changing

The core structure of the Security Rule — administrative, physical, and technical safeguards, the risk analysis and risk management plan requirement, the BAA requirement for business associates — is unchanged. The 2026 NPRM builds on the existing framework; it does not replace it.

The Privacy Rule (which governs who can see and use patient information) is not affected by this NPRM.

What you should do before the final rule

Regardless of when the final rule is published:

  1. Complete your current-year risk analysis under the existing rule. Non-compliance with the 2013 rule is the current risk. OCR has not paused enforcement while the rulemaking is pending.

  2. Audit your MFA status across all systems that touch ePHI. This is the highest-impact and most operationally complex change. Lead time matters — getting your EHR vendor to enable MFA, migrating email to a compliant platform, or configuring remote access properly takes time.

  3. Inventory your technology assets as part of your risk analysis. This serves both the current requirement and the proposed new requirement.

  4. Review your BAAs with your primary vendors. Are they current? Do they include the security representations the 2026 rule will likely require?

  5. Watch the Federal Register for the final rule publication date. The compliance window starts from that date, not from today.
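Steps 1 through 4 above all draw on the same document: a technology asset inventory that records, per system, whether it touches ePHI, whether MFA is enforced, whether ePHI is encrypted at rest and in transit, and whether the vendor's BAA has been verified within the year. The script below is an added illustration written for this page, not code from the original article or from CoreFolio, that turns such an inventory into a gap report. The inventory entries are constructed sample data, the 365-day threshold is this example's reading of "at least annually", and the field names are this example's own choices rather than anything specified by the NPRM.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption: "at least annually" is read as a 365-day window. The NPRM states
# the frequency, not a day count, so this figure is the example's own choice.
ANNUAL = timedelta(days=365)


@dataclass
class Asset:
    """One row of the technology asset inventory (fields are this example's own)."""
    name: str
    kind: str                              # "software" or "hardware"
    touches_ephi: bool                     # creates, receives, maintains or transmits ePHI
    mfa_enforced: bool
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    vendor_is_ba: bool = False             # vendor is a business associate
    baa_on_file: bool = False
    baa_last_verified: Optional[date] = None   # last safeguard check-in with the vendor
    segment: str = "clinical"              # network segment the asset sits on


def asset_gaps(asset: Asset, today: date) -> list[str]:
    """Return the list of gaps for one inventory entry (empty if none)."""
    gaps: list[str] = []
    if not asset.touches_ephi:
        return gaps                        # out of scope for the ePHI checks
    if not asset.mfa_enforced:
        gaps.append("MFA not enforced")
    if not asset.encrypted_at_rest:
        gaps.append("ePHI not encrypted at rest")
    if not asset.encrypted_in_transit:
        gaps.append("ePHI not encrypted in transit")
    if asset.vendor_is_ba:
        if not asset.baa_on_file:
            gaps.append("no BAA on file")
        elif asset.baa_last_verified is None or today - asset.baa_last_verified > ANNUAL:
            gaps.append("BA safeguards not verified in the last year")
    if asset.segment == "guest":
        gaps.append("ePHI system on guest network segment")
    return gaps


def gap_report(inventory: list[Asset], today: date) -> dict[str, list[str]]:
    """Map asset name -> gaps, listing only assets that have at least one gap."""
    report = {}
    for asset in inventory:
        gaps = asset_gaps(asset, today)
        if gaps:
            report[asset.name] = gaps
    return report


def risk_analysis_is_current(last_analysis: Optional[date], today: date) -> bool:
    """True if a documented risk analysis exists and is no older than the annual window."""
    return last_analysis is not None and today - last_analysis <= ANNUAL


# Constructed sample inventory for a hypothetical small practice (not real systems).
SAMPLE_INVENTORY = [
    Asset("cloud-ehr", "software", True, True, True, True,
          vendor_is_ba=True, baa_on_file=True, baa_last_verified=date(2025, 9, 1)),
    Asset("office-email", "software", True, False, True, False,
          vendor_is_ba=True, baa_on_file=True, baa_last_verified=None),
    Asset("billing-saas", "software", True, True, True, True,
          vendor_is_ba=True, baa_on_file=True, baa_last_verified=date(2024, 3, 1)),
    Asset("backup-nas", "hardware", True, False, False, True),
    Asset("guest-wifi-router", "hardware", False, False, False, False, segment="guest"),
]

# Constructed "as of" date matching the article's own timestamp.
AS_OF = date(2026, 5, 12)


def main() -> None:
    for name, gaps in gap_report(SAMPLE_INVENTORY, AS_OF).items():
        print(f"{name}: {'; '.join(gaps)}")
    print("risk analysis current:", risk_analysis_is_current(date(2025, 4, 1), AS_OF))


if __name__ == "__main__":
    main()
```

Running it on the sample data flags the email system (no MFA, no transit encryption, vendor never verified), the billing vendor (BAA verification older than a year) and the local backup NAS (no MFA, not encrypted at rest), while the guest router is ignored because it does not touch ePHI. The same structure, exported from a spreadsheet, is what a practice would attach to its annual risk analysis.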


Sources: Notice of Proposed Rulemaking, HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information, 90 Fed. Reg. 898 (Jan. 6, 2025). Comment period closed March 7, 2025. The final rule has not been published as of 2026-05-12. Existing rule citations: 45 CFR §§ 164.308–164.312.