
    The Proposed HIPAA Security Rule Overhaul: What Changes, What It Costs, and How to Prepare

    > TL;DR: The proposed HIPAA Security Rule update — the first major overhaul since 2013 — would eliminate "addressable" safeguards, mandate multi-factor authentication and encryption, and require annual technical risk assessments. It was published as a Notice of Proposed Rulemaking on January 6, 2025; a final rule has not been issued as of 2026, and the current Security Rule stays in effect in the meantime. When a final rule does publish, organizations would have a 180-day compliance window — so preparing now is the safe move. See how an integrated compliance platform closes the most common gaps before auditors find them.

    The HIPAA Security Rule has not received a major structural update since 2013. In the intervening years, healthcare has migrated to the cloud, ransomware has become a billion-dollar industry, and telehealth has gone from niche to norm. The regulations, meanwhile, have stayed largely the same.

    That is about to change.

    On January 6, 2025, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a Notice of Proposed Rulemaking (NPRM) outlining sweeping changes to the HIPAA Security Rule under 45 CFR Part 164. The public comment period closed March 7, 2025. As of 2026, OCR has not issued a final rule and there is no confirmed publication date — the current Security Rule remains in effect in the meantime. Once a final rule is published in the Federal Register, it would take effect approximately 60 days later, with covered entities and business associates given a 180-day compliance window from the effective date.

    That timeline is tighter than it sounds. Once a final rule is published, organizations would have roughly eight months total to reach full compliance. For many healthcare organizations, that means the preparation window is now — even though the rule is not yet final.

    Here is what is changing, what it will cost, and what you should be doing today.

    The Biggest Change: No More "Addressable" Safeguards

    If you have worked with the HIPAA Security Rule for any length of time, you are familiar with the distinction between "required" and "addressable" implementation specifications under 45 CFR 164.306(d)(3). Required specifications must be implemented as written. Addressable specifications give organizations the flexibility to assess whether a particular safeguard is reasonable and appropriate for their environment, and if not, to document why and implement an equivalent alternative.

    In practice, "addressable" has been widely misinterpreted as "optional." OCR has pushed back against this reading for years, but the confusion has persisted. Organizations have used the addressable designation to justify skipping encryption, avoiding multi-factor authentication, or deferring security measures indefinitely.

    The proposed rule would eliminate this distinction entirely. Under the proposed changes, every implementation specification would become mandatory, with only narrow, specifically defined exceptions. There would be no more gray area. If the specification exists in the rule, you implement it. Full stop. (This applies once the rule is finalized; the addressable/required distinction still governs today.)

    This is the single most consequential change in the rulemaking. It affects how organizations approach encryption, authentication, access controls, audit logging, and nearly every other technical and administrative safeguard. Compliance programs built around documenting why certain addressable specifications were not implemented will need to be fundamentally restructured.

    Mandatory Multi-Factor Authentication (MFA)

    Under the proposed rule, multi-factor authentication is required for all access to information systems that contain or process electronic protected health information (ePHI). Not just remote access. Not just administrative access. All access.

    This is a significant expansion. Many healthcare organizations have implemented MFA for VPN connections and remote desktop sessions but have not extended it to local workstation logins, EHR access, or internal applications. The proposed rule would close that gap.

    What This Means Practically

    For large health systems, this is a substantial implementation effort. For small practices, it may be as straightforward as enabling MFA on their EHR platform and email provider. But regardless of size, no organization is exempt.

    Encryption Proposed as Required -- No Exceptions

    Encryption of ePHI has been an addressable specification since the Security Rule was first published. Under the current framework at 45 CFR 164.312(a)(2)(iv) and 164.312(e)(2)(ii), organizations can evaluate whether encryption is reasonable and appropriate, and if they determine it is not, document that decision and implement an alternative safeguard.

    The proposed rule makes encryption a flat requirement. ePHI must be encrypted both at rest and in transit. There is no alternative analysis. There is no documented exception.

    This change reflects the reality that encryption technology is now universally available, affordable, and built into most modern systems. The original "addressable" designation was written in an era when encryption imposed meaningful performance and cost burdens. That era is over.

    Organizations that have been operating without full disk encryption on laptops and workstations, without TLS enforcement on internal network traffic, or without encryption on database storage will need to close those gaps before any compliance deadline. Under the proposed rule this would be a baseline requirement rather than a future aspiration — and OCR already expects encryption in practice today.

    Annual Risk Assessments with Teeth

    Risk assessment has always been a requirement under 45 CFR 164.308(a)(1)(ii)(A), and failure to conduct one remains the most frequently cited deficiency in OCR enforcement actions (Source: HHS OCR Enforcement Highlights, 2018-2025). The proposed rule strengthens this requirement in several important ways.

    What Changes

    For organizations that have treated risk assessment as an annual checkbox, this would be a significant shift. The proposed rule would demand a process that is thorough, documented, and visibly connected to security improvements.

    24-Hour Incident Reporting for Business Associates

    The proposed rule introduces a 24-hour notification requirement for business associates. A business associate would have to notify the relevant covered entity within 24 hours of activating its contingency (incident response) plan in response to a security incident.

    This is a dramatic acceleration from current practice. The existing Breach Notification Rule at 45 CFR 164.410 requires business associates to notify covered entities of a breach "without unreasonable delay" and no later than 60 days after discovery. The proposed 24-hour window applies specifically to security incidents, which is a broader category that includes events that may not rise to the level of a reportable breach.

    Impact on Business Associate Agreements

    Every Business Associate Agreement (BAA) currently in effect will need to be reviewed and likely amended. If your BAA references the current notification timeline, it will be out of compliance with the new rule. Organizations should begin identifying all active BAAs now and planning for renegotiation.

    Key provisions to address in updated BAAs include:

    If you have dozens or hundreds of business associates, this review process alone is a substantial administrative undertaking. Starting early is not optional.

    The $9 Billion Question

    OCR's own regulatory impact analysis estimated that first-year compliance costs across all covered entities and business associates would reach approximately $9 billion, with recurring annual costs of roughly $6 billion thereafter (Source: HHS OCR NPRM Regulatory Impact Analysis, published January 6, 2025).

    Those numbers generated significant industry pushback. Healthcare industry groups, including the American Hospital Association (AHA) and the College of Healthcare Information Management Executives (CHIME), raised concerns that the costs would disproportionately burden small and rural providers already operating on thin margins.

    The cost concerns are real. But they need to be weighed against the cost of non-compliance. Consider the numbers on the other side of the equation:

    Proactive compliance is expensive. Reactive breach response is more expensive. The $9 billion figure spread across the entire healthcare industry is a fraction of what the industry loses to breaches, penalties, and operational disruption each year.

    Timeline: When You Need to Act

    Understanding the regulatory timeline is essential for planning:

    | Milestone | Date |
    |---|---|
    | NPRM published in Federal Register | January 6, 2025 |
    | Public comment period closed | March 7, 2025 |
    | Final rule published in Federal Register | Not yet issued (pending) |
    | Rule takes effect (60 days after publication) | 60 days after final rule |
    | Full compliance required (180 days after effective date) | ~240 days after final rule |

    The 180-day compliance window sounds generous until you account for budget cycles, vendor procurement timelines, technology implementation, workforce training, and BAA renegotiation. Organizations that wait until the rule is finalized to begin planning will find themselves scrambling.

    How to Prepare Now

    The final rule has not been published yet, but the NPRM provides a clear roadmap of what is coming. Organizations that begin preparing now will be in a dramatically stronger position when the compliance clock starts. Here are five concrete steps to take today.

    1. Run a Gap Assessment Against the New Requirements

    Compare your current security posture against the specific requirements outlined in the NPRM. Identify where you already meet the proposed standards and where gaps exist. Prioritize those gaps by the level of effort and investment required to close them. This gives your leadership team a clear picture of the work ahead and the resources needed.

    2. Audit Your MFA Coverage

    Map every system that stores, processes, or transmits ePHI and determine whether MFA is currently enforced on each one. Pay particular attention to local workstation access, clinical applications, and legacy systems. For any system that does not currently support MFA, begin evaluating upgrade paths, replacement options, or compensating controls now, before vendor backlogs pile up.

    3. Verify Encryption Across All Systems

    Conduct a technical audit of encryption status for ePHI at rest and in transit across your entire environment. This includes databases, file servers, laptops, mobile devices, email, backups, and data transmissions between systems. Document any gaps and create a remediation plan with specific timelines.

    4. Update Your BAAs with 24-Hour Reporting Language

    Review every active Business Associate Agreement. Identify those that reference the current 60-day notification window or that lack specific incident reporting timelines. Begin drafting updated BAA language that reflects the 24-hour security incident notification requirement. Engage your business associates early. This is a two-party negotiation, and your vendors will need time to adjust their own incident response capabilities.

    5. Schedule Your Annual Risk Assessment

    If your last risk assessment was more than 12 months ago, or if it does not meet the level of documentation detail outlined in the NPRM, schedule a new one now. Use the proposed rule's requirements as your benchmark: asset inventory, threat identification, vulnerability assessment, risk ratings, and actionable remediation plans with assigned owners and deadlines.
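The five steps above amount to one procedure: inventory what touches ePHI, test each item against the controls the NPRM would make mandatory, and turn the misses into a prioritized remediation list. The script below is an added example, not code from the article or from any compliance product it mentions; it runs a gap assessment over a constructed inventory (all system names, vendor names, dates and flags are made up for illustration) and checks four things: MFA on every ePHI system, encryption at rest and in transit, BAAs carrying 24-hour security-incident notification language, and a risk assessment completed within the last 12 months. A system that cannot support MFA at all is flagged with the upgrade/replacement/compensating-control action that step 2 describes rather than a simple "enable MFA" action.

```python
"""Gap assessment against the proposed HIPAA Security Rule safeguards.

Added example, not part of the original article. The inventory at the
bottom is constructed sample data; the control names and thresholds
(MFA on all ePHI access, encryption at rest and in transit, 24-hour BAA
notification, risk assessment no older than 365 days) follow the NPRM
summary given in the article.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

SEVERITY_RANK = {"high": 0, "medium": 1}


@dataclass(frozen=True)
class System:
    name: str
    holds_ephi: bool            # does it store, process or transmit ePHI?
    supports_mfa: bool          # can the platform do MFA at all?
    mfa_enforced: bool          # is MFA enforced for every login, local included?
    encrypted_at_rest: bool
    encrypted_in_transit: bool


@dataclass(frozen=True)
class BusinessAssociate:
    name: str
    # Notification window written into the BAA, in hours; None means the
    # agreement has no specific security-incident timeline at all.
    baa_notification_hours: Optional[int]


@dataclass(frozen=True)
class Finding:
    subject: str    # system, business associate or "organization"
    control: str    # which proposed safeguard is missed
    severity: str   # "high" or "medium", used for ordering the plan
    action: str     # remediation step to assign an owner and deadline to


def assess(systems: List[System], associates: List[BusinessAssociate],
           last_risk_assessment: Optional[date], today: date) -> List[Finding]:
    """Return findings sorted by severity, then subject, then control."""
    findings: List[Finding] = []
    for s in systems:
        if not s.holds_ephi:
            continue  # the requirements attach to systems that touch ePHI
        if not s.mfa_enforced:
            if s.supports_mfa:
                action = "Enforce MFA for all access, including local workstation logins"
            else:
                action = "Plan upgrade, replacement or compensating control; platform cannot do MFA"
            findings.append(Finding(s.name, "MFA", "high", action))
        if not s.encrypted_at_rest:
            findings.append(Finding(s.name, "encryption-at-rest", "high",
                                    "Enable storage or full-disk encryption"))
        if not s.encrypted_in_transit:
            findings.append(Finding(s.name, "encryption-in-transit", "high",
                                    "Enforce TLS on every connection carrying ePHI"))
    for ba in associates:
        hrs = ba.baa_notification_hours
        if hrs is None or hrs > 24:
            current = "no timeline" if hrs is None else f"{hrs}h"
            findings.append(Finding(ba.name, "BAA-24h-notice", "medium",
                                    f"Amend BAA (currently {current}) to 24-hour incident notification"))
    if last_risk_assessment is None or (today - last_risk_assessment).days > 365:
        findings.append(Finding("organization", "risk-assessment", "high",
                                "Schedule a documented risk assessment: asset inventory, threats, "
                                "vulnerabilities, risk ratings, owners and deadlines"))
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.subject, f.control))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per control, for the one-line picture leadership asks for."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.control] = counts.get(f.control, 0) + 1
    return counts


# Constructed sample inventory (not real systems or vendors).
INVENTORY = [
    System("ehr-prod", True, True, False, True, True),          # MFA only on VPN so far
    System("radiology-pacs", True, False, False, False, True),  # legacy, no MFA support, no disk encryption
    System("clinician-laptops", True, True, True, False, True), # no full-disk encryption
    System("billing-db", True, True, True, True, False),        # internal traffic not TLS
    System("marketing-website", False, True, False, False, True),  # no ePHI: out of scope
]
ASSOCIATES = [
    BusinessAssociate("cloud-backup-vendor", 72),
    BusinessAssociate("transcription-service", None),
    BusinessAssociate("pharmacy-hub", 24),
]
LAST_RISK_ASSESSMENT = date(2024, 9, 15)   # constructed
AS_OF = date(2026, 2, 1)                   # constructed "today"

if __name__ == "__main__":
    for f in assess(INVENTORY, ASSOCIATES, LAST_RISK_ASSESSMENT, AS_OF):
        print(f"[{f.severity:6}] {f.subject:22} {f.control:22} {f.action}")
    print(summarize(assess(INVENTORY, ASSOCIATES, LAST_RISK_ASSESSMENT, AS_OF)))
```

On the sample data the script produces eight findings; the marketing site is skipped because it holds no ePHI, and the PACS system gets the "plan upgrade or compensating control" action because it cannot enforce MFA at all. Swapping the constructed lists for an export from your asset inventory and contract register gives the prioritized list that step 1 asks for.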

    Frequently Asked Questions

    When does the 2026 HIPAA Security Rule overhaul take effect?

    The updated Security Rule was proposed by HHS OCR in the Notice of Proposed Rulemaking published January 6, 2025. It is still proposed — a final rule has not been issued as of 2026, and the current Security Rule remains in effect in the meantime. Once a final rule is published, covered entities and business associates will have a compliance window — historically 180 days from the effective date — to meet the new requirements. Because the changes are substantial, organizations should begin preparing before the final rule is published rather than waiting for the compliance clock to start. Vendor capacity and internal project timelines both tighten as the deadline approaches.

    What is the difference between "required" and "addressable" safeguards under the new rule?

    Under the current Security Rule, many implementation specifications are labeled "addressable," meaning organizations can assess whether a safeguard is reasonable and appropriate for their environment and document an alternative if it is not. The proposed overhaul would eliminate this distinction and make nearly all implementation specifications mandatory. Controls that are currently addressable — such as encryption of electronic protected health information and multi-factor authentication — would become hard requirements with very narrow exceptions that must be documented. Until a final rule takes effect, the addressable/required distinction still applies.

    Is multi-factor authentication mandatory under the 2026 HIPAA Security Rule?

    Yes. The proposed rule requires multi-factor authentication for access to systems that contain electronic protected health information, with only limited, documented exceptions. This is a significant shift from the current rule, which treats authentication controls as addressable. Organizations should inventory every system that touches ePHI and confirm MFA is enforced before the rule takes effect.

    Do business associates have to comply with the new 24-hour incident reporting requirement?

    Yes. The proposed rule requires business associates to notify covered entities of a security incident within 24 hours of activating their contingency or incident response plan. This is far faster than the breach notification timelines most organizations currently operate under, and it means business associate agreements, contracts, and internal escalation procedures will need to be updated so notifications can move quickly enough to satisfy the requirement.

    Preparing Is the Strategy

    The proposed HIPAA Security Rule overhaul would be the most significant regulatory change in healthcare data security in over a decade. The elimination of addressable specifications, mandatory MFA, universal encryption requirements, annual risk assessments with detailed documentation, and 24-hour incident reporting for business associates would collectively raise the compliance baseline for every covered entity and business associate in the country — once the rule is finalized.

    The organizations that come through this transition smoothly will be the ones that started preparing before the final rule was published. The ones that waited will face compressed timelines, competing vendor priorities, and the very real risk of non-compliance during an OCR enforcement environment that shows no signs of easing.

    Live Compliance is built to help healthcare organizations stay ahead of exactly this kind of regulatory shift. Our platform continuously monitors your compliance posture, identifies gaps against current and emerging requirements, and provides the documentation and workflows needed to demonstrate audit readiness.

    If you want to know where you stand today, start with our free 12-minute audit-readiness gap scan. It will identify your most critical exposure areas and give you a prioritized action plan before the new rule takes effect.

    Get your free gap scan and start preparing now.