The Department of Health and Human Services Office for Civil Rights (HHS OCR) is finalizing the most significant HIPAA Security Rule updates since 2013, with final regulations expected by May 2026. For the first time in over a decade, the compliance landscape is about to shift dramatically — and not in ways that favor procrastination.
If you're a healthcare SMB — a medical practice, dental office, behavioral health provider, or business associate handling ePHI — this isn't just regulatory noise. These changes eliminate the ambiguity that's allowed covered entities to defer critical security controls for years. The new rule transforms previously "addressable" safeguards into mandatory requirements with clear implementation deadlines.
Here's what you need to know, what's changing, and how to prepare without panic.
The End of "Addressable" Ambiguity
Since 2003, HIPAA's Security Rule has distinguished between "required" and "addressable" safeguards. Addressable didn't mean optional — it meant you could implement an equivalent alternative if the specified control wasn't reasonable and appropriate for your organization. In practice, many organizations treated "addressable" as "aspirational," conducting cursory risk assessments and deferring implementation indefinitely.
The 2026 updates eliminate this flexibility. What were once addressable safeguards are now required, with specific technical and procedural benchmarks. HHS OCR has made it clear: the threat landscape has evolved, and compliance standards must match the reality of modern cyberattacks targeting healthcare data.
Recent enforcement actions underscore this shift. Just last month, OCR announced a $10,000 settlement against a small clinic that failed to report a breach and had no documented risk analysis. The message is unmistakable: even small violations carry consequences, and basic due diligence is no longer negotiable.
What's Changing: The Nine Major Updates
1. Multi-Factor Authentication (MFA) — No Exceptions
The change: MFA is now required for all systems accessing, transmitting, or storing ePHI. No carve-outs for "low-risk" systems or legacy applications.
SMB impact: If your EHR, practice management system, or patient portal still relies on password-only authentication, you have until November 2026 to implement MFA. This includes administrative access, clinician workstations, and any remote access points.
Practical step: Start with cloud-based systems (often the easiest to enable), then tackle on-premises applications. Budget for MFA solutions that integrate with your existing identity provider or consider a unified SSO platform.
2. Encryption Everywhere: At Rest and In Transit
The change: Encryption of ePHI is mandatory both when stored (at rest) and when transmitted (in transit). The "addressable" loophole that allowed unencrypted storage if you documented equivalent controls is gone.
SMB impact: Laptops, workstations, servers, backup drives, and mobile devices must have full-disk or file-level encryption enabled. All ePHI transmitted via email, file transfer, or portal must use TLS 1.2 or higher.
Practical step: Audit every endpoint and storage location. Windows BitLocker and macOS FileVault cover most workstations. For email, ensure your email gateway enforces TLS and consider secure email solutions for patient communications. Don't forget about backup tapes and portable media — encrypt or eliminate them.
3. Network Segmentation
The change: ePHI systems must be logically or physically separated from general business networks.
SMB impact: Your EHR server can't sit on the same flat network as the front-desk WiFi guest network or the break-room smart TV. You need VLANs, firewall rules, or separate network segments to isolate ePHI environments.
Practical step: Work with your MSP or network admin to create a segmented ePHI zone. Even small offices can implement basic VLANs with modern managed switches. Document the segmentation architecture in your network diagrams.
4. Annual Compliance Audits
The change: Covered entities and business associates must conduct annual third-party compliance audits, not just risk assessments.
SMB impact: Self-assessments won't cut it anymore. You'll need an independent auditor to review your HIPAA posture annually and document findings. Expect costs between $3,000–$10,000 depending on complexity.
Practical step: Build this into your annual budget. Choose auditors with healthcare-specific experience — generalist IT auditors often miss nuances. Use audit findings to prioritize remediation and demonstrate due diligence.
5. Vulnerability Scanning Every Six Months
The change: All systems handling ePHI must undergo vulnerability scans at least every six months.
SMB impact: You need a process to identify, assess, and remediate vulnerabilities on servers, workstations, and network devices. Manual reviews don't scale; you'll need scanning tools or a managed service.
Practical step: Invest in vulnerability management software (many MSPs include this) or use cloud-based scanners. Prioritize critical/high findings and document remediation timelines. Don't forget network devices and IoT medical equipment.
6. Annual Penetration Testing
The change: At least one penetration test per year, conducted by qualified third parties.
SMB impact: Pentests simulate real-world attacks to uncover exploitable weaknesses. Unlike vuln scans, they require skilled human testers. Budget $5,000–$15,000 annually for a focused pentest covering external perimeter, internal network, and web applications.
Practical step: Schedule your first pentest for Q3 2026 to allow remediation time before the November deadline. Share results with leadership and use them to justify security investments.
7. 72-Hour ePHI Recovery Requirement
The change: Disaster recovery and backup plans must demonstrate the ability to restore ePHI within 72 hours of a system failure or ransomware event.
SMB impact: "We back up weekly to an external drive" won't meet this standard. You need frequent backups (ideally daily), offsite or cloud storage, and tested restore procedures that prove you can meet the 72-hour window.
Practical step: Test your backups now. Conduct a tabletop exercise simulating ransomware. Document recovery time objectives (RTOs) and recovery point objectives (RPOs). Consider immutable backups or air-gapped solutions to protect against crypto-locking.
8. One-Hour Access Revocation
The change: When an employee, contractor, or business associate's access should be terminated (termination, role change, breach of policy), their system access must be revoked within one hour.
SMB impact: Manual processes — calling your IT guy, emailing your EHR vendor — are too slow. You need automated identity and access management (IAM) workflows.
Practical step: Implement centralized user directories (Active Directory, Azure AD, Okta) with automated deprovisioning. Document offboarding checklists that include system access, physical keys, and device return. Integrate with your HR system if possible.
9. Strengthened Business Associate Agreements (BAAs)
The change: BAAs must now include language requiring senior executive sign-off (C-level or equivalent) and more explicit breach notification and liability terms.
SMB impact: Every vendor touching ePHI — your EHR, billing service, shredding company, cloud storage provider — needs an updated BAA. Expect vendors to push back on liability terms.
Practical step: Review and update all BAAs by September 2026. Have legal counsel review templates. Don't accept vendors who refuse to sign compliant BAAs — you're on the hook if they cause a breach.
Your Implementation Timeline
With a final rule expected in May 2026 and an estimated 180-day implementation window, you're looking at a hard deadline around November 2026. Here's a phased approach:
April–June 2026: Assess and Plan
- Conduct a gap analysis against the new requirements
- Inventory all ePHI systems, endpoints, and vendor relationships
- Identify quick wins (e.g., enabling MFA on cloud apps)
- Budget for audits, pentests, and technology upgrades
July–September 2026: Implement Core Controls
- Deploy MFA across all ePHI systems
- Enable encryption on endpoints and storage
- Segment networks and update firewall rules
- Update BAAs with all business associates
- Schedule your first vulnerability scan and pentest
October–November 2026: Test and Document
- Test disaster recovery procedures (72-hour restore)
- Conduct tabletop exercises for access revocation
- Schedule your first annual compliance audit
- Document all policies, procedures, and technical implementations
- Train staff on new security protocols
Why This Matters (Beyond Compliance)
Yes, these changes increase your compliance burden. But they also reflect the reality of today's threat environment. Healthcare remains the most-targeted sector for ransomware, and patient data is the most valuable commodity on the dark web. The controls HHS is mandating — MFA, encryption, segmentation, continuous monitoring — are the same baseline defenses every security practitioner recommends for any organization handling sensitive data.
Think of this as an opportunity to modernize your security posture and reduce your risk exposure, not just check a compliance box. A well-implemented HIPAA security program protects your patients, your reputation, and your business continuity.
What You Should Do This Week
- Read the final rule when it's published (likely May 2026). Don't rely on summaries — understand the specific language.
- Schedule a gap assessment with your IT team, MSP, or a HIPAA consultant.
- Engage leadership and secure budget approval for compliance investments.
- Prioritize the low-hanging fruit: MFA, endpoint encryption, and backup testing can often be done quickly and inexpensively.
Need Help Navigating the 2026 HIPAA Changes?
Over 25 years in information security, I've helped dozens of healthcare organizations navigate HIPAA compliance without breaking the bank. Let's map out your path to compliance.
Book a Strategy Session →Peter Hallen is a fractional CISO and information security consultant with over 25 years of experience helping healthcare organizations build practical, risk-based security programs. He specializes in HIPAA compliance, vendor risk management, and pragmatic security for resource-constrained SMBs. Learn more at peterhallen.com.