After more than two decades without a major overhaul, the HIPAA Security Rule is finally getting a significant update. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking in January 2025, the first substantial revision to the Security Rule since it was originally adopted in 2003. With the final rule tracking closely to its mid-2026 release window, OCR has already begun citing the updated requirements in resolution agreements.
For healthcare IT professionals, these changes will reshape compliance programs, security architectures, and vendor relationships. Here’s what you need to know.

Why Now?
The original HIPAA Security Rule was written for a different world. It predates cloud computing, widespread telehealth, ransomware as a business model, and the explosion of connected medical devices. The gap between the rule’s language and modern healthcare IT reality has been widening for years. OCR has signaled for some time that enforcement priorities, encryption failures, inadequate access controls, and weak risk analysis would eventually become codified requirements. This update does exactly that.
The End of “Addressable” Safeguards
One of the most consequential structural changes is the elimination of the “addressable” implementation specification category. Under the current rule, certain controls, including encryption, are classified as “addressable,” meaning organizations can document a rationale for not implementing them if they deem the control unreasonable or inappropriate for their environment. In practice, this flexibility has allowed many organizations to skip meaningful security controls with minimal documentation.
The updated rule removes this loophole. Nearly all implementation specifications will become required. If your organization has been relying on the addressable designation to defer encryption or other safeguards, that approach will no longer be viable.
Key Technical & Operational Mandates
| Requirement | Scope & Specification | Operational Impact |
| Mandatory Encryption | ePHI both at rest and in transit. | Aligns with NIST standards; requires strict secure key management. |
| Universal MFA | All systems accessing ePHI. | Broadens from just remote access to all internal apps, SaaS, and EHR environments. |
| Risk Assessments | Rigorous, documented review every 12 months. | Must include full asset inventories, network maps, and threat-vulnerability pairing. |
| Technical Testing | Vulnerability scans every 6 months; pen tests every 12 months. | Integrates proactive technical discovery into the standard compliance lifecycle. |
| Asset & Network Maps | Continuous, accurate system tracking. | Eliminates static spreadsheets; requires dynamic visibility of ePHI pathways. |
| Network Segmentation | Mandatory lateral containment. | Directly impacts firewall architectures and infrastructure planning. |
| 72-Hour Data Recovery | Written procedures to restore critical ePHI systems. | IT must validate backup integrity and map dependencies to hit strict RTO targets. |
New Operational and Endpoint Requirements
Beyond the headline changes, the proposed rule introduces several specific operational requirements that deserve attention from healthcare IT teams.
Anti-Malware Protection: Anti-malware controls will be explicitly required across relevant electronic information systems. This formalizes what should already be standard practice but closes a gap for organizations with inconsistent endpoint coverage.
Portable Device Safeguards: Technical safeguards that currently apply to computer workstations will be extended to mobile devices, tablets, and other portable devices. Organizations with BYOD programs or a large fleet of mobile endpoints will need to evaluate whether their current MDM and device management controls meet the new standard.
Patch Management: The rule requires timely implementation of patches and software updates, a direct response to the reality that unpatched systems are among the most common vectors in healthcare breaches. “Timely” will need to be defined and documented in policy, with evidence of actual patch cadence to back it up.
Unnecessary Software Removal: Covered entities and business associates will be required to remove extraneous software from systems that handle ePHI. This targets the attack surface reduction gap common in environments where software accumulates over time without a formal decommissioning process.
Disable Unused Network Ports: Network ports that are not required must be disabled, in accordance with the organization’s risk analysis findings. This is an infrastructure hygiene requirement that many organizations have historically treated as optional.
Contingency Planning and Incident Response: The updated rule expands incident response and contingency planning obligations considerably. Organizations will be required to develop written procedures for restoring ePHI and relevant systems within 72 hours of an incident, including a prioritized restoration sequence based on system criticality. This is a meaningful operational requirement, not just a policy update. IT teams will need to map their recovery dependencies, validate backup integrity, and document realistic RTOs that can actually meet the 72-hour threshold.
Business Associate Oversight: Business associate agreement (BAA) management is getting more rigorous. The new requirement is not merely to have a BAA on file, organizations must document annual verification that each BAA meets current requirements. This is likely the most underestimated operational change, particularly for organizations with large vendor ecosystems.
Timeline and Status
The final rule is on the launchpad. Once officially published, the clock immediately starts on an anticipated 180-day compliance window, meaning organizations will face an enforcement-ready deadline by late 2026 or early 2027. OCR has already begun citing the updated requirements in enforcement activity, signaling that waiting for formal finalization before preparing is a risky strategy.
It’s worth noting that the proposed rule attracted significant industry pushback; over 4,700 public comments were submitted, and a coalition led by CHIME petitioned HHS to withdraw the rule. The final version may be adjusted from the original proposal, but the direction is clear: security expectations are increasing and will be less flexible.
What Healthcare IT Teams Should Do Now
The organizations that come through this transition in good shape won’t be the ones who wait for the final rule to drop. They’ll be the ones who’ve already closed their most significant gaps.
Start with a current-state assessment: Where are your encryption gaps? When was your last full security risk analysis, and does it meet the new specificity requirements? Is your asset inventory accurate and current? Do your backup procedures support a realistic 72-hour recovery window? Do your BAA verification workflows meet the new documentation standard?
From there, prioritize the changes with the longest implementation lead times, encryption infrastructure, network segmentation, and MFA across legacy systems tend to require the most runway. Build the remainder of your 2026 compliance roadmap around those constraints, not around the finalization date.
The 2026 HIPAA Security Rule update is the most significant shift in healthcare cybersecurity compliance in over 20 years. For healthcare IT teams, that means less discretion, more documentation, and a much shorter runway than many organizations realize. The time to start preparing is now.
Organizations that begin assessing gaps today will be better positioned when the final rule becomes effective. The security and compliance teams at IP Pathways and Tenax Solutions work with healthcare organizations to evaluate risk, strengthen technical controls, and prepare for evolving regulatory requirements.


