The biggest overhaul to HIPAA in 20 years is happening right now. The final rule is expected in May 2026. [Healthcare Law Insights] Your compliance deadline is late 2026. Here is exactly what is changing, what it means for your clinic, and what you need to do before the clock runs out.
Final rule expected: May 2026. Compliance deadline: late 2026 to early 2027. That is approximately 180 days from publication, which sounds like a long time until you understand how much needs to change. The clinics that start now will have a smooth transition. The ones that wait will be scrambling and exposed.
The original HIPAA Security Rule was published in 2003. It was designed for a world of desktop computers, on-premises servers, and fax machines. In the two decades since, healthcare has transformed completely. Cloud computing, telehealth, AI documentation tools, remote work, and mobile devices have all become essential clinical infrastructure, yet the Security Rule has not kept pace.
Until now.
The Department of Health and Human Services [HHS.gov] published a Notice of Proposed Rulemaking in January 2025, signalling the most comprehensive update to HIPAA security requirements since the rule was first enacted. The proposed changes are sweeping, specific, and non-negotiable. And they apply equally to a 3-provider family practice in Iowa and a 500-bed hospital system in New York.
The core philosophical shift in the 2026 update is this: HIPAA security is no longer about documenting your intent to be secure. It is about proving that your security controls are implemented, tested, and working. The old "addressable" loophole, where you could write a policy explaining why a control was not reasonable for your practice, is gone.
Here is every significant proposed change, written in plain language for clinic administrators rather than lawyers or IT engineers.
Under the current rule, MFA is "addressable," meaning you could argue that your risk profile did not require it. Under the 2026 update, MFA is mandatory for every access point to electronic Protected Health Information. Your EHR, cloud storage, email, billing system, and any other platform that touches patient data must require a second verification step beyond a password. For most small clinics this means enabling the MFA settings that are already built into your existing software: free and fast. For clinics using older legacy systems, it may require upgrades or third-party authentication tools.
Encryption of ePHI at rest and in transit moves from "addressable" to unconditionally required. This means every device storing patient data must be encrypted: laptops, tablets, portable drives, cloud databases, and backup systems. It also means every transmission of ePHI, including email, file transfers, and API calls between systems, must use encrypted channels. The standard aligns with NIST cybersecurity frameworks. Claiming your legacy system does not support encryption will not satisfy an OCR auditor. You will need to either upgrade or migrate.
Covered entities must maintain and annually update a comprehensive written inventory of every information system, device, and application that creates, receives, stores, or transmits ePHI. This goes beyond a simple equipment list. The inventory must include network maps showing how data flows between systems. For most clinics this is a new requirement entirely; it is foundational to everything else the new rule demands.
Automated vulnerability scanning of all systems accessing ePHI must be conducted at least every six months. Annual penetration testing is also required: a more intensive assessment where a security professional actively attempts to breach your systems to find weaknesses before attackers do. Scan results must be documented, reviewed, and addressed in a timely manner. For most small clinics, this will mean engaging an IT managed service provider or security firm for the first time.
Clinical systems containing ePHI must be separated from administrative networks, guest Wi-Fi, and non-clinical devices. This "segmentation" limits the damage of a breach. If an attacker compromises your billing computer through a phishing email, proper segmentation stops them from jumping across to your EHR. Most modern networking equipment supports this through VLAN configuration. Older setups may need hardware upgrades.
The proposed rule introduces significantly tighter notification timelines for security incidents. Some contractual scenarios involving business associates will require incident notification within 24 hours. Contingency plans must demonstrate the ability to restore critical systems within 72 hours of an incident. Your breach response procedure needs to be completely rewritten to reflect these compressed timelines and tested annually to prove it actually works at that speed.
Covered entities will be required to actively verify that their business associates are implementing required security controls, not simply execute a BAA and assume compliance. This means adding security verification questionnaires to your BAA renewal process, reviewing your vendors' security practices annually, and documenting that verification. Your EHR vendor, billing company, IT provider, and AI tools all fall under this requirement.
The most important thing to understand is this: organisation size no longer exempts you from any technical safeguard. The 2026 rule explicitly applies to all covered entities regardless of staff count, patient volume, or revenue. A solo practitioner faces the same requirements as a regional health system.
This is a significant departure from how many small clinic administrators have historically thought about HIPAA. The informal logic of "we are too small for OCR to audit us" is not just wrong; it is increasingly dangerous. OCR's third phase of compliance audits, confirmed as underway in March 2025, initially covers 50 covered entities and business associates with explicit plans to expand scope.
OCR levied more than $6.6 million in HIPAA fines in 2025 alone [Healthcare Law Insights, Feb 2026], with penalties ranging from $80,000 to $3 million per incident. [OCR Enforcement Actions] The highest penalty resulted from a phishing attack on a business associate — a scenario that proper network segmentation and MFA would likely have prevented. Being small did not protect those organisations.
The good news is that clinics which start preparing now will find compliance manageable, cost-effective, and far less disruptive than those that wait. Here is a prioritised action plan broken down by what you can do immediately versus what requires more planning.
| Action | What It Involves | Timeline |
|---|---|---|
| Run a HIPAA Gap Assessment | Identify where you currently stand against all 7 proposed changes. Start with our free online checker. | This week |
| Enable MFA on all systems | Google Workspace, Microsoft 365, and your EHR all have MFA in settings. Enable for every user account. | Within 2 weeks |
| Verify device encryption | Check BitLocker (Windows) and FileVault (Mac) on every laptop and portable device. | Within 2 weeks |
| Build your asset inventory | Create a spreadsheet listing every device, software, and cloud service touching patient data. | Within 1 month |
| Update breach response procedure | Rewrite to reflect 72-hour timelines. Schedule an annual tabletop drill. | Within 6 weeks |
| Add BA security questionnaires | Send verification forms to your top 5 business associates asking to confirm their security controls. | Within 2 months |
| Network segmentation review | Ask your IT administrator or MSP to assess whether clinical systems are properly separated. | Within 3 months |
| Engage vulnerability scanning | Add automated scanning to your IT support contract or engage a healthcare-specialised security firm. | Before final rule |
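The asset inventory and the gap assessment in the table above go together: once every device, application, and cloud service touching ePHI is listed with its control status, the gaps against the mandatory controls (encryption, MFA, segmentation, six-monthly scanning) fall out mechanically. The script below is an added illustration, not code from this article or from any vendor's checker. It reads a constructed sample inventory (the asset names, column headings, and the "clinical" segment label are assumptions, as is treating "at least every six months" as 182 days) and reports one finding per missing control.

```python
"""Gap check of an ePHI asset inventory against the four technical controls
the proposed 2026 rule makes mandatory. Added example with constructed data."""
import csv
import io
from dataclasses import dataclass
from datetime import date

# "At least every six months" expressed as a day count (assumption: 182 days).
SCAN_INTERVAL_DAYS = 182
# Reference date for the sample run (constructed).
TODAY = date(2026, 4, 1)

# Constructed sample inventory; column names and asset names are assumptions.
INVENTORY_CSV = """\
asset,type,stores_or_transmits_ephi,encrypted,mfa_enforced,network_segment,last_vuln_scan
EHR-APP,cloud service,yes,yes,yes,clinical,2026-02-10
BILLING-PC-01,workstation,yes,no,yes,admin,2025-06-01
FRONTDESK-TABLET,tablet,yes,yes,no,clinical,2026-03-15
GUEST-WIFI-AP,network device,no,n/a,n/a,guest,
CLINIC-LAPTOP-03,laptop,yes,no,no,clinical,
"""


@dataclass(frozen=True)
class Finding:
    asset: str
    control: str
    detail: str


def parse_inventory(csv_text):
    """Return the inventory rows as dictionaries keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def _is_yes(value):
    return value.strip().lower() == "yes"


def assess(csv_text, today=TODAY):
    """Return one Finding per missing control on every asset that handles ePHI."""
    findings = []
    for row in parse_inventory(csv_text):
        if not _is_yes(row["stores_or_transmits_ephi"]):
            continue  # no ePHI: outside the scope of the technical safeguards
        name = row["asset"]
        if not _is_yes(row["encrypted"]):
            findings.append(Finding(name, "encryption",
                                    "ePHI stored or transmitted without encryption"))
        if not _is_yes(row["mfa_enforced"]):
            findings.append(Finding(name, "mfa",
                                    "access to ePHI is not protected by MFA"))
        segment = row["network_segment"].strip().lower()
        if segment != "clinical":  # assumption: clinical systems live on a 'clinical' VLAN
            findings.append(Finding(name, "segmentation",
                                    f"ePHI system sits on the '{segment}' network"))
        last_scan = row["last_vuln_scan"].strip()
        if not last_scan:
            findings.append(Finding(name, "vulnerability_scanning", "never scanned"))
        else:
            age_days = (today - date.fromisoformat(last_scan)).days
            if age_days > SCAN_INTERVAL_DAYS:
                findings.append(Finding(name, "vulnerability_scanning",
                                        f"last scan {age_days} days ago"))
    return findings


def summarize(findings):
    """Count findings per control so the highest-volume gap can be tackled first."""
    counts = {}
    for finding in findings:
        counts[finding.control] = counts.get(finding.control, 0) + 1
    return counts


if __name__ == "__main__":
    results = assess(INVENTORY_CSV)
    for finding in results:
        print(f"{finding.asset:18} {finding.control:24} {finding.detail}")
    print("summary:", summarize(results))
```

Run against the sample inventory, the script flags seven gaps: the billing workstation is unencrypted, sits on the admin network and has a stale scan; the front-desk tablet lacks MFA; the laptop is unencrypted, has no MFA and has never been scanned. The cloud EHR passes every check and the guest access point is skipped because it never touches ePHI. Swapping the constructed CSV for an export of your own inventory spreadsheet gives the same per-asset list, which is the evidence an auditor expects to see alongside the inventory itself.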
One of the most common objections we hear from clinic administrators is concern about the cost of compliance. It is a fair concern. But it needs to be measured against the right comparison.
A small practice starting from a moderate security baseline might invest between $20,000 and $50,000 to achieve full compliance with the 2026 requirements. [Medcurity, 2026] That investment covers technology upgrades, security assessments, staff training, and expert guidance. Done properly, it also produces a dramatically more secure and resilient clinical operation.
Compare that to what non-compliance actually costs. OCR fines for willful neglect that is not corrected can reach $1.9 million per violation category per year. [HHS Enforcement Highlights] A single ransomware attack, which proper MFA and network segmentation would likely prevent, costs an average of $10.9 million in the healthcare sector [IBM Cost of a Data Breach Report 2024] when you factor in downtime, recovery, notification, legal fees, and reputational damage.
The question is not whether your clinic can afford to become compliant with the 2026 HIPAA updates. The question is whether it can afford not to. A Rapid Assessment that identifies every gap in your current posture costs a fraction of what a single OCR enforcement action will cost; it builds the foundation you need to meet every new requirement.
Based on what we consistently see in practice, three types of clinics face the highest risk from the 2026 updates:
We work with small and mid-size clinics across the country helping them navigate exactly these kinds of regulatory transitions. Our honest recommendation for 2026 is simple: start now, start with a gap assessment, and build a phased remediation plan that addresses the highest-risk items first.
You do not need to fix everything at once. You need to demonstrate to OCR that you have a documented, active, good-faith compliance program. That starts with knowing exactly where you stand, and that is exactly what a proper assessment tells you.
Run our free 15-point HIPAA assessment right now. Get your compliance score, see your breach cost exposure, and get step-by-step fix guides for every gap, all in under 10 minutes. No account required.
This article reflects the proposed HIPAA Security Rule as of April 2026. The final rule has not yet been published. All regulatory details are subject to change upon final publication. This article does not constitute legal advice.
The 2026 HIPAA Security Rule update is not a minor administrative adjustment. It is a fundamental reimagining of what HIPAA compliance means: from a documentation exercise to a demonstrably implemented, continuously maintained security program.
The final rule is expected in May 2026. [Healthcare Law Insights] The compliance clock starts ticking the moment it is published. Clinics that start preparing now will cross the deadline in good shape. Clinics that wait will find 180 days is nowhere near enough time to implement MFA across all systems, deploy encryption, build asset inventories, establish vulnerability scanning programs, rewrite breach response procedures, and verify the security posture of every business associate.
The time to act is now. Not after the final rule. Not in Q4 2026. Now.
Start with a free assessment at elevarehealth.ai/hipaa-checker-app-v2.html; it takes 10 minutes and tells you exactly where your gaps are. If you need professional help closing those gaps before the deadline, our fixed-fee Rapid Assessment starts at $1,500 and includes a complete 2026 readiness review.