If you run a small medical practice — family medicine, dental, chiropractic, mental health, physical therapy, urgent care — there is a major HIPAA development you should be tracking. The Department of Health and Human Services has proposed the most significant update to the HIPAA Security Rule since it was first written in 2003. One thing to be clear about up front: this is still a proposed rule. It has not been finalized, and as of now HHS has not confirmed whether — or in what form — it will be. Industry groups have asked HHS to withdraw or substantially scale it back. The agency's own preliminary target for a final rule has been referenced as mid-2026 (sometimes cited as May 2026), but that date is not confirmed and could slip, change, or not happen at all. If a final rule is published, covered entities and business associates would get a compliance window — most analysis points to roughly 240 days (about 180 days for the substantive requirements, plus an additional 60 for business-associate agreement updates), and HHS could extend that further.
This is not a minor tweak. If finalized as proposed, it would change the fundamental way HIPAA treats cybersecurity for every covered entity and business associate in the country, regardless of size. If your practice has five staff or fifty, the same rules would apply to you. That is exactly why it is worth understanding now — not because it is law yet, but because most of the preparation is worth doing regardless of what the final rule ultimately says.
Most of what has been written about this so far is aimed at hospital CISOs and IT security vendors. This article is not. This article is for the practice owner, the office manager, the person who wears the compliance hat on top of twelve other hats. Here is what is changing, what it means for your day-to-day operations, and exactly what you should start doing right now.
What Is Actually Changing?
HHS published a Notice of Proposed Rulemaking (NPRM) in the Federal Register on January 6, 2025, proposing sweeping modifications to the HIPAA Security Rule. The comment period closed in March 2025 and drew thousands of comments — much of it significant industry pushback over cost and feasibility, including a coalition petition asking HHS to withdraw the proposal. As of now, HHS has not confirmed whether it will finalize the rule, finalize a scaled-back version, or withdraw it. Everything below describes what the proposed rule would require if it is finalized in its current form. Treat it as a strong signal of where HIPAA security expectations — and OCR enforcement — are already heading, not as current law.
Here are the changes that matter most to a small practice.
1. "Addressable" Safeguards Are Gone — Everything Becomes Mandatory
This is the single biggest change and the one that will affect the most practices. Under the current Security Rule, safeguards are classified as either "required" or "addressable." If a safeguard was addressable — like encryption — you could assess whether it was reasonable and appropriate for your practice. If you decided it was not, you could document your reasoning and implement an alternative measure. Many small practices used this flexibility to skip encryption entirely, arguing that their small size or limited budget made it impractical.
Under the proposed rule, that distinction disappears. Nearly all implementation specifications become mandatory, with only very narrow exceptions. Encryption, access controls, audit logging, multi-factor authentication — these are no longer things you can reason your way out of. You either implement them or you are out of compliance. Period.
What this means for your practice: Encryption is currently still an "addressable" specification under the existing Security Rule, so this flexibility has not gone away yet. But if you have been relying on it to avoid encrypting laptops, email, or your EHR backup, the direction of travel is clear, and OCR already treats unencrypted devices as a top enforcement risk. Closing this gap now is a no-regrets move whether or not the proposed rule is finalized.
2. Multi-Factor Authentication Becomes Mandatory
The proposed rule would require multi-factor authentication (MFA) on every system that accesses electronic protected health information (ePHI). That includes your EHR, your practice management system, your email (if it touches patient information), your cloud storage, and your billing software.
MFA means logging in requires two different kinds of proof: something you know (your password) plus a second factor, either something you have (a code from your phone or a hardware token) or something you are (a biometric like a fingerprint). If your staff currently logs into your EHR with just a username and password, that will no longer be sufficient.
What this means for your practice: Check whether your EHR vendor supports MFA today. Most modern cloud-based EHR systems do, but it may not be turned on. If your EHR does not support MFA, that is a conversation you need to have with your vendor now — not after the rule is finalized.
3. Annual Risk Assessments Must Drive Real Action
The HIPAA Security Risk Assessment (SRA) has been a requirement since 2003, and it is the single most-cited deficiency in OCR audits. But under the current rule, many practices treat it as a paperwork exercise — answer some questions, generate a PDF, put it in a drawer.
The proposed rule changes this. Risk assessments must now be conducted at least every 12 months, must be documented in detail, and must produce actionable remediation plans. The assessment has to identify specific risks to ePHI, evaluate the likelihood and impact of each risk, and document what the practice is doing to mitigate each one. Importantly, your remediation plan cannot just sit on paper — the rule requires that you implement the mitigations and document that implementation.
What this means for your practice: If your last SRA was a checkbox exercise, it will not pass muster under the new rule. You need an SRA process that identifies real risks, produces a real remediation plan, and tracks your progress on fixing the gaps. This is exactly what GuardWell's Security Risk Assessment module is built for — a guided, question-by-question walkthrough that generates a risk register and tracks remediation automatically.
4. You Need a Network Map Showing Where ePHI Lives
The proposed rule requires covered entities to create and maintain a technology asset inventory and a network map that shows how ePHI moves through your practice. This means documenting every system, device, and application that creates, receives, stores, or transmits patient data — and showing how they connect to each other.
For a small practice, this might include your EHR system, your practice management software, your billing clearinghouse, your email provider, your fax service (especially cloud fax), any cloud storage you use, your appointment scheduling system, your patient portal, and every workstation and mobile device that accesses any of those systems.
What this means for your practice: Sit down with whoever manages your IT — whether that is an internal person, an MSP, or you — and create a list of every system that touches patient data. Document which ones talk to each other. This does not have to be a complex network diagram. A spreadsheet listing each system, what data it holds, how it connects to other systems, and who has access is a solid start.
5. Written Verification From Every Business Associate
Under the current rule, a signed Business Associate Agreement (BAA) is the primary mechanism for ensuring your vendors protect ePHI. The proposed rule goes further: you must now obtain written verification from each business associate — at least annually — confirming that they have actually implemented the required technical safeguards.
A signed BAA alone is no longer enough. You need to ask your EHR vendor, your billing company, your cloud fax provider, your IT company, and every other vendor who touches patient data to provide written documentation that they have encryption in place, that they use MFA, that they conduct their own risk assessments, and that they can report breaches within 24 hours.
What this means for your practice: Start with your highest-risk vendors — EHR, billing, IT provider, cloud services — and send them a simple request: "Can you provide written verification that you have implemented the technical safeguards required by the HIPAA Security Rule, including encryption, MFA, and audit logging?" If a vendor cannot or will not provide this, that is a red flag you need to address.
6. Business Associates Must Report Incidents Within 24 Hours
Under the current Breach Notification Rule, business associates must notify covered entities of a breach "without unreasonable delay" — which has been interpreted as within 60 days. The proposed rule would tighten this dramatically to 24 hours for security incidents (not just confirmed breaches).
What this means for your practice: Review your BAAs. Do they include a specific timeframe for incident notification? If they say "60 days" or "without unreasonable delay," you should plan to update them to reflect the 24-hour requirement once the final rule is published. You also need an internal incident response process so that when a vendor notifies you at 2 AM on a Saturday, someone knows what to do.
7. Mandatory Vulnerability Scanning and Penetration Testing
The proposed rule would require vulnerability scans every six months and penetration testing annually for all systems handling ePHI. For most small practices, this means engaging an outside cybersecurity firm to run these tests — and documenting the results and any remediation actions taken.
What this means for your practice: If you have never had a vulnerability scan or penetration test performed, you are not alone — most small practices have not. If the proposed rule is finalized as written, this would become a hard requirement, so it is worth understanding the cost now. A basic external vulnerability scan and penetration test for a small practice typically costs $2,000–$5,000 depending on scope, and would need to be done on the schedule the final rule sets.
When — and Whether — Does This Take Effect?
This is the part to be precise about. There is no final rule today. HHS's preliminary planning target for publishing one has been referenced as mid-2026 (sometimes May 2026), but the agency has not confirmed that timeline or committed to finalizing the rule at all, and a final rule could be delayed, narrowed, or dropped in response to the industry comments. If a final rule is published, the proposal contemplates a compliance window in the range of 240 days (roughly 180 days for the substantive requirements, plus 60 days for business-associate agreement updates), and HHS has discretion to extend that to ease the burden.
Here is the practical takeaway that does not depend on the rulemaking outcome: the core measures below — a real risk assessment, MFA, encryption, an asset inventory, vendor verification — are already security best practice, already map to where OCR is enforcing today, and would be worth doing even if this specific rule never becomes final. Treat the proposal as a planning prompt, not a countdown clock.
Your 8-Step Action Plan — Start This Week
You do not need to do everything at once. But you should start moving. Here is a practical action plan, ordered by priority, that any small practice can begin immediately.
Step 1: Turn on MFA everywhere you can today. Start with your EHR and your email. Most cloud-based systems already support it — you just need to enable it. This is free and takes 30 minutes.
Step 2: Run (or re-run) your Security Risk Assessment. If your last SRA was more than 12 months ago, or if it was a superficial exercise, do it again. Use a guided tool that produces a real risk register with scored risks and remediation tracking.
Step 3: Inventory every system that touches ePHI. Make a list: EHR, practice management, billing, email, fax, cloud storage, appointment scheduling, patient portal, every workstation and mobile device. Note who has access to each one.
Step 4: Check encryption status. Is your EHR data encrypted at rest and in transit? What about your email? Your laptops? Your backups? If you do not know the answer, ask your IT provider. If you do not have an IT provider, that itself is a gap to address.
Step 5: Contact your top 5 vendors. Ask your EHR vendor, billing company, IT provider, cloud fax, and any cloud storage provider for written verification that they have implemented encryption, MFA, and audit logging. Document their responses.
Step 6: Review and update your BAAs. Check whether your existing BAAs include specific incident notification timeframes. Flag any that need to be updated once the final rule is published.
Step 7: Budget for a penetration test. Get quotes from 2–3 cybersecurity firms that specialize in small healthcare practices. You do not need to do the test today, but knowing the cost and having a vendor ready means you can move quickly when the rule is finalized.
Step 8: Document everything. Documentation is already a HIPAA requirement today, and the proposed rule would make it an even more specific, auditable one. Every policy, every risk assessment, every vendor verification, every remediation action needs to be documented and retrievable. A compliance platform that tracks all of this in one place will save you significant time and stress when audit season arrives.
The Bottom Line
The proposed 2026 HIPAA Security Rule overhaul is the most significant change to healthcare cybersecurity requirements proposed in over 20 years. Even though it is not final, the direction is unmistakable: regulators increasingly expect practices to prove they are secure, not just document that they intended to be. Whether or not this exact rule is finalized, that expectation is already shaping OCR enforcement today.
For small practices, this does not have to be overwhelming. Most of the individual steps — enabling MFA, encrypting devices, running a proper risk assessment, verifying vendor safeguards — are manageable. The key is to start now, while you have time to address gaps methodically rather than scrambling under a deadline.
GuardWell Compliance is built for exactly this moment. Our platform walks you through your Security Risk Assessment step by step, tracks your compliance across all 15 regulatory modules, manages your vendor BAAs with expiration alerts, and gives you a real-time compliance score that tells you exactly where you stand — updated daily. If the new Security Rule has you thinking about where your practice's gaps are, take our free 2-minute compliance score quiz to get a snapshot of where you are today.