March 06, 2026

5 HIPAA Security Rule Changes in 2026 and How to Prepare

By Jeremy Price, Managing Director

For the first time since 2013, the U.S. Department of Health and Human Services Office for Civil Rights has proposed major updates to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. Regulators aim to finalize the updates by May 2026, along with a clear compliance timeline.

The revisions introduce stricter audit requirements, set intervals for technical testing, mandate network segmentation, and expand incident response obligations. Multifactor authentication (MFA), encryption, and other safeguards will be required controls rather than optional, “addressable” options.

These changes will affect covered entities, business associates (BAs), and, often, their third-party partners. Overall, the revisions will make HIPAA compliance more structured, measurable, and continuously overseen. The goal is to strengthen the confidentiality, integrity, and availability of protected health information (PHI) while supporting patient care and healthcare operations.

Why the 2026 HIPAA Security Rule Changes Matter

The 2026 updates set clearer, more objective standards for cybersecurity and HIPAA compliance. They reduce inconsistent practices and help covered entities and BAs better protect electronic protected health information (ePHI).

Healthcare organizations that rely solely on written policies rather than measurable controls and ongoing monitoring face a higher risk of cyberattacks and regulatory scrutiny. By clarifying requirements and removing “addressable” flexibility, these changes shift HIPAA compliance from a checklist task to a proactive, measurable process — ultimately protecting patient data and ensuring operational continuity.

What the HIPAA Security Rule 2026 Means for Your Organization

If finalized, the updated rule will impact your cybersecurity controls, documentation procedures, vendor oversight, and operational workflows. Preparing now can help you manage costs, minimize disruption, and reduce cyber risk before deadlines are enforced.

Key changes include:

  • Making most previously “addressable” safeguards required
  • Establishing defined audit and testing schedules
  • Requiring network segmentation
  • Expanding incident response responsibilities
  • Strengthening vendor accountability

The 5 Major HIPAA Security Rule Updates for 2026

HIPAA Audit and Risk Assessment Requirements

Covered entities and BAs must perform and document comprehensive compliance audits at least annually. Instead of periodic reviews, you must formally test and verify administrative, physical, and technical safeguards every 12 months.

To comply with the updated rule, covered entities and BAs should:

  • Conduct and record a comprehensive risk assessment annually and whenever major environmental changes occur
  • Share written compliance testing results with BAs and covered entities
  • Maintain evidence demonstrating effective control operation
  • Consider aligning with the NIST Cybersecurity Framework

Key security controls that need to be put in place include:

  • MFA for both onsite and remote system access
  • Encryption of ePHI at rest and in transit
  • Role-based access controls
  • Automatic session timeouts
  • Access revocation within one hour of employee termination

These requirements move HIPAA compliance from policy documentation to measurable control performance.

HIPAA Technical Testing and Vulnerability Scanning Requirements

The proposal specifies the required technical testing frequencies for all covered entities and BAs. To meet technical testing standards, organizations must conduct at least the following assessments:

  • Vulnerability scans at least every six months
  • Annual penetration testing of ePHI systems

Testing frequency should increase when risk assessments identify higher threats or when significant environmental changes occur. Qualified cybersecurity professionals must conduct the tests, and organizations need to keep written records of findings and corrective actions. This approach emphasizes continuous monitoring over reactive fixes.

HIPAA Network Segmentation Rules

The updated HIPAA Security Rule requires network segmentation as a safeguard. Effective segmentation restricts lateral movement during an attack and lessens breach impact. To effectively implement network segmentation, organizations should:

  • Maintain a comprehensive inventory of network hardware and software assets
  • Keep an up-to-date network map
  • Map ePHI data flows to guide segmentation strategy
  • Implement advanced firewalls, identity-based policies, network microsegmentation, and other zero-trust principles
  • Separate IT and operational technology environments logically

For example, electronic health record systems shouldn’t share networks with connected devices, such as CCTV or IoT systems. Asset and data mapping also help reduce and clearly define the HIPAA compliance footprint.
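The inventory-and-map exercise above can be checked mechanically. The following is an added illustration, not CBIZ tooling: it runs over a constructed asset inventory (hypothetical hosts and VLAN labels) and flags any ePHI system that shares a segment with a CCTV, IoT or OT device, while also listing the segments that make up the ePHI footprint.

```python
"""Flag ePHI systems that share a network segment with connected devices
(CCTV, IoT, OT) and list the segments that make up the ePHI footprint.
Added example, not CBIZ tooling; asset names and VLAN labels are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# Device classes that should not share a segment with ePHI systems.
UNTRUSTED_CLASSES = {"cctv", "iot", "ot"}

@dataclass(frozen=True)
class Asset:
    name: str
    asset_class: str   # e.g. "ehr", "database", "cctv", "iot", "ot"
    segment: str       # VLAN or subnet label taken from the network map
    handles_ephi: bool

# Constructed sample inventory (hypothetical hosts and VLANs).
INVENTORY = [
    Asset("ehr-app-01", "ehr", "VLAN-CLINICAL", True),
    Asset("ehr-db-01", "database", "VLAN-CLINICAL", True),
    Asset("lobby-cam-03", "cctv", "VLAN-CLINICAL", False),
    Asset("infusion-pump-12", "iot", "VLAN-BIOMED", False),
    Asset("hr-file-01", "fileserver", "VLAN-CORP", False),
    Asset("billing-01", "billing", "VLAN-CORP", True),
]

def group_by_segment(inventory):
    groups = defaultdict(list)
    for asset in inventory:
        groups[asset.segment].append(asset)
    return groups

def compliance_footprint(inventory):
    """Segments carrying ePHI: the in-scope set the article calls the footprint."""
    return sorted({a.segment for a in inventory if a.handles_ephi})

def segmentation_findings(inventory):
    """(segment, ePHI asset, untrusted asset) for every co-located pair."""
    findings = []
    for segment, assets in group_by_segment(inventory).items():
        ephi = [a for a in assets if a.handles_ephi]
        untrusted = [a for a in assets if a.asset_class in UNTRUSTED_CLASSES]
        findings.extend((segment, e.name, u.name) for e in ephi for u in untrusted)
    return findings

if __name__ == "__main__":
    print("ePHI footprint:", compliance_footprint(INVENTORY))
    for segment, ephi_host, device in segmentation_findings(INVENTORY):
        print(f"{segment}: {ephi_host} shares a segment with {device}")
```

On the sample data the lobby camera on VLAN-CLINICAL is reported twice, once per ePHI system it sits beside, while the infusion pump on its own biomedical VLAN produces no finding.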

HIPAA Incident Response Requirements

Covered entities and BAs must document, implement, and annually test a formal incident response plan. Effective incident response plans should:

  • Include written reporting and response procedures
  • Identify critical systems and prioritize restoration
  • Describe how you will restore ePHI within 72 hours
  • Define roles, reporting pathways, and remediation processes

Business associates must notify covered entities within 24 hours of activating an incident response or contingency plan. Annual testing ensures procedures remain effective as environments and threat landscapes evolve. By removing “addressability,” these requirements shift healthcare cybersecurity from reactive measures to a proactive, structured approach.

HIPAA Business Associate Agreement Requirements

The updates strengthen business associate agreement (BAA) requirements and reinforce vendor accountability. To that end, agreements should:

  • Clearly define BA cybersecurity obligations
  • Ensure subcontractors handling PHI meet comparable compliance standards
  • Require annual written verification that controls are in place
  • Include analysis by a qualified professional and approval by a senior executive
  • Explicitly communicate incident reporting obligations throughout the supply chain

These updates address increasing third-party breach activity and make organizations more responsible for actively managing vendor risk. By holding BAs accountable for full compliance, the rule aims to enhance ePHI protection and decrease risks from supply chain cyberattacks and vendor-related incidents.

Get Ready for the 2026 HIPAA Security Rule Updates

The scope of change requires meaningful investment in technology, documentation, and governance. Embedding controls into daily operations, rather than relying solely on written policies, will be essential.

Priority preparation steps include:

  • Build a comprehensive asset inventory and ePHI data flow diagram
  • Perform a gap assessment against proposed requirements
  • Conduct updated risk assessments and threat modeling
  • Increase vulnerability scanning and penetration testing frequency
  • Update incident response documentation and strengthen recovery capabilities
  • Revise BAAs
  • Validate vendor cybersecurity posture
  • Engage leadership to align risk tolerance with funding decisions
  • Update employee training to reflect new procedures
  • Consider alignment with the NIST Cybersecurity Framework or comparable standards

In today’s heightened threat environment, cyber maturity is crucial for patient safety, care continuity, and operational resilience. Waiting until deadlines are mandatory to start preparations can raise costs, slow down implementation, and boost the risk of cyber incidents.

Proceed Confidently with HIPAA Compliance

The HIPAA Security Rule updates introduce new technical, operational, and governance requirements. Assessing your current situation and developing a clear plan helps your organization move forward confidently.

CBIZ has decades of experience helping HIPAA-covered entities achieve compliance efficiently and demonstrate robust cybersecurity. Connect with a member of our cybersecurity team to discuss how these proposed changes could impact your organization and what steps to take now.

© Copyright CBIZ, Inc. All rights reserved. Use of the material contained herein without the express written consent of the firms is prohibited by law. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein. Material contained in this publication is informational and promotional in nature and not intended to be specific financial, tax or consulting advice. Readers are advised to seek professional consultation regarding circumstances affecting their organization.

“CBIZ” is the brand name under which CBIZ CPAs P.C. and CBIZ, Inc. and its subsidiaries, including CBIZ Advisors, LLC, provide professional services. CBIZ CPAs P.C. and CBIZ, Inc. (and its subsidiaries) practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations, and professional standards. CBIZ CPAs P.C. is a licensed independent CPA firm that provides attest services to its clients. CBIZ, Inc. and its subsidiary entities provide tax, advisory, and consulting services to their clients. CBIZ, Inc. and its subsidiary entities are not licensed CPA firms and, therefore, cannot provide attest services.
