The proposed 2026 HIPAA Security Rule updates represent the most significant change to the regulation since it was first enacted. HHS published the Notice of Proposed Rulemaking in January 2024, and finalization is expected in 2026. If you handle electronic protected health information — as a covered entity or a business associate — you need to understand what is changing and act before the compliance deadline arrives.
I have spent 16 years building and operating HIPAA compliance programs at scale. Most of what I have seen over that time is organizations treating the Security Rule as a documentation exercise. The 2026 updates make that approach untenable. These changes have teeth.
What is actually changing
The headline change is the elimination of the "addressable" designation for a core set of technical safeguards. Under the current rule, certain controls are "required" and others are "addressable" — meaning an organization can document a rationale for not implementing them. That flexibility was always narrower than most organizations believed, but the 2026 update removes it entirely for the most critical controls.
Change 1 — Encryption
Current rule: Addressable (implement if reasonable and appropriate)
2026 update: Required. Encryption of ePHI at rest and in transit, no exceptions
Change 2 — Multi-Factor Authentication
Current rule: Addressable (implement if reasonable and appropriate)
2026 update: Required. MFA for all systems that access or transmit ePHI
Change 3 — Asset Inventory
Current rule: Implied by risk analysis requirements, rarely documented
2026 update: Required. Annual written inventory of all technology assets that touch ePHI
Change 4 — Breach Notification
Current rule: 60 days to notify HHS of a breach
2026 update: 72 hours to notify HHS — consistent with other federal frameworks
Change 5 — Network Segmentation
Current rule: Not explicitly addressed
2026 update: Required. Network segmentation for systems that contain ePHI
There are additional changes to workforce training requirements, business associate oversight obligations, and contingency planning. But these five are the ones that will require the most immediate operational action for most organizations.
Why this matters more for Business Associates than covered entities
Large health systems and health plans have compliance programs and internal GRC teams. They will adapt. The organizations that are genuinely underprepared are the business associates — the healthcare SaaS companies, medical billing vendors, telehealth platforms, and AI companies that handle ePHI on behalf of covered entities.
Most Business Associates I work with believe they are compliant because they have a BAA in place and completed a security questionnaire. That is not compliance. That is paperwork.
Here is the reality for most Business Associates right now: encryption is inconsistent across their environments, MFA is deployed on some systems but not all, they have no formal asset inventory, and their incident response plan has never been tested against a 72-hour notification window. The 2026 updates will expose all of these gaps simultaneously.
The risk is not just regulatory. Health systems are increasingly requiring their business associates to demonstrate compliance before contract renewal. I have seen deals delayed and lost because a vendor could not produce a current HIPAA Security Risk Assessment. That friction is about to increase significantly.
The SRA trigger
A material change to the regulatory environment triggers a requirement to update your HIPAA Security Risk Assessment. The 2026 Security Rule updates are a material regulatory change. That means every covered entity and business associate that has not completed a current SRA needs one now — not after finalization, now.
This is not a technicality. The OCR has been consistent in resolution agreements: organizations that waited for enforcement to act on known compliance gaps receive significantly less favorable treatment than those who identified and began remediating gaps proactively. Documented good-faith effort matters.
What to do before finalization
The practical checklist is straightforward, even if the work is not:
- Complete or refresh your HIPAA SRA. The 2026 regulatory change is a trigger. If your last SRA was more than 12 months ago, or if it predates your current technology environment, it does not reflect your actual risk posture.
- Audit your encryption posture. Map every system that stores or transmits ePHI. Identify gaps in encryption at rest and in transit. Prioritize remediation by data sensitivity and exposure.
- Audit your MFA deployment. MFA is now required — not recommended — for every system that accesses ePHI. EHR access, cloud storage, email, remote access tools, API connections. All of them.
- Build your asset inventory. This is the prerequisite for everything else. You cannot encrypt what you have not inventoried. You cannot secure what you do not know exists.
- Test your incident response timeline. 72 hours is not generous. If your breach response plan has not been tabletop-tested against that window, it has not been tested.
- Review your BAA portfolio. The 2026 updates tighten business associate oversight obligations. Your BAAs may need to be updated to reflect new requirements around subcontractors and technology vendors.
The bottom line
The 2026 HIPAA Security Rule updates are not a compliance checkbox exercise. They reflect a genuine shift in what regulators expect from organizations handling patient data. Encryption and MFA are table stakes in 2026. Any organization that cannot demonstrate both — with documented evidence — is exposed.
The organizations that will navigate this transition well are the ones that treat it as an operational discipline problem, not a paperwork problem. That means current SRAs, tested controls, documented remediation, and honest internal assessment of where the gaps actually are.
If you are a Business Associate and you are not sure where you stand, that uncertainty is itself the answer. A conversation costs nothing. The cost of not knowing — when OCR comes asking — is considerably higher.