On December 27, 2024, HHS published a Notice of Proposed Rulemaking that would make the most significant changes to the HIPAA Security Rule since the original rule was finalized in 2003. The NPRM is scheduled to become final in May 2026, with a 180-day compliance window after publication — meaning covered entities and business associates will need to meet the new requirements by late 2026 or early 2027.
The headline change: the end of "addressable" implementation specifications. Under the current Security Rule, certain safeguards like encryption of ePHI at rest and multi-factor authentication are technically optional — you can skip them if you document a reasonable alternative. The proposed rule eliminates that flexibility. If finalized, virtually every Security Rule requirement becomes mandatory with no opt-out.
That's significant. But it doesn't mean current requirements aren't already a serious compliance burden. This guide covers everything you need to meet now, what's changing, and how to verify your documentation holds up before a regulator checks it for you.
The 2026 Security Rule overhaul hasn't finalized yet — current requirements still apply. But organizations that have been treating encryption, MFA, and penetration testing as optional should start planning to implement these controls now. Retrofitting after a final rule drops is harder than building them in during the compliance window.
Who HIPAA applies to
HIPAA covers two categories of entities. Covered entities are healthcare providers that conduct standard electronic transactions (billing, eligibility verification, etc.), health plans (including employer-sponsored plans above 50 employees), and healthcare clearinghouses. If you're a hospital, physician's office, dental practice, pharmacy, health insurer, or HMO, you're almost certainly a covered entity.
A business associate is any vendor or contractor that creates, receives, maintains, or transmits protected health information on behalf of a covered entity. This is broader than most people assume. It includes EHR and practice management software companies, medical billing services, cloud storage providers hosting patient data, IT support firms with access to clinical systems, transcription services, data analytics firms processing clinical outcomes, and many SaaS platforms embedded in healthcare workflows.
Business associates must comply with the Security Rule directly — not just via contractual obligations. An OCR audit can target a business associate just as readily as a hospital. The proposed 2026 rule tightens BA obligations further, including a new 24-hour requirement for business associates to report security incidents to covered entities.
HIPAA Privacy Rule requirements
The Privacy Rule governs how protected health information can be used and disclosed. PHI is any individually identifiable health information held or transmitted by a covered entity or business associate — diagnoses, treatment records, billing information, anything that connects an individual to their health data.
Required written policies and documentation
The Privacy Rule doesn't just require good practices — it requires those practices to be documented in writing and kept current. The specific documentation you must maintain:
- Notice of Privacy Practices (NPP): The patient-facing document explaining how your organization uses and discloses PHI. Must be provided to patients at first service delivery and posted in your facility and on your website. The February 16, 2026 deadline for 42 CFR Part 2 compliance required updates to NPPs for any organization handling substance use disorder records.
- Written Privacy Policies: Internal policies covering minimum necessary use, PHI disclosure procedures, patient rights, and workforce training requirements.
- Business Associate Agreements: Written contracts with every vendor that handles PHI on your behalf. Missing BAAs are one of the most consistent findings in OCR enforcement actions.
- Accounting of disclosures: Records of PHI disclosures made for purposes other than treatment, payment, and healthcare operations.
- Privacy Officer designation: Documentation identifying a named individual responsible for developing and implementing privacy policies.
Patient rights under the Privacy Rule
Patients have specific enforceable rights that your policies must address: the right to access their own PHI (and receive it in their requested format), the right to request corrections, the right to restrict certain uses and disclosures, the right to receive an accounting of disclosures, and the right to file complaints with OCR.
Your NPP must explain each of these rights and how to exercise them. Policies that describe rights vaguely — "patients may request access to their records" without explaining how — don't satisfy the requirement.
Check your HIPAA documentation for free
PolicyAudit scans your privacy notices, security policies, risk analyses, and BAAs against HIPAA's Privacy and Security Rule requirements. Find the gaps in minutes — not after an OCR investigation. Free tier covers up to 3 documents.
Scan your HIPAA policies free →
HIPAA Security Rule requirements
The Security Rule applies specifically to electronic PHI — ePHI. It requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect ePHI confidentiality, integrity, and availability.
Administrative safeguards
Administrative safeguards are the policies and procedures that govern your workforce and operations. These are the areas where OCR most frequently finds deficiencies:
Security Risk Analysis — 45 CFR §164.308(a)(1)
A documented assessment of the risks and vulnerabilities to ePHI in your environment. This is the single most commonly cited deficiency in OCR enforcement settlements. The requirement isn't just to have a risk analysis document — it must identify specific threats and vulnerabilities, assess the likelihood and impact of each, and document the resulting risk levels.
A list of threats is not a risk analysis. A generic template with your organization's name at the top isn't either. OCR's guidance is explicit about what a valid risk analysis contains.
2026 update: OCR's current enforcement initiative explicitly separates risk analysis from risk management. You must now document both — an incomplete risk management plan (showing how you're addressing identified risks) is independently enforceable.
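The elements above (a named threat and vulnerability, a likelihood and impact rating, the resulting risk level, and a documented risk-management action) can be checked mechanically before an auditor does it for you. The script below is an added example, not code from the article or from PolicyAudit: it validates a risk register and flags entries that are really just a list of threats, entries whose stated risk level disagrees with their own likelihood and impact ratings, and non-low risks with no documented treatment or owner. The field names, the three-point scales, and the likelihood-times-impact matrix are assumptions for illustration, and the sample register is constructed.

```python
"""Validate a HIPAA risk-analysis register against the elements OCR expects.

Added example (not from the original article or from PolicyAudit). Field names,
scales and the risk matrix below are assumptions; the sample register is constructed.
"""

# Three-point qualitative scales for likelihood and impact (assumed).
SCALE = {"low": 1, "medium": 2, "high": 3}

# Fields every entry must carry to count as an analysis rather than a threat list.
REQUIRED = ("asset", "threat", "vulnerability", "likelihood", "impact")


def risk_level(likelihood: str, impact: str) -> str:
    """Map likelihood x impact to a qualitative risk level (assumed 3x3 matrix)."""
    score = SCALE[likelihood] * SCALE[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def validate_entry(entry: dict) -> list[str]:
    """Return findings for one register entry; an empty list means it is acceptable."""
    findings = []
    for key in REQUIRED:
        if not entry.get(key):
            findings.append(f"missing {key}")
    for key in ("likelihood", "impact"):
        value = entry.get(key)
        if value and value not in SCALE:
            findings.append(f"{key} must be one of {sorted(SCALE)}, got {value!r}")
    if findings:
        return findings
    # Documented risk level must follow from the documented likelihood and impact.
    expected = risk_level(entry["likelihood"], entry["impact"])
    if entry.get("risk_level") != expected:
        findings.append(f"risk_level should be {expected!r}, got {entry.get('risk_level')!r}")
    # Risk management: a non-low risk needs a documented treatment decision and an owner.
    if expected != "low" and not (entry.get("treatment") and entry.get("owner")):
        findings.append("no documented risk-management action/owner for a non-low risk")
    return findings


def validate_register(register: list[dict]) -> dict[str, list[str]]:
    """Map each deficient entry's id to its findings; clean entries are omitted."""
    report = {}
    for index, entry in enumerate(register):
        findings = validate_entry(entry)
        if findings:
            report[entry.get("id", f"entry-{index}")] = findings
    return report


# Constructed sample register: one complete entry, one bare "threat list" entry,
# and one whose stated risk level contradicts its ratings and has no treatment plan.
SAMPLE_REGISTER = [
    {"id": "R1", "asset": "EHR database", "threat": "ransomware",
     "vulnerability": "unpatched database host", "likelihood": "high", "impact": "high",
     "risk_level": "high", "treatment": "patch within 30 days; offline immutable backups",
     "owner": "IT Director"},
    {"id": "R2", "asset": "billing laptops", "threat": "device theft"},
    {"id": "R3", "asset": "patient portal", "threat": "credential stuffing",
     "vulnerability": "no MFA on logins", "likelihood": "high", "impact": "medium",
     "risk_level": "low"},
]

if __name__ == "__main__":
    for risk_id, findings in validate_register(SAMPLE_REGISTER).items():
        print(f"{risk_id}: " + "; ".join(findings))
```

Run against a real register exported as a list of dictionaries, the report lists exactly what an investigator would ask about: R2 is the "list of threats" case, and R3 is the case where a risk analysis exists on paper but the risk management plan does not.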
Workforce Training — 45 CFR §164.308(a)(5)
All workforce members who handle ePHI must receive security training. The training must cover malicious software protection, log-in monitoring, and password management at minimum. Equally important: you must document that training occurred, who received it, and when. Workforce training that isn't documented might as well not have happened from an audit perspective.
Contingency Plan — 45 CFR §164.308(a)(7)
Written procedures for responding to emergencies that damage systems containing ePHI. This includes a data backup plan, a disaster recovery plan, an emergency mode operations plan, and a testing and revision procedure. Organizations that have backups but no documented recovery procedures — or that have documentation that's never been tested — have a compliance gap here.
2026 update: The proposed rule requires incident response plans to be tested at least once per year, with documented results.
Physical safeguards
Physical safeguards cover facility access controls, workstation use policies, and device and media controls. The core requirements: documented facility access procedures, workstation use policies specifying what functions can be performed on workstations containing ePHI, and procedures for disposing of hardware and media that contained ePHI.
Physical safeguard gaps are less common in enforcement cases but can compound other findings. An organization that fails a risk analysis audit and also can't produce documented workstation security policies has a harder time arguing it has a functioning compliance program.
Technical safeguards — current requirements
Technical safeguards are the controls built into your systems. The current rule requires:
| Requirement | Status (Current) | Status (Proposed 2026) |
|---|---|---|
| Access controls (unique user IDs, automatic logoff) | Required | Required |
| Audit controls (hardware/software activity logs) | Required | Required |
| Integrity controls (verify ePHI hasn't been improperly altered) | Required | Required |
| Encryption of ePHI at rest | Addressable | Mandatory |
| Encryption of ePHI in transit | Addressable | Mandatory |
| Multi-factor authentication | Addressable | Mandatory |
| Vulnerability scanning (every 6 months) | Not specified | New requirement |
| Penetration testing (annually) | Not specified | New requirement |
| Technology asset inventory and network map | Not specified | New requirement |
The "addressable" column matters. If your current security policy documentation says something like "we have evaluated encryption and determined that our existing access controls provide equivalent protection," that document will not satisfy the proposed new rule. You're better off starting the implementation of encryption and MFA now rather than waiting for the final rule to force the issue.
HIPAA Breach Notification Rule requirements
The Breach Notification Rule requires covered entities and business associates to notify affected individuals, HHS, and in some cases the media following a breach of unsecured PHI. The key timelines:
- Individuals: Written notification within 60 days of discovering the breach
- HHS: Breaches affecting 500 or more individuals in a state must be reported within 60 days. Smaller breaches can be logged and reported annually.
- Media: Breaches affecting 500 or more residents of a state or jurisdiction require notification to "prominent media outlets" in that area
- Business associates to covered entities: Must report to the covered entity without unreasonable delay and within 60 days of discovery. The proposed 2026 rule tightens this to 24 hours.
Having breach notification procedures documented before a breach occurs isn't just good practice — it's required. Your procedures need to specify who makes the determination that a breach occurred, who drafts the notifications, who approves them, and who is responsible for each reporting timeline. A policy that says "we will notify individuals within 60 days" without naming responsible parties won't stand up to scrutiny after an actual incident.
What to check in your existing documentation right now
If you're a covered entity or business associate and haven't reviewed your HIPAA documentation recently, these are the highest-priority areas to check:
Your risk analysis. Pull it out and look at whether it contains likelihood and impact assessments for each identified risk. If it's a list of threats without quantitative or qualitative assessments, it needs to be redone. OCR has settled dozens of cases where the organization had a document labeled "risk analysis" that didn't meet the regulatory standard.
Your Notice of Privacy Practices. Check the publication date. If your organization handles substance use disorder records, verify your NPP addresses the updated Part 2 requirements that took effect February 16, 2026. If you last updated your NPP before the 2024 reproductive health privacy rule changes, it needs a review.
Your BAA inventory. Match every vendor with access to PHI against your contracts. Look specifically for BAAs that haven't been reviewed since 2013 (when the Omnibus Rule updated the required provisions) — many of these are missing breach reporting obligations that are now required.
Your security policies for the "addressable" controls. If you're currently documenting alternatives to encryption or MFA, identify the gap between what you have and what the proposed rule will require. It's a smaller project to fill that gap now than to do it under a compliance deadline.
The fastest way to identify documentation gaps across all of these areas is to run your policies through a compliance checker. PolicyAudit scans your uploaded documents against HIPAA Privacy and Security Rule requirements and outputs a specific gap report — missing elements, vague language that won't satisfy auditors, and outdated provisions. If you haven't done a systematic documentation review recently, that's the starting point. The HIPAA compliance checker guide covers the practical details of running that scan.
HIPAA penalties: what non-compliance actually costs
OCR penalties are tiered by culpability. The current penalty ranges (adjusted annually for inflation):
- Tier 1 — Did not know: $141 to $71,162 per violation
- Tier 2 — Reasonable cause: $1,424 to $71,162 per violation
- Tier 3 — Willful neglect, corrected: $14,246 to $71,162 per violation
- Tier 4 — Willful neglect, not corrected: $71,162 to $2,134,831 per violation category per year
The financial penalties are one part of the cost. OCR settlements almost always include corrective action plans — typically two to three years of OCR monitoring, required policy rewrites, mandatory workforce training, and regular reporting to OCR on compliance status. That operational burden is often more disruptive than the fine itself, particularly for smaller providers and business associates.
OCR's current enforcement priorities include risk analysis deficiencies, risk management documentation, and right of access violations (where organizations delay or deny patient requests for their own records). These are the areas most likely to generate an investigation — and most likely to result in a settlement if your documentation doesn't hold up.
See where your HIPAA documentation stands
PolicyAudit checks your privacy notices, security policies, and BAAs against HIPAA requirements and outputs a specific gap report. Upload a document and find out in under a minute what's missing. Free for up to 3 documents — no credit card required.
Check your HIPAA policies free →