“Corsica is a one-stop shop for us. If I have a problem, I can go to my vCIO or a number of people, and you take care of it. That’s an investment in mutual success.”
It takes dedicated experience to use technology strategically in your industry. That’s why we specialize in certain verticals while offering comprehensive technology services.
Cybersecurity, Healthcare IT Support, HIPAA Compliance
Last updated February 16, 2026.
HIPAA requirements are changing again in 2026. Some requirements have already been finalized with compliance deadlines in 2026. Other changes are on the agenda for HHS to approve in 2026, with compliance deadlines not yet finalized.
Here’s everything you need to know to achieve and maintain HIPAA compliance in 2026.
Key takeaways:
Covered entities must publish their new NPPs (Notices of Privacy Practices) by February 16, 2026.
HHS will significantly overhaul the Security Rule in 2026, with likely changes affecting HIPAA cybersecurity requirements.
Covered entities should start preparing to meet the new requirements now, as some may create significant changes to operational processes and technology environments.
If you're a leader in the healthcare industry, you know that the landscape of compliance is constantly evolving. But the changes coming to HIPAA in 2026 are some of the most significant we've seen in years. The February 16th deadline for updating your notice of privacy practices is just the beginning. A wave of new requirements is on the horizon, and being unprepared is a risk you can't afford to take. So what's changing? The proposed updates to the HIPAA security rule are focused on strengthening your defenses against modern cyber threats. We're talking about a much higher standard for your security program. This includes mandatory multi factor authentication. It will no longer be optional. Every user accessing your systems will need it. Comprehensive asset inventories. You'll need a complete up to date inventory of every single device on your network, from servers to medical devices and even staff cell phones. Enhanced risk management. The expectation for how you identify, assess, and mitigate risk is becoming far more rigorous. Faster incident response. Your ability to respond to and recover from a breach will be under greater scrutiny than ever before. For many organizations, these new requirements can feel overwhelming. How do you implement these changes while still managing the day to day demands of your practice? The truth is many traditional managed service providers or MSPs aren't equipped to handle this new reality. They often treat cybersecurity as an afterthought, outsourcing it to a third party. They fix problems as they arise, but they don't provide the strategic forward-looking guidance you need to stay ahead of the curve. This leaves you with a fragmented, reactive approach to security and compliance, creating dangerous gaps that put your patients and your practice at risk. At Corsica Technologies, we do things differently. We believe you deserve more than just a vendor. You deserve a true technology partner. We've built our entire service model around providing the comprehensive, holistic support that health care organizations need. Our cybersecurity experts are in house, working side by side with our IT team to provide a unified security posture. Every client receives a dedicated virtual CIO or vCIO to help you build a three-year technology road map. This ensures your technology strategy aligns with your business goals and that you're always prepared for what's next. And we stand by our work with a cybersecurity service guarantee, giving you the peace of mind that if an incident does occur, we have the expertise and resources to manage it from containment to recovery. The 2026 HIPAA updates are a challenge, but they're also an opportunity, an opportunity to build a stronger, more resilient organization. Don't wait until it's too late. Let us help you navigate this transition with confidence. Schedule your complimentary HIPAA 2026 readiness assessment today. Let's build a secure and compliant future for your practice together.
What rules are being added to HIPAA in 2026?
Significant changes are coming to HIPAA in 2026. Some changes will require compliance in calendar year 2026, while others will be finalized in 2026 with compliance dates not yet determined.
Here’s a high-level overview of the 2026 changes to HIPAA.
New privacy practice requirements (required by 2/16/26)
Overhauled Security Rule (finalization expected May 2026)
Mandatory MFA (multifactor authentication)
Mandatory encryption of ePHI (electronic Protected Health Information)
Mandatory audits, vulnerability scans, penetration tests, and more
We’ll unpack each of these below.
How are HIPAA privacy notice requirements changing in 2026?
By February 16, 2026, all NPPs (Notices of Privacy Practices) must be revised to explain patients’ rights. These new NPPs must explain to patients how their personal information is protected in compliance with the updated HIPAA Privacy Rule that was finalized in April 2024.
What changes are coming to the HIPAA Security Rule in 2026?
The HIPAA Security Rule has remained largely unchanged since its introduction in 2003, with the last formal update occurring in 2013. HHS released a Notice of Proposed Rulemaking (NPRM) on December 27, 2024 that would significantly revise the Security Rule. The intent is to release a modernized version of the Security Rule that offers better protection for ePHI (electronic protected health information).
HHS plans to finalize the new Security Rule in May 2026. Required compliance dates will likely be set at that time.
These changes have significant implications for the policies, operations, and cybersecurity controls of covered entities. In a nutshell, the new Security Rule will revolutionize HIPAA cybersecurity requirements.
Here are the new requirements that HHS is expected to include in the rule.
1. Removal of “required” vs “addressable” distinctions.
The revised rule would eliminate the longstanding flexibility that allowed entities to treat certain safeguards as “addressable.” Nearly all implementation specifications would become mandatory, with only narrow exceptions remaining.
2. Mandatory written documentation
To improve auditability and enforcement, the revised rule would require entities to maintain comprehensive written documentation of the following information and processes.
Policies and procedures relating to the HIPAA Security Rule
Plans relating to the Security Rule
Analyses and compliance activities
3. Technology asset inventory and network mapping
The revised rule would require organizations to:
Maintain a technology asset inventory
Create and update a network map showing how ePHI moves throughout the entity’s systems
Update both the map and the inventory annually, or when system changes affect ePHI
4. Formal compliance audit every 12 months
The revised rule would require covered entities to conduct a formal compliance audit every twelve months. Business associates (BAs) would be required to share results with all their covered-entity clients. This new requirement will place HIPAA compliance under the microscope for every covered entity.
5. More stringent cybersecurity requirements
The revised rule would introduce tighter requirements for cybersecurity and information security.
MFA (multifactor authentication) required for all system access, whether remote or onsite.
Role-based access controls would be required.
Automatic session timeouts would be required.
Revocation of system access within one hour of workforce termination would be required.
Encryption of ePHI in transit and at rest would be required rather than “addressable.”
A 24-hour incident reporting timeline would now be required.
A written incident response plan, along with annual incident response testing, would now be required.
Covered entities would be required to demonstrate the capability to restore critical systems within 72 hours of an incident.
NIST-aligned security practices would now be required.
Vulnerability scans would be required every six months.
Penetration testing would be required once a year.
6. Enhanced requirements to BAAs (business associate agreements)
The revised rule would require more specific language in BAAs (business associate agreements), eliminating the ability of covered entities to use certain types of blanket statements. BAAs would have to specify all of the new cybersecurity requirements, including MFA, data encryption, incident reporting timeline, vulnerability scanning requirements, penetration testing requirements, and so on.
7. Expanded and more detailed risk assessments
The revised rule would require risk assessments to be more detailed, thoroughly documented, conducted every 12 months, and designed to drive actionable security improvements. Aligning with the NIST Cybersecurity Framework may help covered entities achieve compliance more efficiently and consistently.
How can covered entities comply with new HIPAA regulations in 2026?
Covered entities need to first understand how HIPAA is changing, then implement changes to their processes, systems, and cybersecurity controls to achieve and maintain compliance. Here’s an overview of what companies can do to comply with HIPAA in 2026.
Strengthen logging, monitoring, and incident response
Update backup and disaster recovery processes
2. Update policies and documentation (required for all Security Rule components)
Maintain documented policies for every Security Rule standard
Retire the distinction between “required” and “addressable” safeguards (all become required except limited exceptions)
Document network maps showing ePHI flows (updated at least annually or after environmental/operational changes)
3. Comply with new reproductive health privacy rules
Revise Notices of Privacy Practices (NPPs) by Feb 16, 2026
Require signed attestations for certain PHI disclosures
Train staff on new routing and review workflows
4. Implement changes to 42 CFR Part 2 (substance use disorder data alignment)
Update NPPs, consent forms, BAAs, and internal procedures to reflect new disclosure rules
Identify and segment all SUD-related data across EHRs, billing systems, and third-party tools
Ensure minimal necessary access and redisclosure restrictions remain in place
5. Prepare for interoperability and access enhancements (emerging)
HIPAA changes in 2026 emphasize operational compliance, which means embedding privacy and security into daily workflows. For covered entities, this will most likely mean:
Strengthened patient access processes
Improved cross‑system interoperability
Documentation to demonstrate real‑world compliance, not just paperwork
6. Plan for shorter breach reporting expectations (if final rule passes)
Proposed changes include 24‑hour breach reporting requirements for business associates. If the final rule passes, covered entities must:
What are the best cybersecurity services for healthcare organizations that ensure HIPAA compliance?
The exact answer will depend on what cybersecurity capabilities the organization has on staff—and what functions must be covered by a managed service provider. That said, here are the most common services that Corsica Technologies clients use in the healthcare sector. Many of these overlap each other.
HIPAA cybersecurity compliance consulting
Identity and access management
MDR (managed detection and response)
SOCaaS (SOC, i.e. security operations center, as a service)
DLP (data loss prevention)
Managed network security
Managed cloud services, including security
Zero-trust network design
The takeaway: Get the support you need to comply with HIPAA in 2026
HIPAA compliance is only getting more complex in 2026, which increases the burden on covered entities to achieve and maintain compliance. If you need additional expertise and bandwidth, Corsica Technologies is here to help. Our cybersecurity team maintains deep expertise in HIPAA, and we’ve helped 1,000+ companies achieve their goals with technology. Contact us today, and let’s take your next step.
About
Ross Filipek
Ross Filipek is Corsica Technologies’ CISO. He has more than 20 years’ experience in the managed cyber security services industry as both an engineer and a consultant. In addition to leading Corsica’s efforts to manage cyber risk, he provides vCISO consulting services for many of Corsica’s clients. Ross has achieved recognition as a Cisco Certified Internetwork Expert (CCIE #18994; Security track) and an ISC2 Certified Information Systems Security Professional (CISSP). He has also earned an MBA degree from the University of Notre Dame.
Ready to take your next step?
Contact us today to get the outside perspective you need for the next step on your journey.
