Critical HIPAA Updates for 2026

HIPAA updates for 2026 - Corsica Technologies

HIPAA requirements are changing again in 2026. Some requirements have already been finalized with compliance deadlines in 2026. Other changes are on the agenda for HHS to approve in 2026, with compliance deadlines not yet finalized.

If you have a managed service provider for healthcare, your provider can help you understand the changes.

Either way, there’s a lot to know.

So what’s definitely changing?

What’s likely to change?

Here’s everything you need to know to achieve and maintain HIPAA compliance in 2026.

Key takeaways:

  • Covered entities must publish their new NPPs (Notices of Privacy Practices) by February 16, 2026.
  • HHS will significantly overhaul the Security Rule in 2026, with likely changes affecting HIPAA cybersecurity requirements.
  • Covered entities should start preparing to meet the new requirements now, as some may create significant changes to operational processes and technology environments.

What rules are being added to HIPAA in 2026?

Significant changes are coming to HIPAA in 2026. Some changes will require compliance in calendar year 2026, while others will be finalized in 2026 with compliance dates not yet determined.

Here’s a high-level overview of the 2026 changes to HIPAA.

  • New privacy practice requirements (required by 2/16/26)
  • Overhauled Security Rule (finalization expected May 2026)
  • Mandatory MFA (multifactor authentication)
  • Mandatory encryption of ePHI (electronic Protected Health Information)
  • Mandatory audits, vulnerability scans, penetration tests, and more

We’ll unpack each of these below.

How are HIPAA privacy notice requirements changing in 2026?

By February 16, 2026, all NPPs (Notices of Privacy Practices) must be revised to explain patients’ rights. These new NPPs must explain to patients how their personal information is protected in compliance with the updated HIPAA Privacy Rule that was finalized in April 2024.

HIPAA Security Rule changes in 2026

What changes are coming to the HIPAA Security Rule in 2026?

The HIPAA Security Rule has remained largely unchanged since its introduction in 2003, with the last formal update occurring in 2013. HHS released a Notice of Proposed Rulemaking (NPRM) on December 27, 2024 that would significantly revise the Security Rule. The intent is to release a modernized version of the Security Rule that offers better protection for ePHI (electronic protected health information).

HHS plans to finalize the new Security Rule in May 2026. Required compliance dates will likely be set at that time.

These changes have significant implications for the policies, operations, and cybersecurity controls of covered entities. In a nutshell, the new Security Rule will revolutionize HIPAA cybersecurity requirements.

Here are the new requirements that HHS is expected to include in the rule.

1. Removal of “required” vs “addressable” distinctions.

The revised rule would eliminate the longstanding flexibility that allowed entities to treat certain safeguards as “addressable.” Nearly all implementation specifications would become mandatory, with only narrow exceptions remaining.

2. Mandatory written documentation

To improve auditability and enforcement, the revised rule would require entities to maintain comprehensive written documentation of the following information and processes.

  • Policies and procedures relating to the HIPAA Security Rule
  • Plans relating to the Security Rule
  • Analyses and compliance activities

3. Technology asset inventory and network mapping

The revised rule would require organizations to:

  • Maintain a technology asset inventory
  • Create and update a network map showing how ePHI moves throughout the entity’s systems
  • Update both the map and the inventory annually, or when system changes affect ePHI

4. Formal compliance audit every 12 months

The revised rule would require covered entities to conduct a formal compliance audit every twelve months. Business associates (BAs) would be required to share results with all their covered-entity clients. This new requirement will place HIPAA compliance under the microscope for every covered entity.

5. More stringent cybersecurity requirements

The revised rule would introduce tighter requirements for cybersecurity and information security.

  • MFA (multifactor authentication) required for all system access, whether remote or onsite.
  • Role-based access controls would be required.
  • Automatic session timeouts would be required.
  • Revocation of system access within one hour of workforce termination would be required.
  • Encryption of ePHI in transit and at rest would be required rather than “addressable.”
  • A 24-hour incident reporting timeline would now be required.
  • A written incident response plan, along with annual incident response testing, would now be required.
  • Covered entities would be required to demonstrate the capability to restore critical systems within 72 hours of an incident.
  • NIST-aligned security practices would now be required.
  • Vulnerability scans would be required every six months.
  • Penetration testing would be required once a year.

6. Enhanced requirements to BAAs (business associate agreements)

The revised rule would require more specific language in BAAs (business associate agreements), eliminating the ability of covered entities to use certain types of blanket statements. BAAs would have to specify all of the new cybersecurity requirements, including MFA, data encryption, incident reporting timeline, vulnerability scanning requirements, penetration testing requirements, and so on.

7. Expanded and more detailed risk assessments

The revised rule would require risk assessments to be more detailed, thoroughly documented, conducted every 12 months, and designed to drive actionable security improvements. Aligning with the NIST Cybersecurity Framework may help covered entities achieve compliance more efficiently and consistently.

How can covered entities comply with HIPAA regulations?

How can covered entities comply with new HIPAA regulations in 2026?

Covered entities need to first understand how HIPAA is changing, then implement changes to their processes, systems, and cybersecurity controls to achieve and maintain compliance. Here’s an overview of what companies can do to comply with HIPAA in 2026.

1. Meet updated Security Rule requirements (major overhaul)

  • Implement mandatory multi-factor authentication (MFA)
  • Encrypt ePHI at rest and in transit
  • Maintain detailed asset inventories
  • Conduct ongoing, documented risk analyses
  • Strengthen logging, monitoring, and incident response
  • Update backup and disaster recovery processes

2. Update policies and documentation (required for all Security Rule components)

  • Maintain documented policies for every Security Rule standard
  • Retire the distinction between “required” and “addressable” safeguards (all become required except limited exceptions)
  • Document network maps showing ePHI flows (updated at least annually or after environmental/operational changes)

3. Comply with new reproductive health privacy rules

  • Revise Notices of Privacy Practices (NPPs) by Feb 16, 2026
  • Require signed attestations for certain PHI disclosures
  • Train staff on new routing and review workflows

4. Implement changes to 42 CFR Part 2 (substance use disorder data alignment)

  • Update NPPs, consent forms, BAAs, and internal procedures to reflect new disclosure rules
  • Identify and segment all SUD-related data across EHRs, billing systems, and third-party tools
  • Ensure minimal necessary access and redisclosure restrictions remain in place

5. Prepare for interoperability and access enhancements (emerging)

HIPAA changes in 2026 emphasize operational compliance, which means embedding privacy and security into daily workflows. For covered entities, this will most likely mean:

  • Strengthened patient access processes
  • Improved cross-system interoperability
  • Documentation to demonstrate real-world compliance, not just paperwork

6. Plan for shorter breach reporting expectations (if final rule passes)

Proposed changes include 24-hour breach reporting requirements for business associates. If the final rule passes, covered entities must:

  • Update BAAs with new timelines
  • Implement rapid-detection tools
  • Establish immediate internal escalation procedures

What are the best cybersecurity services for healthcare organizations that ensure HIPAA compliance?

The exact answer will depend on what cybersecurity capabilities the organization has on staff—and what functions must be covered by a managed service provider. That said, here are the most common services that Corsica Technologies clients use in the healthcare sector. Many of these overlap each other.

  • HIPAA cybersecurity compliance consulting
  • Identity and access management
  • MDR (managed detection and response)
  • SOCaaS (security operations center as a service)
  • DLP (data loss prevention)
  • Managed network security
  • Managed cloud services, including security
  • Zero-trust network design

The takeaway: Get the support you need to comply with HIPAA in 2026

HIPAA compliance is only getting more complex in 2026, which increases the burden on covered entities to achieve and maintain compliance. If you need additional expertise and bandwidth, Corsica Technologies is here to help. Our cybersecurity team maintains deep expertise in HIPAA, and we’ve helped 1,000+ companies achieve their goals with technology. Contact us today, and let’s take your next step.

Want to learn more about HIPAA compliance in 2026?

Reach out to schedule a consultation with our HIPAA cybersecurity specialists.

Ross Filipek
Ross Filipek is Corsica Technologies’ CISO. He has more than 20 years’ experience in the managed cyber security services industry as both an engineer and a consultant. In addition to leading Corsica’s efforts to manage cyber risk, he provides vCISO consulting services for many of Corsica’s clients. Ross has achieved recognition as a Cisco Certified Internetwork Expert (CCIE #18994; Security track) and an ISC2 Certified Information Systems Security Professional (CISSP). He has also earned an MBA degree from the University of Notre Dame.
