HHS is finalizing significant modifications to the Security Rule in 2026, with compliance expected to be required 180 days after the final rule's effective date (which itself follows publication by 60 days). The proposed changes remove the flexibility that many organizations have relied on for years, eliminating the distinction between “required” and “addressable” implementation specifications so that every safeguard becomes mandatory, and adding new technical standards that will force most covered entities and business associates to overhaul their security programs.
If you manage, store, or transmit electronic protected health information (ePHI) in any capacity, the clock is ticking. Here’s exactly what’s coming, what it means for your organization, and why waiting to act is the most expensive option on the table.
The New Security Rule Requirements: What HHS Is Adding
The Notice of Proposed Rulemaking (NPRM) was published in the Federal Register on January 6, 2025. After a 60-day comment period (which closed March 7, 2025) and regulatory review, HHS aims to finalize the updated rule by mid-2026. As proposed, regulated entities would have to comply with the modified standards 180 days after the final rule's effective date, which is 60 days after publication.
So far in 2026, the existing Security Rule requirements haven’t technically changed. But the final rule is imminent, and covered entities should be examining the new requirements now and building their compliance roadmap. Waiting until the rule is published cuts your preparation time in half.
Here are the new cybersecurity requirements HHS is expected to add:
Multi-Factor Authentication (MFA)
MFA will be required for all access to systems containing ePHI, whether remote or onsite. The current rule requires person or entity authentication but does not say which factors must be used, so a password alone has been enough on paper. That option is going away. Every user accessing systems containing ePHI will need a second authentication factor, with only narrow, documented exceptions (for example, a technology asset that cannot support MFA, which must then be protected by compensating controls, or an emergency). Outside those exceptions there is no alternative justification to document.
Access Controls and Session Management
Role-based access controls will be required, meaning users only access the minimum ePHI necessary for their specific job function. Automatic session timeouts will be mandated for inactive users. And when a workforce member is terminated, their system access must be revoked within one hour. Not end of day. Not next morning. One hour.
Mandatory Encryption
Encryption of ePHI both in transit and at rest moves from “addressable” to required. Under the current rule, organizations can technically document a reason for not encrypting data and remain compliant. The updated rule eliminates that loophole. Every system, every database, every email containing ePHI must be encrypted going forward, with only narrow exceptions, such as an individual asking to receive their own ePHI in unencrypted form or a legacy system that is documented and protected by compensating controls while it is replaced.
Incident Response and Reporting
Three new mandates hit this area hard. First, written incident response procedures and plans are required, with specific content: how workforce members report suspected incidents, how the organization identifies and responds to them, and how it restores affected systems. Second, that plan must be tested annually through tabletop exercises or live simulations, with the results documented. Third, new 24-hour notification clocks apply between regulated entities: a business associate must notify the covered entity within 24 hours of activating its contingency plan, and entities must notify each other within 24 hours when a workforce member's access to their ePHI changes or ends. Note that the 60-day deadline for notifying individuals and HHS of a breach comes from the separate Breach Notification Rule, which this proposal does not shorten.
System Recovery
Covered entities must demonstrate the capability to restore critical systems within 72 hours of an incident. This isn’t about having a backup somewhere. It’s about proving, through documented testing, that your organization can actually recover operations within three days if ransomware or a system failure takes you down.
Technical Testing and NIST Alignment
The proposal draws heavily on NIST guidance and replaces general expectations with fixed cadences. Vulnerability scans must be performed at least every six months. Penetration testing must be conducted at least annually. And a compliance audit against the Security Rule must happen at least every 12 months, with documented findings and remediation plans.
Together, these changes represent the most significant expansion of HIPAA’s technical requirements in over a decade.
Why Covered Entities and Business Associates Can’t Afford to Ignore This
HIPAA applies to covered entities: health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically. But the HITECH Act of 2009 extended direct liability to business associates as well. That means IT vendors, billing companies, cloud providers, consultants, and any other organization that creates, receives, maintains, or transmits ePHI on behalf of a covered entity.
Under HITECH, business associates face the same civil and criminal penalties as covered entities for Security Rule violations. They’re directly liable for impermissible uses and disclosures, failure to provide breach notification, failure to enter into Business Associate Agreements with subcontractors, and failure to comply with applicable Security Rule provisions.
The 2026 modifications apply equally to both groups. If you’re a business associate handling ePHI, these new requirements are your problem too.
2026 Fines and Enforcement: The Numbers Are Going Up
Effective January 28, 2026, HHS applied an inflation adjustment to HIPAA violation penalties using a 1.02598 cost-of-living multiplier. The updated penalty tiers:
- Tier 1 (Lack of Knowledge): $145 to $73,011 per violation, annual cap of $2,190,294
- Tier 2 (Reasonable Cause): $1,461 to $73,011 per violation, annual cap of $2,190,294
- Tier 3 (Willful Neglect, Corrected): $14,602 to $73,011 per violation, annual cap of $2,190,294
- Tier 4 (Willful Neglect, Not Corrected): $73,011 to $2,190,294 per violation, annual cap of $2,190,294
That’s per violation. HHS can count a separate violation for each affected individual and, for ongoing failures, for each day of noncompliance, so a single data breach affecting multiple patients can generate thousands of individual violations. Do the math on a breach exposing 5,000 patient records at Tier 3 and the numbers become staggering, even with the annual cap, which applies per identical provision per calendar year, not per breach.
Beyond federal enforcement, state attorneys general have independent authority under HITECH to pursue HIPAA violations affecting their residents, with statutory damages of up to $25,000 per calendar year for violations of an identical requirement. And as of February 2026, HHS’s Office for Civil Rights also commenced enforcement of the 42 CFR Part 2 substance use disorder regulations under its newly delegated authority, expanding the scope of enforcement activity.
The enforcement posture is clear: HHS is spending more resources on compliance investigations, the penalty amounts keep climbing, and the new Security Rule will give auditors significantly more specific technical standards to measure organizations against.
What Your Organization Should Do Now
The final rule isn’t published yet. But the requirements are clear enough from the NPRM that organizations can and should start preparing today. Every month of preparation now reduces the compliance scramble once the 180-day clock begins.
- Conduct a gap assessment against the proposed requirements. Map your current security controls against each new mandate. Where do you have MFA deployed? Where don’t you? Is your encryption covering data at rest, or only in transit? Can you actually revoke access within an hour?
- Implement MFA across all ePHI systems immediately. This is coming regardless, and it’s one of the highest-impact security controls you can deploy. Don’t wait for the final rule to start rolling it out.
- Develop or update your incident response plan. Document the plan, assign roles, establish communication protocols, and schedule your first tabletop exercise. The new rule requires annual testing, so build that cadence now.
- Test your backup and recovery capability. Can you restore critical systems within 72 hours? Run a recovery test and find out. If you can’t meet that threshold today, you have work to do before the compliance deadline arrives.
- Review and update all Business Associate Agreements. Your BAAs need to reflect the new requirements. Every vendor touching ePHI must meet the same standards you’re being held to.
- Schedule your first vulnerability scan and penetration test. If you haven’t done these before, getting a baseline now gives you time to remediate findings before the compliance deadline hits.
The organizations that start preparing now will have a manageable transition. The ones that wait until the final rule drops will be rushing to meet a 180-day deadline while competing with every other healthcare organization for the same security resources and vendors.
CyberShieldIT Can Help You Achieve Every One of These Requirements
The modified Security Rule raises the bar significantly. But none of these requirements are impossible to meet, especially with the right partner.
CyberShieldIT works with covered entities and business associates to build security programs that meet HIPAA requirements before auditors come looking. Our services map directly to the new mandates:
- ITShield: Managed IT with role-based access controls, automatic session timeouts, and access revocation workflows built in
- CyberShield: 24/7 threat monitoring, vulnerability scanning every six months, annual penetration testing, and incident response planning
- Cloud Shield: Encrypted cloud infrastructure for ePHI at rest and in transit, with documented backup and 72-hour recovery capability
- Comm Shield: Encrypted email and communications that meet the new mandatory encryption standards
We handle the gap assessments, the technical implementation, the documentation, and the ongoing compliance monitoring. You focus on patient care while we make sure the security infrastructure holds up to the new standards.