Changes are coming to HIPAA in 2026, from the Security Rule overhaul to evolving obligations around email security, business associate compliance, and reproductive health data privacy. Whether you're a covered entity, a business associate, or a healthcare administrator, understanding what's changing and when is essential to staying compliant.
Why 2026 is a turning point
The HIPAA Security Rule is about to receive its first comprehensive overhaul since its original adoption. The existing rule was written in 2003, before cloud computing, telehealth, AI, ransomware, and connected medical devices were in widespread use.
The Department of Health and Human Services (HHS) published the Notice of Proposed Rulemaking (NPRM) for the HIPAA Security Rule update in the Federal Register on January 6, 2025, followed by a 60-day comment period. The proposed rule drew substantial industry feedback, and its direction is clear: compliance is no longer about good intentions, it's about provable, technical enforcement.
As a May 2026 article published on Healthcare Dive noted, for many healthcare organizations HIPAA compliance has historically felt complex, ambiguous, or easy to delay. That approach is becoming harder to maintain because expectations are becoming clearer, enforcement is more consistent, and organizations are expected to demonstrate real, documented protection of patient information.
Security Rule changes
The proposed Security Rule overhaul introduces several mandatory requirements that will change how organizations protect electronic protected health information (ePHI).
Covered entities and business associates would be required to maintain and annually update a technology asset inventory and network map, conduct detailed security risk analyses tied to those inventories, and enforce access controls. They would also need written procedures to restore relevant electronic information systems and data within 72 hours of a security incident.
Beyond response timelines, the required technical controls include encryption of ePHI in transit and at rest, multi-factor authentication, vulnerability scans at least every six months, annual penetration testing, and network segmentation.
One of the most notable structural shifts in the proposed rule is the elimination of the "addressable" versus "required" distinction. The existing Security Rule allows organizations to treat many safeguards as "addressable," meaning they can implement alternatives if they document justification. The NPRM proposes to remove the distinction and make nearly all implementation specifications required. Organizations will no longer be able to defer controls such as audit logging or access termination. As Healthcare Dive summarized, the 2026 updates reduce that ambiguity, creating more consistent expectations across organizations.
OCR has given a preliminary date of May 2026 for the release of the final rule, although it could be delayed. Regardless of the exact timing, the compliance window that follows finalization will arrive quickly, and according to Healthcare Dive, that window could be as short as 60 days.
System hardening
Alongside the broader Security Rule changes, OCR's January 2026 Cybersecurity Newsletter notes that system hardening is a foundational expectation for regulated entities. As OCR defines it, "system hardening is the process of customizing electronic information systems to reduce their attack surface, thus reducing the number of weaknesses and vulnerabilities that an attacker can exploit."
The newsletter adds that the Security Rule's risk analysis provision requires something more than a general review, "regulated entities must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI, this includes risks and vulnerabilities to ePHI from unpatched software." In practice, this means maintaining an up-to-date IT asset inventory, applying patches regularly, removing unneeded software and services, and enabling security measures such as multi-factor authentication, encryption, audit controls, and endpoint detection tools.
One area OCR specifically flags is default passwords. According to the newsletter, "in investigations, OCR has found well-known default passwords in use for various products such as databases, networking software, and anti-malware solutions." Organizations should audit all systems for default credentials, especially after removing legacy software, as orphaned service accounts can remain exploitable even after the software that created them is gone.
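The two checks OCR describes above, an up-to-date asset inventory and an audit for default credentials and orphaned service accounts, can be driven from the same data. The following is an added example written for this article, not code from OCR's newsletter or from Paubox. It cross-references a constructed asset inventory with a constructed export of service accounts (names, hosts, salts, and hashes are all hypothetical) to flag accounts whose owning product is no longer deployed on that host, and accounts whose stored hash matches a well-known vendor default password. The export format (salted SHA-256) is an assumption for the demo; real systems store bcrypt or argon2 hashes, but the cross-referencing technique is the same.

```python
"""Added example (not code from OCR or Paubox): an offline audit that cross-references
a technology asset inventory with an export of service accounts to flag
(1) orphaned accounts, whose owning product is no longer deployed on that host, and
(2) accounts still protected by a well-known vendor default password.
All inventory entries, account names, salts and passwords below are constructed."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceAccount:
    name: str      # account name as exported from the system
    product: str   # software that created or owns the account
    host: str      # host on which the account exists
    salt: bytes    # per-account salt stored beside the hash
    pw_hash: str   # hex SHA-256(salt || password); assumed export format for the demo


def hash_password(salt: bytes, password: str) -> str:
    """Hash a candidate password with the account's salt (matches the assumed export format)."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


# Constructed inventory: product -> hosts where it is currently deployed.
# "legacy-av" and "backup-agent" were decommissioned and no longer appear.
INVENTORY = {
    "postgres": {"db01"},
    "edge-router": {"rtr01"},
}

# Short constructed list of vendor defaults; a real audit uses each
# product's documented default credentials.
DEFAULT_PASSWORDS = ("admin", "password", "postgres", "changeme", "default")


def make_account(name: str, product: str, host: str, password: str) -> ServiceAccount:
    """Build a constructed account record the way a credential export would look."""
    salt = hashlib.sha256(name.encode("utf-8")).digest()[:8]  # deterministic for the demo
    return ServiceAccount(name, product, host, salt, hash_password(salt, password))


SAMPLE_ACCOUNTS = [
    make_account("svc_postgres", "postgres", "db01", "postgres"),          # vendor default
    make_account("router_admin", "edge-router", "rtr01", "admin"),         # vendor default
    make_account("legacy_av_svc", "legacy-av", "srv02", "Tq8!vR2#kLm9"),   # orphaned
    make_account("backup_agent", "backup-agent", "db01", "Zp4$wE7&nBx1"),  # orphaned
    make_account("app_user", "postgres", "db01", "9xQ@4mLp!sV2"),          # clean
]


def find_orphaned(accounts, inventory):
    """Accounts whose owning product is not recorded as deployed on their host."""
    return [a for a in accounts if a.host not in inventory.get(a.product, set())]


def find_default_credentials(accounts, defaults=DEFAULT_PASSWORDS):
    """Accounts whose stored hash matches one of the known default passwords."""
    hits = []
    for account in accounts:
        for candidate in defaults:
            # constant-time compare is habit; it matters more for online checks
            if hmac.compare_digest(hash_password(account.salt, candidate), account.pw_hash):
                hits.append((account, candidate))
                break
    return hits


def audit(accounts, inventory):
    """Return both findings so each can be ticketed against the asset owner."""
    return {
        "orphaned": find_orphaned(accounts, inventory),
        "default_credentials": find_default_credentials(accounts),
    }


if __name__ == "__main__":
    findings = audit(SAMPLE_ACCOUNTS, INVENTORY)
    for a in findings["orphaned"]:
        print(f"ORPHANED  {a.name} on {a.host}: product {a.product!r} not in inventory")
    for a, pw in findings["default_credentials"]:
        print(f"DEFAULT   {a.name} on {a.host}: still uses vendor default {pw!r}")
```

The orphan check is only as good as the inventory it runs against, which is the practical reason the proposed rule ties the risk analysis to an annually updated asset inventory: an account for decommissioned software is invisible to a scan that starts from what is currently installed.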
OCR is also clear that system hardening is not a one-time project. As the newsletter states, "defining, creating, and applying system hardening techniques is not a one-and-done exercise... as new threats and vulnerabilities evolve and are discovered, and attackers vary and improve their tactics, techniques, and procedures, regulated entities need to remain vigilant." The periodic review and modification of security measures is, in fact, a formal requirement under the Security Rule.
Business associate obligations
Business associates face new obligations as well. Business associates have been directly liable for Security Rule compliance since the 2013 Omnibus Rule; the proposed rule adds verification duties on top of that. It would require business associates to notify the covered entity within 24 hours of activating their contingency plans, and to verify at least annually, in writing, that they have deployed the required technical safeguards.
Covered entities would have to obtain that written verification at least annually. A signed business associate agreement alone would no longer be enough. This is a shift because the BAA has historically been the primary mechanism for managing vendor compliance, but going forward, organizations must actively verify that safeguards are in place, not just that they have been promised.
Privacy rule changes and reproductive health data
In April 2024, HHS finalized a rule to modify the HIPAA Privacy Rule to strengthen reproductive health care privacy, prohibiting the use or disclosure of PHI for investigations targeting individuals who seek, obtain, provide, or facilitate reproductive health care that is lawful under the circumstances in which it is provided. As HHS stated directly, "the Final Rule strengthens privacy protections by prohibiting the use or disclosure of protected health information (PHI) by a covered health care provider, health plan, or health care clearinghouse — or their business associate" for such purposes.
However, on June 18, 2025, the U.S. District Court for the Northern District of Texas issued an order declaring unlawful and vacating most of the HIPAA Privacy Rule to Support Reproductive Health Care Privacy. Not all provisions were struck down: according to the official HHS fact sheet, "the remaining modifications to the NPP [Notice of Privacy Practices] requirements are undisturbed and remain in effect... compliance with the remaining NPP modifications is required by February 16, 2026."
The attestation requirement, under which covered entities and business associates had to obtain a signed attestation confirming that a request for PHI potentially related to reproductive health care was not for a prohibited purpose, was among the vacated provisions and is no longer a federal mandate. As HHS explained while the rule was in force, the attestation requirement "gives a covered health care provider, health plan, or health care clearinghouse (or business associates) a way of obtaining written representations from persons requesting PHI that their requests are not for a prohibited purpose." Organizations that built attestation workflows may keep them as a voluntary safeguard, but such disclosures are once again governed by the pre-2024 Privacy Rule permissions.
The same applies to the vacated law enforcement restriction, under which covered entities and business associates were "only permitted to disclose PHI for law enforcement purposes where they suspect an individual of obtaining reproductive health care...if the covered entity or business associate is required by law to do so and all applicable conditions are met." Disclosures to law enforcement now fall back to the general Privacy Rule conditions in 45 CFR 164.512(f).
Federal regulations governing substance use disorder (SUD) patient records, known as Part 2, have operated under a separate, stricter set of privacy rules than HIPAA. A February 2024 final rule from HHS, updated January 2026, brought Part 2 closer in line with HIPAA standards, implementing confidentiality provisions of the CARES Act that "require the Department to align certain aspects of Part 2 with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules." The rule now "allows a single consent for all future uses and disclosures for treatment, payment, and health care operations," aligns Part 2 breach notification with HIPAA's Breach Notification Rule, and replaces Part 2's existing criminal penalties with "civil and criminal enforcement authorities that also apply to HIPAA violations." The compliance deadline for these changes was February 2026. If your organization handles SUD records and hasn't yet aligned with the updated requirements, you are already past the deadline.
HIPAA compliant email
According to the Paubox 2026 Healthcare Email Security Report, 170 healthcare email-related breaches were reported in 2025, and 53% of healthcare breaches occurred on Microsoft 365, up from 43% in 2024.
Under current rules and the proposed updates, achieving HIPAA compliant email requires more than simply using a "secure" provider. The security standards for HIPAA compliant email require covered entities and business associates to implement access controls, audit controls, integrity controls, ID authentication, and transmission security mechanisms in order to restrict access to PHI, monitor how PHI is communicated via email, ensure the integrity of PHI at rest, ensure 100% message accountability, and protect PHI from unauthorized access during transit.
The proposed Security Rule changes would make encryption of ePHI mandatory both in transit and at rest, and that applies to email. Under the current rule, encryption is an "addressable" safeguard, meaning organizations could document an equivalent alternative. Most organizations already encrypt mail in transit (TLS between mail servers, HTTPS for webmail), but server-to-server TLS is opportunistic unless explicitly enforced, and messages sitting in mailboxes, archives, and backups must also be encrypted at rest.
In 2026, OCR's HIPAA Security Rule overhaul is still not final, but regulators are pushing toward more explicit, measurable cybersecurity requirements, especially around protecting ePHI in transit, including email. Healthcare organizations should treat the proposal as a roadmap and tighten safeguards now.
Practically speaking, if you plan to send ePHI externally you will need to make your email HIPAA compliant. When selecting a provider, organizations should look for zero-step encryption (where all emails are encrypted automatically, not just when a user remembers to click a button) and ensure that a business associate agreement is signed with the email service provider before any PHI is transmitted.
It is now common practice to use an email service provider like Google Workspace or Microsoft 365 to host your organization's email while using a separate HIPAA compliant email service to provide additional protection, such as encryption, inbound threat protection, data loss prevention, and backups.
Learn more: Paubox: HIPAA Compliant Email
What organizations should do
Although details may change before the new HIPAA Security Rule is issued, the direction is clear and the compliance window will come quickly. Healthcare Dive noted the following as a practical starting framework for healthcare leaders:
- Confirm your role under HIPAA (covered entity vs. business associate)
- Conduct a comprehensive HIPAA risk analysis
- Document policies, procedures, and current safeguards
- Address high-risk gaps first, especially around access and data protection
- Build an ongoing compliance roadmap to maintain progress over time
Beyond those foundational steps, organizations should also:
- Ensure email encryption is applied to both data in transit and data at rest
- Review and update all business associate agreements and begin collecting the annual written verifications the new rule would require
- Train staff on email best practices, because human error remains the leading cause of email-related breaches
- Audit all systems for default passwords and orphaned service accounts
FAQs
What is the difference between a covered entity and a business associate under HIPAA?
A covered entity is a healthcare provider, health plan, or clearinghouse that directly handles patient data, while a business associate is any third-party vendor or partner that accesses or processes that data on their behalf.
What happens if my organization is found to be non-compliant after the final rule is issued?
OCR can impose civil monetary penalties depending on the level of negligence, and repeat violations carry harsher consequences.
How does HIPAA interact with state privacy laws?
HIPAA sets a federal floor. State laws that are more stringent than HIPAA are not preempted, so where the two differ, organizations must satisfy both, which in practice means meeting the stricter requirement.
