HIPAA Security Rule Overhaul — Final Rule Expected May 2026. Is Your Organization Ready?
TL;DR
OCR has kept the proposed HIPAA Security Rule overhaul on its official regulatory agenda for May 2026 — meaning a final rule could be published imminently. The proposed changes are the most sweeping Security Rule update since the original rule took effect in 2005, including mandatory encryption of ePHI at rest and in transit, required multi-factor authentication, annual penetration testing, and 72-hour system restoration objectives. Organizations that begin preparing now will be significantly ahead of those that wait for the final rule.
The most significant update to the HIPAA Security Rule since the 2013 Omnibus Rule is on the verge of finalization. Here is what the proposed changes require and what every covered entity and business associate must do to prepare.
For the past several months, compliance officers across the country have been watching the HHS regulatory calendar with a mix of anticipation and anxiety. The proposed overhaul of the HIPAA Security Rule — the most sweeping proposed update since the original rule took effect in 2005 — has been moving toward finalization. And it is almost here.
Where things stand
Despite sharp criticism and industry pushback, the current HHS regulatory agenda still lists the Security Rule overhaul with a May 2026 target for the final rule.
This is significant. Proposed rules frequently slip from regulatory agendas, particularly after administration changes. The fact that OCR has maintained its May 2026 target — through a change in administration and significant industry opposition — signals genuine institutional commitment to finalizing this rule.
The agenda date is a target, not a commitment, and it could well slip. Even if the rule publishes in May 2026, the NPRM proposed an effective date 60 days after publication and a compliance date 180 days after that, so enforcement of most provisions would begin in early 2027 at the earliest.
The practical implication: organizations that begin preparing now will be significantly ahead. Roughly eight months from publication to compliance is a short window for encryption rollouts, MFA on legacy systems, and a first penetration test.
What the proposed rule requires
HHS announced the proposed Security Rule changes on December 27, 2024 (the NPRM was published in the Federal Register on January 6, 2025, with comments closing March 7, 2025). The proposal would remove the distinction between "required" and "addressable" implementation specifications, making all of them required with limited exceptions, and would add mandatory encryption of ePHI at rest and in transit, MFA, asset inventories and network maps, vulnerability scanning at least every six months and penetration testing at least every 12 months, network segmentation, 24-hour notification of other regulated entities when a workforce member's access changes, 72-hour restoration objectives, and annual compliance audits.
Here is what each major proposed change means in practice:
Mandatory encryption — the end of the addressable standard
Under the current Security Rule, encryption of ePHI at rest (45 CFR §164.312(a)(2)(iv)) and in transit (45 CFR §164.312(e)(2)(ii)) is an addressable implementation specification. An organization must implement it where reasonable and appropriate; otherwise it must document why not and implement an equivalent alternative measure where reasonable and appropriate. In practice many organizations, particularly small practices, have used this flexibility to defer encryption indefinitely.
The proposed rule removes the addressable category altogether. Encryption of ePHI at rest and in transit would become a required specification for every system that stores or transmits ePHI, with no documented-alternative route and no exemption based on organization size. The NPRM does carve out a small set of specific exceptions, but they are narrow and do not amount to a general opt-out.
Multi-factor authentication — required for all ePHI access
The proposed rule would make MFA a required specification for workforce member access to systems containing ePHI, again with only limited exceptions. Today MFA is strongly encouraged through NIST guidance and OCR cybersecurity guidance but is not explicitly required by the Security Rule itself.
This change will require significant operational investment for organizations with legacy systems, particularly those using shared workstations, older EHR platforms, or point-of-care devices that have not been designed with MFA in mind.
Asset inventories and network maps — required documentation
Organizations would be required to maintain current, accurate inventories of all technology assets that store, process, or transmit ePHI, and network maps showing how ePHI flows between systems. This targets a gap OCR repeatedly cites in breach investigations and enforcement actions: organizations that did not know where their ePHI was located.
Annual penetration testing — required, not optional
The proposed rule would require vulnerability scanning at least every six months and penetration testing at least once every 12 months for systems containing ePHI. Penetration testing, in which security professionals actively attempt to breach an organization's defenses, gives a far more realistic picture of security posture than vulnerability scanning alone, because it chains individual findings into actual access. Today both practices are recommended but not required.
72-hour restoration objectives — recovery planning gets teeth
Organizations would be required to establish and document written procedures for restoring relevant electronic information systems and ePHI within 72 hours of an incident, supported by a criticality analysis that ranks systems by restoration priority. This directly addresses the operational reality of ransomware attacks, where the inability to access patient records creates immediate patient safety risks.
Annual compliance audits
The proposed rule would require annual internal audits of Security Rule compliance — documented reviews of whether policies, procedures, and technical controls continue to meet requirements. This is distinct from a risk analysis and would need to occur in addition to ongoing risk analysis activities.
Note
The proposed rule also includes a 24-hour notification requirement tied to access changes: when a workforce member's access to ePHI or to relevant electronic information systems is changed or terminated, the entity would have to notify other regulated entities that rely on that access (for example, a business associate that provisioned accounts for the entity's staff) within 24 hours. This creates operational demands for HR and IT teams, who must coordinate rapidly on deprovisioning and on keeping vendor-side accounts in sync.
What has not changed
It is important to note that these are proposals; the existing Security Rule remains in force until a final rule is published.
Every organization subject to HIPAA must continue to meet all current Security Rule requirements. The proposed rule does not reduce or defer any existing obligation. Organizations that are currently non-compliant with the existing rule — particularly those lacking a current risk analysis — face immediate enforcement exposure regardless of whether the final rule is published.
The industry pushback — and why it may not matter
The proposed rule generated significant opposition from healthcare industry groups who argued that many of the requirements — particularly mandatory MFA and annual penetration testing — would be disproportionately burdensome for small and rural providers.
OCR has acknowledged these concerns but has not indicated it will substantially scale back the proposed requirements. The agency's public position is that the current cybersecurity threat environment in healthcare, with large breaches in recent years affecting well over a hundred million individuals in a single year, justifies stronger mandatory requirements regardless of implementation burden.
Warning
Small practice exceptions are not expected in the final rule. OCR's public statements have consistently emphasized that the proposed requirements apply to all covered entities and business associates regardless of size. Small practices should not plan on being exempted.
What your organization should do now
Waiting for the final rule before beginning preparation is a strategic mistake. Organizations that start now will have more time to implement changes methodically — rather than rushing to meet a compliance deadline.
Audit your encryption posture today. Identify every system, database, device, and data flow that stores or transmits ePHI. Determine what is currently encrypted and what is not. For unencrypted systems, begin the planning process for encryption now — procurement, vendor engagement, and implementation take time.
Assess your MFA readiness. Inventory all systems used to access ePHI. Determine which support MFA natively, which require additional configuration, and which may require replacement or supplemental solutions. Legacy EHR and medical device systems often present the greatest challenges.
Build your asset inventory. Begin documenting all technology assets that touch ePHI — including cloud services, mobile devices, and third-party vendor systems. This documentation will be required under the final rule and is already expected by OCR under the current rule's risk analysis requirement.
Engage a penetration testing vendor. If your organization has never conducted a penetration test, engage a qualified security firm to conduct one before the final rule takes effect. The first test typically reveals more than subsequent annual tests — better to discover vulnerabilities now than after the rule is final.
Update your contingency plan. Review your disaster recovery and business continuity plans against the proposed 72-hour restoration objective. If your current plan cannot realistically achieve 72-hour recovery for ePHI systems, identify what changes are needed.
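The five steps above amount to one repeatable pass over the asset inventory and ePHI data-flow map. As an added example (not from this page, HHS, or any HIPAA tool), the Python script below encodes that pass: it checks each ePHI asset for encryption at rest, MFA and a documented recovery time objective, checks each mapped data flow for encryption in transit, cross-checks the flow map against the inventory so that a system moving ePHI but missing from the inventory is flagged, and checks the program-level dates for vulnerability scanning, penetration testing and the compliance audit. The inventory format, field names, severity labels and the 182-day reading of "every six months" are assumptions made for the illustration; the clinic data is constructed.

```python
"""Gap check of an asset inventory and ePHI data-flow map against the
controls the proposed Security Rule would require: encryption at rest and
in transit, MFA, a 72-hour restoration objective, vulnerability scanning
every six months, annual penetration testing and an annual compliance audit.

Added example for this page, not an HHS template. The record format,
field names, severity labels and the 182-day threshold are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Asset:
    name: str
    holds_ephi: bool
    encrypted_at_rest: bool
    mfa_enforced: bool
    rto_hours: Optional[int] = None  # documented recovery time objective


@dataclass
class Flow:
    """One edge of the ePHI data-flow map; every edge carries ePHI."""
    src: str
    dst: str
    encrypted_in_transit: bool


@dataclass
class Program:
    last_vuln_scan: Optional[date]
    last_pentest: Optional[date]
    last_compliance_audit: Optional[date]


RTO_MAX_HOURS = 72
SCAN_MAX_DAYS = 182      # "at least every six months" (assumption: 182 days)
PENTEST_MAX_DAYS = 365   # "at least once every 12 months"
AUDIT_MAX_DAYS = 365


def _stale(last: Optional[date], max_days: int, today: date) -> bool:
    return last is None or (today - last) > timedelta(days=max_days)


def assess(assets, flows, program, today):
    """Return (severity, subject, finding) tuples; an empty list means no gaps."""
    findings = []
    by_name = {a.name: a for a in assets}

    for a in assets:
        if not a.holds_ephi:
            continue  # out of scope for the ePHI controls
        if not a.encrypted_at_rest:
            findings.append(("high", a.name, "ePHI stored without encryption at rest"))
        if not a.mfa_enforced:
            findings.append(("high", a.name, "workforce access to ePHI without MFA"))
        if a.rto_hours is None:
            findings.append(("medium", a.name, "no documented recovery time objective"))
        elif a.rto_hours > RTO_MAX_HOURS:
            findings.append(("medium", a.name,
                             f"RTO of {a.rto_hours}h exceeds the {RTO_MAX_HOURS}h objective"))

    # Cross-check the map against the inventory: a system that moves ePHI but
    # is missing from the inventory is the "did not know where ePHI was" gap.
    unknown = set()
    for f in flows:
        for end in (f.src, f.dst):
            if end not in by_name:
                unknown.add(end)
        if not f.encrypted_in_transit:
            findings.append(("high", f"{f.src}->{f.dst}",
                             "ePHI transmitted without encryption in transit"))
    for name in sorted(unknown):
        findings.append(("high", name, "in the ePHI data-flow map but not in the asset inventory"))

    if _stale(program.last_vuln_scan, SCAN_MAX_DAYS, today):
        findings.append(("medium", "program", "vulnerability scan older than six months or never run"))
    if _stale(program.last_pentest, PENTEST_MAX_DAYS, today):
        findings.append(("medium", "program", "penetration test older than 12 months or never run"))
    if _stale(program.last_compliance_audit, AUDIT_MAX_DAYS, today):
        findings.append(("medium", "program", "compliance audit older than 12 months or never run"))
    return findings


def sample_assessment(today=date(2026, 5, 1)):
    """Constructed inventory for a small clinic; not real data."""
    assets = [
        Asset("ehr", True, encrypted_at_rest=True, mfa_enforced=True, rto_hours=48),
        Asset("lab-system", True, encrypted_at_rest=False, mfa_enforced=False, rto_hours=120),
        Asset("billing", True, encrypted_at_rest=True, mfa_enforced=True),  # no RTO documented
        Asset("guest-wifi-portal", False, encrypted_at_rest=False, mfa_enforced=False),
    ]
    flows = [
        Flow("clinic-workstation", "ehr", encrypted_in_transit=True),  # never inventoried
        Flow("ehr", "lab-system", encrypted_in_transit=False),         # legacy feed in the clear
        Flow("ehr", "billing", encrypted_in_transit=True),
    ]
    program = Program(last_vuln_scan=date(2026, 3, 15), last_pentest=None,
                      last_compliance_audit=date(2025, 3, 1))
    return assess(assets, flows, program, today)


if __name__ == "__main__":
    for severity, subject, finding in sample_assessment():
        print(f"[{severity:6}] {subject}: {finding}")
```

On the constructed clinic the script reports eight gaps: four "high" (the lab system's unencrypted storage and missing MFA, the unencrypted EHR-to-lab feed, and the workstation that appears in the flow map but not in the inventory) and four "medium" (the lab system's 120-hour RTO, the billing system's missing RTO, the never-run penetration test and the overdue compliance audit). The guest Wi-Fi portal is ignored because it holds no ePHI. Rerunning the same check after each remediation step gives a dated record of progress, which is also the kind of documentation the annual compliance audit would draw on.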
The HIPAA Security Rule overhaul is the most significant compliance event in healthcare privacy in over a decade. Whether the final rule publishes in May 2026 or later in the year, the proposed requirements are clear and the direction is set. Organizations that treat preparation as optional until after the final rule publishes will face a very compressed implementation timeline.
Sources & citations
- HHS OCR HIPAA Security Rule NPRM Fact Sheet
- Alston & Bird — HIPAA Security Rule Still on Track for Finalization
- 45 CFR Part 164 Subpart C — Current Security Standards
All content verified against official HHS guidance and the Code of Federal Regulations.
Frequently asked questions
- When will the HIPAA Security Rule final rule be published?
- Will encryption of ePHI become mandatory under the new rule?
- Will multi-factor authentication be required?
- Does the current Security Rule still apply while the final rule is pending?
- How much time will organizations have to comply after the final rule is published?
Not legal advice. medcomply.ai provides compliance intelligence for educational and operational planning. Consult qualified counsel for legal interpretation.