The HIPAA Security Rule has been a fixture of healthcare compliance since it was published in 2003, with compliance required from 2005. Its core structure has remained largely unchanged through more than two decades of dramatic transformation in how healthcare organizations store, transmit, and process protected health information. That period of regulatory stability is ending.

Proposed revisions to the HIPAA Security Rule would be the most significant update to federal healthcare data security requirements since the rule's inception. The changes are sweeping in scope and prescriptive in their technical requirements, with finalization anticipated in 2026 and a compliance window to follow. For healthcare organizations of every size, from large health systems to early-stage startups, understanding what is changing and what it demands is no longer optional.


The Scale of the Problem That Drove Regulatory Action

The statistics regulators cite in the proposed rule's preamble tell the story clearly. Ransomware attacks, credential-based intrusions, and healthcare-specific breaches have escalated dramatically across the sector over the past several years.

In 2024 alone, 725 large breaches reported to HHS affected more than 275 million records, a total equal to roughly 82 percent of the U.S. population (these are records rather than unique individuals, so one person caught in several breaches is counted more than once). The healthcare sector has consistently ranked among the most targeted by cybercriminals, in part because of the high value of healthcare data on criminal markets and in part because healthcare organizations have historically operated with security infrastructure that lagged behind the sophistication of their attackers.

The earlier HIPAA compliance model allowed covered entities and business associates broad discretion in how they applied security safeguards. Many implementation specifications were structured as "addressable," meaning an organization could assess whether a given safeguard was reasonable and appropriate for its environment and, if not, document why and implement an equivalent alternative measure where one was reasonable. In practice that flexibility enabled a compliance culture in which written policies, documented risk assessments, and good-faith implementation efforts could satisfy the regulation even in the absence of specific technical controls.

The proposed 2026 revisions reject that model. Regulators have concluded that the discretion built into earlier HIPAA frameworks produced insufficiently consistent security outcomes across a sector that is both heavily targeted and deeply interconnected.


The End of Addressable Safeguards

The single most consequential structural change in the proposed revisions is the elimination of the addressable category. Under the existing Security Rule, implementation specifications are classified as either required (they must be implemented without exception) or addressable (organizations assess and decide).

The proposed rule would collapse this distinction. All implementation specifications become mandatory, with only a short list of specifically enumerated exceptions written into the rule text itself rather than left to each organization's judgment. The flexibility that the addressable framework provided disappears.

This change has implications that extend well beyond the specific requirements that were previously classified as addressable. It signals a fundamental shift in regulatory philosophy: compliance is no longer primarily a policy and documentation exercise with technical implementation as one optional component of a broader framework. Technical controls must be implemented, operational, tested, and demonstrably effective.

Documentation remains essential, but documentation without operational proof becomes inadequate. A written encryption policy without actual encryption implementation is not compliance. A risk assessment without evidence that identified risks were addressed is not compliance. The gap between policy and practice, which the addressable framework allowed organizations to inhabit, closes under the proposed rule.


Mandatory Encryption: No More Flexibility

Under the current HIPAA Security Rule, encryption of electronic protected health information is an addressable implementation specification both at rest (45 CFR 164.312(a)(2)(iv)) and in transit (164.312(e)(2)(ii)). Organizations could assess their environment and determine that alternative measures provided equivalent protection, and many in practice left data at rest unencrypted in some environments on the strength of such assessments.

The proposed revisions would make encryption of ePHI mandatory both at rest and in transit, with the addressable escape hatch replaced by a short list of enumerated exceptions. Email carrying PHI would effectively have to be encrypted as well. The open question of what constitutes reasonable and appropriate encryption would be replaced by a direct technical requirement: expect to be asked which systems are encrypted, with what, and where the keys are managed, not whether an encryption policy exists.

For organizations that have not completed full encryption deployments across their ePHI environments, this is a significant remediation challenge. Healthcare environments typically mix modern cloud infrastructure, legacy applications, medical devices with limited software support, and third-party systems administered by business associates, all of which need to be evaluated for encryption compliance under the new standard.


Enhanced Risk Analysis and Continuous Monitoring Requirements

The proposed rule restructures risk analysis from a periodic exercise into a continuous operational function. The existing Security Rule requires a risk analysis and periodic review, but the frequency and structure of those reviews have been left largely to organizational discretion.

The proposed revisions require the risk analysis to be reviewed and updated at least every 12 months, and sooner when the environment or operations change, and a compliance audit against the Security Rule at least every 12 months. Business associates would additionally have to verify their technical safeguards at least annually through a written analysis by a subject-matter expert and provide it to the covered entity, introducing a level of external validation that the current framework does not require.

The monitoring dimension is equally significant. Continuous monitoring of systems that handle ePHI, rather than periodic review, is expected to become a baseline requirement. Organizations must demonstrate that controls remain active, are tested regularly, and continue to function as intended. The evidence base for those demonstrations must be maintained and must be producible to regulators.

For organizations that have historically relied on annual assessments as their primary compliance validation mechanism, the shift to continuous monitoring requires investment in operational infrastructure: monitoring tools, log management systems, alert processes, and staff capacity to review and respond to findings.


Strengthened Identity and Access Management

Stolen, phished, or reused credentials are consistently among the leading entry points identified in healthcare breach investigations, and the proposed rule's attention to access management reflects that directly.

Multi-factor authentication is expected to become mandatory for access to systems that handle ePHI, subject to narrow exceptions the rule would enumerate. The existing Security Rule requires person or entity authentication but never specifies how strong that authentication must be; the revised framework would make MFA an explicit, mandatory technical safeguard.

Least privilege access and role-based access controls are expected to receive significantly greater regulatory attention. The proposed rule emphasizes that access to ePHI should be limited to what each user role genuinely requires for their functions, and that access rights should be actively reviewed and updated as roles change.

Supporting requirements likely to accompany the MFA and access control mandates include comprehensive audit logging, real-time anomaly detection, and processes for identifying and responding to suspicious access patterns. For healthcare organizations, including startups that have built access control infrastructure appropriate for an early-stage company, the proposed standards represent a materially higher bar.

The practical challenge for healthcare organizations is that access governance across a modern healthcare environment is complex. Employee accounts, contractor access, privileged administrative roles, cloud system access, third-party application integrations, and medical device interfaces all present access control challenges. Building MFA and least-privilege access consistently across all of them requires systematic work.
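The audit logging and suspicious-access-pattern review described above are easier to reason about with a concrete detection pass. The following Python script is an added example, not code from the article, from HHS, or from any product the article names. The log schema, the role-to-record-type scope model, the thresholds, and the account names are all constructed assumptions. It reads ePHI access audit records and flags four patterns that a least-privilege and MFA program should make visible: access without MFA, reads outside the role's scope, activity from a deprovisioned account, and bulk access to many distinct patients within a short window.

```python
"""Added example: detection rules over constructed ePHI access audit records.

Everything here (log schema, roles, thresholds, account names) is assumed for
illustration; it is not the article's or any regulator's specification.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed role model: record types each role may legitimately read.
ROLE_SCOPE = {
    "clinician": {"clinical_note", "lab_result", "medication"},
    "billing": {"claim", "demographics"},
    "admin": set(),  # platform admins manage systems; they do not read charts
}

# Assumed bulk-access threshold: more than BULK_LIMIT distinct patients read by
# one account within BULK_WINDOW is treated as possible export or scraping.
BULK_LIMIT = 20
BULK_WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse one JSON object per line into events with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def detect(events, deprovisioned=frozenset()):
    """Return a list of findings; each is a dict with 'rule', 'user', 'detail'."""
    findings = []
    for ev in events:
        if not ev.get("mfa", False):
            findings.append({"rule": "no_mfa", "user": ev["user"],
                             "detail": f"{ev['action']} {ev['record']} from {ev['src']}"})
        if ev["record"] not in ROLE_SCOPE.get(ev["role"], set()):
            findings.append({"rule": "out_of_scope", "user": ev["user"],
                             "detail": f"role {ev['role']} read {ev['record']}"})
        if ev["user"] in deprovisioned:
            findings.append({"rule": "deprovisioned_account", "user": ev["user"],
                             "detail": f"activity at {ev['ts'].isoformat()}"})

    # Sliding window per account: count distinct patients within BULK_WINDOW.
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        in_window = defaultdict(int)  # patient id -> reads inside the window
        for ev in evs:
            in_window[ev["patient"]] += 1
            while evs[start]["ts"] < ev["ts"] - BULK_WINDOW:
                old = evs[start]["patient"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) > BULK_LIMIT:
                findings.append({"rule": "bulk_access", "user": user,
                                 "detail": f"{len(in_window)} patients within {BULK_WINDOW}"})
                break  # one finding per account is enough to trigger review
    return findings


def count_by_rule(findings):
    """Summarize findings as {rule: count}."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


def _line(ts, user, role, mfa, record, patient, src):
    return json.dumps({"ts": ts, "user": user, "role": role, "mfa": mfa,
                       "action": "read", "record": record, "patient": patient, "src": src})


# Constructed sample log: three hand-written events plus a burst of 25 claim
# reads from one billing account, 20 seconds apart, all inside a 10-minute window.
_BASE = datetime(2025, 6, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_LOG = "\n".join(
    [
        _line("2025-06-01T08:00:00Z", "dr.lee", "clinician", True, "clinical_note", "p001", "10.0.5.12"),
        _line("2025-06-01T08:01:00Z", "j.smith", "billing", True, "clinical_note", "p002", "10.0.7.40"),
        _line("2025-06-01T08:02:00Z", "ops.bot", "admin", False, "lab_result", "p003", "203.0.113.9"),
    ]
    + [
        _line((_BASE + timedelta(seconds=20 * i)).strftime("%Y-%m-%dT%H:%M:%SZ"),
              "n.patel", "billing", True, "claim", f"p{100 + i}", "10.0.7.41")
        for i in range(25)
    ]
)

if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG), deprovisioned={"ops.bot"}):
        print(f"{f['rule']:22} {f['user']:10} {f['detail']}")
```

Run as-is it reports five findings: one account without MFA (which is also deprovisioned, so it is flagged twice), two reads outside role scope, and one bulk-access burst. The point of the sliding window is that bulk access is invisible in any single log line; it only appears when events are grouped by account and time, which is why the rule's emphasis on retained, reviewable audit trails matters in practice.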


Supply Chain and Vendor Risk Under the Proposed Rule

Business associate oversight has been a component of HIPAA compliance since the original Security Rule. The proposed revisions expand that oversight significantly. Organizations would need to demonstrate not just that business associate agreements exist but that vendor security programs have been assessed, that vendors' verification results can be obtained and reviewed, and that vendor risk is actively monitored rather than contractually assumed away.

Risk inheritance is a fundamental issue in healthcare that the proposed rule is designed to address more directly. A covered entity's security obligations extend to the systems and environments of every business associate that handles ePHI on its behalf. A business associate's security failure is a covered entity's compliance problem.

For healthcare organizations that have built their vendor management programs around standard business associate agreements and periodic certification requests, the proposed requirements will demand a more substantive approach to vendor oversight: documented due diligence processes, defined minimum security standards for vendors handling ePHI, and active monitoring of vendor security posture.


Technical Testing and Security Validation

The proposed rule moves security testing from a good practice to a formal compliance requirement. Annual penetration testing is expected to become mandatory: not optional, not discretionary, and not satisfiable by internal vulnerability scans alone.

Penetration testing at the level the proposed rule envisions requires qualified personnel conducting realistic assessments of live environments, attempting to exploit identified vulnerabilities, and documenting results in a format that demonstrates what defenses work and what gaps remain. The results must drive remediation that is itself documented and verifiable.

Regular vulnerability scanning, at least every six months under the proposal, would also be required. That scanning must be systematic, cover every system that handles ePHI, and produce findings that are assessed and remediated in a documented, risk-based manner; the proposal also sets patching expectations by severity, with critical findings to be addressed within 15 days and high findings within 30 days.

Healthcare organizations that have relied on cursory security assessments as compliance evidence will need to build more rigorous testing programs. Testing firms with healthcare-specific experience and familiarity with the regulatory requirements are in significant demand across the sector.


Asset Inventory and Network Visibility

Organizations cannot protect systems they cannot identify. The proposed rule is expected to make a full technology asset inventory, including AI tools and cloud-based systems that interact with ePHI, mandatory rather than aspirational, with the inventory reviewed and updated at least every 12 months and whenever the environment changes.

Network mapping of ePHI data flows is also expected to become mandatory. Understanding where ePHI originates, how it moves through systems, where it is stored, and where it leaves the organization is foundational to almost every other security control. Without that visibility, risk assessments are incomplete, access controls are imprecise, and encryption deployments will have gaps.

For healthcare startups operating in cloud environments with frequent changes to infrastructure, APIs, and third-party integrations, maintaining current and accurate asset inventories is particularly challenging. The proposed rule creates a compliance obligation that demands more systematic approaches to asset management than many early-stage organizations have in place.
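Mapping ePHI flows has an algorithmic core that is worth making explicit: the ePHI boundary is the set of systems reachable from wherever ePHI enters, not the set someone remembered to label. The following Python script is an added example, not code from the article, from HHS, or from any product the article names. The inventory, the flows, the field names, and the transport labels are all constructed assumptions. It derives scope by graph traversal from the declared ePHI sources and then reports the gaps the encryption, access control, and vendor sections above call out: in-scope assets missing from the inventory, assets without encryption at rest or MFA, cleartext flows carrying ePHI, and which business associates actually receive ePHI.

```python
"""Added example: derive the ePHI boundary from an asset inventory and a
data-flow map, then list control gaps. All asset names, fields, flows and
transport labels are constructed assumptions, not the article's data.
"""
from collections import deque

# Assumed inventory. 'ephi_source' marks where ePHI is created or ingested;
# everything else is in scope only if a flow delivers ePHI to it.
ASSETS = {
    "ehr-db":         {"type": "database",           "ephi_source": True,  "encrypted_at_rest": True,  "mfa": True},
    "api-gw":         {"type": "service",            "ephi_source": False, "encrypted_at_rest": True,  "mfa": True},
    "analytics-s3":   {"type": "object-store",       "ephi_source": False, "encrypted_at_rest": False, "mfa": True},
    "llm-summarizer": {"type": "ai-tool",            "ephi_source": False, "encrypted_at_rest": True,  "mfa": False},
    "billing-vendor": {"type": "business-associate", "ephi_source": False, "encrypted_at_rest": True,  "mfa": True},
    "marketing-crm":  {"type": "saas",               "ephi_source": False, "encrypted_at_rest": True,  "mfa": True},
}

# Assumed data-flow map: (source, destination, transport label).
FLOWS = [
    ("ehr-db", "api-gw", "tls1.3"),
    ("api-gw", "analytics-s3", "tls1.2"),
    ("api-gw", "llm-summarizer", "tls1.2"),
    ("analytics-s3", "billing-vendor", "sftp"),
    ("api-gw", "legacy-report-server", "http"),   # destination never inventoried
    ("marketing-crm", "api-gw", "tls1.2"),        # sends to, never receives from, ePHI systems
]

# Assumed set of transports treated as encrypted in transit.
ENCRYPTED_TRANSPORTS = {"tls1.2", "tls1.3", "sftp"}


def ephi_scope(assets, flows):
    """Nodes reachable from any ePHI source by following flows (breadth-first)."""
    adj = {}
    for src, dst, _ in flows:
        adj.setdefault(src, []).append(dst)
    scope = {name for name, a in assets.items() if a["ephi_source"]}
    queue = deque(scope)
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, []):
            if nxt not in scope:
                scope.add(nxt)
                queue.append(nxt)
    return scope


def find_gaps(assets, flows):
    """Control gaps on the ePHI boundary, as (rule, subject) pairs."""
    scope = ephi_scope(assets, flows)
    gaps = []
    for node in sorted(scope):
        a = assets.get(node)
        if a is None:
            # Something receives ePHI but nobody owns it in the inventory.
            gaps.append(("unknown_asset", node))
            continue
        if not a["encrypted_at_rest"]:
            gaps.append(("unencrypted_at_rest", node))
        if not a["mfa"]:
            gaps.append(("no_mfa", node))
    for src, dst, transport in flows:
        # A flow carries ePHI if its source is inside the boundary.
        if src in scope and transport not in ENCRYPTED_TRANSPORTS:
            gaps.append(("cleartext_flow", f"{src}->{dst} ({transport})"))
    return gaps


def business_associates_in_scope(assets, flows):
    """Inventoried business associates that actually receive ePHI."""
    scope = ephi_scope(assets, flows)
    return sorted(n for n in scope if n in assets and assets[n]["type"] == "business-associate")


if __name__ == "__main__":
    print("ePHI scope:", ", ".join(sorted(ephi_scope(ASSETS, FLOWS))))
    for rule, subject in find_gaps(ASSETS, FLOWS):
        print(f"{rule:20} {subject}")
    print("business associates receiving ePHI:", business_associates_in_scope(ASSETS, FLOWS))
```

Two details carry the lesson. The marketing CRM only sends data toward the ePHI systems, so it never enters scope and generates no findings, while the legacy report server was never inventoried but is reached by a cleartext flow, so it produces both an unknown-asset and a cleartext-flow finding. Run against a real inventory and flow map, the same traversal is what turns "we think these systems hold ePHI" into a defensible boundary for encryption, MFA, and vendor oversight.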


Incident Response and Reporting Modernization

The proposed rule is expected to attach hard clocks to incident handling, though not in the form of a new HIPAA incident-reporting deadline. Covered entities and business associates would need written procedures to restore the loss of critical electronic information systems and data within 72 hours, and business associates would have to notify the covered entity within 24 hours of activating their contingency plan. Breach notification to HHS and affected individuals stays governed by the separate Breach Notification Rule, which this proposal does not change; the practical effect is still to pull HIPAA timelines closer to the 72-hour windows of other regulatory frameworks.

Incident response plans must be formal, tested, and operationally current. Faster detection methods and clear escalation processes are expected. Organizations must demonstrate readiness not only to prevent incidents but to respond to them when they occur: detecting the incident quickly, determining scope, containing impact, notifying appropriate parties, preserving evidence, and restoring operations.

The emphasis on cyber resilience, not only prevention, reflects an acknowledgment that determined attackers will sometimes succeed and that how organizations respond when they do is a compliance matter as much as a security matter.


What This Means for Healthcare Startups Specifically

Healthcare startups face the proposed requirements in a particular context. They are building compliance programs from the ground up, often with limited resources and teams that wear many hats. They face customers, including hospitals, health systems, payers, and enterprise buyers, who will increasingly scrutinize vendor security posture as the proposed rule elevates what "adequate security" means in the healthcare sector.

The proposed rule effectively raises the barrier to entry for healthcare market participation. Organizations that cannot demonstrate credible security programs will find enterprise customer due diligence processes more difficult to pass. Investors increasingly weigh regulatory compliance posture in healthcare technology deals.

The startup framing of compliance as something to address after achieving product-market fit is directly at odds with the direction the proposed rule is taking HIPAA. Security architecture decisions made early have compliance consequences later. Organizations that build security into their infrastructure from the beginning are in a fundamentally different position than those that attempt to retrofit compliance onto systems designed without it.

Healthcare organizations, including startups, can use purpose-built tools to assess their current cybersecurity risk posture in the context of HIPAA and related requirements. DeviceRisk provides structured assessment capabilities for organizations evaluating medical device security risk, and the compliance baseline tools at ComplianceHub can help organizations understand where they stand against healthcare security requirements before undertaking formal gap remediation.


The Compliance Timeline

The proposed rule was published for comment in the Federal Register in January 2025, and the comment period closed in March 2025. Finalization is anticipated in 2026. The proposal set the compliance date at 180 days after the final rule's effective date, which itself would fall 60 days after publication, so roughly eight months from publication to enforcement. That timeline creates urgency for organizations that have not already begun preparing.

The gap between the proposed rule's current status and the final compliance deadline should not be interpreted as time to wait. Core requirements (encryption, MFA, annual penetration testing, continuous monitoring, comprehensive asset inventory) are consistent with best practices that healthcare organizations should be implementing regardless of the regulatory timeline. Organizations that use the compliance window to build programs from scratch will face compressed timelines and higher costs than organizations that have already made progress.


Practical Preparation Steps

Organizations preparing for the 2026 HIPAA Security Rule should prioritize the following.

Conduct a gap analysis against the proposed requirements now, comparing current safeguards against the administrative, technical, and physical controls the proposed rule would mandate. Identify missing capabilities, weak processes, and documentation gaps. Develop a phased remediation plan that addresses highest-risk gaps first.

Deploy encryption for all ePHI at rest and in transit. Remove insecure communication channels (email, messaging, file sharing mechanisms) that transmit PHI without encryption.

Implement MFA across all systems handling ePHI. Begin with external access and privileged accounts if full deployment is not immediately achievable, and develop a roadmap to full coverage.

Build continuous risk management infrastructure. Annual assessments are necessary but not sufficient under the proposed rule. Invest in monitoring tools, vulnerability scanning capabilities, and processes for continuous evidence collection.

Assess vendor risk systematically. Identify all business associates handling ePHI, evaluate their security programs, strengthen contractual protections, and establish processes for ongoing monitoring.

Schedule a penetration test before the final rule takes effect. Testing your defenses against realistic attack scenarios now reveals gaps that are less disruptive to address before they become compliance failures.

The 2026 HIPAA Security Rule overhaul represents a fundamental renegotiation of what compliance means in healthcare. Organizations that engage with that renegotiation proactively will be better positioned, competitively, operationally, and legally, than those who wait for the final rule to compel action.


This article is provided for informational purposes only and does not constitute legal or regulatory advice. Covered entities and business associates should consult qualified legal counsel and compliance professionals regarding their specific obligations under HIPAA and its implementing regulations.