← Back to Blogs

HIPAA cybersecurity requirements in 2026 are governed primarily by the HIPAA Security Rule, which mandates administrative, physical, and technical safeguards to protect electronic protected health information (ePHI).

In January 2025, the Department of Health and Human Services proposed significant updates to the Security Rule that would make several previously "addressable" safeguards mandatory, including encryption of ePHI at rest and in transit, multi-factor authentication, network segmentation, and annual penetration testing.

Healthcare organisations should treat these proposed changes as the near-term compliance bar, not a future possibility, given the direction of enforcement and the volume of healthcare breaches driving the update.

Below is the full breakdown of what is currently required, what is changing, and a practical checklist to assess where your organisation stands.

Where HIPAA Cybersecurity Requirements Stand Right Now?

HIPAA compliance has always rested on three rules: Privacy, Security, and Breach Notification. The Security Rule is where cybersecurity obligations live, and it organises requirements into three categories of safeguards.

Administrative safeguards cover the policies, training, and governance structure around ePHI, including risk analysis, workforce training, and a named security official responsible for compliance.

Physical safeguards cover the physical protection of systems and facilities that store or access ePHI, including facility access controls and workstation security.

Technical safeguards cover the technology controls protecting ePHI directly, including access controls, audit logs, integrity controls, and transmission security.

Under the current rule, many of these technical safeguards are labelled "addressable" rather than "required," meaning organisations could implement an alternative measure or document why a safeguard was not reasonable for their environment. That flexibility is the central thing changing.

What's Changing in 2026: The Proposed Security Rule Update

In January 2025, HHS published a Notice of Proposed Rulemaking (NPRM) to update the HIPAA Security Rule for the first time in over a decade. The proposal removes the distinction between "required" and "addressable" safeguards entirely.

Under the proposed rule, the following become mandatory for covered entities and business associates, with limited exceptions:

  • Encryption of ePHI at rest and in transit, with no exceptions process for choosing not to encrypt
  • Multi-factor authentication for access to systems containing ePHI
  • Network segmentation to limit lateral movement if a system is compromised
  • Annual penetration testing and vulnerability scanning at least every six months
  • Asset inventory and network mapping, reviewed and updated annually
  • Removal of access within 24 hours of workforce termination or role change
  • Annual compliance audits verifying that safeguards are actually implemented, not just documented
  • Incident response plans that are tested at least annually

As of mid-2026, the rule remains in the public comment and finalisation process, but the direction is unambiguous.

Digisecuritas' HIPAA Compliance Consulting helps healthcare organisations close the gap between current safeguards and the proposed 2026 requirements before enforcement makes that gap costly.

The HIPAA Cybersecurity Checklist for 2026

Use this checklist to assess where your organisation currently stands against both the existing Security Rule and the proposed update.

Administrative Safeguards

  • A documented, organisation-wide risk analysis covering all systems that create, receive, maintain, or transmit ePHI
  • A named Security Official accountable for HIPAA compliance
  • Documented policies covering access management, workforce training, and sanctions for non-compliance
  • Workforce security awareness training, conducted at least annually
  • A documented and tested incident response plan
  • Business Associate Agreements (BAAs) in place with every vendor that touches ePHI

Physical Safeguards

  • Facility access controls limiting physical access to systems containing ePHI
  • Workstation use and security policies, including screen lock and physical placement standards
  • Device and media controls covering the secure disposal and reuse of hardware that has stored ePHI

Technical Safeguards

  • Unique user identification for every individual accessing ePHI, no shared credentials
  • Multi-factor authentication on all systems accessing ePHI
  • Encryption of ePHI at rest and in transit
  • Audit logging and monitoring across systems that handle ePHI
  • Automatic logoff after a period of inactivity
  • Network segmentation isolating systems handling ePHI from the broader network

Operational Readiness (proposed rule additions)

  • Annual penetration testing of systems handling ePHI, with vulnerability scanning at least every six months
  • Current asset inventory and network map, reviewed annually
  • Access revocation process completing within 24 hours of termination or role change
  • Documented annual compliance audit, separate from the risk analysis

If your organisation cannot check most of the boxes above today, that gap is the actual starting point for a remediation plan, not a reason for alarm. Most healthcare organisations are in the same position.

What Happens If You Are Not Compliant?

HIPAA enforcement is handled by the HHS Office for Civil Rights (OCR), and penalties are tiered based on the level of culpability:

Violation Category Penalty Range Per Violation Annual Cap
Unknowing violation$137 to $34,464$2,067,813
Reasonable cause$1,379 to $68,928$2,067,813
Wilful neglect, corrected$13,785 to $68,928$2,067,813
Wilful neglect, uncorrected$68,928 minimum$2,067,813

Beyond financial penalties, breaches affecting 500 or more individuals must be reported publicly on the HHS breach portal, trigger mandatory individual notification, and in many cases lead to OCR investigation. The reputational cost for a healthcare organisation tied to a public breach listing frequently exceeds the regulatory fine itself.

For organisations that experience a security incident involving ePHI, the response obligations intersect directly with broader incident response requirements. The notification timelines, evidence preservation, and root cause analysis steps covered in our ransomware incident response playbook apply just as directly to a HIPAA breach involving ePHI as they do to any other ransomware event, with the added layer of HHS notification obligations on top.

How to Close the Gap: A Practical Approach

Start with a current-state risk analysis: You cannot remediate gaps you have not formally identified. A proper risk analysis covering every system that touches ePHI is the foundation everything else builds on, and it is also the single most commonly cited deficiency in OCR enforcement actions.

Prioritise the safeguards becoming mandatory: Encryption, MFA, and network segmentation are moving from optional to required. If your organisation has not implemented these, they should be the immediate priority regardless of where the final rule lands.

Build, do not just document, an incident response capability: A written plan that has never been tested is a paper exercise. Annual testing, whether through tabletop exercises or simulated incidents, is what the proposed rule expects and what actually improves real-world response.

Schedule penetration testing on a recurring basis: Annual testing, at minimum, is the expected baseline. For organisations with limited prior testing history, our guide on what a penetration test actually involves is a useful starting point for understanding scope and what to expect.

Extend the same scrutiny to vendors: Business Associates handling ePHI on your behalf carry the same compliance obligations you do, and a vendor's failure becomes your liability. A structured third-party risk management process is essential, not optional, for any healthcare organisation working with external vendors, billing companies, or cloud providers.

Digisecuritas' GRC Consulting team builds the documentation, technical remediation roadmap, and audit-ready evidence healthcare organisations need to demonstrate compliance, not just claim it.

Conclusion

HIPAA compliance in 2026 is shifting from a documentation exercise to an operational one. The proposed Security Rule update closes the flexibility that let organisations defer hard technical investments for over a decade, and enforcement pressure is rising alongside it.

The organisations in the strongest position are not waiting for the final rule to be published before acting. They are closing the gap now, while there is still time to do it methodically rather than under breach notification deadlines.

If you are unsure where your organisation actually stands against the checklist above, that uncertainty is the starting point for a risk analysis, not a reason to delay one.

Digisecuritas helps healthcare organisations assess HIPAA compliance gaps and build a remediation roadmap before they become enforcement or breach exposure.

Request a HIPAA Compliance Assessment to find out exactly where your organisation stands.

Frequently Asked Questions

Is the 2026 HIPAA Security Rule update finalised?
As of mid-2026, the proposed update remains in the rulemaking process following the January 2025 Notice of Proposed Rulemaking. Organisations should treat the proposed requirements as the near-term compliance expectation given the clear regulatory direction, rather than waiting for final publication to begin remediation.

Does HIPAA require encryption of all patient data?
Under the current rule, encryption is an addressable safeguard, meaning an alternative measure can be documented in its place. Under the proposed 2026 update, encryption of ePHI at rest and in transit becomes mandatory with no exceptions process.

Do small healthcare practices need to meet the same requirements as large hospitals?
Yes. HIPAA applies to all covered entities and business associates regardless of size, though the scale and complexity of required safeguards can reasonably reflect the size and risk profile of the organisation. Smaller practices are not exempt from the core requirements.

How often does HIPAA require penetration testing?
The current rule does not explicitly mandate a testing frequency. The proposed 2026 update specifies annual penetration testing and vulnerability scanning at least every six months, which is increasingly treated as the practical expectation regardless of final rule timing.

What is the difference between a HIPAA risk analysis and a HIPAA audit?
A risk analysis is a self-assessment process identifying vulnerabilities and gaps across systems handling ePHI, conducted by or on behalf of the organisation. A HIPAA audit, whether internal or conducted by OCR, verifies that identified risks have actually been remediated and that safeguards are functioning as documented, not merely planned.