Biggest HIPAA Security Overhaul in 13 Years: What to Do Now

· Infonaligy

HHS is finalizing mandatory MFA, encryption, and pen testing for HIPAA. Texas healthcare practices have roughly 240 days to comply once the final rule drops.

HHS is finalizing the first major update to the HIPAA Security Rule since 2013. The final rule is expected in May 2026, and covered entities and business associates will have approximately 240 days to comply after publication: as proposed, the rule takes effect 60 days after publication and the compliance window runs 180 days from that date. That puts the compliance deadline somewhere around early 2027.

The changes are significant. Controls that were previously “addressable” (frequently skipped by small practices) become mandatory. New requirements around penetration testing, incident response, and business associate accountability arrive for the first time. We covered the technical requirements in detail when the proposed rule was published. This post focuses on what you need to actually do and budget for between now and the deadline.

What “Addressable” Going Away Means for Your Budget

Under the current rule, certain HIPAA controls are classified as “addressable.” This was supposed to mean “implement it, find an equivalent, or document why you can’t.” In practice, many small practices treated “addressable” as “optional” and simply documented that they chose not to implement controls like encryption. (Multi-factor authentication is not even named as a specification in the current rule; it becomes an explicit requirement for the first time.)

The updated rule eliminates the addressable category entirely. Every control is now required. For practices that have been relying on that loophole, this translates to real spending:

  • Encryption of all ePHI at rest and in transit using NIST-consistent standards
  • Multi-factor authentication on every system that stores, processes, or transmits ePHI
  • Network segmentation separating ePHI systems from general-purpose networks
  • Vulnerability scanning at least every six months
  • Penetration testing at least annually
  • Technology asset inventory and network map, updated annually

If your practice already has these controls in place, the transition will be straightforward. If not, you are looking at capital expenditures and potentially new vendor relationships that take months to stand up.

Your Business Associates Are Now Accountable on Paper

The updated rule significantly strengthens requirements around business associates. This affects two groups: healthcare practices that rely on BAs, and the BAs themselves (billing companies, IT vendors, document storage providers, transcription services, and clearinghouses).

BAAs must include explicit cybersecurity obligations. The days of a two-page BAA that vaguely references “appropriate safeguards” are ending. Updated Business Associate Agreements will need to spell out specific security controls the BA is expected to maintain, consistent with the same standards that apply to covered entities.

BAs must provide annual written verification. Business associates will be required to verify in writing, at least annually, that they are meeting the cybersecurity obligations in their BAAs. This is not a self-attestation checkbox. As proposed, the verification must be backed by a written analysis of the BA’s relevant systems by someone with the knowledge to perform it, plus a certification that the analysis is accurate, so it requires evidence that controls are actually in place and functioning.

24-hour incident notification from BAs to covered entities. When a business associate activates its contingency plan in response to a security event, it must notify the covered entity within 24 hours. Under current BAAs, notification timelines are often vague or undefined. Many practices don’t find out about BA incidents until weeks or months later, which is exactly why vendor breaches cause so much downstream damage.

For practice owners, this means you need to pull every BAA you have on file and start the update process now. For businesses that operate as BAs, it means you need to invest in the same technical controls your covered entity clients are required to maintain.

Incident Response Plans Get Specific

The current HIPAA Security Rule requires security incident procedures and a contingency plan, but the specifics have always been open to interpretation. The updated rule pins down what “incident response” actually means.

Covered entities and BAs must maintain a written incident response plan that documents procedures for detecting, containing, and recovering from security incidents. That plan must be tested at least annually through tabletop exercises or simulations. Staff who have incident response responsibilities must receive training on the plan.

If you don’t have a documented IR plan today, building one from scratch takes time. Identifying your critical systems, defining response roles, and establishing communication procedures is typically a multi-week process. Starting after the final rule publishes leaves less room for error. Infonaligy offers a free tabletop exercise template that can help you get started.

A Prioritized Action Checklist

You don’t need to solve everything at once. Here is what to tackle first, second, and third based on lead time and complexity.

Start now (these take months to deploy):

  1. Conduct a gap assessment. Measure your current environment against the new requirements. Identify which controls you already have, which you partially have, and which are missing entirely. A formal cybersecurity risk assessment is the way to do this: it satisfies the existing HIPAA risk analysis requirement at the same time, and the gap findings double as the starting point for the periodic compliance audit the updated rule expects.

  2. Budget for MFA and encryption. These are the two controls most small practices lack, and they take the most time to deploy properly. Cloud-based EHR and billing platforms usually support MFA natively, but on-premises systems may require additional identity management infrastructure. Encrypting endpoints (laptops, workstations, portable devices) requires a deployment plan and testing period.

  3. Engage a penetration testing and vulnerability scanning provider. The rule requires annual pen tests and semi-annual vulnerability scans. These services require vendor selection, scoping, and scheduling. Start the procurement process now so you have a provider in place before the deadline. Our penetration testing page covers what a thorough assessment involves.

Start within 60 days:

  1. Review and update every BAA. Pull your agreements with all business associates. Flag any that don’t include specific cybersecurity obligations, incident notification timelines, or verification requirements. Contact your BAs to begin the update process. Renegotiating contracts takes time, especially with larger vendors.

  2. Build your technology asset inventory. Document every device, system, and application that touches ePHI. Map how patient data flows through your environment. This inventory is now explicitly required, and it feeds directly into your risk analysis and network segmentation planning.

  3. Write or update your incident response plan. Document your procedures for detecting, containing, and recovering from security incidents. Assign roles and responsibilities. Schedule your first tabletop exercise.

Start within 120 days:

  1. Implement network segmentation. Separate ePHI systems from general-purpose networks (guest Wi-Fi, staff personal devices, printers and other IoT). This often requires infrastructure changes that should be planned and tested during a maintenance window, and the change is not done until you have verified from the general network that the ePHI segment is actually unreachable and recorded that test in your network map.

  2. Run your first penetration test and vulnerability scan. Use the results to validate your gap assessment and prioritize remaining remediation work before the deadline.

  3. Request written compliance verification from each BA. Document the responses and follow up on any gaps. This documentation protects you during an OCR audit.

Don’t Wait for the Final Rule

The proposed rule has been public since January 2025, and its comment period closed in March 2025, so the controls listed above are what the final rule will be built from. Waiting until the final rule publishes means starting a 240-day clock with zero progress.

Small practices that treat this as a future problem will face a familiar bind: competing with every other healthcare organization in Texas for the same limited pool of HIPAA compliance and IT resources. Practices that start now will have their controls in place before the rush begins.

Need Help Preparing for the HIPAA Overhaul?

Our healthcare IT team can assess your current HIPAA posture and build a prioritized remediation plan before the compliance deadline.