HIPAA Security Rule Changes May 2026: What to Prepare
The updated HIPAA Security Rule mandates encryption, MFA, and vulnerability scanning. Here's what Texas healthcare practices must do now.

The HIPAA Security Rule is about to get its most significant update in over a decade. HHS published the proposed changes in January 2025, the public comment period closed in March 2025, and the final rule is expected in May 2026. When it takes effect, every organization that handles electronic protected health information (ePHI) will face stricter, more specific security requirements with far less room for interpretation.
If you run a healthcare practice, clinic, or healthcare-adjacent business in Texas, this is the update you need to plan for right now. Not next quarter. Not when the final rule publishes. Now, because some of these changes require months of preparation and investment.
The Biggest Change: “Addressable” Is Gone
Under the current HIPAA Security Rule, controls are classified as either “required” or “addressable.” That distinction has caused confusion for over 20 years. Many organizations interpreted “addressable” as “optional,” which was never the intent. HHS meant that covered entities should assess each addressable control and either implement it, implement an equivalent alternative, or document why it wasn’t reasonable for their environment.
The proposed rule eliminates the addressable category entirely. Every control becomes required, with limited exceptions that must be documented in writing with specific justification.
What this means in practice: controls that many small practices treated as optional (like encryption of ePHI at rest, multi-factor authentication, and network segmentation) will become mandatory. Organizations that relied on the “addressable” designation to avoid implementing these controls will need to close those gaps before the rule takes effect.
What the Updated Rule Requires
The proposed rule adds several specific technical requirements that go well beyond the current framework. These aren’t vague guidance statements. They’re prescriptive controls with clear expectations.
Mandatory encryption of ePHI at rest and in transit. Currently, encryption is an “addressable” specification. Under the new rule, all ePHI must be encrypted using standards consistent with NIST guidelines, both when stored on servers, workstations, and portable devices, and when transmitted over networks. No more documenting why you chose not to encrypt.
Multi-factor authentication on all systems containing ePHI. The rule requires MFA for every user accessing systems that store, process, or transmit ePHI. If your EHR system, billing platform, or email system touches patient data and your staff logs in with just a username and password, that will be a violation. Our post on multi-factor authentication for businesses covers why MFA is one of the most cost-effective security controls available.
Regular vulnerability scanning and penetration testing. The proposed rule mandates vulnerability scanning at least every six months and penetration testing at least annually. Many small practices have never conducted either. This is a significant new requirement that will require either in-house expertise or an outside partner.
Network segmentation. Systems containing ePHI must be segmented from general-purpose networks. A flat network where the front desk computer, the billing system, and the EHR server all sit on the same subnet will not pass muster.
Technology asset inventory and network mapping. Organizations must maintain a current, accurate inventory of all technology assets and a network map showing how ePHI flows through their environment. This needs to be updated at least annually, and it forms the foundation for risk analysis.
72-hour incident notification to HHS. The proposed rule requires covered entities to notify HHS within 72 hours of activating their contingency plan due to a security incident. This is a much tighter window than many organizations are prepared for.
Why Texas Practices Should Pay Attention Now
Texas has seen some of the largest healthcare data breaches in the country over the past two years, and the patterns are instructive.
Nacogdoches Memorial Hospital disclosed a breach in 2024 affecting approximately 257,000 patients. The attack compromised patient names, Social Security numbers, medical records, and insurance information. For a community hospital serving a rural East Texas population, the operational and reputational impact was severe.
Conduent, the claims processor for Blue Cross Blue Shield of Texas, suffered a breach that exposed the personal information of roughly 4 million Texas residents. This wasn’t a direct attack on BCBS TX itself but on a business associate, which underscores why the updated rule also tightens requirements around Business Associate Agreements (BAAs) and third-party risk management.
These are not isolated incidents. HHS’s Office for Civil Rights (OCR) breach portal shows a consistent pattern of Texas healthcare organizations appearing in reported breaches, from large hospital systems down to individual physician practices.
OCR’s Risk Analysis Initiative: Enforcement Is Getting Sharper
Even before the new rule takes effect, OCR is already stepping up enforcement of existing requirements. In 2024, OCR launched its Risk Analysis Initiative, a targeted enforcement program focused specifically on organizations that failed to conduct adequate security risk analyses.
The initiative has resulted in 11 enforcement actions and counting. Settlements have ranged from $40,000 to over $500,000, and the organizations penalized include small physician practices, not just large hospitals. OCR has made clear that size is not a defense. If you’re a covered entity, you’re expected to conduct a thorough, documented risk analysis regardless of your organization’s size.
The message from OCR is straightforward: risk analysis is the foundation of HIPAA compliance, and they’re actively auditing for it. If your practice hasn’t completed a formal risk analysis in the past year, or if your last one was a checkbox exercise that didn’t result in actual remediation, you’re exposed.
Your Preparation Checklist
The final rule is expected in May 2026, with a likely compliance deadline 180 days after publication. That puts the compliance window somewhere around November 2026. Here’s what to prioritize between now and then.
Audit your encryption posture. Identify every system, device, and transmission path that touches ePHI. Verify that encryption is active and meets NIST standards. Pay special attention to laptops, portable devices, email, and cloud storage. If you find gaps, start procurement and deployment now. Encrypting an entire environment takes time, especially if you’re running older systems that need upgrades.
Deploy MFA on all ePHI systems. If you haven’t already, implement MFA across your EHR, practice management system, email, remote access tools, and any other platform that stores or transmits patient data. Most cloud-based healthcare applications support MFA natively. On-premises systems may require additional identity management infrastructure.
Schedule vulnerability scans and a penetration test. Engage a qualified security firm to run your first vulnerability scan and penetration test. This establishes your baseline. The new rule requires these on an ongoing schedule, so build the relationship and budget now rather than scrambling after the rule is final. Our vulnerability assessment services page covers what a thorough assessment looks like.
Review your BAAs. Pull every Business Associate Agreement you have on file. Verify that each one addresses the new requirements, including mandatory encryption, incident notification timelines, and the business associate’s obligation to conduct their own risk analysis. Any BAA that hasn’t been updated since the original HIPAA Security Rule was published is almost certainly out of date.
Conduct a formal risk analysis. If your last risk analysis was more than 12 months ago, or if it was a template-based exercise that didn’t examine your actual systems and workflows, do a new one. Document findings, assign risk ratings, and create a remediation plan with specific deadlines and owners. This is the single most important step you can take, because risk analysis is both the foundation of compliance and OCR’s primary enforcement target.
Build your technology asset inventory. Document every server, workstation, laptop, mobile device, network device, and cloud service in your environment. Map the flow of ePHI through your systems. This exercise often reveals shadow IT and forgotten systems that represent unmanaged risk.
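The requirements listed above (encryption at rest and in transit, MFA, vulnerability scanning every six months, annual penetration testing, segmentation of ePHI systems) and the checklist steps that follow them all start from the same artefact: an accurate asset inventory that records which systems handle ePHI. The script below is an added illustration, not Infonaligy's tooling or anything from the rule text, of how a practice can turn that inventory into a gap list with risk ratings. The inventory, the assessment date and the pentest history are invented sample data, and the 182-day and 365-day thresholds are this example's reading of "at least every six months" and "at least annually".

```python
"""Gap assessment of a constructed technology asset inventory against the
controls the updated HIPAA Security Rule makes mandatory (encryption at rest
and in transit, MFA, six-monthly vulnerability scans, annual penetration
tests, segmentation of ePHI systems). Added illustration, not Infonaligy's
tooling; all asset data below is invented."""
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_network
from typing import List, Optional


@dataclass
class Asset:
    name: str
    subnet: str                   # CIDR of the network the asset sits on
    handles_ephi: bool            # stores, processes or transmits ePHI
    encrypted_at_rest: bool
    encrypted_in_transit: bool
    mfa_enforced: bool
    last_vuln_scan: Optional[date]


@dataclass
class Finding:
    asset: str
    control: str
    severity: str
    detail: str


SCAN_INTERVAL = timedelta(days=182)      # "at least every six months"
PENTEST_INTERVAL = timedelta(days=365)   # "at least annually" (organisation-wide)

# Constructed inventory for a small practice. The front-desk PC shares a subnet
# with the EHR server, which is the flat-network layout the rule will not accept.
INVENTORY = [
    Asset("ehr-server", "10.0.1.0/24", True, True, True, False, date(2025, 9, 1)),
    Asset("billing-laptop", "10.0.1.0/24", True, False, True, True, date(2025, 2, 1)),
    Asset("front-desk-pc", "10.0.1.0/24", False, False, True, False, None),
    Asset("guest-wifi-ap", "192.168.50.0/24", False, False, False, False, None),
]


def _overdue(last: Optional[date], interval: timedelta, today: date) -> bool:
    """True when a dated activity never happened or is older than its interval."""
    return last is None or today - last > interval


def assess(inventory: List[Asset], today: date,
           last_pentest: Optional[date]) -> List[Finding]:
    """Return one Finding per control gap, ordered by severity then asset."""
    findings = []
    ephi_subnets = {ip_network(a.subnet) for a in inventory if a.handles_ephi}
    for a in inventory:
        if a.handles_ephi:
            if not a.encrypted_at_rest:
                findings.append(Finding(a.name, "encryption-at-rest", "high",
                                        "ePHI stored without encryption"))
            if not a.encrypted_in_transit:
                findings.append(Finding(a.name, "encryption-in-transit", "high",
                                        "ePHI sent over unencrypted channels"))
            if not a.mfa_enforced:
                findings.append(Finding(a.name, "mfa", "high",
                                        "ePHI system reachable with password only"))
            if _overdue(a.last_vuln_scan, SCAN_INTERVAL, today):
                findings.append(Finding(a.name, "vulnerability-scan", "medium",
                                        "no vulnerability scan in the last six months"))
        elif ip_network(a.subnet) in ephi_subnets:
            # Non-ePHI device on the same subnet as an ePHI system: no segmentation.
            findings.append(Finding(a.name, "segmentation", "medium",
                                    f"general-purpose device on ePHI subnet {a.subnet}"))
    if _overdue(last_pentest, PENTEST_INTERVAL, today):
        findings.append(Finding("organisation", "penetration-test", "medium",
                                "no penetration test in the last 12 months"))
    rank = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: (rank[f.severity], f.asset, f.control))
    return findings


def summarize(findings: List[Finding]) -> dict:
    """Count findings per severity, e.g. {'high': 2, 'medium': 3}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def run_example() -> List[Finding]:
    # Assessment date and pentest history are constructed, like the inventory.
    return assess(INVENTORY, today=date(2026, 1, 15), last_pentest=None)


if __name__ == "__main__":
    for f in run_example():
        print(f"[{f.severity:6}] {f.asset:16} {f.control:22} {f.detail}")
    print(summarize(run_example()))
```

Run against the sample inventory, the script flags the unencrypted billing laptop and the password-only EHR server as high-severity gaps, and the stale scan, the front-desk PC sharing the EHR subnet and the missing penetration test as medium. Each finding is the seed of a remediation-plan row (owner and deadline added by hand), which is what a risk analysis that actually results in remediation looks like, as opposed to a checkbox exercise.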
Why Small Practices Need an MSP for This
A 200-bed hospital has a CISO, a compliance team, and a dedicated IT security budget. A 50-person dermatology practice or a 30-person dental group does not. The new HIPAA Security Rule doesn’t distinguish between the two. Both must meet the same requirements.
For small and mid-sized practices, partnering with a managed service provider that specializes in healthcare IT and HIPAA compliance is the most practical path to meeting these requirements. The right MSP provides the encryption infrastructure, MFA deployment, vulnerability scanning schedule, network segmentation, and ongoing monitoring that the rule demands, without requiring you to hire a full-time security team.
Infonaligy works with healthcare practices across Texas to build and maintain HIPAA-compliant IT environments. We handle the technical controls, documentation, and ongoing monitoring so that practice leadership can focus on patient care instead of parsing federal regulations.
The compliance deadline will arrive faster than most practices expect. The organizations that start preparing now will have a smooth transition. The ones that wait for the final rule to publish will be competing with every other practice in Texas for the same limited pool of IT and compliance resources.
Need Help Preparing for the New HIPAA Security Rule?
Our healthcare IT team can assess your current HIPAA posture and build a remediation plan that gets you ready before the compliance deadline.