The HIPAA Security Rule Is Getting Its Biggest Overhaul Since 2013. Here Is What Is Actually Changing.
The HIPAA Security Rule has not had a substantive update since 2013. In the thirteen years since, healthcare has lived through the rise of ransomware-as-a-service, the mass migration to cloud infrastructure, the normalization of remote work, the proliferation of connected medical devices, and the Change Healthcare attack, which exposed the health data of 190 million Americans through a single portal missing multi-factor authentication.
HHS published a major proposed overhaul in January 2025. Finalization is expected in May 2026. This is not a minor housekeeping update. It is the most significant restructuring of healthcare cybersecurity compliance in over a decade, and the projected industry-wide cost of implementation is $34 billion over five years.
Most practices are not ready. The ones that start a gap assessment now have the runway to address findings systematically. The ones that wait for enforcement to begin will be scrambling under deadline pressure and making expensive decisions without the time to make them well.
DAS Health has already done the work of mapping the new requirements against the environments we manage. Here is what every healthcare organization needs to understand before May 2026.
What Is Actually Changing
The End of “Required vs. Addressable”
The most structurally significant change in the updated rule is the elimination of the distinction between required and addressable specifications. Under the original framework, organizations could document a rationale for not implementing addressable specifications if an alternative measure was equally effective or if implementation was not reasonable and appropriate.
That flexibility is gone. Every specification in the updated rule is required. There are no workarounds, no documentation substitutes, no exceptions for legacy systems. Compliance means full implementation.
DAS Health manages its clients’ environments against the full set of requirements, not the minimum the previous rule allowed. For the organizations we work with, this change closes documentation loopholes rather than requiring new program elements.
Encryption of ePHI, Everywhere
The new rule explicitly requires encryption of ePHI both at rest and in transit. The previous addressable classification allowed organizations to document justifications for unencrypted storage. Given that the AHA found 100% of hacked health data in recent major breaches was unencrypted at the point of access, the regulatory response is direct and overdue.
DAS Health manages encryption as part of a unified security posture. We know where our clients’ ePHI lives, how it moves, and where it is stored outside the primary EHR. Encryption is not a standalone implementation project for the organizations we support. It is a managed, ongoing program.
Multi-Factor Authentication for All ePHI Access
MFA is now required for any system that accesses ePHI, not just remote access portals or VPN connections. Many organizations have deployed MFA for remote access and believe they are compliant. The new rule extends the requirement to internal system access, EHR logins, and clinical applications. The Change Healthcare attack entered through an internal access portal that lacked MFA. The updated rule closes that pathway for every covered entity.
DAS Health deploys and manages MFA comprehensively across client environments, including the internal access points that organizations often overlook. We also understand the clinical workflow constraints that make MFA implementation more complex in healthcare settings, and we build around them rather than against them.
Automated Vulnerability Scanning and Annual Penetration Testing
Organizations must run automated vulnerability scans at least every six months and conduct penetration testing annually. These are no longer aspirational best practices. They are compliance requirements.
DAS Health delivers both as standard components of our managed cybersecurity program. Our clients are not scheduling penetration tests in response to a compliance deadline. They already have them built into their annual security calendar.
72-Hour System Restoration
Following a data loss event, organizations must be able to restore critical systems within 72 hours. A plan that exists on paper is not sufficient. The system must be tested, documented, and verified to meet the restoration timeline.
DAS Health manages backup and disaster recovery programs with tested, verified restoration timelines. We do not assume our clients’ backups work. We test them and document the results so that when a data loss event occurs, the 72-hour clock is a goal we have already demonstrated the ability to meet, not a requirement we are hoping to hit.
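The restoration requirement above is only met by a drill that actually restores, verifies, and records the result. The following is an added example, not DAS Health's tooling or anything from the rule text: a restore drill that restores a backup set to a scratch directory, checks every file against the hashes recorded in the backup manifest, measures elapsed time against the 72-hour timeline, and emits a JSON evidence record. The backup set, manifest, file paths and hash values are constructed for the example; a real drill would read the catalog from the backup system and restore onto real recovery infrastructure.

```python
"""Restore drill: restore a backup set, verify it against its manifest,
and record whether the run met the restoration timeline (RTO).

The backup set and manifest below are constructed for this example; a real
drill would read them from the backup system's catalog.
"""
import hashlib
import json
import tempfile
import time
from dataclasses import asdict, dataclass, field
from datetime import datetime, timezone
from pathlib import Path

RTO_HOURS = 72  # restoration timeline the rule describes

# Constructed backup set: relative path -> file contents captured at backup time.
BACKUP_SET = {
    "ehr/db/patients.sqlite": b"SQLite format 3\x00" + b"\x00" * 64,
    "ehr/config/app.conf": b"listen=127.0.0.1:8443\ntls=on\n",
    "imaging/2025-01-01/study-0001.dcm": b"DICM" + b"\x01" * 128,
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Manifest written at backup time: the hashes a restore must reproduce.
MANIFEST = {path: sha256_hex(content) for path, content in BACKUP_SET.items()}


@dataclass
class DrillResult:
    started_at: str
    elapsed_seconds: float
    rto_hours: int
    files_expected: int
    files_restored: int
    mismatched: list = field(default_factory=list)  # hash differs from manifest
    missing: list = field(default_factory=list)     # in manifest, absent after restore

    @property
    def verified(self) -> bool:
        return not self.mismatched and not self.missing

    @property
    def within_rto(self) -> bool:
        return self.elapsed_seconds <= self.rto_hours * 3600

    @property
    def passed(self) -> bool:
        # A restore that completes in time but fails verification is not a pass.
        return self.verified and self.within_rto

    def evidence(self) -> str:
        """Audit record: the documented result a reviewer will ask for."""
        record = asdict(self)
        record.update(verified=self.verified, within_rto=self.within_rto, passed=self.passed)
        return json.dumps(record, indent=2)


def restore_files(backup: dict, dest: Path) -> int:
    """Write each backed-up file under dest; returns the number of files written."""
    count = 0
    for rel, content in backup.items():
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
        count += 1
    return count


def run_drill(backup: dict, manifest: dict, rto_hours: int = RTO_HOURS) -> DrillResult:
    """Restore into a scratch directory, verify against the manifest, time the run."""
    started = time.monotonic()
    started_at = datetime.now(timezone.utc).isoformat()
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        restored = restore_files(backup, dest)
        mismatched, missing = [], []
        for rel, expected in manifest.items():
            target = dest / rel
            if not target.exists():
                missing.append(rel)
            elif sha256_hex(target.read_bytes()) != expected:
                mismatched.append(rel)
    return DrillResult(
        started_at=started_at,
        elapsed_seconds=time.monotonic() - started,
        rto_hours=rto_hours,
        files_expected=len(manifest),
        files_restored=restored,
        mismatched=mismatched,
        missing=missing,
    )


if __name__ == "__main__":
    print(run_drill(BACKUP_SET, MANIFEST).evidence())
    # Failure mode: a silently corrupted backup object still "restores"
    # but does not verify, so the drill must not be recorded as passed.
    corrupted = dict(BACKUP_SET)
    corrupted["ehr/db/patients.sqlite"] = b"SQLite format 3\x00" + b"\xff" * 64
    print(run_drill(corrupted, MANIFEST).evidence())
```

The manifest check is the part most drills skip: timing a restore proves the timeline, but only a content check against hashes recorded at backup time proves the restored systems are the ones you backed up. Keeping the JSON record from each run gives the documented, verified history the rule asks for.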
Annual Compliance Audits and Business Associate Accountability
Annual compliance audits must be incorporated into existing HIPAA Security Risk Assessment processes. Business associates handling ePHI must conduct their own annual security reviews. Given that the majority of healthcare data breaches originate from vendors rather than direct attacks on covered entities, this extension of accountability to the supply chain reflects what the breach data has been showing for years.
DAS Health manages business associate and vendor security reviews as part of client programs, maintaining the documentation record that regulators expect and ensuring that third-party relationships do not become the weakest link in the security chain.
What to Do Before May 2026
The most important step any practice can take today is a structured gap assessment mapped against the specific requirements of the updated rule. Not a general security review. A targeted evaluation of where your environment stands against each new requirement, what remediation is needed, and in what order it should be addressed.
DAS Health conducts these assessments and builds the remediation roadmaps that follow. Organizations that start now have the time to implement changes thoughtfully. Those that wait will be making technology and policy decisions under compliance pressure.
The updated HIPAA Security Rule is expected to be finalized in May 2026. The required vs. addressable distinction is gone. Encryption, MFA, annual pen testing, and 72-hour recovery are no longer optional. Stop guessing about where your organization stands. A DAS Health cybersecurity expert will map your environment against every new requirement and tell you exactly what needs to change before the deadline hits.
Frequently Asked Questions
What is the biggest change in the 2026 HIPAA Security Rule update?
The elimination of the required vs. addressable distinction is the most significant structural change. Every specification is now required with no flexibility for documented exceptions. The rule also explicitly mandates encryption, comprehensive MFA, annual penetration testing, and 72-hour system restoration capability.
When does the updated HIPAA Security Rule take effect?
Finalization is expected in May 2026, with an implementation timeline following publication. Organizations should begin gap assessments immediately to have adequate time for remediation.
Does MFA for remote access satisfy the new HIPAA requirements?
No. The updated rule requires MFA for any system accessing ePHI, including internal systems. Many organizations have MFA only for remote or VPN access and will need to extend it to all internal ePHI access points.