
The Biggest HIPAA Security Rule Overhaul in 13 Years Is Coming, and Most Health Systems Are Not Ready

OCR proposed the first significant update to the HIPAA Security Rule since 2013, with finalization scheduled for May 2026. The changes eliminate the addressable vs. required distinction for security safeguards, making every measure mandatory, and introduce annual compliance audits, mandatory encryption, mandatory MFA, 72-hour disaster recovery, and AI tool inventories.

By TechSignal.news AI | 6 min read

The Office for Civil Rights proposed the first significant update to the HIPAA Security Rule since 2013, with finalization scheduled for May 2026 and compliance deadlines expected before end of year or early 2027. The proposed changes eliminate the addressable versus required distinction for security safeguards, making every measure mandatory, and introduce annual compliance audits, mandatory encryption, mandatory MFA, 72-hour disaster recovery requirements, and technology asset inventories that explicitly include AI tools.

What Is Changing

No more addressable loopholes. Every security safeguard becomes mandatory. The distinction that let organizations document why they did not implement a control is gone.

Annual compliance audits. Formal audits at least every 12 months. Not whenever you get around to it.

Asset inventory including AI tools. Organizations must maintain an up-to-date inventory of all technology assets that create, receive, maintain, or transmit ePHI. AI tools are explicitly called out.

Mandatory MFA. Every technology asset accessing ePHI must use multi-factor authentication.

Mandatory encryption. ePHI must be encrypted both at rest and in transit. No exceptions.

Network segmentation. Required wherever possible to contain breaches.

72-hour recovery. Disaster recovery procedures must be able to restore lost systems and ePHI within 72 hours.

Business associate requirements tightened. Updated BAAs, notification obligations, and technical controls for all downstream vendors.

The Enforcement Backdrop

In 2025, OCR levied more than $6.6 million in fines for HIPAA violations, with penalties ranging from $80,000 to $3 million. The highest penalty resulted from a phishing-attack breach at a business associate. In 2024, OCR collected $9.9 million across 22 enforcement actions. In 76 percent of all 2025 enforcement actions, risk analysis failure was cited as a violation. The message is clear: OCR is no longer treating cybersecurity failures as compliance gaps. It is treating them as willful neglect.

Penalty Math

HIPAA civil penalties now range from $145 per violation for "no knowledge" up to $2,190,294 per violation for willful neglect not corrected within 30 days, reflecting the January 2026 inflation adjustment. State attorneys general can pile on separately: state penalties have ranged from $100,000 to $74 million. And the Change Healthcare breach litigation is establishing new precedent for what "reasonable and appropriate" cybersecurity measures means in practice.

What Enterprise Buyers Must Do Now

If your organization still treats security safeguards as addressable, meaning you have documented why you did not implement them, that documentation becomes a liability, not a defense. The compliance timeline is aggressive: effective July or August 2026 with 180-day implementation windows. Start now. Conduct a gap assessment against the proposed rule. Inventory every AI tool touching ePHI. Verify MFA on every access point. And update every BAA with downstream vendors, because their compliance is now more explicitly your problem.

Tags: hipaa, security-rule, ocr, compliance, encryption, mfa, healthcare-regulation, ephi
