The HIPAA Security Rule Just Got a Major Overhaul — And the Deadline Already Passed

The HIPAA Security Rule Just Got a Major Overhaul — And the Deadline Already Passed

If you run a medical office, dental practice, mental health clinic, or any business that touches a patient’s data, you’ve probably heard the buzz about HIPAA changes rolling out in 2026. Here’s the maybe-not-surprising truth: the federal government proposed the biggest update to HIPAA’s Security Rule since 2003 — and then missed its own deadline to finalize it.

What’s Being Proposed — And Why It’s a Big Deal

The Department of Health and Human Services (HHS) published a Notice of Proposed Rulemaking (NPRM) in late 2024 that would fundamentally change what “HIPAA compliant” means for your IT systems. The proposed changes include:

  • Mandatory encryption of all electronic protected health information (ePHI) at rest and in transit — no more treating this as optional
  • Multi-factor authentication (MFA) required for every system that accesses ePHI
  • 72-hour incident reporting to HHS when a breach occurs
  • Annual penetration testing of your systems
  • Vulnerability scanning every six months
  • Enhanced documentation and business associate oversight requirements

This would be the first major update to HIPAA’s security requirements since the original rule was written — before cloud computing, before ransomware-as-a-business-model, before telehealth became mainstream.

So Why Hasn’t the Final Rule Been Published?

The rule was targeted for finalization in spring 2026. That window came and went — no announcement, no final rule, no confirmed timeline for when one will be issued.

Here’s why that’s dangerous if you assume it means you’re safe to wait:

The Office for Civil Rights (OCR) — the agency that enforces HIPAA — has been handing out fines and settlements for years for exactly these issues: inadequate encryption, missing MFA, and failed risk assessments. The proposed rule isn’t introducing new ideas. It’s formalizing what OCR is already enforcing right now through penalties.

Being late doesn’t mean enforcement is late.

What’s Already in Effect Right Now

Not all of the changes to the HIPAA rules are still pending — they’re already law:

  • Notices of Privacy Practices (NPPs) were required to be updated by February 16, 2026
  • Part 2 regulations (covering substance use disorder records) were aligned with HIPAA as of the same date
  • Enforcement trends continue to tighten around security risk analysis failures

If your practice hasn’t updated its NPP or conducted a formal security risk analysis recently, you may already be out of compliance — today, not in some future deadline.

5 Questions Every Healthcare Business Should Ask Right Now

Whether you’re a covered entity (healthcare provider, health plan) or a business associate (accountant, IT provider, billing company) that handles PHI, here’s what you should be asking:

  • Is all ePHI encrypted—both at rest and in transit?
  • Is MFA enabled on every system that can access patient data?
  • When did you last conduct a formal security risk assessment?
  • Do you have documented incident response procedures?
  • Are your business associate agreements (BAAs) up to date?

These aren’t hypothetical future requirements. They’re what OCR looks for when something goes wrong.

How LAN Services FBG Can Help

At LAN Services FBG, we help small businesses in the Texas Hill Country get — and stay — compliant with HIPAA and related security frameworks. Our managed IT services include:

  • Endpoint encryption and monitoring
  • MFA deployment and management across all your systems
  • Security risk assessments aligned with HIPAA requirements
  • Documented incident response planning
  • Business associate agreement (BAA) review support

The final rule will come. Don’t let it catch you off guard.

Contact us today for a free, no-obligation HIPAA readiness conversation.
lanservicesfbg.com/contact

[email protected]

Website: https://lanservicesfbg.com

Bryan is the owner of LAN Services FBG LLC, a managed IT and cybersecurity firm serving small businesses in the Texas Hill Country. Through his Vines & Firewalls blog, he translates real-world cyber threats into plain-language advice for wineries, accounting firms, and the businesses that keep this community running. When he's not locking down networks, he's probably enjoying everything Fredericksburg has to offer.

Leave a Reply

Your email address will not be published. Required fields are marked *