The 2026 HIPAA Security Rule changes are the most significant update to ePHI protection requirements in over a decade. After the 2024 Notice of Proposed Rulemaking and the 2025 finalization, U.S. healthcare organizations now face explicit, enforceable requirements around MFA, encryption, vulnerability management, and incident response — areas that were addressable-and-vague under the previous rule. This guide is the practical breakdown of what changed, what is now mandatory, what auditors will ask for, and how to get compliance-ready before enforcement deadlines hit.
What Changed in 2026
| Area | Before | 2026 Requirement |
|---|---|---|
| MFA | Addressable; not explicitly required | Required for all access to ePHI; phishing-resistant for privileged access |
| Encryption | Addressable | Required at rest and in transit for all ePHI |
| Vulnerability scanning | Implied | Required at minimum quarterly; documented remediation |
| Penetration testing | Not specified | Required at least annually for covered entities of any size with ePHI exposure |
| Patching SLA | Vague | Documented SLAs with critical-vuln remediation tracking |
| Network segmentation | Implied | Required for systems holding ePHI |
| Incident response plan | Required, untested | Required with annual tabletop and documented updates |
| Asset inventory | Implied | Required and current |
| Audit logging | Required | Required with minimum retention and tamper-resistance specifics |
The Highest-Impact Mandatory Controls
- MFA on all ePHI access. Phishing-resistant for any privileged or administrative ePHI account.
- Encryption at rest. Database, file system, backup, and removable media all in scope.
- Encryption in transit. TLS 1.2+ on all paths carrying ePHI; explicit weak-cipher disablement.
- Quarterly vulnerability scanning. Documented remediation SLAs (typically critical <14 days, high <30).
- Annual penetration testing. External-facing systems mandatory; internal recommended.
- Documented and tested incident response plan. Annual tabletop minimum; documented outcomes.
- Asset inventory. Every system holding or processing ePHI inventoried with owner and tier.
- Network segmentation. ePHI systems on segmented VLANs with access controls.
- Backups with immutability. 3-2-1-1-0 model; restore tests on documented cadence.
Compliance Evidence the Auditor Will Ask For
- MFA coverage report from Entra ID / Okta showing 100% on ePHI access
- EDR coverage report showing every endpoint enrolled and reporting
- Most-recent restore-test log with date and integrity confirmation
- Most-recent vulnerability scan report with remediation tracking
- Annual penetration test report
- Annual tabletop exercise minutes and lessons-learned document
- Up-to-date Written Information Security Policy with executive signature
- Current Business Associate Agreement inventory
- Audit log retention configuration with tamper-resistance evidence
90-Day Compliance Sprint
- Days 1–14: Inventory ePHI systems and access; identify gaps against the new rule
- Days 15–45: Close identity gaps (MFA enforcement, conditional access)
- Days 30–60: Encryption at rest and in transit verification; remediate any plaintext exposure
- Days 45–75: Vulnerability scan + remediation; patching SLA documented
- Days 60–90: Tabletop exercise; IR plan refresh; policy signature; evidence package assembly
Bottom Line
The 2026 HIPAA Security Rule update converts most previously-addressable safeguards into explicit, evidence-required mandates. Healthcare organizations that already operate a security-forward managed IT program have most of the controls in place; the gap is usually documentation and evidence automation. Organizations starting from scratch should plan a 90-day sprint to compliance-ready posture.
Need help getting HIPAA-compliant under the 2026 rule? ACS specializes in HIPAA-aligned managed IT for U.S.-based healthcare organizations. Contact us.
