For most of healthcare’s history, HIPAA’s Security Rule has been a document that said “reasonable and appropriate” a lot. It was written in 2003 — before cloud computing, before ransomware-as-a-business-model, before a solo cardiologist in Connecticut could have their entire patient database exfiltrated from a phishing email opened on a personal phone.
The Office for Civil Rights noticed. On December 27, 2024, OCR announced the most sweeping proposed update to the HIPAA Security Rule since its original adoption, and the notice of proposed rulemaking (NPRM) was published in the Federal Register in January 2025. The changes are still technically proposed, with no final rule published as of June 2026, but the direction is clear, the requirements are detailed, and the proposed compliance window once a final rule drops is 240 days. Organizations that start preparing now will be ready. Organizations that wait for the final rule will be scrambling.
Here’s what every small and mid-size medical practice in Connecticut needs to understand.
What’s Actually Changing — And Why It’s Different This Time
The current HIPAA Security Rule uses a two-tier system: some implementation specifications are “required,” and some are “addressable.” Addressable doesn’t mean optional; it means you must assess whether the specification is reasonable and appropriate, and if it isn’t, implement an equivalent alternative and document why. In practice, many practices used this flexibility to avoid implementing encryption, which is addressable today, while the current rule never names MFA or vulnerability scanning at all. A documented reason was enough.
The proposed rule eliminates the addressable category. With only narrow, enumerated exceptions, every implementation specification becomes required. The days of “we documented why encryption wasn’t reasonable for our practice” are over.
The Six New Mandatory Requirements, Explained Plainly
Annual Security Risk Assessments — Every 12 Months
The proposed rule requires a comprehensive, documented risk analysis that is reviewed and updated at least every 12 months, and again after any material change to your environment. Not a quick edit to last year’s document: a full reassessment covering current systems, vendors, threats, and workforce, based on the asset inventory and network map described below. If you’ve added telehealth, changed EHR vendors, or adopted AI tools, your SRA needs to reflect that.
Mandatory Encryption of ePHI — At Rest and In Transit
Encryption was previously “addressable.” Under the proposed rule, every system that stores or transmits ePHI must use encryption: servers, databases, laptops, backup media, email, cloud storage. The only exceptions are narrow ones spelled out in the rule, such as a patient who asks to receive their own records over an unencrypted channel. Legacy on-premises EHR systems without database-level encryption are a significant undertaking to bring into compliance.
Required Multi-Factor Authentication on All ePHI Systems
If your staff logs into your EHR or billing platform with just a username and password, that’s no longer going to be compliant. MFA will be required for all access to systems containing ePHI, again with only narrow exceptions spelled out in the rule. Rolling it out organization-wide requires planning, testing, and staff training.
Regular Vulnerability Scanning and Penetration Testing
Organizations will need automated vulnerability scans of their networks and systems at least every six months, plus penetration testing at least every 12 months to validate defenses, with findings tracked to remediation. For most small practices, this requires engaging an IT security provider, since the tools and expertise aren’t found in-house.
Technology Asset Inventory and Network Mapping
You’ll need a current, accurate inventory of every device, system, and application that touches ePHI, plus a map of how ePHI moves between them, both reviewed at least every 12 months and after any material change. Asset inventory is foundational: you can’t encrypt what you don’t know about, and you can’t patch what’s not in your inventory.
Enhanced Documentation — Prove Your Policies Are Working
It’s no longer enough to have a binder of security policies. You’ll need to demonstrate that policies are implemented, staff are trained, controls are tested, and gaps are remediated. In an OCR investigation, undocumented security is treated the same as absent security.
The Compliance Timeline and What to Expect
As of June 2026, no final rule has been published. OCR’s regulatory agenda had targeted spring 2026 for finalization, but that window passed. A coalition of over 100 hospital and provider organizations has asked HHS to withdraw the proposal — HHS has retained the rule on its agenda despite the pushback.
Once a final rule publishes, the proposal sets this sequence: effective date 60 days after Federal Register publication → compliance deadline 180 days after that (240 days total) → existing BAAs updated within one year.
The organizations that meet the deadline comfortably are those that started preparing before finalization. Waiting means a 240-day sprint to implement encryption, MFA, SRAs, asset inventories, and vulnerability scanning programs simultaneously.
What This Means for Small Practices Specifically
The proposed rule applies the same requirements to a solo practitioner in New Haven as it does to Yale New Haven Health. There’s no small-practice exemption. OCR has historically shown leniency toward good-faith, phased compliance efforts — but the requirements themselves don’t scale down.
The most significant gaps we see in Connecticut practices of 1–50 providers: no formal annual SRA, single-password EHR access, legacy systems with unencrypted databases, no documented asset inventory, outdated BAAs, and security policies that predate cloud computing and telehealth.
What to Do Right Now, In Order of Priority
Start with a Security Risk Analysis
The SRA tells you everything else you need to do. It’s also the most frequently cited deficiency in OCR investigations under the current rule — meaning this isn’t just preparation for the new rule, it’s risk reduction today.
Audit Your Technology Asset Inventory
Create a current list of every device and system that touches ePHI. Most practices discover during their first audit that they have more ePHI-touching assets than they realized.
Assess Your Encryption Posture
Identify every system that stores or transmits ePHI and confirm whether encryption is actually enabled, not just available. Legacy on-premises systems, workstation and laptop disks without BitLocker or FileVault turned on, unencrypted backup drives, and consumer cloud storage (Dropbox, personal Google Drive) are the common weak points.
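The fastest way to confirm workstation disk encryption across a practice is to ask each machine rather than trusting a spreadsheet. The script below is an added example, not code from the article or from ACS, that pulls BitLocker status from a list of Windows endpoints and flags any volume that is not fully encrypted with protection on. It assumes PowerShell Remoting (WinRM) is enabled, that you run it with local administrator rights on the targets, and that the endpoints have the BitLocker module; the computer names are hypothetical.

```powershell
# Added example (not from the article). Assumptions: WinRM enabled, admin rights
# on each target, BitLocker module present. Computer names are hypothetical.
$computers = @('FRONTDESK-01', 'EXAMROOM-02', 'BILLING-03')

# Ask every reachable endpoint for the state of each of its fixed volumes.
# Invoke-Command stamps each returned object with PSComputerName for us.
$results = Invoke-Command -ComputerName $computers -ErrorAction SilentlyContinue -ScriptBlock {
    Get-BitLockerVolume -ErrorAction SilentlyContinue |
        Where-Object { $_.VolumeType -in @('OperatingSystem', 'Data') } |
        ForEach-Object {
            [pscustomobject]@{
                MountPoint        = $_.MountPoint
                VolumeType        = $_.VolumeType
                ProtectionStatus  = $_.ProtectionStatus      # On, Off, Unknown
                VolumeStatus      = $_.VolumeStatus          # FullyEncrypted, FullyDecrypted, EncryptionInProgress...
                EncryptionPercent = $_.EncryptionPercentage
                KeyProtectors     = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
            }
        }
}

# A volume counts as a gap unless protection is on AND encryption has finished.
# "EncryptionInProgress" with protection off still exposes data at rest.
$gaps = $results | Where-Object {
    $_.ProtectionStatus -ne 'On' -or $_.VolumeStatus -ne 'FullyEncrypted'
}

# Hosts that never answered are gaps too: you cannot attest to what you could not check.
$checked   = $results | Select-Object -ExpandProperty PSComputerName -Unique
$unreached = $computers | Where-Object { $_ -notin $checked }
foreach ($host in $unreached) { Write-Warning "No response from $host; record it as unverified in the SRA" }

# Keep the full result as evidence for the SRA, and surface the gaps for remediation.
$results | Export-Csv -Path .\bitlocker-inventory.csv -NoTypeInformation
$gaps | Format-Table PSComputerName, MountPoint, ProtectionStatus, VolumeStatus, KeyProtectors -AutoSize
```

The CSV is the artifact to keep: a dated record of which disks were encrypted, with which key protectors, is exactly the kind of evidence the “prove your policies are working” requirement expects. Macs need the equivalent check with `fdesetup status` for FileVault, and anything that did not respond belongs on the inventory as unverified rather than silently dropped.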
Deploy MFA Starting With Your Highest-Risk Systems
Begin with remote access, the EHR portal, and email. Microsoft 365 MFA can be turned on in hours through security defaults or a Conditional Access policy. Legacy EHR systems may require vendor coordination. Roll out in phases to avoid overwhelming staff.
Review and Update Your Business Associate Agreements
Every vendor that touches ePHI needs a current signed BAA. The proposed rule also requires business associates to give you written verification at least every 12 months that they have deployed the required technical safeguards, so you’ll need to document not just that a BAA exists, but that you’ve obtained and reviewed that verification.
How Atlantic Computer Systems Helps Connecticut Practices Get Ready
ACS serves small and mid-size medical practices across Connecticut and the northeast. HIPAA compliance is built into how we manage IT for healthcare clients — not an add-on.
Annual Security Risk Assessments
Documented, comprehensive SRAs producing the audit-ready documentation OCR looks for first.
MFA Deployment & Management
We roll out MFA across Microsoft 365, EHR portals, and remote access with staff training so adoption sticks.
Vulnerability Scanning
Regular automated network scans with clear remediation reporting. We handle the patching.
BAA Management & Vendor Review
We maintain your BAA inventory, flag expiring agreements, and evaluate new vendors before you commit.
Asset Inventory & Network Mapping
We build and keep current the technology asset inventory the proposed rule requires.
HIPAA Staff Training
Practical, scenario-based training on encryption, MFA, AI tool compliance, and incident reporting.
Frequently Asked Questions
Is the 2026 HIPAA Security Rule update in effect yet?
Not yet. As of June 2026 it remains a proposed rule. OCR continues to enforce the current Security Rule. Starting preparation now reduces your risk under both the current and proposed requirements.
Does my small practice have to meet the same requirements as a hospital?
Yes. The proposed rule applies to all covered entities regardless of size. The same mandatory encryption, MFA, and annual SRA requirements apply to a solo practitioner as to a large health system.
My EHR vendor says they handle HIPAA compliance. Am I covered?
Your EHR vendor’s BAA covers their platform only. Your practice is responsible for everything else that touches patient data — email, backup systems, workstations, mobile devices, and every other vendor with PHI access.
How long does an MFA rollout take for a small practice?
Microsoft 365 MFA can be configured in hours for a small team. For a 10–50 person practice with legacy EHR systems, plan for 2–4 weeks including training and support. A managed IT partner handles this end-to-end.
What’s the difference between a Security Risk Analysis and a HIPAA audit?
An SRA is proactive: you conduct it to identify your own risks. An OCR investigation is reactive, triggered by a complaint or a breach report (OCR also runs a separate compliance audit program). Either way, your SRA documentation is the first thing you produce in an OCR inquiry, and organizations without a recent SRA consistently face larger penalties.
GET AHEAD OF THE DEADLINE
Find out exactly where your practice stands — before OCR does.
ACS offers a free 30-minute HIPAA security assessment for Connecticut medical practices. We’ll identify your highest-priority gaps and give you a plain-English action plan. No obligation.
Sources: HHS OCR, HIPAA Security Rule NPRM (Jan. 2025) · Medcurity, 2026 HIPAA Security Rule Update · HIPAA Journal, New HIPAA Regulations 2026
