The HIPAA Security Rule is Changing

Changes are coming to the HIPAA Security Rule, and HIPAAtrek is here to help. The changes mostly codify security steps that are already best practices. That means you may very well already be following some of these practices, and if you’re not yet, it’s a good idea to start as soon as you can.

When?

Why is HIPAA Changing?

  1. The Security Rule has not been updated since 1996. The technology we use has gone through massive evolutions in the last 30 years, and the threats to ePHI have changed significantly as well. This change should align the regulation better with the current landscape.
  2. Slow recovery from and response to major breaches in recent years (like the Change Healthcare breach, where restoring systems took months) have highlighted the need for quicker response times. The new regulation requires that organizations have procedures in place to restore functionality within 72 hours after a breach.

What is changing under the new Security Rule?

Annual SRA Requirement

Codifies the annual SRA (currently best practice) as a requirement, and expands the requirements for the contents of the SRA.

New BA Requirements

Requires annual verification in writing from BAs to attest that they are in compliance with the Security Rule. 

Tabletop Exercises Requirement

Requires routine review and testing of security measures, including specifically tabletop exercises and simulations. 

Multi-Factor Authentication Requirement

Systems used to access ePHI will be required to use multi-factor authentication.

Annual Testing and Audit Requirements

Contingency planning and response testing will be required annually, along with new annual compliance audits that are separate and distinct from the SRA.

Security Rule Consulting

Work with the HIPAA Compliance Experts at HIPAAtrek to manage these changes.

Get a proactive head start in complying with the updated Security Rule by working with the experts at HIPAAtrek.


Prepare Now for Security Rule Changes

Savvy compliance officers should prepare now in order to efficiently implement key changes later.

  1. Conduct a Risk Analysis
  2. Create an Action Plan
  3. Communicate with Leadership

Changing Regulations Cheatsheet

Are you up to date with HIPAA?

We made you a free cheat sheet to guide your compliance as regulations change.

Using HIPAAtrek to Prepare for Security Rule Changes

HIPAAtrek has already been proactively preparing our clients for these regulatory changes. Built by HIPAA compliance experts who have been in your shoes, we know how challenging sweeping changes to HIPAA can be.

That’s why we work diligently to support our clients through changing regulations with:

  • Specific, in-depth training to educate and prepare our clients, with opportunities to ask questions of our HIPAA compliance experts;
  • Updated policy templates available in our platform within 45 days of the finalized Security Rule; and
  • HIPAA training videos within the software, updated to reflect the changes and assist with implementation among your team.

Schedule A Demo

There’s never been a better time to join HIPAAtrek. Register for a demo now and a member of our team will reach out with more information.