HIPAA Changes are coming—is your organization prepared?
You’ve probably already heard about the changes coming to the HIPAA Security Rule in 2026. It’s no surprise: cybersecurity is a hot topic in healthcare (and beyond) right now, as the looming threat of a breach becomes a pressing issue that organizations large and small must contend with.
Currently, it looks like the HIPAA Security Rule will change in the Spring of 2026, though we know that timeline is subject to change (keep an eye on our changing regulations hub to watch the deadlines for the numerous regulatory changes we’re tracking now).
The good news? The changes to the Security Rule are mostly codifying security steps that are already best practices. That means you may very well already be doing some of these practices, and if you’re not yet, it’s a good idea to start as soon as you can.
In this article, we will cover:
- Why the HIPAA Security Rule is Changing
- The Timeline for Compliance with the Updated Security Rule
- How to Comply with the Updated Security Rule
- How to Prepare for the Security Rule Changes Coming in 2026
We know how intimidating major regulatory changes like these can be. That’s why we pride ourselves on helping our clients stay prepared—and in compliance.
At HIPAAtrek, we provide our clients with ongoing education opportunities outlining the specifics of these changes and will have updated templates and training available through our platform within 45 days of the Privacy Rule being finalized. If you’ve been considering using HIPAAtrek to manage your compliance—and stay updated as regulations change—there’s never been a better time to join. Click here to schedule a demo.
Why the HIPAA Security Rule is Changing
We’ve said many times that HIPAA changes are inevitable as regulations need to keep up with technological changes, care standards, and patient rights.
Unsurprisingly, the proposed changes to the Security Rule are largely addressing changing technologies and a cybersecurity landscape in which keeping ePHI secure is more challenging than ever before.
Ultimately, the main reason for the proposed changes to the Security Rule is that it has not been updated since 1996.
Take a moment to think about the technology you used in 1996 versus what you use today, and it will be obvious why the Rule is long overdue for an update.
Just as the technology we use has evolved massively over the last 30 years, the threats to ePHI have changed significantly as well. The updated regulation is an effort to modernize this Rule to suit current times.
Additionally, the large breaches we have seen lately have shown the need for quicker recovery procedures in healthcare. In the case of the Change Healthcare Breach, it took months to restore systems after the initial breach—you may have seen the news articles about delayed payments and even organizations closing following this breach.
The new regulation requires that organizations have procedures in place to restore functionality within 72 hours of a breach, which seems to be a direct reflection of the impact of those delays related to the Change Healthcare situation.
These two factors combined provide the motivations behind the changes to the Security Rule that we are anticipating in 2026.
When will I need to comply with the updated Security Rule?
Compliance and security professionals alike know that implementing new regulations is not a quick process. Compliance is dynamic and multi-faceted, and changes can take many months to properly implement across healthcare organizations.
The larger your organization is, the more staff education and training it will take to change habits, routines, and workflows.
Currently, the modifications to the Security Rule are due to be finalized in Spring of 2026 (the OCR has not yet released a specific date for these changes).
Covered Entities will have 180 days to comply with the Security Rule changes. That means six months from the final Rule going into effect, your organization will have to achieve compliance under these changing regulations.
While six months may sound like a long time, anyone working in compliance knows that it will go by fast.
On the bright side, most of the changes to the Security Rule are already considered best practices, so you may already be doing some of these practices, and if not, there’s no reason to wait for the regulation to actually change to start.
How to Comply with the Updated Security Rule
There are quite a few cybersecurity changes coming under the updates to the HIPAA Security Rule. In order to comply within the timeline allowed, it is best to understand the new requirements now so you can create a plan for implementing the changes.
Luckily, since many of the changes to the Security Rule are codifying existing best practices, you may already be doing some, and there are many steps you can take right away.
Complete an Annual SRA
While HIPAA has always required the Security Risk Analysis (SRA), and annual completion has long been best practice, the new Security Rule is codifying an annual SRA as an official requirement.
Additionally, the updated Rule includes new requirements, like data inventory and network mapping, that should be a part of the SRA, and which will make it extremely challenging for organizations to complete the SRA internally.
We have long recommended that someone external to your organization (and to your IT provider) complete your SRA; completing it internally is a bit like grading your own paper. With a newly expanded list of requirements and an increased time commitment to go along with them, that recommendation is more pertinent than ever.
Ultimately, if it has been over a year since your last SRA, it’s certainly time to start looking into completing one. If you have made any significant changes to your organization, such as implementing new software or remodeling, it is also time to look at a new SRA.
Once the new rule is finalized, every organization will be scrambling to perform an SRA that meets the new requirements, so it’s a good idea to think ahead and complete your SRA now.
Routine Audits, Reviews, and Tests of Security Measures
A commitment to regular auditing is reflected in multiple parts of the new Security Rule.
In addition to the annual SRA becoming a requirement, the updated Rule also requires Contingency Planning and Response Testing at least annually, as well as new annual compliance audits separate and distinct from the SRA.
Additionally, the Rule contains a significant change requiring review and testing of security measures and specifically requires tabletop exercises (like those included in our Breach Preparedness Assessment). These exercises are simulations of security incidents to test how your team responds to real-world scenarios and can be critical tools for identifying gaps and deficiencies in your security processes.
Implement Multi-Factor Authentication
Multi-factor authentication will now be a requirement on systems used to access ePHI. This is another example of an existing best practice being codified into the regulation, so you may already use multi-factor authentication.
If not, this is probably a straightforward change you can implement in your EMR or other tools, and you should start researching the options available in your specific systems now so you are prepared.
Plan ahead, though: rolling this change out across a large organization may take some time, and because it adds a step to the login process, it may require additional training and education for your team.
Business Associate Management
The final significant change to the Security Rule will be the requirement to verify Business Associates (BAs) are in compliance with the Security Rule.
Again, this will be an annual requirement that will impact your BA management process, as you will need to obtain written verification from the BA each year.
Start thinking ahead now to how you will manage communications with and obtain verification from each of your BAs. A centralized BA management system like the one in HIPAAtrek will be a critical tool to ensure no BAs are forgotten, and to store these verifications in an audit-ready trail of compliance.
How to Prepare for the Security Rule Changes Coming in 2026
With all of these changes coming so soon, it is critical to begin preparing now in order to implement the changes in an efficient way upon finalization of the Security Rule.
We made a free Changing Regulations Cheat Sheet to help you stay on top of changes to HIPAA and other privacy and security regulations. Click here to download it now:
Step 1: Risk Analysis
The best way to begin preparing now? A Security Risk Analysis.
Risk analysis is key to preparing for any regulatory change—after all, you can’t know where you’re going if you aren’t clear where you’re starting from—but especially since the updated regulation will require an annual SRA, now is a great time to complete your SRA and get ahead of that requirement.
Your SRA should be completed by an outside consultant, especially considering the new, more robust requirements outlined in the updated Security Rule, which will increase the time commitment significantly.
We’ve always recommended completing an SRA with an outside consultant who can catch risks you may be overlooking, so this is another case where best practice aligns well with the new regulation.
Your risk analysis should include:
- An assessment of the systems and controls that will be required under the updated Security Rule, including encryption, multi-factor authentication, network mapping, data flow diagrams, ADCA, and contingency plan testing;
- Mapping of vulnerabilities to threats along with risk scoring;
- A complete scope that includes all systems that contain PHI as well as any systems that are excluded from the SRA and the reasoning behind the exclusions; and
- An implementation plan ready for when HIPAA changes go into effect.
Learn more about what constitutes a “complete and thorough SRA” here.
Step 2: Understand the Specifics of the Changes
Now is the time to begin studying the proposed modifications and identifying the specific actions you will take to implement these changes within the given timeline.
For instance, you can begin creating a budget and plan for completing tabletop exercises, ongoing annual SRAs, compliance audits, and contingency planning and response.
You should also make a technology plan for how you will conduct required training and knowledge assessments and implement multi-factor authentication to access PHI.
Thinking through these steps will allow you to be proactive in your communication with team members, so that nobody is surprised by changes.
Step 3: Speak with Leadership
Finally, now is the time to create buy-in for your action plan among the C-suite and other organizational leaders. Share your action plan and create a budget now—there is a cost to HIPAA changing. You need to be sure you’re budgeting appropriately for the changes required, including outside consulting services.
And, of course, HIPAA compliance software should be included in your budget in order to effectively manage these sweeping changes. HIPAAtrek has been proactively preparing our clients for these regulatory updates with specific, in-depth training and opportunities to ask questions about these changes. We also meet with clients and their leadership teams every six months to help them see their progress and prepare for coming changes.
Additionally, HIPAAtrek will have updated policy templates available in our platform within 45 days of the finalized Security Rule. HIPAA training within the software will also be updated to reflect the changes and assist with implementation among your team.
If you’re ready to learn more about using HIPAAtrek to manage your compliance—and stay updated as regulations change—now is the time to reach out. Click here to schedule a demo.
Security Rule Changes 2026
Major changes to HIPAA and relevant regulations are always intimidating, especially as the changes require updates to policies, training, consulting services, technology systems, and security practices across the board.
But with the right preparation, it doesn’t have to be a challenge to stay compliant! Conducting a risk analysis, identifying an action plan early, and creating buy-in among leadership and team members are critical steps to success. And, of course, HIPAAtrek can help along the way.
Download our free Changing Regulations Cheat Sheet to help you stay on top of changes to HIPAA and other privacy and security regulations. Click here to download it now: