The HIPAA Security Rule is getting its first real overhaul since 2003. Enforcement has never been tougher. And the agency running audits is signaling that “we had a policy” is no longer an acceptable answer.
For most of the past decade, HIPAA compliance operated on a well-understood informal bargain: document your risk analysis, have your policies in a binder, train your staff annually, and hope a breach doesn’t draw attention. OCR had real enforcement authority, but the agency was understaffed relative to the size of the healthcare sector it regulated, and the enforcement posture — while never entirely lenient — rarely reached organizations that were making visible good-faith efforts.
That equilibrium is ending. The 2025 enforcement data, the pending Security Rule overhaul, and the current OCR audit initiative together constitute a structural shift in what HIPAA compliance means operationally. The policy binder is no longer sufficient. The risk analysis as a document is no longer sufficient. OCR is looking for evidence that your organization identified risks, acted on them in documented, timely fashion, and built technical controls that can be independently verified.
The organizations that understand this shift are already moving. The ones still operating on the old bargain are accumulating liability.
The Security Rule Was Written Before the Modern Threat Landscape Existed
The foundational context: the existing HIPAA Security Rule was written in 2003, before cloud computing, telehealth, AI, ransomware, and connected medical devices became routine elements of healthcare infrastructure. It has not been substantively updated since the Omnibus Final Rule in 2013. An organization running EHR workloads in AWS, using telehealth platforms connected to consumer devices, and employing remote billing staff accessing systems over home networks was operating against a regulatory standard designed for an era of on-premise servers and desktop workstations.
HHS acknowledged this gap explicitly. In December 2024, OCR issued a Notice of Proposed Rulemaking to modify the HIPAA Security Rule to strengthen cybersecurity protections for electronic protected health information, updating the Security Rule’s standards to better address ever-increasing cybersecurity threats to the healthcare sector. The NPRM was published in the Federal Register on January 6, 2025.
OCR’s Spring 2025 Unified Agenda targeted a final rule in May 2026, and OCR Director Paula Stannard confirmed at HIMSS 2026 that review of the 4,700-plus public comments was continuing. Whatever the exact date the final text appears in the Federal Register, the substance is not in doubt: the NPRM’s core expectations are already the yardstick OCR applies under its existing authority, and the January 2026 OCR Cybersecurity Newsletter made clear that risk analysis is the most frequently cited deficiency in OCR investigations.
This is not a proposed rule to be evaluated at a comfortable distance. Its requirements describe the standard OCR already expects to see, and enforcement on those expectations has already begun.
What the New Security Rule Actually Requires
The proposed rule represents the most significant restructuring of HIPAA security standards in the statute’s history. The changes are specific, technical, and prescriptive — a deliberate departure from the flexibility that characterized the 2003 framework.
The NPRM removes the “addressable versus required” distinction that has governed the Security Rule since its inception, making almost all safeguards mandatory. It requires detailed technology asset inventories, risk analyses with specific threat-vulnerability pairs, encryption of ePHI at rest and in transit, mandatory multi-factor authentication, vulnerability scanning every six months, annual penetration testing, 72-hour disaster recovery time objectives, 48-hour recovery point objectives, and annual compliance audits with stricter Business Associate Agreement requirements.
The elimination of “addressable” controls is the structural change that will be most consequential in practice. Under the current rule, “addressable” never meant “optional,” but it did let an organization document a reasoned decision not to implement a specific control, provided it justified an equivalent alternative. Under the NPRM that flexibility is gone: the addressable/required distinction disappears, every implementation specification becomes required, and the only exceptions are narrow and must themselves be documented.
The specific technical requirements are not aspirational:
- Mandatory MFA on all access to relevant electronic information systems.
- Encryption of ePHI at rest and in transit as a standalone standard.
- Mandatory network segmentation.
- A written technology asset inventory and network map, reviewed at least annually.
- Vulnerability scanning at least every six months.
- Penetration testing at least annually.
- Patching within 15 days for critical and 30 days for high-severity vulnerabilities.
- Termination of a separated workforce member’s access within one hour.
- Notification of other regulated entities within 24 hours when a workforce member’s access to their systems is changed or terminated.
- Annual compliance audits.
For organizations running legacy infrastructure, the patch cadence alone may require capital investment in systems migration. Nearly every large hospital system has servers or clinical devices on operating systems that cannot support modern MFA, cannot run current endpoint detection and response tools, and cannot be patched on a 15-day cadence. OCR will scrutinize those migration plans, and whatever isolation or other compensating measures are applied in the meantime, in enforcement proceedings.
What this costs. HHS estimated year-one implementation costs at approximately $9 billion across the sector. For a mid-sized provider organization, realistic initial setup costs — covering encryption, MFA deployment, tooling, and documentation — run $15,000 to $40,000, with $5,000 to $15,000 in annual ongoing maintenance, scanning, and penetration testing. Industry associations including CHIME joined more than 100 hospital systems in a letter to the Trump administration requesting that HHS withdraw the proposed rule, arguing that small and mid-sized providers cannot absorb the projected costs, and that rural hospitals operating on thin margins would face existential choices between cybersecurity compliance and patient access.
HHS retained the finalization timeline despite the pushback — a signal that the agency regards the threat environment as more urgent than the cost objection.
The compliance window. As proposed in the NPRM, the final rule takes effect 60 days after it is published in the Federal Register, and regulated entities (covered entities and business associates alike) then have 180 days from that effective date to comply: roughly 240 days, or eight months, from publication. For organizations that have not begun gap assessments, that timeline is already under pressure.
The Risk Analysis Initiative: OCR Is Already Auditing
The Security Rule finalization is the legislative layer. But OCR began its enforcement escalation before the rule was finalized, through a targeted campaign called the Risk Analysis Initiative.
In fall 2024, OCR formally launched the Risk Analysis Initiative, a targeted enforcement campaign focused on organizations that had not conducted adequate security risk analyses. Within its first six months, by April 2025, seven enforcement actions had come out of this effort. By early 2026, that number had reached 11.
The pattern across these actions is consistent: a ransomware attack or breach triggers an OCR investigation, the investigation finds the organization had not conducted a comprehensive, documented risk analysis, and a settlement follows — along with a two- to three-year corrective action plan that includes mandatory reporting to OCR on compliance progress. The settlements range from $10,000 for a small rural entity to $350,000 for a larger provider, but the corrective action requirements are often more burdensome than the monetary penalty.
OCR’s 2026 guidance has made clear that it is not sufficient to simply document a risk analysis. Organizations must now tie risk management documentation directly to technical and procedural safeguards — for example, a risk analysis that identifies unpatched software and device firmware gaps must be paired with documented, timely risk management actions that reduce those vulnerabilities.
This is the enforcement theory that providers most frequently misunderstand. The risk analysis is not the compliance endpoint. It is the beginning of a documented cycle: identify risk, act to reduce it, document the action, test the control, repeat. Organizations that produce an annual risk analysis document and file it have completed only the first step of what OCR is currently expecting.
Ransomware: Not a Technical Problem, a Compliance Problem
The most operationally urgent enforcement priority in 2026 is ransomware — not because OCR has new statutory authority over ransomware specifically, but because ransomware attacks reliably expose the underlying HIPAA Security Rule failures that OCR is already investigating.
710 large breaches were reported to OCR in 2025 alone, affecting tens of millions of patients. Hacking incidents increased 239% and ransomware attacks 278% between 2018 and 2023. Between 2018 and 2024, the rate of healthcare data breaches involving 500 or more records doubled, from approximately one to two per day.
On April 23, 2026, OCR announced settlements with four additional regulated entities following separate ransomware investigations — marking 19 completed ransomware breach investigations and 13 completed investigations under the Risk Analysis Initiative. The April settlements included Axia Women’s Health, a multi-state women’s health network, and three other organizations that experienced ransomware attacks and were found to have inadequate security controls in place at the time.
OCR’s theory in ransomware enforcement is straightforward. Under OCR’s long-standing ransomware guidance, encryption of ePHI by ransomware is presumed to be a breach unless the entity can show, through a documented risk assessment, a low probability that the PHI was compromised, and the attack itself is evidence that security controls were inadequate. The absence of MFA, untested backup systems, inadequate logging, and missing or stale Business Associate Agreements are the specific deficiencies OCR identifies in settlement announcements. These are exactly the controls the new Security Rule will mandate. Organizations that have not yet deployed them are both vulnerable to ransomware and noncompliant with the emerging regulatory standard.
OCR enforcement is now specifically targeting: missed Right of Access deadlines, incomplete records and unclear fee practices; outdated risk analyses with no documented risk management plan; missing or stale Business Associate Agreements; ransomware and phishing incidents attributable to lack of MFA, inadequate logging, and untested backups; web tracking pixels and analytics SDKs that impermissibly disclose ePHI to third parties; and unauthorized employee access — “snooping” — without prompt sanctions.
The web tracking category deserves specific attention. Following the 2022–2023 wave of investigations into healthcare organizations using Meta Pixel, Google Analytics, and similar tools on patient-facing web pages, OCR has maintained consistent enforcement focus on this issue. If your patient portal, appointment scheduling page, or symptom checker loads third-party analytics code, and that code can capture PHI, you have a potential HIPAA issue that is unlikely to resolve itself.
Right of Access: The 54th Enforcement Action and Counting
Patient access to their own records has been an OCR enforcement priority since 2019, when the agency launched a targeted Right of Access initiative. It has not stopped.
OCR emphasized that individuals must receive access to their records within 30 days of the request, with one allowable 30-day extension. In the most recent Concentra settlement, OCR’s 54th Right of Access enforcement action, the organization had failed to provide an individual’s PHI within 30 days despite multiple requests, and access was ultimately provided more than a year after the initial request. The matter resolved for $112,500 under a resolution agreement.
The Right of Access enforcement pattern is notable for its consistency. OCR does not reserve this enforcement tool for large violations or systemic failures. A single patient complaint, a documented delay, and a pattern of non-response is sufficient to trigger investigation. For organizations that have not built a formal, monitored Right of Access workflow — tracking requests, response deadlines, extensions, and completion — the compliance risk is ongoing and not trivial.
Reproductive Health Privacy: A Vacated Rule and a Persisting Obligation
The reproductive health privacy landscape under HIPAA is currently in legal flux, and organizations need to track it carefully.
In April 2024, OCR finalized an update to the HIPAA Privacy Rule to strengthen reproductive healthcare privacy protections, prohibiting covered entities from using or disclosing PHI to investigate or penalize individuals seeking, providing, or facilitating reproductive healthcare. The rule took effect June 25, 2024, with enforcement beginning December 23, 2024. However, in June 2025, following a legal challenge in Texas federal court, the rule was vacated nationally.
The vacatur does not mean the underlying privacy concern has disappeared. Several states have enacted independent reproductive health data privacy statutes that impose obligations on healthcare providers beyond what HIPAA requires. And the Notice of Privacy Practices modifications that survived the June 2025 court decision still require implementation by February 16, 2026. Organizations that updated their NPPs in anticipation of full enforcement — and those that did not — both need legal review of their current obligations.
The 42 CFR Part 2 alignment is on more stable legal footing. It came in a separate 2024 final rule, not the vacated reproductive health rule, and aligned substance use disorder treatment record protections more closely with general HIPAA standards, a change that affects behavioral health providers, integrated care systems, and any organization that handles SUD treatment records alongside general medical records. For entities handling 42 CFR Part 2 records, compliance obligations under that rule apply as of February 16, 2026.
Employee Snooping: The Enforcement Category Nobody Plans For
Most HIPAA compliance programs focus on external threats — hackers, ransomware, unauthorized vendors. They underinvest in the internal threat: employees who access patient records they have no business reason to view.
In 2017, OCR settled with Memorial Healthcare System for $5.5 million after the credentials of a former employee that had never been deactivated were used to access the PHI of over 115,000 individuals. This category of violation, unauthorized access by current or former employees, requires access controls, audit log monitoring, and a functioning sanctions policy to prevent and detect. The new Security Rule’s requirement for one-hour workforce access termination upon separation is a direct response to this pattern: terminated employees who retain system access are a compliance failure waiting to become an enforcement action.
Audit log review is the technical control that catches internal snooping. Organizations that are generating logs but not reviewing them have the evidence of a problem accumulating in storage they are not reading. OCR’s January 2026 Cybersecurity Newsletter specifically called out activity log review as a required, documented practice — not an optional monitoring tool.
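As an added example of what that review looks like in practice (this is not code from the post, from OCR, or from any EHR vendor), the script below runs two checks over an access-log export: chart views by accounts that HR has already separated, or that HR does not know about at all, and chart views by users with no documented treatment relationship to the patient. The CSV layout, field names, roster and care-team mapping are all constructed for illustration; a real deployment would read the EHR’s own audit export and the HR system of record.

```python
"""Audit-log review checks for the two insider patterns described above.

Added example; not code from the post, from OCR, or from any EHR vendor.
The log format, field names, roster and care-team data are constructed
for illustration and stand in for a real export and HR feed.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample: a flat CSV export of record-access events (UTC).
SAMPLE_AUDIT_LOG = """\
timestamp,user_id,action,patient_mrn
2026-03-02T08:05:11Z,nurse.kim,VIEW,MRN1001
2026-03-02T08:07:40Z,nurse.kim,VIEW,MRN1002
2026-03-02T09:15:02Z,dr.ortiz,VIEW,MRN1003
2026-03-02T12:41:55Z,billing.lee,VIEW,MRN1001
2026-03-02T13:10:09Z,billing.lee,VIEW,MRN1004
2026-03-02T14:00:00Z,svc.legacy,VIEW,MRN1003
2026-03-02T17:30:00Z,rn.patel,VIEW,MRN1002
2026-03-03T02:12:33Z,rn.patel,VIEW,MRN1005
"""

# Constructed HR roster: user -> separation time (UTC), None while active.
# An account absent from the roster belongs to nobody, which is a finding
# in its own right (orphaned service or contractor accounts).
ROSTER = {
    "nurse.kim": None,
    "dr.ortiz": None,
    "billing.lee": None,
    "rn.patel": datetime(2026, 3, 2, 16, 0, 0),
}

# Constructed treatment relationships: patient -> users with a documented
# reason to open the chart (care team, or billing for that encounter).
CARE_TEAM = {
    "MRN1001": {"nurse.kim", "dr.ortiz", "billing.lee"},
    "MRN1002": {"nurse.kim", "rn.patel"},
    "MRN1003": {"dr.ortiz"},
    "MRN1004": {"dr.ortiz"},
    "MRN1005": {"dr.ortiz"},
}

# The NPRM's one-hour window for revoking a separated worker's access.
TERMINATION_SLA = timedelta(hours=1)


def parse_log(text):
    """Parse the CSV export into dicts carrying a real datetime timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows


def find_retained_access(rows, roster, sla=TERMINATION_SLA):
    """Flag events by accounts that are unknown to HR or already separated."""
    findings = []
    for r in rows:
        user = r["user_id"]
        if user not in roster:
            findings.append({"type": "unknown_account", "user_id": user,
                             "patient_mrn": r["patient_mrn"], "timestamp": r["timestamp"]})
            continue
        separated = roster[user]
        if separated is not None and r["timestamp"] > separated:
            lag = r["timestamp"] - separated
            findings.append({"type": "post_termination_access", "user_id": user,
                             "patient_mrn": r["patient_mrn"], "timestamp": r["timestamp"],
                             "hours_after_separation": round(lag.total_seconds() / 3600, 2),
                             "outside_sla": lag > sla})
    return findings


def find_no_relationship(rows, care_team):
    """Flag chart views by users with no documented treatment relationship."""
    findings = []
    for r in rows:
        if r["user_id"] not in care_team.get(r["patient_mrn"], set()):
            findings.append({"type": "no_treatment_relationship", "user_id": r["user_id"],
                             "patient_mrn": r["patient_mrn"], "timestamp": r["timestamp"]})
    return findings


def review(log_text, roster=ROSTER, care_team=CARE_TEAM):
    """Run both checks and return (findings, count-by-type) for the review record."""
    rows = parse_log(log_text)
    findings = find_retained_access(rows, roster) + find_no_relationship(rows, care_team)
    summary = {}
    for f in findings:
        summary[f["type"]] = summary.get(f["type"], 0) + 1
    return findings, summary


if __name__ == "__main__":
    found, counts = review(SAMPLE_AUDIT_LOG)
    for f in found:
        print(f)
    print(counts)
```

On the constructed data the separated nurse’s two views land 1.5 and about 10.2 hours after separation, both outside the one-hour window, the orphaned `svc.legacy` account is flagged because no roster entry owns it, and the billing clerk’s view of a patient they do not bill surfaces as a no-relationship hit. The point for the review record is the second return value: a dated count of findings by type, kept alongside the disposition of each one, is the documented evidence that logs were actually reviewed rather than merely retained.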
The Business Associate Problem: Your Vendors Are Your Liability
One of the most underappreciated compliance risks in the current environment involves Business Associates — the vendors, contractors, clearinghouses, billing services, EHR vendors, and cloud providers that access PHI on behalf of covered entities.
Under HIPAA, covered entities are responsible for ensuring their BAs have appropriate protections in place and appropriate Business Associate Agreements signed. In the current enforcement environment, having a signed BAA is a floor, not a ceiling. The new requirement is to verify the BAA — document the verification itself, not just keep the BAA on file. Annual verification that BAs have deployed required safeguards — MFA, encryption, breach notification timelines — is becoming the expected standard.
The practical challenge is that most covered entities have dozens to hundreds of business associate relationships, many of which were established years ago and have never been formally reviewed. A BA that was compliant under 2003 standards may not be compliant under 2026 standards. And when that BA experiences a breach that exposes your patients’ PHI, the investigation will include your organization’s due diligence on vendor oversight.
The new Security Rule’s requirement that BAs provide written verification annually — not just an attestation but evidence of control deployment, similar in concept to a SOC 2 report — will fundamentally change the BA management workflow for most covered entities. Organizations that start building that vendor risk management infrastructure now will be ahead of a compliance deadline that is arriving on a compressed timeline.
The Operational Posture That Matches the Current Moment
Taken together, the enforcement actions, the Security Rule finalization, the Risk Analysis Initiative, the Right of Access campaign, and the continuing focus on ransomware define a compliance environment with several clear characteristics.
OCR is treating cybersecurity failures as organizational negligence, not bad luck. A ransomware attack is not an act of God that exempts you from HIPAA liability. It is evidence that your risk analysis was inadequate, your controls were insufficient, or your management of the resulting incident violated breach notification requirements. The enforcement posture is that the attack reveals the pre-existing compliance failure.
Risk analysis without risk management is noncompliance. The most common violation pattern in current enforcement actions is not the absence of a risk analysis — it is the presence of a risk analysis that identified vulnerabilities and was then filed away without generating documented corrective action. OCR’s current guidance is explicit: the analysis is the beginning of a cycle, not a deliverable.
The average cost of a healthcare data breach peaked near $10.9 million in 2023 and has stayed the highest of any industry since, and HIPAA fines increased again in 2026. Compliance investment is the cheaper option. The organizations doing the actuarial math correctly are not asking whether they can afford to implement MFA and encryption. They are asking whether they can afford not to.
The compliance floor just moved. The organizations that understand that are building. The ones that don’t will be paying settlements.
Sources
- HIPAA Journal. HIPAA Updates and HIPAA Changes in 2026. Updated 2026. https://www.hipaajournal.com/hipaa-updates-hipaa-changes/
- HHS Office for Civil Rights. HIPAA Security Rule NPRM Fact Sheet: Strengthening Cybersecurity for Electronic Protected Health Information. December 27, 2024. https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html
- Medcurity. 2026 HIPAA Security Rule Update: New Requirements to Prepare For. Updated May 2026. https://medcurity.com/hipaa-security-rule-2026-update/
- Medcurity. HIPAA Security Rule Changes for Hospitals: 2026. Updated May 2026. https://medcurity.com/hipaa-security-rule-changes-hospitals-2026/
- Elisity. The HIPAA Security Rule 2026: What Hospital CISOs Must Do in 240 Days. April 2026. https://www.elisity.com/blog/hipaa-security-rule-2026-240-days
- Konfirmity. HIPAA: What Changed in 2026 — Key Requirements and Steps. 2026. https://www.konfirmity.com/blog/hipaa-what-changed-in-2026
- CBIZ. 5 HIPAA Security Rule Changes in 2026 and How to Prepare. April 2026. https://www.cbiz.com/insights/article/5-hipaa-security-rule-changes-in-2026-and-how-to-prepare
- AccountableHQ. HIPAA Enforcement Trends 2026: Fines, Audits, and OCR Priorities to Watch. May 2026. https://www.accountablehq.com/post/hipaa-enforcement-trends-2026-fines-audits-and-ocr-priorities-to-watch
- AccountableHQ. HIPAA News: Latest Rule Changes, Enforcement Actions, and Compliance Updates. Updated 2026. https://www.accountablehq.com/post/hipaa-news-latest-rule-changes-enforcement-actions-and-compliance-updates
- HHS Office for Civil Rights. OCR Settles Four HIPAA Security Rule Ransomware Investigations. April 23, 2026. https://www.hhs.gov/press-room/ocr-settles-four-ransomware-investigations.html
- Feldesman LLP. OCR’s New Initiative Yields Seven HIPAA Enforcement Actions. April 2025. https://www.feldesman.com/ocrs-new-security-risk-analysis-initiative-results-in-seven-enforcement-actions-in-first-six-months/
- Shumaker, Loop & Kendrick. HIPAA Enforcement Risks and Mitigation Strategies: Summary of Recent OCR Actions. January 2026. https://www.shumaker.com/insight/client-alert-hipaa-enforcement-risks-and-mitigation-strategies-summary-of-recent-office-for-civil-rights-actions/
- Paubox. What’s Changing with HIPAA in 2026. 2026. https://www.paubox.com/blog/whats-changing-with-hipaa-in-2026
- One Guy Consulting. $6.6M in HIPAA Fines in 2025: Who Got Caught. March 2026. https://oneguyconsulting.com/blog/hipaa-fines-2025-breakdown
- Network Intelligence. HIPAA Enforcement Rule: Essential Insights for 2026. December 2025. https://www.networkintelligence.ai/blogs/hipaa-enforcement-rule/