DEV Community

Joe Gellatly

Originally published at medcurity.com

The 2026 HIPAA Security Rule: A Mid-Year Readiness Check (June 2026)

Canonical version of this article lives on the Medcurity blog: https://medcurity.com/hipaa-security-rule-2026-update/

If you run security or compliance for a healthcare organization, the single most important regulatory question of 2026 is still open: the proposed HIPAA Security Rule overhaul has not been finalized yet — but the timeline is tightening, and OCR is already enforcing the spirit of it. This is a mid-year checkpoint on where things actually stand and what to have in place before the final rule lands.

Where the rule stands right now

OCR released its Notice of Proposed Rulemaking on December 27, 2024; it was published in the Federal Register on January 6, 2025 (90 FR 898). It drew more than 4,700 public comments, which OCR is still working through. A final rule has been broadly expected around mid-2026, but as of this writing OCR has not confirmed a publication date. When it does publish, the proposed structure gives covered entities and business associates 240 days from publication to comply (the rule takes effect 60 days after publication, followed by a 180-day compliance period), so the window to prepare is the time you have now, before the clock starts.

The practical takeaway: don't wait for the Federal Register notice to start the work. The proposed requirements are specific enough to build against today, and most of them are things a mature security program should already be doing.

The four changes worth preparing for

The NPRM is long, but four proposed requirements drive most of the operational change for small and mid-sized healthcare orgs:

  1. Six-month vulnerability scanning cadence. The proposal moves vulnerability scanning from a vague "as needed" posture to a defined recurring cadence of at least every six months, paired with timelines for patching what the scans find. If you scan once a year (or only after an incident), build the muscle for twice-yearly scans now, and make sure findings are tracked to remediation rather than filed away.

  2. Annual penetration testing. Distinct from scanning: a scanner matches known weaknesses against what it can see, while a penetration test is a qualified person actively trying to reach ePHI. Budget for it, define a scope that covers the systems that create, receive, maintain or transmit ePHI, and identify a qualified provider before it's mandatory.

  3. Mandatory encryption of ePHI at rest and in transit, with narrow documented exceptions. The proposal removes the "addressable" versus "required" distinction entirely, so the wiggle room many orgs have leaned on to skip encryption disappears; any exception has to be written down and justified.

  4. A genuine, current risk analysis. This is the through-line of the whole rule and the one OCR is already enforcing hardest. The proposal spells out what the analysis must be built on, starting with a written technology asset inventory and a network map showing where ePHI lives and how it moves.

OCR isn't waiting for the final rule

Here's what makes this urgent even before finalization: OCR's Risk Analysis Initiative, launched in late 2024, is a live enforcement campaign targeting organizations that never performed an adequate security risk analysis. By mid-2025 it had produced seven enforcement actions; by early 2026 the count had reached eleven. OCR has reiterated that an inadequate or missing risk analysis remains the most frequently cited deficiency in its investigations.

In other words: the most-enforced requirement of the future rule is the most-enforced deficiency under the current one. A defensible, current, organization-wide risk analysis is the work that pays off no matter when the final rule publishes.

A 30-minute readiness self-check

Before the rule finalizes, walk through this:

  • When was your last security risk analysis, and does it cover every system that touches ePHI (including SaaS, mobile, and BA-hosted systems)?
  • Do you have a documented vulnerability-scanning schedule you could move to a six-month cadence without scrambling?
  • Have you ever had a real penetration test — and could you produce the report?
  • Is ePHI encrypted at rest and in transit, with each exception documented along with the compensating control that covers it?
  • If OCR asked for your risk-analysis documentation tomorrow, could you produce it, with the asset inventory it rests on, within a week?

If any answer is "no" or "not sure," that's your pre-finalization to-do list.

Bottom line

The 2026 Security Rule isn't final, but the direction is clear and OCR is enforcing the foundation today. Treat the 240-day comply-by window as a planning horizon you can get ahead of: a current risk analysis, a defined scanning cadence, a real pen test, and encryption you can document. Organizations that do this work now will treat the final rule as a formality rather than a fire drill.


Originally published at medcurity.com — the canonical version is updated as the rulemaking develops.
