Modernizing HIPAA: Are You Ready?

Healthcare , HIPAA/HITECH , Industry Specific Modernizing HIPAA: Are You Ready? Key Challenges in the Proposed HIPAA Security Rule Update Tom Walsh • March 6, 2026     Get Permission Image: Shutterstock The HIPAA Security Rule may soon undergo its first major overhaul in over two decades. Although finalization could come as early as May 2026, timelines remain uncertain. Regardless, the proposed changes introduce significant new requirements grounded in modern cybersecurity practices and established frameworks. See Also: Free Your IT Program of Tech Debt With an Enterprise Browser (eBook) In January 2025, the U.S. Department of Health and Human Services' Office for Civil Rights issued a Notice of Proposed Rulemaking to strengthen the HIPAA Security Rule in response to rising cyberthreats and widespread healthcare breaches. If finalized, the update would shift HIPAA from a flexible, risk-based model to a more prescriptive compliance framework. Key Challenges Implementation specifications become required. The distinction between "required" and "addressable" implementation specifications would be eliminated; New citations. Control mappings will need updates, as many standards will be renumbered or reorganized. Defined review frequencies. Many safeguards must be reviewed and tested at least annually, with some requirements occurring more frequently. Asset inventories and network maps. Organizations must maintain detailed technology inventories and data flow maps showing where PHI is created, stored, processed and transmitted. Formal compliance audits. Organizations must validate Security Rule compliance through documented audits. Better defined risk analysis and risk management expectations. Vulnerability management. Vulnerability scans every six months and annual penetration testing conducted by qualified personnel. Patch management timelines. Critical patches must be applied within 15 days; others within 30 days. Multifactor authentication. Required for systems handling PHI. Accelerated access termination. System access must be revoked within one hour of employee termination (24 hours when third-party systems are involved). Business associate oversight. Annual written verification and certification of technical safeguards will be required. Just having a signed business associate agreement is not enough. Mandatory encryption. Encryption for PHI at rest and in transit becomes a firm requirement. The Bottom Line The proposed update reflects a clear move toward standardized, enforceable cybersecurity controls aligned with current best practices. Organizations should begin assessing gaps now to prepare for a more rigorous and structured compliance environment.