In December 2024, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a Notice of Proposed Rulemaking (NPRM) that represents the most significant update to the HIPAA Security Rule since 2013. If finalized as proposed, this rule will fundamentally change how healthcare organizations approach cybersecurity compliance.
This is not a minor update. It is a structural overhaul.
Here is what it means for healthcare leaders — in plain terms, with the financial and operational reality included.
What Is Actually Changing
The "Addressable" Loophole Is Gone
This is the single most consequential change in the proposed rule.
Under the current HIPAA Security Rule, implementation specifications are classified as either "required" or "addressable." In practice, "addressable" has allowed organizations to document why a particular control is not reasonable or appropriate and implement an alternative — or in some cases, do nothing at all.
The proposed rule eliminates this distinction entirely. Nearly all specifications become mandatory, with very limited exceptions.
What this means in plain terms: if the rule says you need encryption, you need encryption. Not a memo explaining why you chose not to encrypt. Not an alternative compensating control. Encryption.
Encryption Becomes Non-Negotiable
All electronic protected health information (ePHI) must be encrypted at rest and in transit using NIST-aligned encryption standards. This applies across every system that handles patient data — including legacy systems.
There are no exceptions for older systems or smaller practices. If a system touches ePHI, it must encrypt it.
Multi-Factor Authentication Is Mandatory
Multi-factor authentication (MFA) becomes a required control for all interactive workforce access to ePHI systems. This includes standard user access, privileged accounts, and remote access.
For organizations that have already deployed MFA broadly, this is validation. For organizations that have been deferring MFA rollout — and many have — this becomes an urgent implementation project.
Network Segmentation Is Required
The proposed rule requires network segmentation as a documented safeguard. Organizations must separate IT and operational technology environments, document their segmentation strategy, continuously monitor its effectiveness, and regularly test that controls are functioning.
This is a significant lift for organizations with flat network architectures — which is still common in healthcare, particularly in smaller practices and ambulatory settings.
Mandatory Testing Frequencies
For the first time, the proposed rule establishes minimum testing frequencies:
- Vulnerability scans at least every six months
- Penetration tests at least annually
- Business continuity testing with a specific requirement for 72-hour system recovery capability
These are not suggestions. Under the proposed rule, they are requirements with defined intervals.
Expanded Documentation and Compliance Obligations
The rule expands requirements around risk assessments, incident response planning, audit logging, vendor management, and workforce training. Documentation must be more detailed, more current, and more readily available for regulatory review.
What This Will Cost
HHS estimates the cost at approximately $9.3 billion in the first year across all regulated entities, with a total five-year implementation cost of roughly $34 billion.
HHS has argued that if the proposed changes reduce breach-affected individuals by 7 to 16 percent, the rule would effectively pay for itself through avoided breach costs.
That macro-level argument may hold, but it does not change the reality for individual organizations — particularly smaller ones — that will need to fund encryption deployments, MFA rollouts, penetration testing contracts, network segmentation projects, and expanded compliance staffing within a tight implementation window.
For a mid-size healthcare organization, the practical cost implications include:
- Technology investments — encryption tools, MFA platforms, network segmentation infrastructure, vulnerability scanning and penetration testing services
- Staffing — additional compliance personnel, or expanded responsibilities for existing staff, to meet documentation and testing requirements
- Third-party assessments — annual penetration testing and vulnerability scanning at least every six months will likely require external vendors for many organizations
- Vendor management — expanded due diligence and oversight of business associates and their security posture
For smaller practices and rural hospitals, these costs represent a significant burden relative to their operating budgets. This is one of the primary concerns raised by industry coalitions opposing the rule.
Where It Stands Right Now
Here is the current timeline:
- December 27, 2024 — HHS published the NPRM
- January 6, 2025 — Rule added to the Federal Register
- January 20, 2025 — President Trump issued an Executive Order requiring a "Regulatory Freeze Pending Review," creating uncertainty about whether the rule would proceed
- March 7, 2025 — Public comment period closed
- May 2026 — Finalization target date, still on the OCR regulatory agenda as of late 2025
- Late 2026 / Early 2027 — Expected compliance deadline (180–240 days after finalization)
Despite significant industry pushback — including a coalition of over 100 healthcare organizations led by CHIME petitioning HHS to withdraw the rule — the OCR has kept the rule on its regulatory agenda. The final rule may be issued in a slimmed-down form, but some version of these changes is likely coming.
Industry Opposition
The pushback has been substantial. More than 100 healthcare organizations signed a letter asking HHS to reconsider. The primary concerns center on:
- Cost burden on smaller providers who are already financially stretched
- Implementation timeline that may not give organizations enough time to comply
- One-size-fits-all approach that treats a rural critical access hospital the same as a major health system
- Potential to divert resources from other security priorities to checkbox compliance
These are legitimate concerns. But they are unlikely to stop the rule entirely — the regulatory momentum behind healthcare cybersecurity requirements has been building for years, driven by the escalating volume and severity of healthcare data breaches.
What You Should Be Doing Now
Regardless of whether the final rule looks exactly like the NPRM, the direction is clear: the bar for healthcare cybersecurity compliance is going up significantly. Organizations that wait for the final rule to start preparing will find themselves scrambling.
Assess your current state against the proposed requirements. Specifically:
- Do you have encryption at rest and in transit across all ePHI systems?
- Is MFA deployed for all workforce access to ePHI, including remote access?
- Is your network segmented, and is that segmentation documented and tested?
- When was your last penetration test? Your last vulnerability scan?
- Can you recover critical systems within 72 hours?
- Is your risk assessment current, comprehensive, and documented?
Identify the gaps that will require the most time and budget to close. Network segmentation and encryption of legacy systems are typically the longest lead-time projects. Start planning those now.
Engage your leadership and board. These changes will require budget. The conversation about funding cybersecurity compliance is easier to have now — before the rule is finalized and the clock starts — than six months from now when every healthcare organization is competing for the same vendors and consultants.
Review your vendor and business associate agreements. The proposed rule expands vendor oversight requirements. Your business associates will need to meet these standards too, and you will need to verify that they do.
The Bottom Line
The proposed HIPAA Security Rule changes represent the most significant regulatory shift in healthcare cybersecurity in over a decade. The elimination of the "addressable" distinction, mandatory encryption, required MFA, network segmentation, and defined testing frequencies will collectively raise the compliance floor for every organization that handles ePHI.
The financial impact will be real and significant, particularly for smaller organizations. The implementation timeline will be tight. And the operational changes required are substantial.
But the threat landscape that prompted these changes is also real. Healthcare ransomware attacks are escalating. Breaches are growing in scale and impact. Patient data and clinical operations are at risk every day.
Whether you view these changes as overdue or overreaching, the time to start preparing is now.
Jackal Group provides cybersecurity advisory services to healthcare organizations navigating regulatory compliance, risk management, and security program maturity. Contact us to discuss how these changes affect your organization.