Preparing for the 2026 HIPAA Security Rule overhaul
Finalization of the latest HIPAA Security Rule updates is expected this May. We highlight the proposed changes, their impact on hospitals, and how to prepare.
March 2, 2026
March 2, 2026
Market and Business Development Leader, Risk and Compliance
The healthcare industry is bracing for the most significant update to the HIPAA Security Rule in more than a decade. With finalization expected in May 2026 and compliance likely in 2027, the upcoming changes will redefine how hospitals, health systems, and business associates safeguard electronic protected health information (ePHI).
What does the new rule propose?
The new rule is expected to shift from flexible, “addressable” safeguards to mandatory, enforceable cybersecurity requirements. The final language is still pending, but key elements expected to become required include:
- Multifactor authentication for technology assets that access ePHI (limited exceptions)
- Encryption of ePHI at rest and in transit, with limited exceptions
- Penetration testing at least annually and vulnerability scanning at least every six months
- Written technology asset inventory and network map of ePHI data flows, updated at least annually and after relevant changes
- Written documentation of policies, procedures, plans, and analyses
- Annual compliance audits and clarified timelines for various requirements
- Twenty-four-hour notice upon activation of a business associate’s contingency plan
These updates reflect the U.S. Department of Health and Human Services’ push to strengthen healthcare’s cybersecurity posture and align with broader national critical infrastructure standards.
The impact on hospitals
HHS’ Office for Civil Rights estimates first‑year compliance costs of roughly $9 billion across covered entities and business associates, underscoring the scale of change if the security rule is finalized as proposed. Health systems should plan now for investments in identity/MFA, encryption, asset/flow mapping, testing/monitoring, documentation, and Business Associate oversight.
Healthcare remains the most targeted sector for cyberattacks, making these changes essential for reducing risk, ensuring continuity of care, and protecting patient trust.
How Kodiak helps hospitals stay ahead
Kodiak’s HIPAA Security Rule Proposed Updates Readiness Assessment is a focused evaluation designed to help organizations understand the expected 2026 changes, assess their current-state readiness, identify control gaps, and develop a prioritized remediation road map. The assessment is structured to be completed within a four- to six-week time frame, enabling organizations to move quickly in preparing for the new requirements. The approach includes:
Current-state assessment: Targeted interviews with enterprise and operational owners, along with artifact review, to document control design, governance, evidence, and how processes are executed in practice.
Gap analysis and road map: A comparison of current practices against proposed requirements, resulting in risk-based recommendations with defined sequencing and dependencies.
Policy analysis: A review of existing policies, standards, and procedures against new HIPAA expectations, supported by a control-area toolkit to help identify gaps and guide required updates.
Measurable control indicators: Identification of available metrics, data sources, and automation opportunities to support continuous monitoring, summarized using Kodiak’s Risk Cube methodology to prioritize risks and enhance visibility.
The final deliverable: An executive-level report summarizing readiness, key gaps, and a clear path forward. The report equips leadership with actionable steps to prepare for more prescriptive HIPAA requirements and improve overall cyber resilience.
The time to prepare is now
In 2024, the healthcare sector recorded 725 large data breaches, exposing approximately 275 million patient records, a scale that underscores the cybersecurity risk environment driving OCR’s proposed overhaul of the HIPAA Security Rule. This combination of escalating threats and the anticipated shift toward more prescriptive requirements makes one thing clear: Preparation time is running out.
Hospitals that move early will be better positioned to reduce compliance exposure, strengthen operational resilience, and safeguard patient trust in an increasingly volatile threat landscape.
Kodiak stands ready to help guide your organization through this transition. Reach out to our IT Risk experts today to learn more about how we can help you prepare for the new HIPAA Security Rule.
