The tailwind every clinic must answer

The 2026 HIPAA Security Rule, in plain English.

The proposed overhaul (NPRM Dec 2024, final rule expected ~2026) ends the "addressable" loophole and makes a long list of safeguards mandatory. Every small practice has to re-baseline. Here's the short version.


What actually changes

These are the headline shifts most likely to affect a 1–50 person practice. Ward maps each one to a live readiness item.

Encryption everywhere

ePHI must be encrypted at rest and in transit — full-disk encryption on every laptop and phone, TLS and encrypted email for data in motion. Narrow, documented exceptions only.

MFA on all ePHI

Multi-factor authentication becomes mandatory for access to systems holding patient data — the EHR, email, remote and cloud access. One of the biggest new lifts for small clinics.

No more "addressable"

The old "required vs. addressable" distinction is gone. Safeguards you may have skipped — audit logging, automatic logoff, integrity controls — become required.

Scans & pen tests on a cadence

Vulnerability scans at least every six months and a penetration test at least annually, with findings tracked and fixed.

Asset inventory & data map

A written inventory of everything that touches ePHI, plus a map of how data flows — mandatory, not optional.

Business-associate verification

A signed BAA is no longer enough. You must obtain verification that vendors actually have the safeguards in place.

Tested backups & rapid recovery

Regular, separately stored, tested backups with defined recovery times: your best defense against ransomware.

~72-hour breach expectations

Tighter coordination and faster notification between business associates and covered entities. Know your clock before it starts.

2026 HIPAA Security Rule: quick answers

Is encryption required under the 2026 HIPAA Security Rule?

Under the proposed rule, yes — encryption of ePHI at rest and in transit becomes an explicit requirement, with only narrow, documented exceptions. That means full-disk encryption on laptops and phones, plus TLS and encrypted email for data in motion. The old "addressable" wiggle room is removed.

Is MFA a HIPAA requirement in 2026?

The proposed rule makes multi-factor authentication mandatory for access to systems that hold ePHI — your EHR, email, and remote/cloud access. For most small clinics this is one of the biggest new lifts, and it's one of the items Ward's readiness meter checks directly.

What changed in the 2026 HIPAA Security Rule?

The headline changes: encryption everywhere, MFA on ePHI, removal of the "addressable vs. required" distinction, vulnerability scans at least every six months, a penetration test at least annually, mandatory asset inventory and data-flow mapping, business-associate verification (not just a signed BAA), tested backups with defined recovery, and tighter ~72-hour breach coordination.

When does the 2026 HIPAA Security Rule take effect?

The NPRM was published in December 2024, with a final rule expected around 2026 and roughly a 240-day compliance clock after it's finalized. The specifics could shift, so Ward ships its mapping as a versioned content pack and labels it "based on the proposed rule."

How do I know if my practice is ready?

Run Ward's free SRA and open the 2026 Readiness tab. It maps your answers to each new mandatory item — Ready, Partial, or Gap — with plain-English guidance on what to do next. No security background required.

One click: am I ready for 2026?

Answer Ward's questions and the readiness meter shows exactly which new mandatory items you've met — and what to do about the rest.
