The HIPAA Security Rule

May 4, 2026

The HIPAA Security Rule overhaul expected in 2026 is one of the most significant changes since 2003. It is still based on a proposed rule (NPRM), but industry consensus—and HHS direction—indicates a shift from flexible, risk-based guidance to prescriptive, enforceable cybersecurity requirements.


Below is a structured breakdown of the most important expected changes and what they mean operationally.


1) Elimination of “Addressable” Safeguards → Mandatory Controls

Current state: Many controls (e.g., encryption) are “addressable”

2026 shift: Most become required

  • Encryption, MFA, logging, and other safeguards can no longer be skipped with justification
  • Removes variability across organizations
  • Forces baseline security standardization

Impact:

  • Small practices lose flexibility
  • Audits become binary: implemented vs. not implemented


2) Mandatory Encryption (At Rest + In Transit)

  • Encryption of **all ePHI** required
  • Applies to:
      • Servers and databases
      • Workstations/endpoints
      • Backups and archives

Likely standard: AES-256 (or equivalent), TLS 1.2+

Impact:

  • Legacy systems become a liability
  • Backup platforms and imaging systems (CBCT, etc.) must comply


3) Multi-Factor Authentication (MFA) Required Everywhere

  • MFA required for:
      • All systems accessing ePHI
      • Privileged/admin access
      • Remote access

Impact for dental/medical workflows:

  • Shared logins and “no phones in operatories” become compliance risks
  • Requires alternative MFA methods (hardware tokens, workstation-based auth, etc.)


4) Formal Security Testing Requirements

New minimum standards expected:

  • Vulnerability scanning: at least every 6 months
  • Penetration testing: annually

Impact:

  • Moves organizations from “reactive IT” to **continuous security validation**
  • MSPs/SOC providers become operationally required, not optional


5) Stricter Risk Analysis & Ongoing Risk Management

  • Risk analysis must be:
      • Comprehensive
      • Documented
      • Continuously updated
  • Must show:
      • Identified risks
      • Remediation actions
      • Evidence of progress

OCR focus for 2026 enforcement:

  • Proof—not just documentation—of risk management


6) Asset Inventory & Data Flow Mapping (New Requirement)

Organizations must maintain:

  • Full asset inventory (hardware, software, cloud)
  • Data flow maps showing where ePHI travels

Impact:

  • Requires visibility across:
      • SaaS (Open Dental cloud, imaging integrations)
      • Vendors and APIs
  • Critical for incident response and compliance audits


7) Enhanced Vendor / Business Associate Requirements

  • More detailed **BAA requirements**
  • Mandatory:
      • Security controls (MFA, encryption)
      • Faster breach notification (often 24–72 hours)
      • Demonstrated compliance

Impact:

  • Third-party risk becomes a primary audit area
  • MSPs and SaaS vendors are directly accountable

8) Faster Incident & Breach Reporting

  • Expected requirement: **~72-hour reporting window**
  • Aligns more closely with modern regulatory frameworks (e.g., GDPR-like timelines)

Impact:

  • Requires:
      • SIEM / log aggregation
      • Incident response plans
      • 24×7 monitoring capability

9) Network Segmentation & System Hardening

  • Required segmentation of systems handling ePHI
  • Mandatory controls around:
      • Unsupported software removal
      • Anti-malware
      • Patch management

Impact:

  • Flat networks (common in dental offices) become non-compliant
  • VLANs and firewall segmentation become required architecture
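Once an asset inventory and ePHI data-flow map exist (section 6), the encryption, vendor/BAA and segmentation requirements from sections 2, 7 and 9 can be checked mechanically and the output kept as audit evidence. The following is an added example, not code from the original post or from any vendor; the asset fields, the transport labels and every system name are assumptions for a hypothetical practice.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    vlan: str
    handles_ephi: bool       # stores or processes ePHI
    encrypted_at_rest: bool
    mfa_enforced: bool
    vendor_baa: bool = True  # on-prem assets: True (no BAA applies)
STRONG_TRANSPORT = {"TLS1.2", "TLS1.3"}  # TLS 1.2+ per the expected standard

def find_gaps(assets, ephi_flows):
    """One auditable finding per failed control; ephi_flows are (src, dst, transport) edges."""
    known = {a.name for a in assets}
    ephi_vlans = {a.vlan for a in assets if a.handles_ephi}
    gaps = []
    for a in assets:
        if a.handles_ephi and not a.encrypted_at_rest:
            gaps.append(f"{a.name}: ePHI stored without encryption at rest")
        if a.handles_ephi and not a.mfa_enforced:
            gaps.append(f"{a.name}: no MFA on a system accessing ePHI")
        if a.handles_ephi and not a.vendor_baa:
            gaps.append(f"{a.name}: ePHI held by a vendor with no BAA")
        if not a.handles_ephi and a.vlan in ephi_vlans:
            gaps.append(f"{a.name}: non-ePHI device on ePHI VLAN {a.vlan}")
    for src, dst, transport in ephi_flows:
        if transport not in STRONG_TRANSPORT:
            gaps.append(f"{src} -> {dst}: ePHI in transit over {transport}")
        for end in (src, dst):
            if end not in known:
                gaps.append(f"{src} -> {dst}: {end} missing from inventory")
    return gaps

# Constructed sample data for a hypothetical practice; every name is made up.
SAMPLE_ASSETS = [
    Asset("pms-db", "vlan10", True, True, True),
    Asset("cbct-imaging", "vlan10", True, False, False),
    Asset("front-desk-1", "vlan10", True, True, False),
    Asset("guest-wifi", "vlan10", False, False, False),
    Asset("backup-cloud", "cloud", True, True, True, vendor_baa=False),
]
SAMPLE_FLOWS = [
    ("front-desk-1", "pms-db", "TLS1.2"),
    ("cbct-imaging", "pms-db", "SMB"),
    ("pms-db", "backup-cloud", "TLS1.3"),
    ("pms-db", "old-nas", "TLS1.0"),
]
def sample_report():
    return find_gaps(SAMPLE_ASSETS, SAMPLE_FLOWS)
```

Each line of the report maps to one control in the sections above, which is the kind of implemented-or-not evidence a binary audit asks for.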


10) Shift From “Policy-Based” to “Proof-Based” Compliance

This is the most important strategic change:

  • Old model: “Have policies and documentation”
  • New model: “Prove controls are implemented and working”

Examples:

  • Logs must exist and be reviewed
  • Controls must be tested
  • Risk remediation must be tracked
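"Logs must exist and be reviewed" is only provable if the review produces findings. This added example (not from the original post) runs a review pass over constructed authentication log lines and flags the MFA and shared-login risks from section 3: logins to ePHI systems without MFA, privileged logins without MFA, and one account active on two workstations minutes apart. The line format, the system names and the 10-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format (assumption): "<iso time> LOGIN user=.. host=.. system=.. mfa=yes|no role=.."
LOG_RE = re.compile(
    r"(?P<ts>\S+) LOGIN user=(?P<user>\S+) host=(?P<host>\S+) "
    r"system=(?P<system>\S+) mfa=(?P<mfa>yes|no) role=(?P<role>\S+)$"
)
EPHI_SYSTEMS = {"pms", "imaging"}   # systems holding ePHI (assumption)
SHARED_MIN = 10                     # same account on two hosts within 10 min

def review_logins(lines):
    """Return auditable findings: ePHI/admin logins without MFA, shared accounts, unparseable lines."""
    findings, seen = [], defaultdict(list)      # seen: user -> [(ts, host)]
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            findings.append(f"unparseable line (check log integrity): {line!r}")
            continue
        ts, who = datetime.fromisoformat(m["ts"]), f"{m['user']}@{m['host']}"
        if m["system"] in EPHI_SYSTEMS and m["mfa"] == "no":
            findings.append(f"{who}: login to ePHI system {m['system']} without MFA")
        if m["role"] == "admin" and m["mfa"] == "no":
            findings.append(f"{who}: privileged login without MFA")
        for prev_ts, prev_host in seen[m["user"]]:
            if prev_host != m["host"] and ts - prev_ts <= timedelta(minutes=SHARED_MIN):
                findings.append(f"{m['user']}: on {prev_host} and {m['host']} "
                                f"within {SHARED_MIN} min (shared login?)")
                break
        seen[m["user"]].append((ts, m["host"]))
    return findings

# Constructed sample log lines for a hypothetical practice (no real events).
SAMPLE_LOG = """\
2026-05-04T08:00:00 LOGIN user=frontdesk host=FD-01 system=pms mfa=no role=user
2026-05-04T08:03:00 LOGIN user=frontdesk host=FD-02 system=pms mfa=no role=user
2026-05-04T08:10:00 LOGIN user=drsmith host=OP-03 system=imaging mfa=yes role=user
2026-05-04T08:15:00 LOGIN user=msp-admin host=VPN-GW system=pms mfa=no role=admin
2026-05-04T09:00:00 LOGIN user=drsmith host=OP-03 system=pms mfa=yes role=user
2026-05-04T09:01:00 LOGIN corrupted entry
""".splitlines()

def sample_findings():
    return review_logins(SAMPLE_LOG)
```

Keeping the dated output of such a pass alongside the raw logs is what turns "we have logs" into "we reviewed them".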


Timeline (Expected)

  • Proposed rule issued: **Jan 2025**
  • Likely final rule: **~May 2026**
  • Estimated compliance window: **~180 days** (late 2026)


What This Means for MSP / Dental Clients (Practical View)


For your environment (dental/medical MSP):

Immediate gaps most practices will have:

  • No MFA on shared workstations
  • Incomplete encryption (especially backups, imaging systems)
  • No formal asset inventory or data mapping
  • No documented risk management lifecycle
  • Limited or no SIEM/log retention

Services that become “required,” not optional:

  • 24×7 SOC + SIEM
  • Vulnerability scanning + annual pen testing
  • Endpoint detection & response
  • Backup with immutable + encrypted storage
  • Identity & access control modernization


Bottom Line


The 2026 HIPAA Security Rule changes are not incremental—they are a forced modernization of healthcare cybersecurity:

  • Less flexibility
  • More technical enforcement
  • Shorter timelines
  • Higher accountability (including vendors)

