HIPAA Is Changing. Here’s What You Need to Know.
The HIPAA Security Rule is about to go through its most significant overhaul in over 20 years. If your organization touches electronic protected health information, or works with partners who do, this affects you, and the time to start preparing is now.
At Bastionpoint, we’re a business associate to many of our healthcare clients, so these changes land on us, too. Here’s where things stand and what we’re doing about it.
Quick Overview
| Key Point | What It Means |
|---|---|
| Proposed rule published | HHS proposed the biggest HIPAA Security Rule update since 2003. The proposed rule was published January 6, 2025. |
| Final rule status | As of June 2026, the final rule has not been published, and the original May 2026 target has passed. |
| Compliance timeline | Once finalized, organizations are expected to get roughly 240 days to comply, likely putting the deadline around Q1 2027. |
| Major proposed changes | Key changes include mandatory encryption, MFA, annual penetration testing, vulnerability scanning, documented risk analysis, and 72-hour incident response expectations. |
| Separate NPP deadline | A separate deadline for updating your Notice of Privacy Practices was February 16, 2026. |
| Current enforcement risk | OCR is actively enforcing the current Security Rule now, so compliance gaps carry real risk today. |
What’s Happening
HHS published a Notice of Proposed Rulemaking in late 2024, marking the first major HIPAA Security Rule update since 2003. As of June 2026, the final rule has not been published. There has been real industry pushback, and the original May 2026 target has passed.
But the direction is clear. OCR has already shifted enforcement priorities toward the controls this rule would require. Once a final rule lands, organizations get roughly 240 days to comply, putting the deadline around Q1 2027. That is not much runway.
Note: This is still a proposed rule, not final law. But waiting for finalization before you start preparing is the wrong move.
What’s Changing
The biggest shift is that the current rule’s “addressable” safeguards, which gave organizations flexibility to document why a control was not practical, may go away. Under the proposed changes, nearly everything becomes mandatory.
- Encryption: ePHI at rest and in transit must be encrypted. No workarounds.
- Multi-Factor Authentication: MFA is required across all systems accessing ePHI. “Our vendor doesn’t support it” will not be acceptable.
- Security Testing: annual penetration tests and vulnerability scans every six months must be documented.
- Risk Analysis: generic, high-level assessments will not hold up. Structured, evidence-backed methodologies will be required.
- Asset Inventories and Network Maps: you will need current documentation of every ePHI-touching system and how data flows through your environment.
- Annual Compliance Audits: formal audits will be required at least once every 12 months.
- 72-Hour Incident Response: business associates, including Bastionpoint, must report incidents and demonstrate the ability to restore critical systems within 72 hours. Paper disaster recovery plans will not cut it.
These proposed changes make one thing clear: HIPAA compliance is moving from flexible documentation to provable security execution. Organizations will need to show not only that policies exist, but that encryption, MFA, testing, audits, recovery planning, and ePHI visibility are actually in place.
That is why preparation matters now. Even before the final rule is published, reviewing your current safeguards against these proposed requirements can help uncover gaps, reduce last-minute costs, and put your organization in a stronger position when the compliance clock officially starts.
What Should You Do Now?
The rule is not final, but OCR’s enforcement posture has already moved. Organizations that start now will be in a different position than those that wait.
If you are a current client and want to know where you stand, reach out. If you are not a client yet and are trying to get ahead of this, we would be glad to talk. We are already doing most of this for clients, and we are tightening our own practices to meet the new requirements.
Ready to Know Where You Stand?
HIPAA compliance is not a once-a-year checkbox anymore, and the proposed changes will raise the bar significantly. Whether you are a covered entity or a business associate, getting ahead of this now is the right move.
Bastionpoint Technology helps small and mid-size organizations in the Richmond area and beyond navigate HIPAA compliance alongside the rest of their IT and security strategy.
Schedule a free HIPAA readiness conversation with us today.
Frequently Asked Questions About HIPAA Changes
Is the new HIPAA Security Rule already in effect? Not yet. As of June 2026, the updated Security Rule is still a proposed rule. OCR’s May 2026 finalization target has passed without a final rule being published. That said, OCR is actively enforcing the current Security Rule, especially risk analysis requirements, so compliance gaps still carry real risk today.
Does HIPAA apply to my business if we’re not a healthcare provider? Yes, if you handle, store, transmit, or access protected health information on behalf of a covered entity, you are a business associate and HIPAA applies to you. The proposed rule significantly expands direct liability and documentation requirements for business associates, including IT firms, billing companies, and practice management vendors.
What does “addressable vs. required” mean, and why does the change matter? Under the current rule, some safeguards are “addressable,” meaning organizations can document why a control is not practical and use an alternative measure when reasonable and appropriate. The proposed rule would eliminate that distinction. Encryption, MFA, penetration testing, and other previously addressable controls would become universally mandatory, with no opt-out.
How long will we have to comply once the final rule is published? The proposed rule includes a 240-day compliance window from the date of final publication. If a final rule issues later in 2026, that puts the deadline around Q1 2027. Organizations that start gap assessments now will have more time and significantly lower costs than those that wait.
What’s the first step we should take to prepare? Start with a security risk analysis tied to your actual asset inventory. The security risk analysis is the foundation every other requirement builds on, and it is also one of the most common deficiencies OCR cites in current enforcement actions. If you do not have a current, documented security risk analysis, that should be your first priority.