The 2026 HIPAA Security Rule Overhaul: What Every Business Associate Needs to Know


Sam McNaull, March 20, 2026

The first major update to the HIPAA Security Rule since 2013 is on track for finalization in May 2026. Here's what's actually changing, what it means for Business Associates, and how to start preparing now - not after the final rule drops.

The HIPAA Security Rule has been essentially untouched for more than a decade. That is about to change in a significant way.

On December 27, 2024, HHS' Office for Civil Rights published a Notice of Proposed Rulemaking proposing the most sweeping overhaul of the Security Rule since the HIPAA Omnibus Rule of 2013. The comment period closed in March 2025 with nearly 5,000 submissions. As of early 2026, the final rule remains on OCR's regulatory agenda with a target date of May 2026.

If you are a Business Associate - a SaaS vendor, billing service, IT provider, cloud host, or any other entity that handles electronic protected health information on behalf of a Covered Entity - this is not something you can afford to wait on. The compliance clock starts ticking the moment the final rule is published, and the proposed timeline gives you just 180 days to get there.

This article breaks down the nine most impactful proposed changes, what they mean operationally, and how to start closing gaps today.


The Regulatory Context: Why This Is Happening Now

This proposed rule did not come out of nowhere. OCR has been signaling for years that the Security Rule's flexible, high-level structure was not driving the compliance outcomes they expected.

The numbers tell the story: 747 large data breaches were reported to OCR in 2023 alone, affecting more than 168 million records. OCR investigations have repeatedly identified the same issues - weak risk analyses, missing encryption, lack of multi-factor authentication, and policies that exist on paper but are not actually deployed.

The preamble to the rule is blunt. OCR believes too many organizations interpreted flexibility as permission to do less. This proposal is the response.


The Nine Proposed Changes That Matter Most

1. No more "addressable" implementation specifications

The proposal would eliminate the required vs. addressable distinction. Every implementation specification would become required, except for limited, risk-documented exceptions.

What this means for Business Associates: if you have been treating addressable specifications as optional, that approach is effectively over.

2. Mandatory encryption

Encryption of ePHI at rest and in transit would become explicitly required. This affects databases, file transfers, backups, laptops, mobile devices, email, and any other system storing or transmitting ePHI.

What this means for Business Associates: any system touching ePHI without encryption becomes an immediate remediation priority.

3. Multi-factor authentication becomes required

The proposal would require MFA for all systems that access ePHI, not just remote access or privileged access.

What this means for Business Associates: if your workforce is still using username/password-only access into systems containing ePHI, you need to change that before the final rule lands.

4. Written asset inventory and network mapping

Organizations would need a written inventory of all technology assets and a network map showing how ePHI moves through electronic information systems.

This also reaches systems that do not directly store ePHI but still affect its confidentiality, integrity, or availability.

What this means for Business Associates: you need to think beyond obvious PHI systems and map identity, infrastructure, and operational dependencies too.

5. Annual risk assessments

The rule would require annual risk assessments, with annual reviews of policies, procedures, and risk management plans.

What this means for Business Associates: if your last risk assessment is over 12 months old, you are already behind the expected cadence.

6. Vulnerability scans every six months and annual penetration testing

The proposal introduces explicit technical testing intervals: vulnerability scans at least every six months and penetration testing at least annually.

What this means for Business Associates: if these are not already in your operating rhythm, they need to be budgeted and scheduled now.

7. 72-hour disaster recovery capability

Organizations would need the ability to restore critical systems and data within 72 hours of a disruption.

What this means for Business Associates: disaster recovery must be tested, not just documented.

8. Annual Business Associate compliance verification to Covered Entities

Covered Entities would need annual written verification from Business Associates confirming that required technical safeguards are deployed.

What this means for Business Associates: compliance evidence will need to be organized and producible on demand, every year, for every customer that requires it.

9. "Deploy" replaces "implement"

OCR is explicitly focusing on safeguards being configured, operating, and actually in use - not merely described in policy.

What this means for Business Associates: every documented safeguard needs to be operationally verifiable.


The Compliance Timeline

If the final rule is published in May 2026, the expected schedule looks like this:

  • Final rule publication: expected May 2026
  • Effective date: roughly 60 days later, around July 2026
  • Compliance deadline: 180 days after effective date, around January 2027
  • BAA update deadline: one year after effective date, around July 2027

That 180-day compliance window is tight. Organizations that wait for final publication before starting will be working on a compressed timeline from day one.


What the $9.3 Billion Cost Estimate Signals

HHS estimated that regulated entities and plan sponsors would incur about $9.3 billion in combined first-year compliance costs. That figure drew significant pushback, especially from smaller organizations.

But the more important signal is that HHS published the proposal anyway. That tells you how seriously OCR views the current state of healthcare cybersecurity and control failures.

For Business Associates serving multiple Covered Entities, the economics favor early investment in repeatable compliance infrastructure. Automated evidence collection, recurring risk workflows, and policy management scale. Manual compliance does not.


How to Start Preparing Today

You do not need to wait for the final rule to start. The proposal is already specific enough to support meaningful preparation.

  • Conduct a gap analysis against the proposed requirements
  • Start your asset inventory and network mapping now
  • Deploy MFA and verify encryption coverage everywhere ePHI is stored or transmitted
  • Update your risk assessment process to support annual review
  • Review your training program and connect it to your actual risk findings and policies

That last point matters. OCR does not just want to see completed training. They want training that reflects your real environment, your actual risks, and the way your organization handles ePHI.
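As an added illustration of the gap analysis, asset inventory and MFA/encryption checks in the list above (example code written for this article, not Iron Fort's tooling or any OCR-published method), the following Python models a constructed inventory and flags gaps against the proposed thresholds. Every asset name, dependency and date is a made-up assumption; the scope calculation follows point 4 by pulling in systems that do not store ePHI but support the ones that do.

```python
from dataclasses import dataclass, field
from datetime import date
@dataclass
class Asset:
    name: str
    stores_ephi: bool = False
    encrypted_at_rest: bool = True
    encrypted_in_transit: bool = True
    mfa_enforced: bool = True
    depends_on: list = field(default_factory=list)  # supporting systems: identity, backup, hosting

def in_scope(assets):
    # ePHI-storing assets plus everything they transitively depend on: the network map's real reach
    by_name = {a.name: a for a in assets}
    scope, stack = set(), [a.name for a in assets if a.stores_ephi]
    while stack:
        n = stack.pop()
        if n not in scope:
            scope.add(n)
            stack.extend(by_name[n].depends_on)
    return sorted(scope)

# Maximum age in days of the last completed activity under the proposed intervals
LIMITS = {"risk assessment": 365, "vulnerability scan": 182, "penetration test": 365}
def gap_analysis(assets, last_done, restore_tested_within_72h, today):
    # One finding string per gap; an empty list means nothing was flagged
    by_name, findings = {a.name: a for a in assets}, []
    for n in in_scope(assets):
        a = by_name[n]
        if a.stores_ephi and not (a.encrypted_at_rest and a.encrypted_in_transit):
            findings.append(f"{n}: ePHI not encrypted at rest and in transit")
        if not a.mfa_enforced:
            findings.append(f"{n}: MFA not enforced on a system in ePHI scope")
    for activity, max_days in LIMITS.items():
        if (today - last_done[activity]).days > max_days:
            findings.append(f"{activity} older than {max_days} days")
    if not restore_tested_within_72h:  # a documented-only DR plan does not count
        findings.append("no tested restore of critical systems within 72 hours")
    return findings

def run_sample():
    # Constructed inventory: the marketing site lacks MFA but never enters ePHI scope, so it is not flagged
    assets = [
        Asset("ehr-db", stores_ephi=True, depends_on=["sso-idp", "backup-vault"]),
        Asset("backup-vault", stores_ephi=True, encrypted_at_rest=False),
        Asset("sso-idp", mfa_enforced=False),
        Asset("marketing-site", mfa_enforced=False),
    ]
    last_done = {"risk assessment": date(2024, 11, 1), "vulnerability scan": date(2026, 1, 15), "penetration test": date(2025, 6, 1)}
    return gap_analysis(assets, last_done, False, date(2026, 3, 20))
```

Feeding a real inventory export into `Asset` records turns this into the kind of repeatable, evidence-producing check that the annual verification in point 8 will ask for.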


Iron Fort builds compliance training directly from your organization's risk assessments, policies, and operational practices - not from generic templates.

This article is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for guidance specific to your organization.