New 2026 HIPAA Security Rule: MFA, Encryption, and What Small Practices Must Do Now
The 2026 HIPAA Security Rule changes represent the most significant overhaul of healthcare data security requirements in over two decades. If you run a small practice with 1 to 50 employees, the changes heading your way will affect how you handle encryption, multi-factor authentication, vulnerability scanning, and much more. The compliance window is tight, and the cost of inaction is steep. Here is what you need to know and what to do about it, starting today.
Why HHS Is Updating the HIPAA Security Rule in 2026
The current HIPAA Security Rule was last meaningfully updated in 2013. Since then, the healthcare industry has seen an explosion of ransomware attacks, cloud adoption, telehealth expansion, and sophisticated phishing campaigns targeting small practices. According to HHS, healthcare data breaches affected over 167 million individuals in 2023 alone.
The Department of Health and Human Services published a Notice of Proposed Rulemaking (NPRM) at the end of 2024, outlining sweeping changes to the Security Rule. The HHS NPRM fact sheet makes the intent clear: close the gaps that have allowed preventable breaches, and hold every covered entity and business associate to the same baseline standard regardless of size.
The final rule is expected to be published in May 2026, with a compliance deadline approximately 240 days later, putting most practices on a timeline through early 2027. That sounds like a comfortable runway until you realize what needs to happen in those 240 days.
Key 2026 HIPAA Security Rule Changes That Affect Small Practices
The proposed rule introduces several foundational shifts. If you have been relying on the old framework's flexibility to justify lighter security measures, that era is ending. Here are the changes that matter most for small healthcare practices.
1. Elimination of "Addressable" vs. "Required" Distinction
This is the single biggest conceptual change in the 2026 HIPAA Security Rule. Under the current rule, certain safeguards are labeled "addressable," which many practices have interpreted as "optional." In practice, this has allowed smaller organizations to document why they chose not to implement a specific control and move on.
Under the new rule, every specification is required. Full stop. There is no more "addressable" category. If the rule says you need it, you need it. The only exception mechanism involves requesting a time-limited waiver from HHS for specific, documented circumstances, and those are expected to be rare.
For small practices, this means you can no longer write a one-paragraph justification for why you skipped encryption on a legacy workstation or chose not to implement audit logging on a file server. Every safeguard must be in place.
2. Mandatory Encryption of ePHI at Rest and in Transit
Encryption is no longer "addressable." The updated rule will require all electronic protected health information to be encrypted both at rest (stored on devices, servers, and backups) and in transit (sent over networks, email, or messaging platforms).
What this means practically:
- Every laptop, desktop, tablet, and phone that touches ePHI must have full-disk encryption enabled.
- Email containing ePHI must use encrypted transport (TLS 1.2 or higher).
- Cloud storage and EHR systems must encrypt data at rest using AES-256 or equivalent.
- Backup media, whether local or cloud-based, must be encrypted.
- Portable storage devices (USB drives, external hard drives) must be encrypted or prohibited by policy.
Most modern EHR platforms already handle encryption on their end. The gaps usually show up in practice-owned devices, email systems, and local file storage. Those are the areas to focus on first.
3. Mandatory Multi-Factor Authentication (MFA)
Multi-factor authentication will be required for any system that accesses ePHI. This applies to EHR systems, email accounts, cloud services, remote desktop connections, VPNs, and administrative portals.
MFA means requiring at least two of the following to log in: something you know (password), something you have (phone, hardware token), or something you are (fingerprint, face scan). A password alone will no longer satisfy the requirement.
For small practices, this often means:
- Enabling MFA on your EHR platform (most now support it).
- Enabling MFA on Microsoft 365 or Google Workspace accounts.
- Implementing MFA for any remote access tools (TeamViewer, AnyDesk, RDP).
- Requiring MFA for administrative access to routers, firewalls, and network equipment.
If your staff currently logs into the EHR with just a username and password, that needs to change before the compliance deadline.
4. Vulnerability Scanning and Penetration Testing
The new rule introduces explicit requirements for vulnerability scanning and penetration testing. Under the current rule, risk analysis is required but the methodology is left vague. The 2026 changes add specificity:
- Vulnerability scans must be conducted at least every six months on all systems that store, process, or transmit ePHI.
- Penetration testing must be conducted at least annually by a qualified professional.
- Results must be documented, and identified vulnerabilities must be remediated according to a defined timeline.
For a small practice, this likely means hiring an outside IT security firm to perform these assessments. Expect to budget for both the testing itself and the remediation work that follows. This is one of the areas where costs can add up quickly if your infrastructure has not been well-maintained.
5. Enhanced Risk Analysis Requirements
Risk analysis has always been a HIPAA requirement, but the new rule tightens the expectations significantly. You will need to maintain a written, up-to-date technology asset inventory that includes every system touching ePHI. Your risk analysis must map specific threats and vulnerabilities to each asset and document how each identified risk is mitigated.
The days of running a generic risk assessment template once a year and filing it away are over. HHS expects a living document that reflects your actual environment.
6. Written Security Policies and Procedures with Annual Review
The updated rule requires comprehensive written policies and procedures covering every Security Rule standard. These must be reviewed and updated at least annually, and any changes must be documented with version history.
Staff training on these policies must also be documented, with records showing who was trained, when, and on what topics. Training must occur at initial hire and at least annually thereafter.
7. Business Associate Oversight
The new rule strengthens requirements around business associates. You will need to verify that your business associates have implemented the required safeguards, not just signed a BAA. This means reviewing their security practices and maintaining documentation of their compliance posture.
The Compliance Timeline: What to Expect
Based on the NPRM and HHS communications, here is the anticipated timeline for the 2026 HIPAA Security Rule changes:
- Late 2024: NPRM published, public comment period opened.
- Early 2025: Public comment period closed. HHS reviews feedback.
- May 2026 (expected): Final rule published in the Federal Register.
- ~240 days after publication: Compliance deadline for all covered entities and business associates.
- Early 2027 (estimated): Compliance enforcement begins.
There is no small-practice exemption. Whether you are a solo dentist or a 50-person multi-specialty clinic, the same requirements apply on the same timeline. HHS has explicitly stated that the elimination of the "addressable" category is intended to create a uniform baseline.
Estimated Costs for Small Practices: $20K-$50K
Cost is the question every practice manager asks first, and the answer is not comfortable. Based on industry estimates and the scope of the new requirements, small practices with 1 to 50 employees should expect to spend between $20,000 and $50,000 to reach full compliance with the updated rule.
Here is how those costs typically break down:
| Compliance Area | Estimated Cost |
|---|---|
| Updated risk analysis and asset inventory | $3,000 - $8,000 |
| Encryption deployment (devices, email, backups) | $2,000 - $6,000 |
| MFA implementation across systems | $1,000 - $3,000 |
| Vulnerability scanning (annual) | $2,000 - $5,000 |
| Penetration testing (annual) | $4,000 - $10,000 |
| Policy and procedure development/update | $3,000 - $8,000 |
| Staff training program | $1,000 - $3,000 |
| IT infrastructure upgrades (if needed) | $2,000 - $7,000 |
| Total estimated range | $18,000 - $50,000 |
These numbers vary significantly depending on your starting point. A practice that already uses a modern cloud-based EHR, has MFA enabled, and keeps devices encrypted may land on the lower end. A practice running an on-premise server with outdated workstations and no formal security program could exceed the upper range.
The cost of noncompliance is worse. HIPAA penalties range from $141 per violation up to $2.1 million per violation category per year. A single breach investigation at a small practice can easily result in six-figure penalties, not counting the operational disruption, legal fees, and reputational damage.
What to Do Now: A Practical Preparation Checklist
You do not need to wait for the final rule to start preparing. In fact, waiting is the worst strategy. Most of the changes in the NPRM are directionally certain, and everything on this list is good security practice regardless. Here is what small practices should prioritize right now.
Immediate Actions (Start This Month)
- Enable MFA everywhere. Start with your EHR, email, and any cloud services. Most platforms offer MFA at no extra cost. This is the single highest-impact, lowest-cost change you can make.
- Verify encryption on all devices. Check that BitLocker (Windows) or FileVault (Mac) is enabled on every computer that accesses patient data. Enable it where it is not.
- Inventory your technology assets. Make a list of every device, system, application, and service that stores, processes, or transmits ePHI. You will need this for your risk analysis.
- Check your email encryption. If you use Microsoft 365 or Google Workspace, verify that TLS encryption is enforced for outbound email. Consider adding an encrypted email solution for messages containing ePHI.
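The two checklist items "verify encryption on all devices" and "inventory your technology assets" can be combined into one small script. The following is an added example, not code from the original article: it parses the status output of the built-in tools named above, `manage-bde -status` for BitLocker on Windows and `fdesetup status` for FileVault on macOS, into one inventory record per device and reports which devices still have an unprotected volume. The sample outputs embedded below are constructed to resemble those tools' output; the hostnames are invented.

```python
# Added example, not from the original article: turn BitLocker / FileVault
# status output into inventory records and list the devices with gaps.
import platform
import re
import subprocess
from dataclasses import dataclass


@dataclass
class DeviceRecord:
    hostname: str
    os: str
    encrypted: bool
    detail: str


def parse_manage_bde(text: str) -> dict:
    """Return {volume_letter: protection_on} from `manage-bde -status` output."""
    volumes, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Volume ([A-Z]):", line)
        if m:
            current = m.group(1)
            volumes[current] = False  # unprotected until the status line says otherwise
            continue
        m = re.match(r"\s*Protection Status:\s*(.+)", line)
        if m and current:
            volumes[current] = m.group(1).strip().lower() == "protection on"
    return volumes


def parse_fdesetup(text: str) -> bool:
    """`fdesetup status` prints 'FileVault is On.' or 'FileVault is Off.'"""
    return "filevault is on" in text.lower()


def assess_windows(hostname: str, status_text: str) -> DeviceRecord:
    vols = parse_manage_bde(status_text)
    unprotected = sorted(v for v, on in vols.items() if not on)
    ok = bool(vols) and not unprotected
    detail = "all volumes protected" if ok else "unprotected volumes: " + ", ".join(unprotected or ["none found"])
    return DeviceRecord(hostname, "windows", ok, detail)


def assess_macos(hostname: str, status_text: str) -> DeviceRecord:
    ok = parse_fdesetup(status_text)
    return DeviceRecord(hostname, "macos", ok, "FileVault on" if ok else "FileVault off")


def collect_local() -> DeviceRecord:
    """Run the real status command on the machine this script is executed on."""
    host = platform.node()
    if platform.system() == "Windows":
        out = subprocess.run(["manage-bde", "-status"], capture_output=True, text=True).stdout
        return assess_windows(host, out)
    if platform.system() == "Darwin":
        out = subprocess.run(["fdesetup", "status"], capture_output=True, text=True).stdout
        return assess_macos(host, out)
    raise RuntimeError("unsupported platform for this example")


def gaps(records) -> list:
    """Hostnames that fail the full-disk-encryption check, for the risk analysis."""
    return [r.hostname for r in records if not r.encrypted]


# Constructed sample output resembling `manage-bde -status` (not real data).
SAMPLE_MANAGE_BDE = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
Volume D: [Scans]
[Data Volume]
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Protection Status:    Protection Off
"""
SAMPLE_FDESETUP_ON = "FileVault is On.\n"
SAMPLE_FDESETUP_OFF = "FileVault is Off.\n"

if __name__ == "__main__":
    records = [assess_windows("FRONTDESK-PC", SAMPLE_MANAGE_BDE),
               assess_macos("dr-laptop", SAMPLE_FDESETUP_ON),
               assess_macos("billing-mac", SAMPLE_FDESETUP_OFF)]
    for r in records:
        print(f"{r.hostname:14} {r.os:8} {'OK' if r.encrypted else 'GAP'}  {r.detail}")
    print("devices needing remediation:", gaps(records))
```

The Windows sample deliberately includes a data volume that BitLocker has never protected, which is the common real-world gap: the system drive is encrypted but a second drive holding scans or backups is not, and a per-volume check catches it where a single yes/no would not.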
Short-Term Actions (Next 30-90 Days)
- Conduct a gap assessment. Compare your current security posture against the proposed rule requirements. Identify the biggest gaps and estimate remediation costs.
- Update your risk analysis. If your last risk analysis was more than a year ago, or if it does not include a complete asset inventory with threat mapping, it is time for a new one.
- Review your Business Associate Agreements. Make a list of every vendor that touches ePHI. Verify you have a signed BAA with each one. Plan for how you will verify their compliance under the new rule.
- Budget for penetration testing. Get quotes from qualified security firms. A penetration test for a small practice network typically costs $4,000 to $10,000. Build this into your annual budget starting now.
- Schedule staff security training. Conduct a training session on phishing awareness, password hygiene, and the proper handling of ePHI. Document who attended and what was covered.
Medium-Term Actions (90-180 Days)
- Develop or overhaul written policies. You need documented policies covering access control, encryption, incident response, backup and recovery, device management, and workforce training. These need to be specific to your practice, not generic templates.
- Run your first vulnerability scan. Hire a qualified firm or use an approved scanning tool to assess your network and systems. Address critical and high-severity findings immediately.
- Implement audit logging. Ensure that access to ePHI is logged across all systems. EHR platforms typically have built-in audit logs, but you need to verify they are enabled and that logs are reviewed regularly.
- Establish an incident response plan. Document exactly what your practice will do in the event of a breach or security incident, including who to contact, how to contain the threat, and how to notify affected individuals and HHS.
- Replace or upgrade legacy systems. If you are running outdated operating systems, unsupported hardware, or software that cannot support encryption or MFA, now is the time to upgrade.
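"Logs are reviewed regularly" is easier to sustain when the review is a script rather than a person scrolling through an export. The following added example (not code from the original article) runs three common checks over EHR audit log lines: access by an account that is no longer on the active staff roster, access outside business hours or on weekends, and one user opening an unusually large number of distinct patient records in a day. The CSV format, the staff roster, the business-hours window and the patient-count threshold are all constructed assumptions; a real EHR export will have different field names and the thresholds should be tuned to the practice.

```python
# Added example, not from the original article: a small audit-log review over
# constructed EHR access records. Field names and thresholds are assumptions.
import csv
import io
from collections import defaultdict
from datetime import datetime, time

# Constructed sample export (not real data): timestamp, user, action, patient_id.
SAMPLE_AUDIT_CSV = """\
timestamp,user,action,patient_id
2026-03-02T08:15:00,dr.patel,view,P-1001
2026-03-02T08:20:00,dr.patel,update,P-1001
2026-03-02T09:05:00,front.desk,view,P-1002
2026-03-02T22:40:00,front.desk,view,P-1003
2026-03-02T10:00:00,jsmith,view,P-1004
2026-03-02T10:01:00,billing,view,P-1005
2026-03-02T10:02:00,billing,view,P-1006
2026-03-02T10:03:00,billing,view,P-1007
2026-03-02T10:04:00,billing,view,P-1008
2026-03-02T10:05:00,billing,view,P-1009
2026-03-02T10:06:00,billing,view,P-1010
2026-03-07T11:00:00,dr.patel,view,P-1011
"""

# Assumed roster: jsmith has left the practice but the account was never disabled.
ACTIVE_STAFF = {"dr.patel", "front.desk", "billing"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed local business hours
PATIENTS_PER_DAY_THRESHOLD = 5               # assumed; tune to the practice


def review_audit_log(csv_text: str) -> list:
    """Return a list of findings, each a dict with kind/user/when/detail."""
    findings = []
    patients_per_user_day = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        user, patient = row["user"], row["patient_id"]
        if user not in ACTIVE_STAFF:
            findings.append({"kind": "inactive-account", "user": user,
                             "when": row["timestamp"], "detail": f"accessed {patient}"})
        in_hours = BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]
        if ts.weekday() >= 5 or not in_hours:
            findings.append({"kind": "after-hours", "user": user,
                             "when": row["timestamp"], "detail": f"{row['action']} {patient}"})
        patients_per_user_day[(user, ts.date())].add(patient)
    for (user, day), patients in sorted(patients_per_user_day.items()):
        if len(patients) > PATIENTS_PER_DAY_THRESHOLD:
            findings.append({"kind": "high-volume", "user": user, "when": day.isoformat(),
                             "detail": f"{len(patients)} distinct patient records"})
    return findings


def summarize(findings: list) -> dict:
    """Count findings by kind, handy for the written review record."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["kind"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = review_audit_log(SAMPLE_AUDIT_CSV)
    for f in results:
        print(f"{f['kind']:17} {f['user']:11} {f['when']:20} {f['detail']}")
    print("summary:", summarize(results))
```

Each finding needs a human decision (a clinician reviewing charts on a Saturday may be entirely legitimate), but the review itself, the date it was run and the disposition of each finding are exactly the documentation the rule's audit and risk-analysis requirements call for. The inactive-account check is the one most worth automating, since it also feeds the access-control policy: an account that still works after someone leaves is a gap regardless of whether it was used.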
Why Small Practices Are Most at Risk
Large health systems have dedicated compliance departments, CISO-level leadership, and IT budgets in the millions. Small practices typically have none of these. The practice manager is often the de facto compliance officer, the IT person, and the front desk scheduler.
This is exactly the gap that cybercriminals exploit. Small practices are targeted precisely because they tend to have weaker security controls, less monitoring, and slower incident response. The new rule is designed to raise the floor for everyone, but the lift required is proportionally heavier for smaller organizations.
The good news is that small practices also tend to have simpler environments. Fewer systems, fewer users, and fewer vendors mean the scope of the compliance effort is smaller, even if the relative burden is larger. With the right approach and tools, getting compliant is entirely achievable.
The Role of Technology in Managing Compliance
Trying to manage all of this with spreadsheets, Word documents, and a filing cabinet is a recipe for failure. The new rule's emphasis on documentation, continuous monitoring, and regular review practically requires a systematic approach.
Compliance management platforms designed for small healthcare practices can significantly reduce the time and cost of meeting the new requirements. The right tool should help you conduct and maintain your risk analysis, generate practice-specific policies, track staff training, manage your asset inventory, and monitor your compliance posture over time.
This is not about checking a box once. The 2026 HIPAA Security Rule changes demand an ongoing compliance program. The practices that invest in a sustainable approach now will be in far better shape than those scrambling to catch up after the final rule drops.
What Happens If You Do Nothing
Let's be direct. If the final rule publishes in May 2026 and you have not started preparing, you will be facing a 240-day sprint to overhaul your entire security program. That means simultaneously implementing encryption, deploying MFA, writing policies, conducting risk analyses, scheduling penetration tests, training staff, and upgrading infrastructure.
The IT vendors and security consultants you need will be overwhelmed with demand. Prices will increase. Availability will decrease. The practices that started early will have their pick of resources. The ones that waited will be competing for whatever is left.
And if you miss the deadline entirely, you are operating out of compliance from day one. Every day of noncompliance is a day of risk: risk of breach, risk of investigation, risk of penalties, and risk of the kind of reputational damage that small practices cannot easily recover from.
The Bottom Line for Small Practices
The 2026 HIPAA Security Rule changes are coming, and they are substantial. The elimination of the "addressable" distinction, mandatory encryption, required MFA, and new vulnerability testing requirements represent a genuine step change in what HHS expects from every covered entity.
But this is not cause for panic. It is cause for action. The practices that start now, even with small steps like enabling MFA and verifying encryption, will be well-positioned when the final rule arrives. The checklist above gives you a clear path forward. Pick the first item you have not done yet, and start there.
Your patients trust you with their most sensitive information. The new rule is designed to make sure that trust is backed by real, verifiable security. That is good for patients, good for the industry, and ultimately good for your practice.
Ready to simplify your HIPAA compliance?
ComplyMD helps small healthcare practices navigate the new Security Rule requirements with AI-powered risk analysis, automated policy generation, and continuous compliance monitoring. Get prepared before the deadline.