HIPAA Security Rule 2026: Key Changes for Health IT

The HIPAA Security Rule hasn’t received a major update since 2013. That changes now. HHS has proposed and is finalizing significant updates that reflect the current threat landscape — ransomware targeting healthcare organizations, cloud-based infrastructure replacing on-premises systems, remote work expanding the attack surface, and AI-powered tools processing patient data at scale. For healthcare IT teams, these updates mean concrete new technical requirements that affect every system handling PHI.

Executive Summary

The HIPAA Security Rule updates address gaps that the original 2003 rule and 2013 Omnibus update didn’t anticipate. Key changes convert many “addressable” specifications into “required” specifications, add explicit technology requirements that the original rule left ambiguous, and tighten incident response and notification timelines.

Major changes:

Multi-factor authentication (MFA) becomes required. The original rule’s “access control” specifications were interpreted flexibly — some organizations used password-only authentication for systems containing PHI. The updated rule explicitly requires MFA for all access to systems containing ePHI, with limited exceptions for certain clinical workflow scenarios.

Encryption requirements become explicit. Encryption of ePHI at rest and in transit was “addressable” under the original rule — meaning organizations could implement alternative measures if encryption wasn’t reasonable. The updated rule makes encryption required — AES-256 for data at rest, TLS 1.2+ for data in transit — with very narrow exceptions.

Inventory and asset management. Organizations must maintain a complete, current inventory of all technology assets that create, receive, maintain, or transmit ePHI — including cloud infrastructure, mobile devices, IoMT devices, and third-party hosted systems.

Network segmentation. The updated rule requires network segmentation between systems that handle ePHI and those that don’t — limiting lateral movement in the event of a breach.

Vulnerability management and patching. The rule sets explicit requirements for vulnerability scanning frequency (at least annually, with continuous scanning recommended), patch management timelines (critical patches within defined timeframes), and penetration testing.

Incident response timeline tightening. Breach notification timelines are being tightened — the 60-day notification window may be shortened, and organizations must demonstrate faster detection and containment capabilities.

Business associate compliance verification. Covered entities must verify — not just contractually require — that business associates are meeting HIPAA Security Rule requirements. Annual security assessments of business associates become expected practice.

Key Requirements and Deadlines

01. Multi-Factor Authentication

What’s required: MFA for all workforce members accessing systems containing ePHI — including EHR systems, email (when containing PHI), cloud management consoles, VPN connections, and remote desktop access.

Acceptable MFA methods: Something you know (password) plus something you have (hardware token, authenticator app, push notification) or something you are (biometric). SMS-based OTP is discouraged due to SIM-swapping vulnerabilities but may be acceptable as a transitional measure.

Clinical workflow considerations: Emergency access scenarios (break-glass procedures) must still allow timely access to patient data during life-threatening situations, with appropriate logging and post-event review.

02. Encryption Standards

At rest: AES-256 encryption for all ePHI stored in databases, file systems, backups, removable media, and cloud storage. Full-disk encryption counts for endpoint devices but application-level encryption is preferred for databases.

In transit: TLS 1.2 or higher for all ePHI transmission — API calls, FHIR endpoints, HL7v2 interfaces, email (when containing PHI), and telehealth video. TLS 1.0 and 1.1 are explicitly prohibited.

03. Technology Asset Inventory

What’s required: A comprehensive, current inventory of all technology assets that handle ePHI — servers, workstations, mobile devices, network equipment, medical devices, cloud services, and SaaS applications. The inventory must include asset owner, data classification, location (on-premises, cloud, mobile), and security controls applied.

Update frequency: The inventory must be maintained continuously — not created once during a risk assessment and forgotten. Automated asset discovery tools are strongly recommended.

04. Network Segmentation

What’s required: Network architecture that isolates ePHI-handling systems from general network traffic. Clinical systems, administrative systems, guest networks, and IoMT devices should be on separate network segments with controlled inter-segment access.

Implementation: VLANs, firewalls, microsegmentation, and zero-trust network architecture. The goal is limiting blast radius — if an attacker compromises a workstation on the general network, they can’t reach the EHR database without crossing a controlled boundary.

05. Vulnerability Management

Scanning: Vulnerability scanning of all ePHI-handling systems at least annually, with more frequent scanning (quarterly or continuous) recommended.

Patching: Vulnerabilities must be patched within defined timeframes based on severity — typically 30 days for critical, 90 days for high, 180 days for medium. Organizations must document patching decisions, including risk acceptance for patches that can't be applied within the standard window.

Penetration testing: Annual penetration testing of internet-facing systems and systems handling ePHI. Results must be documented with remediation plans for identified vulnerabilities.
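The patching windows above lend themselves to an automated compliance check over scanner output. The Go code below is an added example, not from this page or from Taction's tooling: it classifies each finding against its 30/90/180-day window and distinguishes an unpatched finding with a documented risk acceptance from one with nothing on file, which is the documentation the rule expects; the `Finding` fields and the status labels are assumptions.

```go
package main

import (
	"strings"
	"time"
)

// PatchSLA holds the remediation windows the page gives: 30/90/180 days by severity.
var PatchSLA = map[string]time.Duration{
	"critical": 30 * 24 * time.Hour,
	"high":     90 * 24 * time.Hour,
	"medium":   180 * 24 * time.Hour,
}

// Finding is one scanner result for an ePHI-handling asset.
type Finding struct {
	Asset, CVE, Severity string
	FirstSeen            time.Time
	Patched              *time.Time // nil while the vulnerability is still open
	RiskAccepted         bool       // a documented risk acceptance is on file
}

// Deadline is the date by which the finding must be patched or formally risk-accepted;
// the bool is false when the severity has no SLA window.
func Deadline(f Finding) (time.Time, bool) {
	window, ok := PatchSLA[strings.ToLower(f.Severity)]
	return f.FirstSeen.Add(window), ok
}

// Status classifies a finding as of now: "on-time" (patched inside the window),
// "late" (patched after it), "open" (unpatched, inside the window), "accepted"
// (past the deadline with a documented risk acceptance), "overdue" (past the
// deadline with nothing documented) or "unclassified" (severity not mapped).
func Status(f Finding, now time.Time) string {
	deadline, ok := Deadline(f)
	switch {
	case !ok:
		return "unclassified"
	case f.Patched != nil && !f.Patched.After(deadline):
		return "on-time"
	case f.Patched != nil:
		return "late"
	case !now.After(deadline):
		return "open"
	case f.RiskAccepted:
		return "accepted"
	}
	return "overdue"
}
```

Findings with status "overdue" are the ones an assessor would flag; "late" findings are closed but still show a missed window in the record.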

Technical Implementation Details

Implementing MFA at Scale

Identity provider integration. Deploy MFA through a centralized identity provider (Azure AD/Entra ID, Okta, Duo, Google Workspace) that federates authentication across all ePHI-handling systems. This provides a single MFA enforcement point rather than configuring MFA application by application.

EHR-specific considerations. Major EHR platforms (Epic, Oracle Health, MEDITECH) support MFA through SAML/OIDC federation with external identity providers. Configure your EHR to delegate authentication to the MFA-enabled identity provider rather than managing authentication internally.

API MFA. For FHIR APIs and other programmatic access, MFA applies to the user authorization flow (SMART on FHIR app launch). System-to-system access (backend services, Bulk FHIR export) uses certificate-based authentication rather than interactive MFA.

Encryption Implementation

Database encryption. Enable transparent data encryption (TDE) for relational databases containing ePHI. For cloud databases (AWS RDS, Azure SQL, Cloud SQL), enable encryption with customer-managed keys (CMK) rather than provider-managed keys for maximum control.

Application-level encryption. For sensitive data elements within ePHI (SSN, financial data, substance use records), consider field-level encryption in addition to storage-level encryption — ensuring data is protected even if database access controls are compromised.

Key management. Use a dedicated key management service (AWS KMS, Azure Key Vault, HashiCorp Vault) with key rotation, access logging, and separation of duties between key administrators and data administrators.
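Field-level encryption that stores a key identifier next to the ciphertext is what lets a key rotation happen without re-encrypting every row first. As an added example (not from this page, from Taction, or from any KMS vendor's SDK), the Go code below encrypts one sensitive field with AES-256-GCM, binds it to its row with associated data, and selects the decryption key by the identifier carried in the stored value; the `KeyRing` map stands in for keys fetched from a KMS and is an assumption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"strings"
)

// KeyRing stands in for the KMS (an assumed design, not a vendor API): 256-bit keys by version id.
type KeyRing map[string][]byte

func aeadFor(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // refuses AES-128/192 keys and unknown key ids (nil key)
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	return cipher.NewGCM(block)
}

// Seal encrypts one field (an SSN, say) under keyID as "<keyID>:<base64 nonce||ciphertext>";
// aad (row id + column) binds the value to its record so it cannot be moved to another row.
func (k KeyRing) Seal(keyID, plaintext, aad string) (string, error) {
	aead, err := aeadFor(k[keyID])
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // fresh 96-bit random nonce per field
	ct := aead.Seal(nonce, nonce, []byte(plaintext), []byte(aad))
	return keyID + ":" + base64.StdEncoding.EncodeToString(ct), nil
}

// Open decrypts an envelope from Seal, picking the key by its embedded id so rows written before
// a rotation still decrypt; a wrong key, altered ciphertext or mismatched aad fails closed.
func (k KeyRing) Open(envelope, aad string) (string, error) {
	id, b64, _ := strings.Cut(envelope, ":") // no separator: id is the whole string, rejected below
	aead, err := aeadFor(k[id])
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(raw) < aead.NonceSize() {
		return "", errors.New("malformed ciphertext")
	}
	pt, err := aead.Open(nil, raw[:aead.NonceSize()], raw[aead.NonceSize():], []byte(aad))
	return string(pt), err
}
```

Rotation then means adding a new key id to the ring and writing new rows under it; old rows are re-encrypted on a schedule rather than all at once, and the retired key is only destroyed once no stored value names it.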

Compliance Checklist

Multi-factor authentication:

  • MFA enabled for all workforce access to ePHI systems
  • Identity provider configured with MFA enforcement policies
  • Break-glass emergency access procedures documented and tested
  • MFA event logging active

How Taction Ensures Compliance

At Taction, our team builds healthcare systems with updated HIPAA Security Rule requirements integrated from the architecture level.

What we do:

  • HIPAA security architecture — We design healthcare system architectures with MFA, encryption, network segmentation, and access controls built in — meeting updated Security Rule requirements from day one.
  • Gap analysis and remediation — We assess existing healthcare systems against updated HIPAA requirements, identify gaps, and build remediation plans with prioritized implementation.
  • Cloud security implementation — We configure HIPAA-compliant cloud environments on AWS, Azure, and GCP — encryption, access controls, network segmentation, logging, and monitoring aligned with the updated Security Rule.
  • Vulnerability management programs — We implement vulnerability scanning, patch management, and penetration testing programs that meet updated HIPAA requirements.
