2026 Could Bring Major Changes to the HIPAA Security Rule

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued a Notice of Proposed Rulemaking (NPRM) on December 27, 2024 (published in the Federal Register on January 6, 2025), proposing significant modifications to the HIPAA Security Rule to strengthen cybersecurity protections for electronic protected health information (ePHI). These changes aim to tackle emerging cyber threats, incorporate current best practices, and clarify requirements. The proposals are not yet finalized; a final rule is expected in 2026.

The American Dental Association (ADA) and over 100 healthcare organizations oppose the proposed updates to the HIPAA Security Rule, arguing that they would impose high costs and operational difficulties on healthcare providers without offering substantial cybersecurity improvements. They suggest working together to develop practical cybersecurity standards.

Proposed Changes

Key proposed changes include:

  • Multi-Factor Authentication (MFA): MFA would become a mandatory requirement for accessing systems that contain ePHI, extending beyond remote access to all access points.
  • Encryption: Encryption of ePHI at rest and in transmission would shift from "addressable" to required, with limited justified and documented exceptions.
  • Asset Inventory: Regulated entities must keep an accurate, current inventory of all hardware, software, and systems that store, process, or transmit ePHI.
  • Risk Analysis and Testing: More specific requirements for continuous risk analysis, including regular vulnerability scans (e.g., every six months) and yearly penetration testing to detect and fix vulnerabilities.
  • Patch Management: Policies and procedures for the prompt implementation of software patches and updates to fix known vulnerabilities would be explicitly required.
  • Documentation and Audits: All security rule policies, procedures, risk analyses, and related documentation must be documented in writing, regularly reviewed, tested, and updated. Annual evaluations of security controls, effectively internal audits, should be conducted to confirm their effectiveness.
  • Formal Annual Compliance Audits: The proposals would require yearly (every 12 months) evaluations of security measures, along with comprehensive documentation; both are essential for demonstrating compliance during OCR investigations.

Recommended Actions to Prepare

To prepare your practice for future needs and strengthen your current cybersecurity stance:

  • Engage a qualified expert to conduct a comprehensive security risk assessment, identifying gaps and prioritizing remediation.
  • Implement MFA for all access to ePHI systems (in-office and remote).
  • Provide regular training to all staff members with access to ePHI, covering HIPAA requirements and emerging threats.
  • Review and update business associate agreements to ensure alignment with current and anticipated Security Rule standards.

Disclaimer: The information contained on the DentistCare Blog does not establish a standard of care, nor does it constitute legal advice. The information is for general informational purposes only. We encourage all blog visitors to consult with their personal attorneys for legal advice, as specific legal requirements may vary from state to state. Links or references to organizations, websites, or other information is for reference use only and do not constitute the rendering of legal, financial, or other professional advice or recommendations. All information contained on the blog is subject to change.