HIPAA Changes are Coming: What to Expect in 2026

April 17, 2026 | HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was first enacted in 1996 to establish a federal standard for safeguarding protected health information (PHI). Within a decade, the HIPAA Privacy and Security Rules were added to the law, mandating that organizations protect both physical and electronic protected health information (ePHI).

Since then, there haven’t been many major updates to HIPAA—but that’s likely to change in 2026.

Here’s the big picture:

  • A major HIPAA Security Rule update is expected to take effect later this year, introducing new cybersecurity requirements and stricter compliance expectations.
  • Proposed changes to the HIPAA Privacy Rule would shorten timelines for patient record access and expand patient rights.
  • New compliance requirements tied to substance use disorder (SUD) records became mandatory earlier this year.

Let’s break down the five most impactful potential changes to keep on your radar in 2026.

1. Expanded Cybersecurity Requirements Under the Security Rule

One of the most anticipated updates involves sweeping changes to the HIPAA Security Rule—its first major revision since 2013.

According to the HIPAA Journal, the proposal, first published in late 2024, introduced several new mandatory cybersecurity controls that align with modern best practices. These changes are intended to strengthen protections for ePHI as cyberattacks continue to increase across the healthcare sector.

Some of the most significant proposed requirements include:

  • Mandatory multi-factor authentication (MFA)
  • Encryption of all ePHI, both at rest and in transit
  • Routine vulnerability scanning every six months
  • Annual penetration testing
  • Formal technology asset inventories and network mapping
  • Enhanced patch management and anti-malware controls
  • Stronger backup and disaster recovery capabilities

For many organizations, these changes will simply formalize practices that are already considered industry standard. The changes could take effect as early as mid-2026.

2. Elimination of “Addressable” Implementation Standards

Another major change likely to be finalized this year removes the long-standing distinction between “required” and “addressable” controls.

Historically, addressable controls gave organizations flexibility in how they implemented safeguards. However, this flexibility has led to inconsistent security practices across the industry.

“Some organizations are doing a great job and going above and beyond, while others are struggling to meet the bare minimum,” said Steve Ryan, who leads BARR Advisory’s healthcare services. “The updates would level the playing field and help improve trust between patients and their healthcare providers.”

If finalized, organizations would be expected to implement all required safeguards or adopt and document a reasonable alternative. This shift aims to reduce ambiguity and create a more consistent security baseline across regulated entities.

For healthcare organizations, this means less room for interpretation and greater emphasis on documentation and justification of security decisions.

3. Shorter Patient Record Access Deadlines

In addition to Security Rule changes, updates to the HIPAA Privacy Rule are also on the horizon.

One of the most operationally significant proposals would shorten the timeframe for providing patients access to their records. Currently, organizations have 30 days to provide requested records. Under the proposed update, the deadline would be reduced to 15 days. The proposal would allow for a single 15-day extension, the HIPAA Journal reported.

The proposal would also expand patients’ rights to:

  • Inspect records in person
  • Take notes or photographs of their PHI
  • Direct their records to personal health applications
  • Request faster sharing of records between providers

While these changes are designed to improve patient access and care coordination, they may also increase administrative workload.

As of April 2026, no final date has been set for when these changes may go into effect.

4. New Compliance Requirements for Substance Use Disorder Records

One major change that has already been etched into law involves Substance Use Disorder (SUD) records. As of February 16, compliance with these changes is now mandatory for organizations subject to the regulation.

These changes were designed to better align SUD privacy protections with HIPAA while improving care coordination and reducing administrative complexity.

Key updates include:

  • Allowing single patient consent for ongoing sharing of SUD records
  • Eliminating the requirement to segregate SUD records
  • Applying HIPAA breach notification rules to SUD data
  • Expanding patient rights to track disclosures and request restrictions

Organizations that handle behavioral health or addiction treatment data should ensure their policies, procedures, and workflows are fully aligned with these requirements.

5. Increased Focus on Risk Analysis and Annual Security Reviews

Across both proposed Security Rule updates and ongoing audit initiatives, one theme stands out: risk analysis is becoming more important than ever.

Under proposed changes, organizations may soon be required to:

  • Perform formal risk analyses tied to asset inventories
  • Conduct annual security reviews and audits
  • Maintain detailed documentation of risk mitigation strategies
  • Verify the security posture of business associates annually

At the same time, federal regulators have restarted HIPAA audit programs, placing additional attention on risk management programs and documentation practices. Organizations that lack clear, well-documented risk management processes may face increased scrutiny.

Who Must Comply with HIPAA?

HIPAA is not a voluntary framework or best practice—it is a federal law that applies to specific types of organizations and carries significant legal and financial consequences for noncompliance. Entities required to comply with HIPAA include:

  • Covered entities, such as healthcare providers, health plans, and healthcare clearinghouses
  • Business associates, which are vendors or third parties that create, receive, maintain, or transmit protected health information (PHI) on behalf of a covered entity

Unlike frameworks such as SOC 2, which organizations may choose to adopt, HIPAA compliance is mandatory for organizations that meet these definitions. Failure to comply can result in substantial penalties enforced by the U.S. Department of Health and Human Services Office for Civil Rights (OCR), including civil fines ranging from hundreds to millions of dollars, mandatory corrective action plans and ongoing audits, and potential legal liability.

For organizations that handle PHI, HIPAA compliance is not optional—it is a legal obligation.

The Bottom Line

HIPAA compliance is entering a new phase—one defined by stronger cybersecurity expectations, faster patient access timelines, and more structured risk management practices.

While many of the proposed changes reflect cybersecurity best practices already recommended across the industry, formalizing them into regulatory requirements raises the stakes for healthcare organizations and their business associates.

While the new rules are being finalized, now is a good time to evaluate your cybersecurity controls, your risk analysis procedures, and your vendor risk management processes. Organizations that begin preparing early will be better positioned to adapt once the final rules are released.

BARR Advisory can partner with you to future-proof your organization and ensure you’re ready to comply if and when these potential changes become law. Contact us today to find out how we can help.
