Preparing for the 2026 HIPAA Security Rule Changes: Five Things Healthcare InfoSec Leaders Need to Know Now

If you work for a healthcare provider or an organization that provides software or services to one, you’ll have heard about the proposed updates to the HIPAA Security Rule, sometimes referred to as “HIPAA 2.0.” While the headlines about its introduction came out in late 2024, the real work starts now, with the rule expected to be finalized in the coming weeks.

Since compliance will be required within roughly 180 days of the effective date, organizations should be shifting their stance from awareness to execution. If you haven’t aligned your security processes to comply with these incoming requirements, the time to act is now. Here’s what you need to know: 

From “Addressable” to Required

The most important shift isn’t the introduction of new regulations, but rather the enforcement of existing requirements. Historically, many HIPAA Security Rule controls were labeled “addressable,” giving organizations flexibility in how (or whether) to implement them. The proposed revisions remove much of that ambiguity: controls are becoming explicitly required, with defined timelines.

For both covered entities (i.e., healthcare providers) and their business associates (i.e., vendors and technology providers), this means fewer judgment calls about what needs to be implemented and by when, and far less room to defer foundational security practices.

What Will Actually Change

While the update touches several areas, here are a few requirements that will have the most immediate operational impact:

  • Penetration testing (frequency: annual)
    Pentesting will no longer be optional. Organizations will need to validate real-world exploitability of their systems every year.
  • Vulnerability scanning (frequency: at least every six months)
    Regular vulnerability scanning will become a baseline expectation, not a best practice.
  • Annual HIPAA compliance reviews (frequency: annual)
    Self-assessments are still allowed, but they must be performed consistently and defensibly.

Additional updates, such as more prescriptive expectations around asset inventories, risk analysis, MFA, and encryption, reinforce the same theme: security programs must be structured, repeatable, and documented.

Timeline: Sooner Than It Feels

The expected timeline is tight, so security leaders should already be finalizing their plans to ensure they are compliant. The final rule publication will likely be in May (yes – next month!) with an effective date of about 60 days later, and a compliance deadline about 180 days after that. 

In practice, this timeline only gives organizations until late 2026 or early 2027 to comply. For teams without mature security programs, six months isn’t a long runway, especially if vendor coordination or contract updates are involved.

What “Good” Looks Like Moving Forward

In most cases, these changes won’t require reinventing your security program, but they will demand greater oversight and accountability.

Here are five practical steps that you should follow:

  1. Formalize your risk analysis process
    If your risk assessment is ad hoc or outdated, start here. Many of the new requirements build on this foundation.
  2. Review penetration testing and vulnerability scanning processes
    Annual penetration tests and semiannual vulnerability scans shouldn’t be one-off projects. Treat them as recurring, scheduled activities with defined scopes informed by your risk analysis.
  3. Document your work
    The shift toward prescriptive requirements means auditors (and regulators) will expect clear evidence and not just intent.
  4. Review vendor relationships
    Business associate agreements may need updates, and vendors will need to meet the same standards.
  5. Decide how you’ll validate compliance
    Whether you choose self-assessment or a third-party audit, there should be objective and separate evaluations of your overall program on a consistent basis. 

The Bigger Picture

These updates signal a broader shift in healthcare security, from flexible guidance toward enforceable baselines. For organizations that have historically treated HIPAA as a checkbox exercise, this will feel like a step change. For those with existing security programs, it’s more about tightening existing processes.

Either way, the takeaway is the same: waiting for the final rule is the wrong strategy, and organizations that start building repeatable, testable security practices now will be the ones best positioned when the deadlines arrive.

If you’re unsure how to approach these new regulations, talk to us today and learn how Thoropass can take the pain out of HIPAA compliance.

Joe Hunsicker

Head of Sales Engineering
