📣 Regulatory Updates

HIPAA Compliance in 2026: What Small Practices Need to Know

ComplianceStack Intelligence
March 20, 2026

In December 2024, HHS proposed the most significant update to the HIPAA Security Rule since 2013. If finalized — and regulators have been clear it will be finalized — it fundamentally changes what "compliant" means for every covered entity and business associate in the US.

For small healthcare practices with 1–50 employees, the proposed changes aren't optional improvements. They're mandatory requirements with timelines. And the window to prepare is closing.

⚠ OCR Enforcement Is Up, Not Down

In 2025, OCR settled 21 enforcement actions totaling over $4.2M in fines. The largest settlement — $950K from a health system after a ransomware attack — revealed that basic security controls were missing for years. Small practices are now primary targets.

What's Changing Under the 2026 HIPAA Security Rule Update

The proposed rule — published in the Federal Register on December 27, 2024 (Document 2024-30983) — identifies several areas where the current Security Rule has proven inadequate in the face of modern cyber threats. Here's what's being added:

1. Mandatory Encryption — No More "Addressable" Exceptions

Under the original 2013 Security Rule, encryption of ePHI at rest and in transit was listed as "addressable," meaning covered entities could document why they chose an equivalent alternative. That flexibility is gone.

Under the proposed 2026 rule, encryption of all ePHI is required — both at rest (on servers, workstations, and mobile devices) and in transit (email, file transfers, API calls). There is no alternative. If your practice stores patient records on an unencrypted hard drive, you have until the compliance deadline to fix it.

2. Multi-Factor Authentication (MFA) Everywhere

MFA is now a specific, mandatory requirement for all access to ePHI systems. This means:

  • EHR systems (Epic, Athena, Kareo, etc.) must require MFA for all logins
  • Administrative systems with access to patient data require MFA
  • Remote access via VPN or RDP requires MFA
  • Email systems used to send or receive PHI require MFA

The rule doesn't mandate a specific MFA method — SMS, authenticator apps, hardware tokens, and biometrics all qualify. But single-factor authentication with just a password is no longer sufficient.

3. Network Segmentation Requirements

The proposed rule introduces a requirement for network segmentation — separating systems that handle ePHI from general office networks. In plain terms: your patient billing system shouldn't be on the same network segment as your front desk Wi-Fi.

For small practices using cloud-based EHRs, this primarily means ensuring your internal network is segmented from any public-facing or guest access points, and that workstations accessing ePHI are isolated from general-purpose devices.

4. Mandatory Vulnerability Scanning and Patch Management

Risk management under the Security Rule always required identifying vulnerabilities — but the frequency and documentation requirements were vague. The updated rule specifies:

  • Quarterly vulnerability scans of all systems that store or access ePHI
  • Patch management timelines: critical patches within 15 days, high within 30 days
  • Documentation of patching decisions, including when patches are delayed and why
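An added example (not part of the article, and not a ComplianceStack tool) showing how the stated timelines can be tracked against scan output: each finding gets a due date from the 15-day critical / 30-day high deadlines above, and anything past due without a written deferral reason is flagged as the documentation gap an auditor would ask about. Hostnames, finding ids and dates are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Timelines stated in the article: critical within 15 days, high within 30 days.
# Medium/low findings have no stated deadline, so they are tracked but never flagged overdue.
PATCH_SLA_DAYS = {"critical": 15, "high": 30}

@dataclass
class Finding:
    host: str                      # system that stores or accesses ePHI
    finding_id: str                # scanner's identifier (placeholder values below)
    severity: str                  # "critical", "high", "medium" or "low"
    found: date                    # date the scan reported it
    patched: Optional[date] = None
    deferral_reason: Optional[str] = None   # written justification when a patch is delayed

def due_date(f: Finding) -> Optional[date]:
    days = PATCH_SLA_DAYS.get(f.severity)
    return f.found + timedelta(days=days) if days is not None else None

def status(f: Finding, today: date) -> str:
    due = due_date(f)
    if f.patched is not None:
        return "patched" if due is None or f.patched <= due else "patched_late"
    if due is None:
        return "tracked"          # no deadline stated; still kept in the scan record
    if today <= due:
        return "open"
    # Past the deadline: the rule expects the delay and its reason to be documented.
    return "overdue_documented" if f.deferral_reason else "overdue_undocumented"

def report(findings, today: date) -> dict:
    """Group finding ids by status; 'overdue_undocumented' is the gap to close first."""
    out = {}
    for f in findings:
        out.setdefault(status(f, today), []).append(f.finding_id)
    return out

# Constructed sample scan results (not real findings), evaluated as of 2026-04-01.
SAMPLE = [
    Finding("ehr-ws-01", "F-1", "critical", date(2026, 3, 1), patched=date(2026, 3, 10)),
    Finding("billing-srv", "F-2", "critical", date(2026, 3, 5)),
    Finding("billing-srv", "F-3", "high", date(2026, 2, 20),
            deferral_reason="Vendor fix scheduled; host moved to isolated segment meanwhile"),
    Finding("front-desk-pc", "F-4", "medium", date(2026, 1, 5)),
    Finding("ehr-ws-02", "F-5", "critical", date(2026, 3, 25)),
    Finding("mail-gw", "F-6", "high", date(2026, 2, 1), patched=date(2026, 3, 15)),
]

if __name__ == "__main__":
    for state, ids in sorted(report(SAMPLE, date(2026, 4, 1)).items()):
        print(f"{state:22s} {', '.join(ids)}")
```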

5. Annual Security Testing

Penetration testing — previously recommended but not required — becomes a mandatory annual requirement under the proposed rule. For small practices, this doesn't necessarily mean hiring a $50K security firm. Automated penetration testing tools certified for HIPAA environments satisfy the requirement.

Compliance Timeline

HHS has proposed a tiered implementation timeline based on organization size:

Organization Size            Full Compliance Deadline      Risk Level If Missed
Large (500+ employees)       180 days post-finalization    HIGH
Medium (51–499 employees)    240 days post-finalization    HIGH
Small (1–50 employees)       365 days post-finalization    MEDIUM

The rule was proposed in late 2024. With typical 6–12 month finalization timelines, small practices should assume a compliance deadline in the Q1–Q2 2027 range — meaning preparations need to start now.

⚠ Don't Wait for Finalization

OCR has stated it will consider good-faith compliance efforts in enforcement decisions. Practices that begin implementing the proposed requirements now — even before finalization — demonstrate due diligence. Practices that wait until the deadline and fail to meet it face the highest fine exposure.

What OCR Is Actually Targeting in Enforcement

Reading enforcement actions from 2023–2025 reveals a clear pattern. OCR consistently finds the same failures:

Inadequate Risk Analysis

The single most cited violation in OCR enforcement actions is failure to conduct or maintain an adequate risk analysis. Not just "we did one once" — a current, documented, comprehensive analysis that identifies all ePHI locations, assesses threats, and quantifies risk levels. Practices that had 3-year-old risk assessments were cited even when no breach occurred.

Lack of Access Controls

Former employees retaining system access. Shared logins between staff. No process for access removal when staff leave. OCR found these issues in 9 of the 14 enforcement actions settled in 2025.

Missing Business Associate Agreements

If your EHR vendor, billing company, transcription service, or cloud storage provider handles PHI on your behalf — you need a signed Business Associate Agreement (BAA). Missing or outdated BAAs were cited in multiple 2025 enforcement actions, including cases involving cloud services that practices didn't realize were handling PHI.

Small Practice Action Plan: What to Do Right Now

Here's the minimum required action for a small practice today:

  1. Conduct a current risk analysis — identify every location where ePHI exists: EHR, email, billing system, cloud storage, fax, portable devices.
  2. Enable MFA on all systems that store or access ePHI. Most EHR platforms already support this — it may just need to be enabled.
  3. Audit your BAAs — list every vendor that touches PHI and verify you have a current, signed BAA with each.
  4. Review access controls — audit who has access to what systems and remove access for anyone who no longer needs it.
  5. Encrypt workstations and mobile devices — Windows BitLocker and Mac FileVault are free and built-in. Enable them.
  6. Document everything — OCR cares as much about documentation as implementation. If it's not written down, it didn't happen.
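An added example for step 4 and the access-control failures OCR cites above (not part of the article): it cross-checks each enabled account against an HR roster and reports accounts still active for departed or unknown people, generic shared logins with no individual owner, and accounts nobody has used in 90 days. The roster, systems and usernames are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed HR roster: employee id -> (name, separation date or None if still employed).
ROSTER = {
    "E100": ("Dr. Ortega", None),
    "E101": ("R. Patel", None),
    "E102": ("M. Chen", date(2026, 1, 15)),   # left in January
}

@dataclass
class Account:
    system: str
    username: str
    owner_id: Optional[str]      # employee id the login is assigned to; None for generic logins
    enabled: bool
    last_login: Optional[date]

def review(accounts, today: date, dormant_days: int = 90) -> dict:
    """Return account names grouped by the access-control problem they represent."""
    findings = {"departed_or_unknown": [], "shared": [], "dormant": []}
    for a in accounts:
        if not a.enabled:
            continue                              # already removed; nothing to act on
        label = f"{a.system}:{a.username}"
        if a.owner_id is None:
            findings["shared"].append(label)      # no individual accountable for its use
            continue
        _, left = ROSTER.get(a.owner_id, ("unknown", date.min))   # unknown id = no active owner
        if left is not None and left <= today:
            findings["departed_or_unknown"].append(label)
        elif a.last_login is None or (today - a.last_login).days > dormant_days:
            findings["dormant"].append(label)     # unused access is access to remove
    return findings

# Constructed account export, reviewed as of 2026-04-01.
SAMPLE_ACCOUNTS = [
    Account("ehr", "ortega", "E100", True, date(2026, 3, 30)),
    Account("ehr", "chen", "E102", True, date(2026, 2, 2)),      # logged in after leaving
    Account("billing", "frontdesk", None, True, date(2026, 3, 31)),
    Account("ehr", "patel", "E101", True, date(2025, 11, 1)),
    Account("vpn", "oldvendor", "E999", False, None),
    Account("vpn", "contractor7", "E998", True, date(2026, 3, 1)),
]

if __name__ == "__main__":
    for problem, names in review(SAMPLE_ACCOUNTS, date(2026, 4, 1)).items():
        print(f"{problem:20s} {', '.join(names) or '-'}")
```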

ℹ Free Tool: HIPAA Risk Calculator

ComplianceStack's free HIPAA Risk Calculator walks you through the major risk domains and gives you a quantified risk score in 5 minutes. No email required.

The Penalty Structure You Need to Know

HIPAA penalties are tiered based on culpability — how much the covered entity knew about the violation and what they did to prevent it. The worst outcomes are not accidental breaches. They're breaches where the practice had warning signs and did nothing.

Tier     Description                               Per Violation          Annual Cap
Tier 1   Did not know about the violation          $137–$68,928           $2,067,813
Tier 2   Reasonable cause (not willful neglect)    $1,379–$68,928         $2,067,813
Tier 3   Willful neglect — corrected               $13,785–$68,928        $2,067,813
Tier 4   Willful neglect — not corrected           $68,928–$2,067,813     $2,067,813

A small practice that ignores the 2026 requirements and experiences a breach lands squarely in Tier 3 or 4 — potentially facing $68K–$2M per violation category. That's an existential fine for a 3-physician practice.

Bottom Line

The 2026 HIPAA Security Rule update closes loopholes that small practices have relied on for a decade. The "addressable" encryption exemption is gone. MFA is mandatory. Risk analysis needs to be current and documented.

For small practices, the best time to prepare was 6 months ago. The second best time is now.

"OCR's enforcement posture has fundamentally shifted. We're no longer seeing warnings before fines — we're seeing settlements on first contact. Small practices that have been coasting on good luck need to understand that luck is not a compliance strategy." — ComplianceStack Intelligence
