HIPAA Security Rule NPRM: Where the Proposal Stands in 2026
HHS OCR's HIPAA Security Rule NPRM would mandate encryption, MFA, and annual risk analyses. Here is the status in early 2026 and what practices should do now.
The HIPAA Security Rule is about to get its first major rewrite since it was finalized in 2003. HHS's Office for Civil Rights published a Notice of Proposed Rulemaking in the Federal Register on January 6, 2025, proposing sweeping updates to how covered entities and business associates protect electronic protected health information (ePHI). As of early 2026, the NPRM is still a proposal, and no final rule has been issued, but the direction of travel is clear enough that practices should start preparing.
What Changed (So Far)
The NPRM was published in the Federal Register on January 6, 2025, with a public comment period that closed March 7, 2025. Key proposed provisions:
- End the "addressable vs. required" distinction. Today, the Security Rule marks some implementation specifications as "addressable," which the industry has long treated as optional. The proposal would make nearly all specifications required, with only narrow risk-analysis-based exceptions.
- Mandatory encryption of ePHI at rest and in transit, using prevailing cryptographic standards. This moves encryption from addressable to required. In a 2021 survey, only about 50% of covered entities had fully implemented encryption under the current framework.
- Multi-factor authentication (MFA) or equivalent for system access to ePHI, embedded in expanded Information Access Management requirements with role-based access policies.
- Explicitly annual risk analyses (or more frequent when risks change), with detailed requirements for identifying vulnerabilities, assessing impacts, and documenting remediation.
- New technical safeguards, including: anti-malware deployment on all assets, network segmentation to isolate ePHI, removal of unnecessary software from workstations, disabling unnecessary network ports based on risk analysis, and patch management timelines measured from when a vulnerability is identified: critical risks within 15 calendar days, high risks within 30 calendar days.
- Consistent configuration of systems handling ePHI, with documented standards.
The NPRM does not directly address alignment with the 2024 42 CFR Part 2 final rule on substance use disorder record confidentiality. Part 2 was harmonized with HIPAA separately; the Security Rule NPRM focuses on cybersecurity safeguards only.
OCR's own framing is that the proposed changes "codify existing best practices" and therefore impose limited new costs. The NPRM proposes a compliance date 180 days after the final rule's effective date and estimates first-year industry cost at roughly $9 billion, with about $6 billion per year in the following years. Actual implementation deadlines will come with the final rule, if and when it is issued.
Why It Matters
Even in NPRM status, the proposal is already influencing enforcement and audits:
- OCR's interpretation of "reasonable and appropriate" is tightening. When OCR settles a breach case in 2026, the corrective action plan frequently looks a lot like the NPRM: mandatory encryption, MFA, annual risk analyses, patch management SLAs. Practices that wait for the final rule will be behind the de facto standard.
- Cyber insurance is ahead of the rule. Many cyber insurance carriers already require MFA, encryption of ePHI at rest, and documented risk analyses as a condition of issuing or renewing coverage. The NPRM is catching the regulation up to where insurance has been for two to three years.
- Small practices are in the crosshairs. Ransomware and phishing events disproportionately hit small independent practices. OCR has been unusually active in enforcement against smaller covered entities, and the proposed patch management timelines (15 days for critical risks) will be hard for practices relying on a part-time IT contractor.
- Business associate agreements will need updates. Many of the NPRM provisions explicitly flow through to business associates. If a final rule arrives this year, BAAs signed in 2024 or earlier will need to be amended.
What to Do
- Document a current-state gap analysis against the NPRM. Even without a final rule, write down where you stand on encryption, MFA, annual risk analysis, patch SLAs, network segmentation, and anti-malware coverage. This becomes both an OCR-ready document and your roadmap.
- Move MFA and encryption off the "planned" list. Both are low-controversy, already-expected, and essential. Practices that do not have MFA on EHR access and full-disk or file-level encryption on ePHI storage should prioritize these above almost anything else in their IT budget.
- Schedule an annual risk analysis, on the calendar. Pick a month, put it in the compliance calendar, and treat it as non-negotiable. Include threats, vulnerabilities, likelihood, impact, and a remediation tracker.
- Build a patch management log. Even if you cannot hit the 15-day and 30-day timelines yet, start recording when each vulnerability was identified, its severity, and when it was remediated, so you can measure yourself against them. The documentation itself demonstrates a good-faith process.
- Ask your EHR and clearinghouse vendors for their NPRM readiness statement. You need to know which of their safeguards handle the encryption, MFA, and access management requirements and which ones you are on the hook for.
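A concrete way to start the patch management log described above, as an added example that is not from the original page or from any OCR guidance: a small Python tracker that reads a CSV log of findings, applies the NPRM's proposed windows (15 calendar days for critical, 30 for high, measured from identification), and reports which items were remediated on time, which were late, and which are currently overdue. The CSV format, asset names and findings are constructed for illustration; severities other than critical and high are tracked but given no deadline, because the proposal sets none for them.

```python
"""Patch-management log checker using the NPRM-proposed remediation windows."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Windows proposed in the 2025 NPRM, in calendar days from identification.
# Other severities are tracked but have no proposed deadline (None).
SLA_DAYS = {"critical": 15, "high": 30}

# Constructed sample log (not real findings): one row per vulnerability/asset.
SAMPLE_LOG = """\
asset,finding,severity,identified,remediated
ehr-app-01,OS security rollup,critical,2026-02-01,2026-02-10
frontdesk-ws-03,browser security advisory,critical,2026-02-01,
backup-srv-01,backup agent update,high,2026-02-10,2026-02-25
imaging-ws-02,DICOM viewer update,high,2026-01-20,2026-02-25
printer-lobby,firmware update,medium,2026-01-05,
"""


@dataclass
class PatchRecord:
    asset: str
    finding: str
    severity: str
    identified: date
    remediated: Optional[date] = None

    def due(self) -> Optional[date]:
        """Deadline under the proposed windows, or None if no window applies."""
        days = SLA_DAYS.get(self.severity)
        return None if days is None else self.identified + timedelta(days=days)

    def status(self, today: date) -> str:
        """met / late for closed items; overdue / open for items still unpatched."""
        due = self.due()
        if self.remediated is not None:
            return "met" if due is None or self.remediated <= due else "late"
        return "overdue" if due is not None and today > due else "open"


def load_log(csv_text: str) -> list[PatchRecord]:
    """Parse the CSV log; an empty 'remediated' field means still open."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        records.append(PatchRecord(
            asset=row["asset"].strip(),
            finding=row["finding"].strip(),
            severity=row["severity"].strip().lower(),
            identified=date.fromisoformat(row["identified"].strip()),
            remediated=(date.fromisoformat(row["remediated"].strip())
                        if row["remediated"].strip() else None),
        ))
    return records


def summarize(records: list[PatchRecord], today: date):
    """Return status counts and the overdue items, worst (most days overdue) first."""
    counts = {"met": 0, "late": 0, "overdue": 0, "open": 0}
    overdue = []
    for r in records:
        s = r.status(today)
        counts[s] += 1
        if s == "overdue":
            overdue.append((r.asset, r.finding, (today - r.due()).days))
    overdue.sort(key=lambda item: -item[2])
    return counts, overdue


if __name__ == "__main__":
    today = date(2026, 3, 1)  # fixed date so the sample output is reproducible
    counts, overdue = summarize(load_log(SAMPLE_LOG), today)
    print("status counts:", counts)
    for asset, finding, days in overdue:
        print(f"OVERDUE {days:>3}d  {asset}: {finding}")
```

Run it against a real export from your ticketing or RMM system by replacing `SAMPLE_LOG` with the file contents; the overdue list is the piece to bring to the monthly compliance review, and the met/late split over time is the evidence that the process exists even before every item hits the window.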
Talk to Us
DeltaRCM works alongside HIPAA-focused IT partners and compliance teams to translate regulatory pressure into workable revenue cycle and practice operations processes. If you need a calm read on what the HIPAA Security Rule NPRM means for your documentation, access controls, and business associate agreements, reach out for a focused conversation.