What are the new HIPAA Security Rule requirements for 2026?

The proposed HIPAA Security Rule update eliminates optional safeguards and mandates multi-factor authentication, encryption of ePHI at rest and in transit, biannual vulnerability scans, annual penetration testing, network segmentation, and 72-hour incident restoration for all covered entities and business associates.

When does the new HIPAA Security Rule take effect?

The rule is expected to be finalized in May 2026 and become effective approximately 60 days after publication, around July or August 2026. Most provisions must be implemented within 180 days of the effective date, putting compliance deadlines in early 2027.

What are the penalties for HIPAA non-compliance in 2026?

Tier 4 penalties for willful neglect of HIPAA requirements now reach $2,134,831 per violation. The Office for Civil Rights has settled 12 enforcement actions under its Risk Analysis Initiative and is expanding enforcement to cover whether identified risks were actually mitigated.

Back to Insights

The HIPAA Security Rule Is Getting Its Biggest Update in 13 Years. Here Is What Senior Living Operators Need to Know.

March 26, 2026 · Tech for Senior Living

The U.S. Department of Health and Human Services (HHS) has proposed the most significant update to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule since 2013. The proposed rule, published in December 2024, is expected to be finalized by May 2026. If your community handles electronic Protected Health Information (ePHI), and every senior living community does, these changes apply to you.

The Biggest Change: No More "Optional" Safeguards

Under the current rule, many security safeguards are classified as "addressable," meaning organizations can evaluate whether a control is reasonable and appropriate for their environment and document their reasoning if they choose not to implement it. The new rule eliminates this distinction entirely. Every safeguard becomes mandatory, with limited exceptions.

In practice, this means controls that some organizations treated as optional, such as encryption, multi-factor authentication (MFA), and network segmentation, will be required for every covered entity and business associate.

What the New Rule Requires

Multi-factor authentication (MFA) for all workforce members accessing ePHI. Password-only access will no longer meet the standard.
Encryption of ePHI both in transit and at rest. This applies to email, file storage, backups, and any system that stores or transmits resident health data.
Biannual vulnerability scans of all systems that handle ePHI.
Annual penetration testing to identify exploitable weaknesses before an attacker does.
Network segmentation to limit the spread of a breach if one occurs.
72-hour incident restoration for critical systems after a security event.

The Enforcement Shift Is Already Underway

The Office for Civil Rights (OCR) is not waiting for the final rule to tighten enforcement. OCR has settled 12 enforcement actions under its Risk Analysis Initiative, with the most recent settled on March 5, 2026, involving a breach affecting 15 million individuals. OCR Director Paula Stannard confirmed that the initiative is expanding in 2026 to cover not just whether a risk analysis was performed, but whether identified risks were actually mitigated.

This matters for senior living operators because it is no longer sufficient to complete an annual risk assessment and file it away. OCR now expects documentation showing that the risks identified in the assessment were addressed with specific remediation actions.

What This Means for Your Community

Senior living communities that already work with a managed IT provider focused on HIPAA compliance are in a stronger position. Many of the new requirements, including MFA enforcement, endpoint detection and response (EDR), encryption, and documented risk assessments, are standard components of a compliance-focused managed services engagement.

The two areas most likely to require new investment are annual penetration testing and 72-hour incident restoration capability. Penetration testing requires a qualified third-party security firm. Incident restoration requires validated backup and disaster recovery infrastructure with tested recovery time objectives.

The Compliance Timeline

The rule is expected to be finalized in May 2026 and become effective approximately 60 days after publication in the Federal Register, putting the effective date around July or August 2026. Most provisions must be implemented within 180 days of the effective date, meaning compliance deadlines will fall in early 2027.

That timeline sounds distant, but penetration testing engagements, backup infrastructure upgrades, and MFA rollouts across an entire community take time to scope, procure, and implement. Organizations that wait for the final rule to begin preparation will be behind.

Three Steps to Take Now

Verify your current risk assessment includes a risk treatment plan. Not just a list of risks, but documented evidence that each identified risk was addressed. OCR is actively enforcing this.
Confirm MFA is enforced on every account that accesses resident health data. This includes clinical systems, email, and remote access. No exceptions.
Ask your IT provider about penetration testing and disaster recovery restoration targets. If they cannot demonstrate annual pen testing and a 72-hour restoration capability, those gaps need to be addressed before the compliance deadline.

Tier 4 penalties for willful neglect of HIPAA requirements now reach $2,134,831 per violation. The cost of preparation is a fraction of the cost of non-compliance.

Is your community ready for the new HIPAA Security Rule?

Tech for Senior Living provides HIPAA-compliant managed IT built specifically for senior living communities. Our Vigilance Pro stack includes MFA enforcement, endpoint detection, encrypted backups, and documented compliance binders as standard. We can assess your readiness against the proposed requirements and identify gaps before the deadline.

Schedule Your Free Assessment