May 2026 HIPAA Security Rule: Complete Guide to New Requirements
Everything healthcare practices need to know about the May 2026 HIPAA Security Rule update. Covers all 13 new mandatory requirements, eliminated addressable specs, compliance timeline, and step-by-step preparation guide.
Overview: What Is Changing
The Department of Health and Human Services (HHS) finalized updates to the HIPAA Security Rule that take effect in May 2026. This is the most significant update to HIPAA's technical requirements since the original Security Rule was published in 2003.
The update was driven by the explosion of healthcare cyberattacks — particularly the 2024 Change Healthcare ransomware attack that affected over 100 million patients and disrupted healthcare operations nationwide for weeks.
Key Changes at a Glance
| Change | Current Rule | May 2026 Rule |
|---|---|---|
| Encryption at rest | Addressable (can skip with documentation) | Mandatory — no exceptions |
| Encryption in transit | Addressable | Mandatory — no exceptions |
| Multi-factor authentication | Not specifically required | Mandatory on all ePHI systems |
| Technology asset inventory | Not required | Mandatory — complete inventory |
| Network map | Not required | Mandatory — all ePHI data flows |
| Network segmentation | Not required | Mandatory |
| Vulnerability scanning | Not specified | Mandatory — every 90 days |
| Patch management | Not specified | Mandatory — 15/30 day timelines |
| Compliance verification | Not required | Annual verification by qualified person |
| Incident response | General requirement | 72-hour HHS notification for severe incidents |
| Risk analysis | Required (vague) | Required with specific methodology documentation |
| Addressable vs Required | 42 specs are "addressable" | Nearly all specifications mandatory |
Why This Is Happening Now
The Catalyst: Change Healthcare (2024)
In February 2024, a ransomware attack on Change Healthcare (owned by UnitedHealth Group) compromised 100+ million patient records and disrupted claims processing, pharmacy operations, and provider payments across the entire US healthcare system for weeks. The root cause: a single compromised credential with no MFA enabled.
This event demonstrated that:
- "Addressable" controls led to widespread non-implementation of critical safeguards
- Small practices connected to large ecosystems create systemic risk
- The healthcare sector's security posture was inadequate against modern threats
Enforcement Escalation (2023-2026)
OCR enforcement actions have escalated dramatically:
- 2023: Banner Health — $1.25M for risk analysis failure (2.81M affected)
- 2024: LA County Health Services — $1.3M for unauthorized workforce access
- 2024: Heritage Valley Health System — $950K for ransomware response failures
- 2024-2025: Multiple small practices fined $30K-$250K for basic security failures
- 2025: OCR announced it would pursue "wall-to-wall" enforcement of the Security Rule
The 13 New Mandatory Requirements
1. Technology Asset Inventory
What's required: Maintain a complete, current inventory of all technology assets that create, receive, maintain, or transmit ePHI.
What to include:
- Hardware: servers, workstations, laptops, tablets, phones, medical devices, network equipment
- Software: EHR systems, billing software, email clients, remote access tools, operating systems
- Cloud services: hosted EHR, backup services, patient portals, telehealth platforms
- IoT/medical devices: anything connected to your network
Requirements:
- Assign an owner to each asset
- Update inventory when assets are added, removed, or modified
- Review accuracy at least annually
- Track end-of-life dates for hardware and software
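One way to check an inventory against the four requirements just listed (owner assigned, updated on change, reviewed at least annually, end-of-life tracked). This is an added example, not code from the guide or from any product it mentions; the record format (a list of dicts with the keys shown) and the sample assets are constructed.

```python
"""Audit a technology asset inventory for the gaps the May 2026 rule cares
about: missing owners, reviews older than a year, and untracked or expired
end-of-life dates.

Added example; inventory format and sample records are constructed.
"""
from datetime import date, timedelta

# The rule requires accuracy review at least annually.
REVIEW_INTERVAL = timedelta(days=365)

# Date the audit is run "as of" (constructed).
AS_OF = date(2026, 5, 1)

# Constructed sample inventory. "ephi" marks assets that create, receive,
# maintain, or transmit ePHI and are therefore held to the full requirements.
INVENTORY = [
    {"id": "srv-ehr-01", "type": "server", "owner": "IT Lead",
     "ephi": True, "last_reviewed": date(2025, 9, 1), "eol": date(2028, 1, 31)},
    {"id": "lt-frontdesk-03", "type": "laptop", "owner": "",
     "ephi": True, "last_reviewed": date(2024, 2, 15), "eol": date(2027, 6, 30)},
    {"id": "ultrasound-02", "type": "medical device", "owner": "Clinical Mgr",
     "ephi": True, "last_reviewed": date(2025, 10, 1), "eol": date(2025, 12, 31)},
    {"id": "guest-ap-01", "type": "network", "owner": "IT Lead",
     "ephi": False, "last_reviewed": date(2025, 10, 1), "eol": None},
]


def audit_inventory(inventory, today):
    """Return a dict of asset id -> list of gaps. Every asset needs an owner;
    ePHI assets additionally need a review within the last year and a
    tracked, not-yet-passed end-of-life date."""
    findings = {}
    for asset in inventory:
        issues = []
        if not asset.get("owner"):
            issues.append("no owner assigned")
        if asset["ephi"]:
            reviewed = asset.get("last_reviewed")
            if reviewed is None or today - reviewed > REVIEW_INTERVAL:
                issues.append("review overdue (annual review required)")
            eol = asset.get("eol")
            if eol is None:
                issues.append("end-of-life date not tracked")
            elif eol < today:
                issues.append(f"past end-of-life since {eol.isoformat()}")
        if issues:
            findings[asset["id"]] = issues
    return findings


if __name__ == "__main__":
    for asset_id, issues in audit_inventory(INVENTORY, AS_OF).items():
        print(asset_id, "->", "; ".join(issues))
```

Run as-is it reports the laptop with no owner and a two-year-old review, and the ultrasound unit that passed end-of-life; the guest access point is out of ePHI scope and is only checked for an owner.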
2. Network Map
What's required: Create and maintain a network diagram showing all systems, connections, and data flows involving ePHI.
Must document:
- All network segments and how they connect
- Where ePHI resides (at rest) and how it moves (in transit)
- Entry and exit points (internet connections, VPN endpoints, wireless access)
- Connections to business associates and third parties
- Data flow between internal systems
3. Mandatory Encryption at Rest
What's changing: Encryption at rest moves from "addressable" to required. You can no longer document that encryption is "not reasonable and appropriate."
Minimum standards:
- AES-256 encryption on all systems storing ePHI
- Full-disk encryption on all workstations, laptops, and portable devices
- Database-level encryption on EHR databases
- Encrypted backups
4. Mandatory Encryption in Transit
Minimum standards:
- TLS 1.2 or higher for all web-based ePHI access
- Encrypted email (TLS for server-to-server, end-to-end for sensitive messages)
- VPN or equivalent for remote access
- Encrypted connections to cloud services and business associates
- Disable all unencrypted protocols (HTTP, FTP, Telnet, unencrypted SMTP)
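Two checks that follow from the standards above: a client TLS configuration that refuses anything below TLS 1.2, and an audit of listening services for the cleartext protocols the rule says must be disabled. This is an added example, not code from the guide; the listener records are constructed, and the idea that an administrator would export them from their own hosts (for example from `ss`/`netstat` output) is an assumption.

```python
"""Encryption-in-transit checks: a TLS 1.2+ client context and a scan of
listener records for prohibited cleartext protocols.

Added example; listener records are constructed.
"""
import ssl

# Protocols the rule requires disabling, keyed by their conventional ports.
# A "tls" flag of True on one of these ports means TLS or STARTTLS is
# offered on it (for example SMTP on 25 with STARTTLS), which is allowed.
CLEARTEXT_PORTS = {80: "HTTP", 21: "FTP", 23: "Telnet", 25: "SMTP (unencrypted)"}


def hardened_client_context():
    """Client context for any outbound ePHI connection: verifies the server
    certificate and hostname, and never negotiates below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


# Constructed sample of listening services on ePHI-handling hosts.
LISTENERS = [
    {"host": "ehr-web", "port": 443, "tls": True},
    {"host": "ehr-web", "port": 80, "tls": False},      # plain HTTP still on
    {"host": "files-01", "port": 21, "tls": False},     # FTP
    {"host": "mail-01", "port": 25, "tls": False},      # SMTP without STARTTLS
    {"host": "mail-01", "port": 587, "tls": True},      # submission with STARTTLS
    {"host": "switch-core", "port": 23, "tls": False},  # Telnet on a switch
]


def cleartext_findings(listeners):
    """One finding per listener that speaks a prohibited cleartext protocol."""
    findings = []
    for svc in listeners:
        name = CLEARTEXT_PORTS.get(svc["port"])
        if name and not svc["tls"]:
            findings.append(f'{svc["host"]}:{svc["port"]} {name} must be disabled or replaced')
    return findings


if __name__ == "__main__":
    print("client minimum TLS:", hardened_client_context().minimum_version.name)
    for line in cleartext_findings(LISTENERS):
        print(line)
```

`create_default_context()` already enables certificate and hostname verification; setting `minimum_version` is the part that enforces the TLS 1.2 floor on the client side. The server side of the same floor is set in the web server or EHR vendor configuration.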
5. Mandatory Multi-Factor Authentication
What's required: MFA on ALL systems that create, receive, maintain, or transmit ePHI. No exceptions.
Scope: EHR/EMR systems, email accounts, remote access, administrative systems, patient portals (staff-side), backup systems, and any system accessible over the internet.
Acceptable MFA methods:
- Authenticator apps (recommended)
- Hardware security keys / FIDO2 (most secure)
- Push notifications to registered devices
- SMS-based OTP (acceptable but discouraged)
6. Network Segmentation
What's required: Isolate systems containing ePHI from general-purpose networks.
Practical example for a small practice:
- VLAN 1: Clinical systems (EHR workstations, clinical printers)
- VLAN 2: Administrative (billing, scheduling, general office)
- VLAN 3: Guest/patient WiFi (completely isolated)
- VLAN 4: IoT/medical devices (isolated, restricted internet access)
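A way to check a proposed inter-VLAN firewall policy against the isolation goals in the example above before it is deployed: guest Wi-Fi reaches only the internet, the IoT/medical device VLAN has only allow-listed internet egress, and the clinical VLAN accepts connections only from explicitly allow-listed sources. This is an added example, not code from the guide; the rule format, the sample policy, and the specific allow-lists are constructed design choices, not requirements stated by the rule.

```python
"""Validate inter-VLAN policy rules against the segmentation goals for the
four-VLAN layout above. Anything not listed in a policy is assumed denied.

Added example; rule format, sample policies and allow-lists are constructed.
"""
from dataclasses import dataclass

INTERNET = "internet"
CLINICAL, ADMIN, GUEST, IOT = "vlan1-clinical", "vlan2-admin", "vlan3-guest", "vlan4-iot"
INTERNAL = {CLINICAL, ADMIN, GUEST, IOT}


@dataclass(frozen=True)
class Rule:
    src: str       # VLAN name or INTERNET
    dst: str       # VLAN name or INTERNET
    port: int      # destination TCP port
    note: str = ""


# Sources allowed to initiate connections into the clinical VLAN (constructed).
CLINICAL_ALLOWED_SOURCES = {ADMIN, IOT}
# Destination ports the IoT VLAN may use toward the internet (constructed).
IOT_INTERNET_PORTS = {443}

# Constructed policy that satisfies the goals.
POLICY = [
    Rule(ADMIN, CLINICAL, 443, "billing staff reach the EHR web front end"),
    Rule(CLINICAL, INTERNET, 443, "EHR vendor updates and e-prescribing"),
    Rule(ADMIN, INTERNET, 443),
    Rule(GUEST, INTERNET, 443),
    Rule(IOT, INTERNET, 443, "device telemetry to the vendor cloud only"),
    Rule(IOT, CLINICAL, 104, "DICOM from imaging devices to the clinical PACS"),
]

# The same policy with three mistakes an auditor should catch.
BAD_POLICY = POLICY + [
    Rule(GUEST, CLINICAL, 445, "guest can reach clinical file shares"),
    Rule(IOT, INTERNET, 80, "unrestricted cleartext egress from devices"),
    Rule(INTERNET, CLINICAL, 3389, "remote desktop exposed directly"),
]


def violations(policy):
    """Return a human-readable list of rules that break a segmentation goal."""
    out = []
    for r in policy:
        if (r.src == GUEST and r.dst in INTERNAL) or r.dst == GUEST:
            out.append(f"guest VLAN must be fully isolated: {r.src}->{r.dst}:{r.port}")
        if r.src == IOT and r.dst == INTERNET and r.port not in IOT_INTERNET_PORTS:
            out.append(f"IoT VLAN internet egress not allow-listed: port {r.port}")
        if r.dst == CLINICAL and r.src not in CLINICAL_ALLOWED_SOURCES:
            out.append(f"clinical VLAN reachable from non-allow-listed source {r.src}")
    return out


if __name__ == "__main__":
    print("POLICY violations:", violations(POLICY))
    for v in violations(BAD_POLICY):
        print("BAD_POLICY:", v)
```

The guest-to-clinical rule trips two goals at once (guest isolation and the clinical allow-list), so the bad policy yields four findings for three rules; that double reporting is deliberate, since each goal is documented separately in the risk analysis.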
7. Vulnerability Scanning — Every 90 Days
Remediation timelines:
- Critical vulnerabilities: remediate within 15 days
- High vulnerabilities: remediate within 30 days
- Medium vulnerabilities: remediate within 90 days
- Low vulnerabilities: track and address at next maintenance window
8. Patch Management — Defined Timelines
Timelines:
- Critical security patches: apply within 15 days of release
- High security patches: apply within 30 days
- All other patches: apply within reasonable timeframe
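Sections 7 and 8 above share one set of clocks: 15 days for critical, 30 for high, 90 for medium, low items tracked to the next maintenance window, and a scan at least every 90 days. The following tracks those clocks for a list of open findings (scan results and pending patches alike). It is an added example, not code from the guide; the finding format and the sample findings are constructed.

```python
"""Remediation SLA tracker for vulnerability findings and pending patches,
using the timelines above: critical 15 days, high 30, medium 90, low tracked
to the next maintenance window; rescan at least every 90 days.

Added example; finding format and sample data are constructed.
"""
from datetime import date, timedelta

SLA_DAYS = {"critical": 15, "high": 30, "medium": 90}
SCAN_INTERVAL = timedelta(days=90)

# Constructed "as of" date and last scan date.
AS_OF = date(2026, 5, 1)
LAST_SCAN = date(2026, 1, 15)

# Constructed findings. "found" is the scan or patch-release date that starts
# the clock; "fixed" is None while the item is still open.
FINDINGS = [
    {"id": "F-1", "asset": "ehr-web", "severity": "critical", "found": date(2026, 4, 1), "fixed": None},
    {"id": "F-2", "asset": "files-01", "severity": "high", "found": date(2026, 4, 10), "fixed": date(2026, 4, 20)},
    {"id": "F-3", "asset": "lt-frontdesk-03", "severity": "medium", "found": date(2026, 2, 1), "fixed": None},
    {"id": "F-4", "asset": "switch-core", "severity": "low", "found": date(2026, 3, 1), "fixed": None},
    {"id": "F-5", "asset": "mail-01", "severity": "critical", "found": date(2026, 4, 25), "fixed": None},
]


def due_date(severity, found):
    """Due date for a finding, or None for low findings (no fixed deadline)."""
    days = SLA_DAYS.get(severity.lower())
    return found + timedelta(days=days) if days is not None else None


def status(finding, today):
    """One of: closed, closed late, tracked, open, overdue."""
    due = due_date(finding["severity"], finding["found"])
    if finding["fixed"] is not None:
        return "closed late" if due is not None and finding["fixed"] > due else "closed"
    if due is None:
        return "tracked"
    return "overdue" if today > due else "open"


def overdue(findings, today):
    """Ids of findings past their due date, in input order."""
    return [f["id"] for f in findings if status(f, today) == "overdue"]


def scan_overdue(last_scan, today):
    """True when more than 90 days have passed since the last scan."""
    return today > last_scan + SCAN_INTERVAL


if __name__ == "__main__":
    for f in FINDINGS:
        d = due_date(f["severity"], f["found"])
        print(f["id"], f["severity"], "due", d.isoformat() if d else "n/a", status(f, AS_OF))
    print("next scan overdue:", scan_overdue(LAST_SCAN, AS_OF))
```

Note the edge case in F-3: a medium finding from 1 February is due on 2 May, so on 1 May it is still open rather than overdue; counting from the day the scanner reported it, not the day someone read the report, is what keeps the evidence defensible in an audit.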
9. Risk Analysis with Specific Methodology
Must document: Methodology used, all assets and threats identified, vulnerability assessment results, likelihood and impact ratings, risk prioritization, remediation timelines and responsible parties.
10. Annual Compliance Verification
A qualified individual must verify annually that security measures are implemented and functioning. This can be internal (Security Officer) or external (third-party consultant).
11. Incident Response Enhancements
- 72-hour notification to HHS for incidents meeting severity thresholds
- Written incident response plan tested annually
- Rapid containment procedures
- Forensic preservation requirements
12. Business Associate Requirements — Enhanced
- Business associates must notify covered entities within 24 hours of discovering a security incident
- Must implement the same mandatory controls (MFA, encryption, scanning, segmentation)
- Covered entities must verify BA compliance (not just trust attestation)
13. Elimination of "Addressable" Specifications
Nearly all specifications become mandatory. You can no longer claim that encryption is "too expensive" or MFA is "too complex." Every covered entity must meet the same baseline.
Compliance Timeline
| Timeframe | Action |
|---|---|
| Now | Begin technology asset inventory |
| Now | Assess current MFA coverage and encryption status |
| 3-6 months before | Implement network segmentation |
| 3-6 months before | Deploy vulnerability scanning tool |
| 2-3 months before | Update all BAAs with new requirements |
| 1-2 months before | Complete first compliance verification |
| 1 month before | Conduct staff training on new procedures |
| May 2026 | Full compliance required — enforcement begins |
Cost Considerations for Small Practices
| Requirement | Typical Cost (Small Practice) |
|---|---|
| MFA implementation | $5-15/user/month |
| Encryption (full-disk) | $0 (built into Windows Pro/Mac) |
| Vulnerability scanning | $100-500/month |
| Network segmentation | $2,000-10,000 one-time |
| Patch management tool | $50-200/month |
| Compliance verification | $2,000-5,000/year (external) |
| Asset inventory tool | $50-150/month |
Total estimated annual increase: $5,000-$25,000 depending on current security maturity.
Perspective: This is a fraction of the $4.82M average breach recovery cost.
What Happens If You're Not Compliant
Not implementing mandatory controls after the effective date constitutes Tier 3 or Tier 4 willful neglect, carrying penalties of $14,232-$2,134,831 per violation.
Additionally:
- Breaches are more likely without mandatory controls
- Cyber insurance may deny claims if controls weren't in place
- Business associates may refuse to work with non-compliant entities
Check Your May 2026 Readiness
Your HIPAA Agent Compliance Score™ evaluates your practice against all current and upcoming HIPAA requirements, including the May 2026 mandates. The scan specifically checks:
- Whether MFA is enabled on internet-facing systems
- Whether email authentication (SPF, DKIM, DMARC) is configured
- Whether encryption is implemented for data in transit
- Whether known vulnerabilities exist in public-facing infrastructure
- Whether exposed services (RDP, SMB, LDAP) indicate network segmentation gaps
Get your free HIPAA Agent Compliance Score™ at hipaaagent.ai/check — see exactly where you stand on the May 2026 requirements before enforcement begins.
This guide reflects the finalized May 2026 HIPAA Security Rule amendments. Last updated: May 2026.
Regulatory references: 45 CFR Parts 160 and 164, Subpart C. Federal Register: 2024-30983 (NPRM), final rule 2025.
Frequently Asked Questions
When does the new HIPAA Security Rule take effect?
The updated HIPAA Security Rule takes effect in May 2026. All covered entities and business associates must be in full compliance by the effective date. There is no grace period — OCR can begin enforcement immediately. Practices should begin preparation now, as many of the new requirements (asset inventory, network segmentation, vulnerability scanning) require significant implementation time.
What is the biggest change in the May 2026 Security Rule?
The most significant change is the elimination of the "addressable" vs "required" distinction for most security specifications. Under the current rule, practices could document why certain controls (like encryption or MFA) were not reasonable and appropriate. Under the 2026 rule, encryption and multi-factor authentication are mandatory for ALL covered entities regardless of size. There are no more exceptions for small practices.
Does the May 2026 rule apply to small practices?
Yes. The May 2026 Security Rule applies equally to all covered entities regardless of size — solo practitioners, small group practices, large health systems, and all business associates. The elimination of addressable specifications means small practices can no longer document that certain controls are "not reasonable and appropriate" for their size. Every practice must implement MFA, encryption, asset inventory, vulnerability scanning, and network segmentation.