HIPAA Security Rule Overhaul and Shifting Sands With AI

This article first appeared on March 18th, 2026 as the third edition of the Risk Realist Newsletter. 

Here’s the question I’ve been asking healthcare security leaders lately: When is the last time your HIPAA security program was truly modernized?

Not just assessed or audited with no material findings; I mean modernized and improved to reflect how threats have changed and how healthcare, technology, and AI realities are very different from what they were even a decade ago.

For many organizations, HIPAA has been on compliance autopilot, engaging just enough to remain affordably compliant without prompting OCR investigations or fines.

The HIPAA Security Rule has been largely unchanged since its last major update in—wait for it—2013. In the meantime, ransomware has paralyzed hospital systems, AI-powered phishing and social engineering continue to get past compliance-trained employees, and business associates (your third-party vendors and supply chain) have become a preferred entry point for attackers who know the front door is locked.

HHS noticed. In January 2025, they published the most sweeping proposed overhaul to the HIPAA Security Rule since it was first introduced in 2003. The final rule is targeted for May 2026, with compliance deadlines potentially falling before the end of 2026 or in early 2027.

But… the jury is still out on whether the overhauled regulation will get slimmed down, rebooted, or published in full.

Just last week at HIMSS 2026, Paula Stannard, Director of the Office for Civil Rights at HHS, spoke about the agency's role in enforcing health information privacy and security laws. She emphasized the importance of risk analysis and risk management, noting a 12 percent decrease in large breaches in 2025 but a significant increase in hacking.

Let’s be clear about this: the OCR Director showing up to talk risk analysis at HIMSS while the final rule is pending certainly signals OCR is still engaged and active regardless of rule finalization status.

Coincidentally and unfortunately, while these HIMSS talks were all happening, Stryker, the well-known medical technology company, was hit with a cyberattack that wiped thousands of servers and medical devices.

Many of the controls being proposed by HHS are common tenets of a modern cybersecurity program, and waiting and hoping that even some of the requirements will be slimmed down is not a viable strategy for compliance or cyber risk management.

Rather than providing yet another full regulatory summary, or trying to convince you to not procrastinate and turn your work into a “Hail Mary” end-of-year scramble, I want to focus on how to ensure you have the core controls covered, and how to integrate your changes to better align with your company’s AI initiatives and the demands of your changing business.

This is an opportunity in front of you. It’s not about adding compliance controls to meet an expanding regulation. It’s a chance to use some of the momentum and excitement from AI to make things better and more usable for your organization.

But before we do that, let’s hit the basic changes:

The Single Biggest Change: Every Safeguard Is Now Mandatory

Under the current HIPAA Security Rule, implementation specifications are split into two categories: required and addressable.

Required controls must be implemented. Addressable controls are supposed to be implemented, but organizations are allowed to document a rationale for why a given control is not reasonable or appropriate for their environment, and skip it.

In practice, this has already created significant inconsistencies across the industry. Predictably, some organizations use "addressable" as a loophole to avoid privacy and security controls. Meanwhile, the OCR has watched this play out for twenty years and concluded that the ambiguity causes more harm than flexibility.

The proposed rule eliminates the distinction entirely. All implementation specifications become required, with only very specific, limited exceptions. The era of “we documented why we did not do it” is ending.

What this means in practice: If your security program has controls you have been deferring under the addressable category, including encryption in certain environments, certain access controls, and network segmentation, you need to be planning now for how to implement them, not rationalizing why you haven’t.

The Specific Technical Controls That Will Be Mandatory

The proposed rule introduces some new and explicit technical requirements and tightens the language on others. These reflect where OCR enforcement has been heading for years, but seeing them in writing changes the compliance calculus significantly.

1. Multi-factor authentication (MFA) on all systems accessing ePHI, no exceptions for legacy systems unless documented
2. Encryption of ePHI at rest and in transit, previously an addressable specificatioN
3. Annual penetration testing, not just vulnerability scanning, but actual adversarial testing of your environment
4. Biannual vulnerability scans with documented remediation plans
5. Comprehensive technology asset inventory and network map, maintained and updated annually
6. Network segmentation, separating ePHI environments from general network access
7. Security incident response and restoration within 72 hours, not just a plan, but a tested capability
8. Annual formal compliance audits, documented and structured, not just a self-attestation

For many mid-market healthcare, med device, insurer, and pharma organizations, several of these controls are already in place. For others, this is an intimidating list that will require serious investment and planning to address; security leaders are being presented with yet another list of gaps they will have to close. Rural and regional hospitals are particularly exposed, and are understandably where most of the industry pushback is coming from.

It’s worth bearing in mind, though—this compilation is still a list of "minimums". As our HIPAA Service Lead Holly Wendricks points out,:

“It’s about setting internal standards that exceed compliance, not just meeting the minimum threshold defined by regulation.”

Aligning Your HIPAA Program with Your AI Initiatives

The 2026 HIPAA Security Rule proposal does overhaul baseline cybersecurity expectations. But it doesn’t necessarily modernize them. The rule was designed to address the threat environment of a few years ago, not the one being built right now.

At HIMSS 2026 last week, agentic AI dominated conversations. Health system CIOs are moving quickly to deploy autonomous systems that manage clinical documentation, prior authorizations, care coordination, and patient outreach with minimal human oversight. That is a fundamentally different operating model than HIPAA was built for.

HIPAA assumes data is static, stored in known locations, and accessed by a small set of identified people. An agentic AI workflow breaks every one of those assumptions.

A single patient interaction can now involve an AI agent pulling ePHI from multiple systems, reasoning across that data autonomously, calling external APIs, and passing outputs to other agents. The compliance question is no longer simply who has access. It is what the AI does with the data, where it sends it, and whether any human reviewed those decisions.

The numbers show how fast this is already getting away from organizations. Research published in early 2026 found that 66% of U.S. physicians now use AI tools in clinical practice, but only 23% of health systems have Business Associate Agreements in place covering those tools. That gap is not a future risk. It is a current violation, at scale.

Three things to address before the final rule lands:

1. Map your AI data flows as part of your asset inventory. The proposed rule requires a comprehensive technology asset inventory. Most organizations will interpret this as servers and endpoints. The actual exposure is the AI agents operating across your EHR, billing, scheduling, and communication systems. If you cannot see them, you cannot govern them.
2. Audit your BAA coverage for AI vendors specifically. Every AI tool that touches ePHI must have a BAA (Business Associate Agreement), and that BAA must reflect AI-specific use cases. Most existing BAA languages predate large language models entirely. Demand updated agreements that address training data use, inference-time data access, and subprocessor chains.
3. Define human review requirements before regulators do it for you. The proposed rule does not address AI oversight or accountability for autonomous decisions. That is a gap your governance program needs to close internally. Decide which AI-driven decisions affecting patient care require a human review step, and build the audit trail to prove it.

The organizations that will handle this transition well are not waiting for a final rule to tell them what AI governance looks like. They are asking the hard questions now, while there is still time to build the right foundation.

The Timeline, and Why You Should Not Wait for the Final Text

"I want to address something I keep hearing from compliance teams: we will wait until the final rule is published before we act."

That is a reasonable instinct for low-stakes regulatory changes with a long implementation timeline. This is not one.

The final rule is currently targeted for May 2026. If published on that timeline, it would become effective 60 days later. Regulated entities then have 180 days to comply, pushing the compliance deadline to late 2026 or early 2027.

OCR launched a new round of compliance audits in March 2025. Enforcement has been active: in 2025 alone, OCR levied more than $6.6 million in HIPAA fines. We can expect more of the same in the next twelve months.

Organizations that begin gap assessments and remediation planning now will have 12 to 18 months of runway. Organizations that wait for the final rule will have 6 months to comply. In cybersecurity program development, that difference is enormous.

Sure, there is meaningful uncertainty about the final rule's exact language. There was significant industry pushback during the comment period, and some provisions may be modified. But the direction is clear, and the major changes, including mandatory safeguards, MFA, encryption, pen testing, asset inventory, and tighter BA oversight, are not going away. Waiting for perfect information before acting is a bet I simply would not make as a security professional in 2026.

As HIPAA Service Lead and Senior Consultant, Holly Wendricks points out:

“While the new standards from OCR build on what’s already written, which is a positive step, they still fall short of what we would ever recommend to our clients. Regulations, by design, are reactive; they tend to address the last major breach or compliance failure, not the next one."

True security, however, is proactive.

"Being proactive means staying ahead and anticipating emerging threats, adopting best practices before they’re required, and understanding that "good enough" is never good enough when patient data, trust, and reputation are at stake.”

Holly is right. We need proactive security to be the standard. The FBI's 2024 report found that healthcare had the highest combined total of ransomware and data theft attacks of any U.S. critical infrastructure sector, with 444 reported incidents including 238 ransomware attacks and 206 data breach incidents.

The healthcare sector is the most targeted industry for ransomware. AI-generated deepfake attacks are now bypassing clinical and administrative workflows in ways that were not possible even two years ago. Business associates have become the primary breach vector at large health systems, not because those systems have weak programs, but because their vendors do. The 2026 HIPAA Security Rule update is the forcing function to change that. The window to do this well is open right now. Use it.

Ready to see where your program stands against the new requirements?

We help healthcare and pharma organizations run gap assessments against the proposed HIPAA Security Rule changes, prioritize remediation, and build the documentation framework OCR will expect. If you want a clear picture of what needs to change before the compliance clock starts running, let's talk.

Book a 30-minute scoping conversation: https://meetings.hubspot.com/aaron531/30-min