HIPAA Updates for 2026 – Where is Medical Privacy Headed?
02/26/2026 Live Webinar
Description
The regulatory environment for health information privacy and security is evolving rapidly, driven by heightened federal scrutiny, major rulemaking initiatives, and the intensification of cyber threats targeting the healthcare sector. All of this has led to anticipated changes for 2026. Against these anticipated changes, the direction of the new Presidential administration, with its pro-business and anti-regulatory perspective, may prevail.
This signals that covered entities and business associates should expect more prescriptive requirements, more expansive enforcement, and significantly higher expectations for technical rigor.
The U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) have indicated that their long-planned Security Rule modernization remains on track, with finalization expected in 2026.
Unlike the current flexible, risk-based structure adopted in 2003, the proposed rule introduces specific and mandatory technical safeguards, such as stricter encryption requirements, required multifactor authentication, mandated vulnerability and penetration testing, improved patch management practices, enhanced workforce training provisions, and clearer expectations around incident response and system monitoring.
The message is unambiguous: the era of broad discretion in HIPAA security implementation is ending, and organizations will need concrete, demonstrable controls rather than high-level policies.
Enforcement activity is also expanding, most notably through OCR’s newly delegated authority to enforce the confidentiality protections governing substance use disorder (SUD) treatment records under 42 C.F.R. Part 2.
This shift brings Part 2, long considered one of the most stringent privacy frameworks in the U.S., squarely into OCR’s enforcement portfolio. Entities that operate SUD treatment programs or hold Part 2 records now face potential civil monetary penalties, compliance reviews, and corrective action plans similar to those used in HIPAA enforcement.
While HHS declined to fully align Part 2 with HIPAA’s security requirements, organizations that are subject to both regimes must nevertheless apply robust technical safeguards to ensure that highly sensitive SUD information is adequately protected against cyber risk.
The third major theme is escalating enforcement pressure stemming from the healthcare sector’s ongoing vulnerability to ransomware and other cyberattacks. OCR has launched initiatives specifically targeting inadequate or superficial security risk analyses (SRAs), a requirement that remains the backbone of HIPAA’s risk-based approach even ahead of the new rule.
Regulators are signaling that cursory, checklist-style assessments are no longer acceptable. At the same time, OCR continues aggressive enforcement of the patient right-of-access standard and is increasing expectations around compliance with reproductive health information protections and interoperability rules that took effect in late 2024.
Taken together, these developments reflect a broader regulatory posture: more prescriptive standards, more consistent enforcement, and an emphasis on measurable, accountable security practices. Healthcare organizations must prepare for a compliance environment characterized by short implementation timelines, heightened documentation expectations, and increasing penalties for failure to modernize.
Why should you Attend?
Learn about the HIPAA privacy and security changes anticipated in 2026 that may affect your practice.
Areas Covered in the Session
- Regulatory Context: Why Significant Changes Are Coming
- Why These Changes Matter for Daily Clinical Practice
- New Expectations Under the Modernized HIPAA Security Rule
- HIPAA Security Rule Modernization: Legal Requirements Practitioners Must Know
- Expanded Enforcement: OCR’s Heightened Focus on Individual Responsibility
- Cybersecurity Expectations and Ransomware Response
- Practical Compliance Steps for Practitioners to Reduce Legal Risk
Who will Benefit?
Healthcare practitioners and practices operating in 2026 and going forward
Webinar Details
- Date: 02/26/2026
- Time: 12:00 PM - 01:00 PM (EST)
- Registration Deadline: 02/25/2026
- Venue: Live Webinar
Speaker:
Mark R. Brengelman
Attorney at Law, Frankfort, Kentucky
Mark holds Bachelor’s and Master’s degrees in Philosophy from Emory University and a Juris Doctorate from the University of Kentucky. Retiring as a...




