The healthcare industry is on the threshold of one of the most substantial updates to HIPAA regulations in over a decade. The US Department of Health and Human Services (HHS) has proposed changes to the HIPAA Security Rule in direct response to the growing cybersecurity threats in our nation and abroad; the changes are intended to take effect this year, pending finalization of the rule.
Note: as of this writing, the proposal remains a Notice of Proposed Rulemaking (NPRM) and has not been finalized as a Final Rule with effective and compliance dates. For more information, please visit the Federal Register at https://www.federalregister.gov/documents/2025/01/06/2024-30983/hipaa-security-rule-to-strengthen-the-cybersecurity-of-electronic-protected-health-information.
The HHS proposed updates will affect both covered entities and business associates covered under HIPAA. The updates presented in the Federal Register include stricter compliance requirements, enhanced documentation standards, and more robust cybersecurity protocols.
Proposed Changes to HIPAA in 2026
While your agency needs to understand all of the proposed changes and how they affect your business, some are considerably more impactful than others, and regulated entities should prepare for those well in advance.
1. Mandatory Annual Compliance Audits
Business Associates will be required to conduct formal audits annually and share results with every covered entity with which they are connected. This annual exercise enhances overall transparency and responsibility throughout the entire healthcare ecosystem.
2. Enhanced Business Associate Agreements (BAAs)
BAAs will become more granular, spelling out specific security requirements such as:
- Multifactor authentication
- Encryption standards
- 24-hour incident reporting timelines
- Annual audit obligations
- Alignment with NIST cybersecurity practices (broadly encompassing the practices of “identify, protect, detect, respond, and recover”)
3. Expanded Risk Assessment Requirements
Organizations must conduct more detailed, documented risk analyses to identify threats, vulnerabilities, and impacts to electronic protected health information (ePHI). Conducting the assessment is essential, but it is not a one-time task: acting on its findings and reviewing how your organization addresses the risks and opportunities it surfaces will be an ongoing exercise.
4. Removal of “Addressable” vs. “Required” Standards
All implementation specifications will become mandatory, eliminating the flexibility previously allowed under the “addressable” category.
5. Stronger Cybersecurity Safeguards
Entities must adopt:
- Encryption and MFA as standard safeguards
- Regular penetration testing and vulnerability scans
- Technology asset inventories and network mapping
- Data restoration procedures within 72 hours
6. Expanded Scope of ePHI
The scope of Protected Health Information will broaden to include additional data types, such as digital footprints from patient interactions. The intent and focus of the proposed rule are on how this ePHI is protected, especially in its electronic form.
7. Increased Penalties for Non-Compliance
In the Federal Register, HHS proposes to increase penalties for non-compliance primarily by expanding enforcement and moving toward a more rigorous, proactive compliance model. Covered entities that fail to meet the new standards may face higher fines following review by the Office for Civil Rights (“OCR”), which the proposal tasks with focusing on a broader range of HIPAA requirements.
What Does This Mean for Healthcare Organizations?
The proposed changes published by HHS in the Federal Register convey a transition from a flexible, risk-based approach to HIPAA security compliance to a more prescriptive, standardized one. While larger organizations may already have many of these security measures and practices in place, smaller practices may face a steeper learning curve and increased ongoing costs to comply with and maintain the proposed changes.
How Qualifacts Is Ready to Support You
At Qualifacts, we recognize the significance of these changes and the challenges they may present. That’s why we have already proactively aligned our EHR platforms and support services with the proposed HIPAA requirements. Here are some ways we’re helping our partners stay ahead:
- Qualifacts Security Framework: Our systems are built with industry-leading security protocols, including encryption, MFA, and continuous monitoring.
- Audit-Ready Documentation: We provide detailed compliance documentation and support to optimize annual audit processes.
- Enhanced BAA Support: Our legal and contracting teams are prepared to assist customers with the BAA to incorporate the new proposed requirements.
- Risk Assessment Tools: Qualifacts provides integrated tools to help organizations conduct careful risk assessments and implement effective mitigation strategies.
- Client Education & Resources: Through webinars, white papers, and direct consultation, Qualifacts ensures our customers are informed and empowered to meet new compliance standards.
The proposed changes to HIPAA are not merely regulatory updates; they represent a significant call to action for the entire healthcare industry to enhance security and safeguard patient data. Qualifacts is dedicated to being a reliable partner in this endeavor, providing the tools, expertise, and support essential for successfully navigating the evolving compliance landscape.
Let’s prepare together. Contact us today to learn how Qualifacts can help your organization meet the new proposed HIPAA standards and thrive in a more secure healthcare environment.