HIPAA Security Rule Changes: January 2026 Update & What Practices Need to Know

Every January seems to bring a fresh wave of HIPAA anxiety — and January 2026 is no exception. Over the past year, speculation, silence, and conflicting information about proposed HIPAA Security Rule changes have left many practice owners wondering whether a sudden, disruptive compliance overhaul is coming.


The short answer? No.

What is happening is slower, more deliberate, and far less dramatic than much of the chatter suggests. In this article, we’ll break down where things actually stand, what the proposed changes are really about, and what — if anything — you should be doing right now.

An image that reads: A client's records are more than just clinical notes.

Why We’re Talking About This Again

In January 2025, the Office for Civil Rights (OCR), the HIPAA regulatory authority under the U.S. Department of Health and Human Services, published a Notice of Proposed Rulemaking (NPRM) outlining potential updates to the HIPAA Security Rule. The public comment period closed in March 2025 after an enormous response from stakeholders across healthcare — solo practitioners, group practices, hospitals, insurers, and vendors alike.

After that? Silence.

For much of 2025, there was no public-facing communication from OCR, and many assumed the proposed rule would be quietly abandoned — especially given broader political trends toward deregulation.

That assumption changed in January 2026.

OCR has now placed the HIPAA Security Rule update on its Unified Regulatory Agenda, with a target milestone of May 2026. That placement tells us one important thing:

The NPRM has not been abandoned.

At the same time, it’s critical to understand what this doesn’t mean.

What Agenda Placement Actually Signals (and What It Doesn’t)

Seeing a May 2026 agenda date has understandably raised questions:

  • Is this really happening?
  • What’s going to change?
  • Do we need to scramble?

Here’s the key clarification:

Agenda placement is a signal of intent — not an enforcement deadline.

A May agenda date does not mean the rule takes effect in May, that practices must be compliant immediately, or that enforcement suddenly begins. It tells us the OCR is continuing to work on the rule rather than abandoning it, which is, honestly, a good thing for everyone. We’ll explain why.

Why This Rule Is Still Moving Forward

One important piece of context that’s easy to miss in the noise is why the Office for Civil Rights is continuing to move this rule forward at all.

The OCR has been explicit that the NPRM is a response to the current cybersecurity threat landscape — particularly the sharp increase in large-scale breaches driven by ransomware and hacking, as well as the growing reliance on complex, interconnected technologies across healthcare. In recent years, breaches have become not only more frequent, but far more disruptive and costly.

The OCR has also pointed to widespread confusion and inconsistency in how regulated entities interpret and apply the HIPAA Security Rule, especially when it comes to what “reasonable and appropriate” safeguards look like in modern environments.

In that sense, this NPRM is less about raising the bar and more about closing the gap between an outdated regulatory text and present-day practice realities.

It’s also important to understand that this effort is not happening in a political vacuum. Strengthening cybersecurity protections for healthcare information has unusual bipartisan support, largely because the consequences of weak healthcare cybersecurity are now impossible to ignore.

When healthcare systems are compromised, the harm isn’t abstract. Disruptions can delay or derail care, expose deeply sensitive personal information, and create cascading impacts for individuals, families, and entire communities. At scale, widespread vulnerabilities in healthcare infrastructure are increasingly recognized as a national security concern, not just a regulatory or compliance issue.

In other words, the NPRM reflects a broad consensus that safeguarding health information is critical both to individual patient safety and to the resilience of essential domestic infrastructure.

What the Proposed Changes Are Actually About

This is not a brand-new security regime. It’s a modernization and clarification of expectations that the OCR is already enforcing — and has been for years, as discussed in Episode 603 of the Practice Tech Podcast.

At its core, the NPRM applies existing HIPAA Security Rule standards to the current technological and threat landscape, with clearer expectations around safeguards and verification.

That context matters, because the HIPAA Security Rule — as written — is significantly behind the times.

A Rule Written for a Very Different Era

The HIPAA Security Rule was finalized in 2003, and it has remained largely unchanged despite dramatic shifts in how healthcare is delivered, documented, and secured. While there were limited updates through HITECH (2009) and the Omnibus Rule (2013), the core Security Rule standards have not been meaningfully modernized in over two decades.

That means the rule predates:

  • Cloud-based EHRs and SaaS infrastructure
  • Remote and hybrid work as the norm
  • Bring-your-own-device (BYOD) practice environments
  • Multi-factor authentication as a baseline safeguard
  • Today’s ransomware, credential-stuffing, and supply-chain attack landscape

The result is a rule that is intentionally principles-based, but increasingly vague when applied to modern practice realities.

The NPRM is the OCR’s attempt to close that gap — not by inventing new obligations, but by making explicit what “reasonable and appropriate” safeguards look like today.

Core Themes of the Proposed Changes

The NPRM focuses on:

  • Clearer, more explicit security expectations
    Less ambiguity about what’s required
  • Stronger emphasis on verification
    Not just “we have a policy,” but “we know it’s working”
  • Alignment with modern cybersecurity realities
    Including multi-factor authentication (MFA), encryption, and ongoing risk management

Some of the specific requirements that have generated reaction include:

  • A written, thorough, and ongoing Security Risk Analysis process
  • Documented risk mitigation planning
  • Asset inventories (systems, devices, and people handling Protected Health Information/PHI)
  • Information System Activity Review
  • Validation activities such as vulnerability scanning (and, in certain contexts, penetration testing)

When viewed in isolation, these can sound intimidating. But in context, they largely reflect best practices the OCR already expects — and often already enforces — today.

Why NIST Matters Here (and Why This Should Feel Familiar)

Because the Security Rule is principles-based and technologically outdated, the Office for Civil Rights — the HIPAA regulatory arm of the U.S. Department of Health and Human Services — has long relied on NIST (the National Institute of Standards and Technology) frameworks to interpret what “reasonable and appropriate” safeguards actually mean in modern environments.

NIST is widely regarded as the gold standard for cybersecurity frameworks, and it already underpins:

  • OCR enforcement actions
  • Federal healthcare cybersecurity guidance
  • Modern interpretations of HIPAA Security obligations

The NPRM largely codifies and validates this NIST-based approach, translating long-standing guidance into more explicit regulatory expectations.

This is also why the NPRM places a stronger emphasis on concepts like deploying and implementing safeguards — not merely writing policies, but ensuring controls are configured, operational, and actually working in practice.

That distinction mirrors what the OCR has already emphasized in enforcement actions — and what PCT has long taught: policies alone do not secure client information.

This is exactly why practices that have been doing things the PCT Way do not need to be distressed by the NPRM becoming a Final Rule.

PCT’s HIPAA Compliance programs were intentionally built around applying the HIPAA Security Rule Standards in modern practice and threat contexts, using the NIST framework — long before this NPRM existed.

For practices already doing real security work:

  • The direction is not changing
  • The expectations are not fundamentally new
  • And the NPRM largely confirms you’re already on the right path

Small(er) Practices, SaaS, and What This Doesn’t Mean

This is where a lot of nervous systems can settle…

For most solo and group mental health practices today, the reality is:

  • You’re software-as-a-service (SaaS — or as we like to say, “SaaSy”) based, meaning you rely on cloud-based, HIPAA-friendly platforms rather than running your own servers to deliver client care and handle Protected Health Information (PHI) within your HIPAA scope of responsibility
  • You’re using an EHR, Google Workspace or Microsoft 365, secure messaging, and HIPAA-friendly voice and video systems
  • You are not hosting or maintaining core infrastructure (e.g. servers) yourself

That distinction matters.

What this means you do not need to do:

  • Run enterprise-level red-team penetration tests
  • Try to “hack” your EHR, Google, Microsoft, etc.
  • Purchase expensive security tooling you don’t understand

For SaaSy practices, penetration testing is the responsibility of your HIPAA Business Associates, not you. Vendors are required to perform that testing and provide evidence that all required safeguards are in place and effective.

What does fall within your scope is something called vulnerability scanning — which, in practice, usually means:

  • Configuration review
  • Identity and access review
  • Device security review (especially in Bring Your Own Device/BYOD environments)

If you’re already reviewing and verifying that systems are configured correctly, that multi-factor authentication is enabled where required, and that devices are properly secured and access credentials are safeguarded, then you’re already doing this work.

The OCR is not expecting solo practices or group practices to behave like hospitals. They are expecting documentation, consistency, and follow-through for the things you actually control.

Timing Matters: Effective Dates vs. Compliance Dates

Another major source of unnecessary fear is confusion about timelines.

Once a final rule is published, there are two different dates to understand:

  • Effective date
    • Often around 30 days after publication
  • Compliance date
    • When enforcement actually begins
    • Typically 6–24 months later for security rules

For substantive security changes, OCR historically provides long runways — especially for small entities.

A reasonable (but not guaranteed) forecast looks like this:

  • Final rule: mid-to-late 2026, at the earliest
  • Compliance deadlines: late 2026 into 2027 (at the earliest), but — most likely — late 2027 or in 2028

Which means:

This is not a cliff. It’s a runway.

Why Many PCT Clients Are Already Well Positioned

If you’ve done real HIPAA Security work — not ‘performative compliance’ — this NPRM likely doesn’t change your posture in any meaningful way.

PCT’s comprehensive HIPAA Compliance programs already require and provide for:

  • Written, thorough Security Risk Analysis
  • Risk mitigation planning
  • MFA
  • Encryption
  • Asset inventories
  • Information System Activity Review
  • Access Controls
  • Application of Standards to Modern Technology, Practice, and Threat Context
  • In-Practice Implementation

Our approach is grounded in NIST-based security frameworks, which are widely considered the gold standard in cybersecurity — and which the NPRM itself largely reflects and validates.

That means there’s no scrambling, no wholesale rewriting of policies, and no dramatic pivot required.

What to Do (and Not Do) Right Now

Do:

  • Stay informed
  • Focus on real, in-practice security
  • Make sure your risk analysis and mitigation plan are documented and current
  • Ensure your written HIPAA Security Policies & Procedures are implemented and actually followed in-practice

Don’t:

  • Panic
  • Buy tools you don’t understand
  • Assume silence means nothing is happening

Want Help Orienting Where Your Practice Stands?

If you want help translating all of this into your own practice context, our Mini Risk Tool offers a quick, structured check-in to help you see where you’re already solid — and where focused attention would most meaningfully strengthen your security foundation.

The Mini Risk Tool walks through the same core areas the proposed Security Rule updates emphasize — your tech stack, workforce training, device security, risk analysis and mitigation planning, and written policies and procedures — not because these are new requirements, but because they’re foundational.

Seeing something “outside the circle” doesn’t mean you’re failing. It simply highlights where proportionate, intentional work can further protect your clients and your practice.

Not sure where you land?

Use the Mini Risk Tool to check where your practice currently stands.

This (free!) mini risk analysis is like a gentle check-in for your practice’s security, compliance, and functionality — designed to help you identify what will most meaningfully support, optimize, and fortify your practice.

Talk It Through In Office Hours

And if you’re someone who thinks best by talking things through, you’re always welcome to bring questions to Office Hours. We regularly walk through how these proposed Security Rule updates apply in real-world practice settings — and help folks separate what’s noise from what actually matters.

Centering This in the Context of Client Care

At its core, HIPAA Security isn’t at odds with client care — it supports it. In a healthcare landscape where cyber vulnerabilities can disrupt care and expose sensitive information at scale, strong security practices are part of maintaining public trust in essential healthcare infrastructure. Safeguarding client information is part of ethical, competent practice.

If you’re already doing what’s reasonable and appropriate within your control, you’re in a strong position. And if there are areas to improve, you have time to address them incrementally — without fear-driven decision-making or urgency pressure.

We’ll Keep Translating What Matters

We’ll continue tracking this closely, filtering out the noise, and translating what actually matters for mental health practices.

You don’t need clickbait. You need clarity, context, and calm — and that’s exactly what we’ll keep providing.

See our comprehensive HIPAA programs for group practices and solo practitioners:
