TL;DR
- To be HIPAA-compliant in 2026, expect stricter third-party risk management, including clearer contract requirements, stronger oversight and faster incident reporting when a vendor works with ePHI
- February 16, 2026 is the deadline for the remaining HIPAA Notice of Privacy Practices (NPP) modifications
- February 16, 2026 is also the Part 2 compliance date, which matters if you handle SUD records or receive them from Part 2 programs
- The HIPAA Security Rule rewrite is still a proposed rule, but the government's own agenda targets May 2026 for final action
- Under the proposed Security Rule, multi-factor authentication (MFA) becomes mandatory for access to ePHI, encryption of ePHI at rest and in transit becomes compulsory, vulnerability scans are required at least every six months, and penetration testing at least every 12 months
HIPAA compliance is entering a new era in 2026. What was once treated as a documentation exercise is now being enforced as a baseline security standard — and regulators expect organizations to prove it.
If you think a risk analysis can justify skipping standard measures like encryption or multi-factor authentication, you are putting your organization on the line. The risk is highest when you cannot explain your privacy practices easily, cannot produce evidence that controls are working, or handle substance use disorder (SUD) data inconsistently.
HIPAA's 2026 updates signal that the existing approach to compliance has not been enough to prevent breaches or downtime. So the Department of Health and Human Services (HHS) is responding with stricter, more measurable requirements.
Here's what's changing, and what it means for your organization, training, and documentation.
What HIPAA updates are expected in 2026?
In 2026, patients will see better explanations of how their data is used, and regulators will push organizations toward security controls you can demonstrate.
Privacy and cybersecurity will be evaluated as a single operating posture, with more documentation, tighter timelines, and less room for subjective interpretation.
Rachna Dutt, Infosec and Compliance Consultant at Sprinto, says that 2026 creates a two-track compliance problem for healthcare teams.
“Some requirements are date-certain, like the Part 2 final rule and the related NPP updates. Others, like the proposed Security Rule modernization, could reshape your entire security baseline but may land on a different timeline. Don’t treat those as competing priorities. You need an execution plan for the hard deadline, and a roadmap for the controls you will be expected to prove in the next audit cycle.”
These are the biggest changes coming to HIPAA in 2026.
1. Privacy Rule updates (pending)
If finalized, the Privacy Rule changes will likely tighten the day-to-day mechanics of using and sharing PHI, especially around care coordination and routine operations. You can expect some major adjustments to your healthcare data workflows:
- Clearer rules on when PHI may be used and disclosed for care coordination and operations
- Shorter timelines and sharper expectations for responding to access requests
- Clearer handling of restriction requests, accounting of disclosures, and the documentation behind them
2. Security Rule modernization
Security modernization is expected to move from open-ended standards to clearer baseline controls. The changes we expect are:
- Stronger identity and access controls across staff, admins and third parties
- Mandatory encryption and monitoring to reduce blind spots
- A higher bar for incident response, testing, and validation of controls
3. Part 2 (SUD records) alignment
Part 2 alignment should make Substance Use Disorder, or SUD, confidentiality fit more smoothly alongside HIPAA while keeping extra protections against improper disclosure and redisclosure. Organizations that work with SUD records will need consistent handling across people, processes, and systems. Expect to see:
- Updates to consent flows and redisclosure rules for SUD information
- Training for clinical and front-desk teams on the changes in daily handling
- Adjustment to systems so that sensitive data follows the right permissions and segmentation
4. NPP updates and administrative changes
NPP updates will likely focus on clearer explanations and better delivery practices across intake and digital channels. Administrative expectations may also become more audit-ready, with stronger demands for traceability.
Here’s what you can do to prepare for NPP updates:
- Refresh printed and online NPP materials and standardize delivery steps
- Rework internal guidance so staff can explain practices without improvising
- Tighten documentation hygiene for complaints, audits, and policy maintenance
The biggest HIPAA privacy rule changes to watch
Privacy work breaks down when it lives only in legal language.
Patients rarely read dense notices, and auditors look for proof that your day-to-day workflows match what your notice promises. You need a notice that anyone can follow and a program that consistently behaves the way the notice describes.
1. NPP updates are not optional anymore
Your NPP is a required compliance control that sets expectations for patients and anchors what you train staff to do.
After a federal court vacated most of the 2024 HIPAA rule focused on reproductive health privacy, HHS has stated that the remaining NPP changes were not disturbed and still apply.
Compliance with those NPP changes is required by February 16, 2026, and covered entities that maintain a website must prominently post the notice there.
Dutt notes that NPP updates fail when they stay trapped in legal text. In her words, your notice is “only as strong as your frontline behavior. Treat the February 16 deadline as readiness. Refresh the notice, then equip staff with simple scripts for the most common questions, clear handoffs to a privacy lead, and a consistent delivery step at intake and online.”
Here’s what to do now:
- Rewrite your NPP like you actually want patients to understand it
- Add a section that explains sensitive categories you handle, including SUD-related data flows if applicable
- Make sure your website version and your in-office version match
2. Interoperability pushes you toward clearer patient rights
Interoperability means people can pull their data through portals and apps, and payers and providers exchange more information through standardized APIs. As access expands, patients download and share their records more often and demand clearer answers about who can access their data, where it travels, and how it is used.
CMS has been going in this direction for years, and its more recent interoperability and prior authorization rule adds new requirements and reporting starting in 2026, including payer reporting about data requests made through the Patient Access API.
Two reasons this matters for your NPP now:
- Patients will not accept vague statements like ‘we may share your information’
- Your notice must clearly explain where patient data goes, who receives it, and for what purpose, whether through portals, connected apps, payer data exchanges, or care coordination activities.
3. Part 2 changes force better consent discipline
If your organization handles SUD treatment records, your privacy program needs a refresh because 42 CFR Part 2 rules are being matched more closely with HIPAA as required by the CARES Act.
In simple terms, the rules aim to make appropriate information sharing easier while keeping extra protections against misuse and against using SUD records against a patient in certain legal settings.
One of the biggest changes is that a single consent can cover future uses and disclosures for treatment, payment, and health care operations, which can simplify billing and care coordination.
That only helps if your intake and downstream workflows can reliably capture, store, and honor that consent, including being able to show it in an audit and apply any limits consistently.
Dutt adds that Part 2 alignment is really a workflow engineering project.
“A single consent that includes future treatment, payment, and operations only helps if your systems can capture it once and honor it everywhere. That means your EHR, billing and patient portal, and any downstream partner need to mirror the same permissions and redisclosure limits.”
What’s changing with the HIPAA Security Rule update
Security is where privacy promises either hold up or fall apart. If systems are down, staff will route around controls, share files in insecure ways, and create exactly the kind of exposure your policies claimed would not happen.
The Security Rule update is still a proposed rule, so details can change. But the direction is clear: regulators are moving away from flexible, organization-defined safeguards and toward specific, prescriptive requirements that are measurable and easier to audit.
Why regulators are being stricter now
HHS and OCR have been pointing to a sharp rise in major breach activity, driven largely by hacking and ransomware.
OCR has said that from 2018 to 2023, the number of reported large breaches increased by 102% and the number of affected individuals increased by 1,002%, and in 2023, more than 167 million people were affected by large breaches.
That context explains the policy shift. When incidents are frequent and disruptive, regulators tend to stop relying on flexible language and start demanding baseline controls that most organizations should be able to implement.
What changes are expected (in terms of specificity)
The proposed updates try to remove ambiguity. Many safeguards that were previously ‘addressable’ are being pushed toward ‘you must do this, unless you document a narrow exception and implement something equally effective.’
The proposal also places heavy emphasis on cyber hygiene that can be checked against a calendar. This includes routine scanning, periodic penetration tests, formal inventories, and maps of where ePHI lives and how it moves, as well as reviews of incident response and contingency planning.
Here's what auditors are likely to ask you to prove:
| What the proposal is pushing toward | What the control should look like | Evidence auditors expect |
|---|---|---|
| MFA for systems that handle electronic protected health information (ePHI) | MFA turned on broadly, with stronger controls for admin accounts and clean, documented exceptions | MFA enrollment report, exception log, access review records |
| Encryption for ePHI in transit and at rest | Encryption is the default, key ownership is defined, exceptions are rare and justified | Encryption settings, key management documentation, exception approvals |
| Vulnerability scanning and penetration testing on a schedule | Scans and tests happen on time, findings are tracked to closure, owners and deadlines are clear | Scan reports, pen test summary, remediation tickets with closeout proof |
| Inventory and map of ePHI systems | You can point to where ePHI resides, how it moves and which vendors get access to it | Asset inventory, data flow map, vendor list tied to systems |
| Backups that support real recovery | Backups are isolated from ransomware paths, restores are tested and critical systems can be brought back quickly | Backup architecture diagram, restore test results, recovery time objectives |
A useful rule of thumb is this: if your evidence is scattered across inbox threads and screenshots you chase the week before an audit, you do not have evidence.
Dutt also points out that the proposed Security Rule modernization is forcing teams to operationalize proof instead of intentions.
“Multi-factor authentication and encryption stop being a choice when auditors expect enrollment reports, key management records and exception logs on demand. The same is true for scanning and testing. It is not enough to run a vulnerability scan. You have to show the schedule, the findings, the owner, and the closure.”
What to start doing now, even before the rule is final
- Make your risk analysis audit-ready: Keep it written and tied to specific systems and vendors, with a named owner and a scheduled review date
- Automate evidence collection: Use scheduled reports, ticket trails, and saved access reviews so proof exists without last-minute scrambling
- Assign clear control owners: Have one accountable person per key area like access or patching, with a simple exception process
- Test response and recovery: Run ransomware drills and do restore tests for critical systems, then document fixes
- Inform leadership on what breaks first: Identify the systems that would halt care or billing, set recovery targets and fund the gaps
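The table of evidence above and the list of things to start now both come down to the same point Dutt makes: the scan, the MFA setting and the exception approval are not evidence until they are joined together and checked on a schedule. The script below is an added example written for this article, not Sprinto's product code or any HHS tooling. It runs two of those checks over constructed sample data: an invented IdP user export joined to an invented exception log (flagging accounts without MFA whose exception is missing or expired, and admin accounts without MFA at all), and an invented scanner export joined to ticket IDs (flagging findings past a remediation SLA, closed late, or open with no ticket). The column names, the exception policy for admins and the SLA day counts are all assumptions for the example.

```python
"""Evidence checks for MFA coverage, exception hygiene and scan closure.

All inputs below are constructed sample data for this example; the IdP
export format, the exception log and the SLA values are assumptions, not
a real system's schema or any regulator's numbers.
"""
from datetime import date

AS_OF = date(2026, 2, 16)  # assumed reporting date

# Constructed IdP export: one row per account on an ePHI system.
USERS = [
    {"user": "alice",   "admin": True,  "mfa": True,  "exception": None},
    {"user": "bob",     "admin": True,  "mfa": False, "exception": None},     # admin with no MFA
    {"user": "carol",   "admin": False, "mfa": False, "exception": "EXC-7"},  # valid exception
    {"user": "dave",    "admin": False, "mfa": False, "exception": "EXC-3"},  # expired exception
    {"user": "svc-hl7", "admin": False, "mfa": False, "exception": "EXC-9"},  # id not in the log
    {"user": "erin",    "admin": False, "mfa": True,  "exception": None},
]

# Constructed exception log: approver, compensating control, expiry date.
EXCEPTIONS = {
    "EXC-7": {"approved_by": "ciso", "control": "IP-allowlisted kiosk", "expires": date(2026, 6, 30)},
    "EXC-3": {"approved_by": "ciso", "control": "legacy lab device",    "expires": date(2025, 12, 31)},
}

# Assumed remediation SLA in days by severity (policy values, not from the rule).
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90}

# Constructed scanner export joined to the ticket tracker.
FINDINGS = [
    {"id": "F-101", "host": "ehr-db01",    "severity": "critical", "found": date(2026, 1, 10), "closed": date(2026, 1, 20), "ticket": "SEC-501"},
    {"id": "F-102", "host": "pacs-web",    "severity": "high",     "found": date(2026, 1, 5),  "closed": None,              "ticket": "SEC-502"},
    {"id": "F-103", "host": "billing-app", "severity": "medium",   "found": date(2026, 1, 1),  "closed": None,              "ticket": None},
    {"id": "F-104", "host": "pacs-web",    "severity": "critical", "found": date(2026, 2, 10), "closed": None,              "ticket": "SEC-510"},
]


def mfa_report(users, exceptions, as_of):
    """Coverage plus every account whose lack of MFA is not backed by a live exception."""
    enrolled = sum(1 for u in users if u["mfa"])
    unprotected, admin_gaps, invalid_exceptions = [], [], []
    for u in users:
        if u["mfa"]:
            continue
        if u["admin"]:
            admin_gaps.append(u["user"])  # assumed policy: admin accounts get no exceptions
        exc = exceptions.get(u["exception"]) if u["exception"] else None
        if exc is not None and exc["expires"] >= as_of and not u["admin"]:
            continue  # approved, unexpired, documented: an acceptable gap
        unprotected.append(u["user"])
        if u["exception"]:
            invalid_exceptions.append((u["user"], u["exception"]))  # expired or unknown id
    return {
        "total": len(users),
        "enrolled": enrolled,
        "unprotected": unprotected,
        "admin_gaps": admin_gaps,
        "invalid_exceptions": invalid_exceptions,
    }


def scan_report(findings, sla_days, as_of):
    """Findings past SLA, closed late, or still open without a remediation ticket."""
    overdue, closed_late, untracked = [], [], []
    for f in findings:
        sla = sla_days[f["severity"]]
        age = ((f["closed"] or as_of) - f["found"]).days  # open findings age until as_of
        if f["closed"] is None and f["ticket"] is None:
            untracked.append(f["id"])
        if age > sla:
            (closed_late if f["closed"] else overdue).append(f["id"])
    return {"overdue": overdue, "closed_late": closed_late, "untracked": untracked}


if __name__ == "__main__":
    m = mfa_report(USERS, EXCEPTIONS, AS_OF)
    print(f"MFA enrolled {m['enrolled']}/{m['total']}; unprotected: {m['unprotected']}")
    print(f"admin accounts without MFA: {m['admin_gaps']}")
    print(f"expired or unknown exceptions: {m['invalid_exceptions']}")
    s = scan_report(FINDINGS, SLA_DAYS, AS_OF)
    print(f"overdue: {s['overdue']}; closed late: {s['closed_late']}; untracked: {s['untracked']}")
```

Run on a schedule and saved with its timestamp, the output of each run is the kind of artifact the table asks for: an enrollment count, a named list of gaps, the exception IDs that no longer hold, and the findings whose age exceeds the SLA their severity carries. The point of joining the exports rather than reading each one separately is that an exception that expired in December, or a scanner finding with no ticket behind it, is invisible in either source on its own.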
A word on timing
The government’s Unified Agenda timetable lists May 2026 as the target for final action on the HIPAA Security Rule cybersecurity strengthening effort.
The proposal also follows the usual structure: the final rule would take effect 60 days after publication, and the compliance date is proposed as 180 days after the effective date unless the final rule sets a different timeline.
In practice, that is often about 240 days after publication.
Important compliance deadlines you cannot ignore
Healthcare compliance calendars will be unusually compressed in 2026, because the hard deadlines fall in February and the Security Rule target follows in May.
| Date | What happens | Who it impacts |
|---|---|---|
| February 16, 2026 | Compliance is required for the remaining HIPAA NPP modifications after the 2024 reproductive health privacy rule was partially vacated | Most HIPAA-covered entities |
| February 16, 2026 | Compliance is required for the 42 CFR Part 2 final rule | Part 2 programs and any organization handling Part 2 records |
| May 2026 (target) | Unified Agenda target for final action on the Security Rule | Covered entities and business associates preparing for stricter protections |
| Ongoing | Annual risk analysis expectations, annual audits and vendor scrutiny trend upward | Anyone who wants to survive an OCR inquiry |
What the February 16, 2026, NPP deadline means for you
This deadline is non-negotiable and immediate. HIPAA-covered entities must update their NPPs to address Part 2 SUD records, and those that maintain a website must post the revised notice prominently there.
The update must include specific language about the limits on using SUD records in legal proceedings and about patient rights under Part 2.
Self-insured group health plans face extra complexity. Unlike fully insured plans, which may rely on the insurer's NPP, self-insured plans must maintain and distribute their own notices.
Plan sponsors should verify that their NPPs do not reference the reproductive health care privacy amendments finalized in 2024 and subsequently vacated, as those provisions are no longer in effect.
What challenges would you face due to changing HIPAA regulations?
Most healthcare teams fall short because they try to run HIPAA security and privacy by hand across too many systems, too many vendors, and too many moving parts.
Here are the different challenges you are likely to face while you grapple with more demanding HIPAA compliance:
1. Your systems sprawl will outgrow your documentation
Every year, you add more SaaS tools, more cloud services, and more integrations that use ePHI. If your asset list is outdated, your risk analysis becomes useless because you cannot confidently say where ePHI lives or how it moves.
The proposed direction toward asset inventories and ePHI flow mapping is essentially regulators asking you to stop operating on assumptions and start operating from a map.
2. Your business associate oversight is probably too casual
Vendors are not someone else’s risk. They are part of your environment, so their access paths become your exposure paths.
If you only review business associates when a contract renews, you are likely missing changes in sub-processors, hosting locations, and security posture. A stronger approach is routine verification, along with a clear expectation of fast notification when an incident affects your data.
3. Your incident response plan likely exists only on paper
Many organizations have an incident response plan, but it is not practiced and is not tied to real-life recovery steps. That mistake costs you during ransomware attacks because the threat is operational, and felt throughout your digitally connected systems.
Having backups is not a sign of resilience. Resilience is being able to say, ‘we can restore what matters quickly, under stress, and prove we tested it.’
4. Your privacy notice might not match reality
Your Notice of Privacy Practices is a public promise about how you use and disclose information. If the notice is vague or outdated, it will not align with how patients access data through portals and apps, or with how information flows across payers and care teams.
When the notice says one thing and operations do another, enforcement gets simpler for regulators and the outcome gets uglier for you.
5. You will underestimate breach impact until you live through it
Breach impact is not just an IT problem. It becomes downtime, diverted care, delayed revenue, and sustained leadership attention.
For scale, IBM's 2025 Cost of a Data Breach Report cites healthcare as the costliest industry, with an average breach cost of $7.42M and an average time to identify and contain a breach of 279 days.
What do you need to prepare for the changing HIPAA regulations
Dutt, speaking from her experience, recommends treating readiness and training like a new program rollout. She lays out the preparation phase:
“Stand up a HIPAA 2026 working group that includes privacy, legal, security, HIM, patient access and vendor management, because these changes cut across all of them. Then move on to train on real scenarios.”
Training works when it is tied to practical actions people take every week. That is why the annual slide deck rarely changes behavior. Instead, teach each role what to do in the moments that matter and reinforce it with repeatable workflows.
- Front desk and patient services teams need practice delivering the NPP correctly, handling restriction requests, and routing sensitive questions to the right privacy lead.
- Clinical teams need minimum necessary habits and guidance on how to document and share SUD-related information when Part 2 applies.
- IT and Security teams need operational standards for MFA coverage, encryption and scanning, and they need routine backup-restore drills that produce evidence.
- Compliance and vendor management teams need clean BAA management and steady evidence collection to maintain continuous readiness.
This is another place where automation helps. When evidence is collected automatically from the systems people already use, teams spend less time chasing screenshots and more time fixing gaps.
What are some immediate steps healthcare organizations can take now?
You do not need to do everything this week. You do need to start the work that requires coordination, because that is what always takes longer than expected.
These actions will position you for compliance regardless of regulatory timing:
1. Conduct a Part 2 readiness assessment
Identify whether your organization receives or maintains SUD records from any source. If yes, begin NPP revisions immediately to meet the February 16 deadline.
2. Inventory your technology assets
Document every system that stores, processes, or transmits ePHI. Identify which systems lack MFA capabilities, encryption at rest, or automated logging. This inventory itself becomes a compliance requirement under the proposed rules.
3. Evaluate your MFA deployment
Audit whether MFA covers every ePHI access point, not only remote access. Test the fallback authentication paths (such as recovery codes, help-desk resets and legacy protocols that cannot prompt for a second factor) and make sure none of them creates a bypass.
4. Assess encryption gaps
Verify that databases, file servers, backups, and archived data are encrypted at rest. Document any exceptions with detailed risk analyses – the proposed rules allow limited exceptions only with thorough justification.
5. Schedule penetration testing
Engage qualified firms now if you have never conducted formal penetration testing. The results will inform your security roadmap and demonstrate good faith compliance efforts even before mandates take effect.
6. Review and update BAAs
Ensure contracts with business associates specify the technical controls required under the proposed rules. Consider requiring proof of annual penetration testing and biannual vulnerability scanning from critical vendors.
7. Test your incident response plan
Simulate a ransomware attack and measure whether you can restore critical systems within 72 hours. Document gaps and remediation steps.
8. Map your data flows
Create network diagrams showing how ePHI moves through your organization and to business associates. This mapping exercise often reveals unauthorized shadow IT or forgotten legacy systems.
Get HIPAA compliant with Sprinto AI
HIPAA updates in 2026 will show up in daily operations, not just policies. The biggest cause of failure will be manual compliance. If you are hunting for evidence a year after the fact, rebuilding workflows at audit time, and losing consistency as systems and vendors change, you will struggle to stay HIPAA compliant.
But don’t worry! With an automated, AI-powered compliance platform, manual compliance becomes a thing of the past.
Sprinto integrates with your systems and then turns ongoing compliance into a set of repeatable workflows. Instead of relying on memory and manual checklists, it keeps controls and evidence connected to the tools that generate them.
- Sprinto connects to common cloud and SaaS tools and can automate a large portion of evidence capture, while keeping timestamps and an audit trail.
- Sprinto is built around always-on compliance so gaps and risks surface earlier, not at the end of the quarter.
- Sprinto centralizes vendor data and automates assessments so vendor oversight does not depend on endless back-and-forth.
- Sprinto has workflows aimed at HIPAA safeguards, policy enforcement and ongoing monitoring to support HIPAA programs.
If you are building your 2026 HIPAA plan now, schedule a Sprinto demo and map your biggest evidence gaps to the first automations.
FAQs
Why does February 16, 2026 matter?
February 16, 2026 stands out because it is the compliance date for the remaining HIPAA NPP modifications. It is also the compliance date for the Part 2 final rule.
Does Part 2 affect my organization if it is not a Part 2 program?
It can. If you receive Part 2 records from a Part 2 program or work with SUD-related data flows, you should review your consent, redisclosure and notice practices.
Is the Security Rule update final?
Not yet. HHS has targeted May 2026 for final action. You should still prepare, because the proposed direction is specific and strict.
Where should I start?
Start with what auditors and regulators can verify fast.
That includes:
- NPP accuracy and distribution
- MFA coverage for ePHI systems
- A documented risk analysis anchored to a real asset inventory
Pansy
Pansy is an ISC2 Certified in Cybersecurity content marketer with a background in Computer Science engineering. Lately, she has been exploring the world of marketing through the lens of GRC (Governance, risk & compliance) with Sprinto. When she’s not working, she’s either deeply engrossed in political fiction or honing her culinary skills. You may also find her sunbathing on a beach or hiking through a dense forest.