2026 HIPAA Security Rule Final Rule Published; New Compliance Requirements Effective (medcurity.com)
- Final rule published Jan 6, 2025; HHS targeting May 2026 finalization.
- Mandatory encryption, MFA, annual risk assessments, and vulnerability scanning.
- OCR enforcement signals from Jan 2026 newsletter: risk analysis must include patch management.
- HHS estimated $9B year-one cost; $34B over five years.
- Industry pushback from CHIME did not alter rule but may affect enforcement priorities.
"The final HIPAA Security Rule, published January 6, 2025, introduces mandatory annual security risk assessments, encryption of ePHI at rest and in transit, multi-factor authentication for all systems accessing ePHI, 72-hour incident reporting, annual penetration testing, and enhanced business associate oversight. HHS targets May 2026 for finalizing implementation guidance. The rule applies to all covered entities and business associates regardless of size. Compliance deadlines provide 180 days to one year after enforcement priority status."