May 26, 2026
Recent breach trends and proposed updates to the HIPAA Security Rule indicate a meaningful shift in regulatory expectations, particularly around policy discipline, governance, and the operationalization of security controls.
The U.S. Department of Health and Human Services Office for Civil Rights has proposed the first substantive revision to the Security Rule since 2013, which introduces new mandatory requirements and elevates several safeguards that were previously considered addressable to required baseline expectations. These changes, expected to take place soon, expand technical and administrative obligations, including documentation, risk analysis cadence, asset visibility, and contingency planning.
Large-scale breach events in the healthcare industry continue to demonstrate how gaps in policies, procedures, and oversight allow localized control failures, such as inconsistent access controls, incomplete encryption, or weak vendor governance, to scale into enterprise-wide incidents. In parallel, OCR enforcement activity has increasingly emphasized not just the presence of policies, but whether they are sufficiently detailed, kept current, and supported by repeatable processes that align with how systems are actually operated.
In this context, organizations may benefit from proactively reviewing and updating key policy and procedure domains, particularly those related to risk management, access controls, asset inventory, incident response, and third-party oversight, to align with the proposed HIPAA Security Rule requirements. Addressing these areas ahead of the final rule may help reduce implementation risk, avoid compressed remediation timelines, and support a more sustainable compliance posture once enforcement begins.
Why this matters now
The proposed HIPAA Security Rule signals a clear move away from flexibility in how safeguards are implemented. Several controls that were historically treated as addressable or implemented inconsistently are proposed to become mandatory expectations across covered entities and business associates.
Examples include:
Although many organizations have implemented some of these controls in practice, they have not always been consistently documented, governed, or enforced through formal policy. As a result, organizations that delay updates to policies, procedures, and governance structures until the final rule is issued may face compressed timelines and increased compliance risk. Proactively aligning documentation, ownership models, and oversight mechanisms with the proposed requirements allows organizations to address underlying readiness gaps before regulatory expectations become enforceable.
What regulators are signaling through the proposed rule
Through the proposed updates to the HIPAA Security Rule, OCR has indicated that long-standing compliance gaps, particularly related to risk analysis, access management, third-party oversight, and documentation, are likely to face increased regulatory scrutiny. OCR has cited common deficiencies observed during investigations as a primary driver of the proposed changes, suggesting that future enforcement expectations may be shaped directly by prior compliance failures.
Much of the discussion surrounding the proposed rule focuses on technical safeguards. These requirements, however, cannot operate effectively without a supporting policy and governance framework. As enforcement expectations evolve, regulators are increasingly expected to assess not only whether controls exist, but whether written policies clearly define ownership, execution, escalation, and oversight, and whether those policies are reflected in how security activities are performed on an ongoing basis.
The table below highlights representative key policy domains that are likely to receive increased scrutiny. This sample list is based on OCR enforcement trends, published guidance, and the proposed HIPAA Security Rule updates, and outlines examples of what regulators are increasingly expecting to see documented by healthcare provider organizations.
| Policy domain | Why this area is likely to receive increased scrutiny | Examples of what regulators may expect to see documented |
|---|---|---|
| Information security governance and oversight | Regulators have increasingly emphasized demonstrable accountability and management involvement in cybersecurity programs. Informal or implied ownership may be viewed as insufficient under a more explicit and enforceable security rule framework. | • Clearly defined security governance structures aligned to recognized frameworks (for example, NIST) • Assigned ownership for cybersecurity and information security decision-making, documented management oversight, reporting, and escalation mechanisms • Evidence that leadership reviews and approves key security policies and standards |
| Risk analysis and risk management | OCR enforcement actions frequently cite inadequate or outdated risk analysis as a contributing factor to noncompliance. Proposed updates reinforce expectations that risk management is an ongoing, repeatable process that informs security decisions rather than a point-in-time activity. | • Documented methodology for conducting enterprise-wide risk analyses, including a documented security rule compliance review/audit at least once every 12 months • Defined risk scoring and prioritization criteria • Evidence of remediation decisions, timelines, and management approvals • Clear documentation of any accepted risks and the related rationales |
| Identity and access management | Access control weaknesses remain a common contributor to healthcare breaches. Regulators are increasingly focused on whether access controls are enforceable, consistently applied, and aligned with actual system use. Expectations are trending beyond basic username and password controls toward stronger authentication for systems supporting patient information. | • Require notification of certain regulated entities within 24 hours when a workforce member's access to ePHI or certain electronic information systems is changed or terminated • Require the use of multi-factor authentication, with limited exceptions • Require regulated entities to establish and deploy technical controls for configuring relevant electronic information systems, including workstations, in a consistent manner • Policies that specify enforcement and monitoring mechanisms, not just access requirements |
| Technology asset and data protection governance | Proposed rule changes highlight the need for visibility into systems, data flows, and data locations that support ePHI. Policies that do not reflect current operating environments, such as cloud platforms and third-party services, may be viewed as misaligned with actual practices. | • Defined processes for maintaining accurate technology asset inventories • Documented data classification and handling requirements • Governance over ePHI data flows across internal systems and external service providers • Require encryption of ePHI at rest and in transit, with limited exceptions |
| Security monitoring, testing, and incident response | Regulators increasingly expect organizations to demonstrate that monitoring and testing activities are operationalized and consistently performed. Incident response procedures are expected to support timely detection, escalation, and documented response actions. | • Defined logging, monitoring, and alerting expectations, including requiring vulnerability scanning at least every six months and penetration testing at least once every 12 months • Documented testing cadence for security controls and incident response procedures • Incident detection, escalation, and response workflows • Clearly defined roles and responsibilities during a security incident |
| Business associate oversight | OCR enforcement trends continue to reinforce that responsibility for protecting ePHI extends beyond organizational boundaries. Regulators increasingly expect organizations to define and enforce third-party security requirements, supported by periodic verification activities. | • Updated business associate agreement templates addressing security obligations and breach notification timelines • Documented procedures for evaluating and monitoring business associate security posture • Defined contractual and policy expectations for safeguarding ePHI • Clearly documented incident notification and escalation requirements |
| Contingency and disaster recovery | Updated contingency and recovery expectations emphasize the organization's ability to restore critical systems and access to ePHI following a disruptive event. Recovery capability is increasingly viewed as a core component of the security program rather than a purely operational concern. | • Documented contingency and disaster recovery plans for systems supporting ePHI • Defined recovery time and recovery point objectives for critical systems • Evidence of periodic testing and management review of recovery plans • Roles, responsibilities, and escalation procedures during recovery events |
How Kodiak supports policy readiness
Market and Business Development Leader, Risk and Compliance
Kodiak Solutions