HIPAA in 2026

HIPAA in 2026 will continue to evolve, presenting new challenges for healthcare professionals.

HIPAA compliance is becoming more complex and subject to increased oversight, driven by regulatory changes, a more aggressive cyber threat environment, and stricter enforcement by federal agencies, state regulators, and private litigants.

For HIPAA compliance professionals, IT leaders, and owners of healthcare organizations and vendors, 2026 will require a more integrated, proactive approach to privacy and security. This article highlights key developments to monitor and the steps you should take now to prepare.

Regulatory Updates for HIPAA in 2026 – Part 2 Alignment and Security Rule Changes

Aligning Part 2 with HIPAA

Recent updates to the Confidentiality of Substance Use Disorder (SUD) Records regulations under 42 CFR Part 2 aim to better align with HIPAA. Historically, Part 2 imposed stricter restrictions on the use and disclosure of SUD treatment records, creating operational and compliance challenges for providers and health IT vendors who had to manage separate workflows and technical controls.

In 2026, HIPAA-regulated entities can expect:

  • More integrated privacy frameworks: As Part 2 aligns more closely with the HIPAA model for consent, authorization, and disclosure, compliance programs will be able to streamline some processes—but they still must address Part 2’s unique protections and consent requirements.
  • Updates to policies and forms: Notice of Privacy Practices, consent forms, Business Associate Agreements (BAAs), and internal procedures will require review and likely revision to ensure they accurately reflect how SUD information is used and shared.
  • Greater emphasis on segmentation and minimal access: Even with alignment, SUD data remains particularly sensitive. You must demonstrate your ability to appropriately identify, segment, and restrict access to SUD-related information in both EHRs and downstream systems.

Action items for 2026:

  • Inventory where SUD-related data resides (EHR, billing, data warehouses, third-party tools) and who can access each copy.
  • Update policies, procedures, and training to clearly specify when Part 2 applies and how it relates to HIPAA.
  • Confirm that BAAs and data sharing agreements include provisions for SUD data handling, consent, and redisclosure limits.
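The segmentation, minimal-access and redisclosure points above are usually enforced in code at the point of access, not only in policy. The following is an added example, not code from the article or from any vendor, showing one way to model it: every record carries a Part 2 label that travels with each downstream copy, an inventory function reports where labelled copies live, and an authorization function refuses SUD records unless an unexpired, unrevoked written consent names the requesting organization (or role) and purpose. A medical-emergency override, the role-to-purpose table standing in for HIPAA's treatment/payment/operations permissions, the consent fields, and the sample patients are all assumptions chosen for the illustration.

```python
"""Consent-gated access to 42 CFR Part 2 (SUD) records beside ordinary PHI.

Added example (not from the article). Simplified model, assumptions:
  - every record carries a `sud_protected` label set when the record is created
    and copied into every downstream system (billing, warehouse, ...);
  - non-SUD PHI follows a role-to-purpose table standing in for HIPAA's
    treatment/payment/operations permissions;
  - SUD records require an unexpired, unrevoked written consent naming the
    requesting organisation (or role) and the purpose, except for a logged
    medical-emergency override;
  - every permitted SUD disclosure is tagged as needing the Part 2
    redisclosure notice, and every decision is written to an audit list.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Record:
    record_id: str
    patient_id: str
    system: str            # where this copy lives: "ehr", "billing", "warehouse"
    sud_protected: bool    # segmentation label; must travel with every copy


@dataclass(frozen=True)
class Consent:
    patient_id: str
    recipient: str         # organisation or role named on the consent form
    purposes: FrozenSet[str]
    expires: date
    revoked: bool = False


@dataclass(frozen=True)
class Requester:
    user_id: str
    org: str
    role: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    redisclosure_notice: bool = False   # Part 2 notice must accompany the data


# Stand-in for HIPAA permitted uses by workforce role (assumption, not rule text).
ROLE_PURPOSES: Dict[str, FrozenSet[str]] = {
    "physician": frozenset({"treatment"}),
    "nurse": frozenset({"treatment"}),
    "billing": frozenset({"payment"}),
    "analyst": frozenset(),
}

AUDIT: List[dict] = []   # one entry per decision, allowed or not


def sud_inventory(records: List[Record]) -> Dict[str, int]:
    """Count Part 2-labelled copies per system: the 'where does SUD data live' inventory."""
    counts: Dict[str, int] = {}
    for r in records:
        if r.sud_protected:
            counts[r.system] = counts.get(r.system, 0) + 1
    return counts


def _matching_consent(consents, record, requester, purpose, today) -> Optional[Consent]:
    """First consent for this patient that is live and names the recipient and purpose."""
    for c in consents:
        if c.patient_id != record.patient_id or c.revoked or c.expires < today:
            continue
        if c.recipient in (requester.org, requester.role) and purpose in c.purposes:
            return c
    return None


def authorize(record, requester, purpose, consents, today, emergency=False) -> Decision:
    """Decide one access request; SUD records never fall through to the HIPAA path."""
    if not record.sud_protected:
        ok = purpose in ROLE_PURPOSES.get(requester.role, frozenset())
        decision = Decision(ok, "HIPAA path: role permits purpose" if ok
                            else "HIPAA path: role does not permit purpose")
    elif emergency:
        # Medical-emergency override: allowed, but flagged for after-the-fact review.
        decision = Decision(True, "Part 2: medical-emergency override, review required", True)
    else:
        consent = _matching_consent(consents, record, requester, purpose, today)
        decision = (Decision(True, f"Part 2: consent covers {requester.org} for {purpose}", True)
                    if consent else
                    Decision(False, "Part 2: no valid written consent for recipient/purpose"))
    AUDIT.append({"record": record.record_id, "user": requester.user_id, "org": requester.org,
                  "purpose": purpose, "allowed": decision.allowed, "reason": decision.reason})
    return decision


# --- constructed sample data (fictional patients, organisations and dates) ---
RECORDS = [
    Record("r1", "p100", "ehr", sud_protected=True),
    Record("r1-bill", "p100", "billing", sud_protected=True),   # label copied downstream
    Record("r2", "p200", "ehr", sud_protected=False),
    Record("r2-dw", "p200", "warehouse", sud_protected=False),
]
CONSENTS = [
    Consent("p100", "County Behavioral Health", frozenset({"treatment"}), date(2026, 12, 31)),
    Consent("p100", "Old Clinic", frozenset({"treatment", "payment"}), date(2024, 1, 1)),  # expired
]
TODAY = date(2026, 3, 1)

if __name__ == "__main__":
    print(sud_inventory(RECORDS))
    doctor = Requester("u1", "County Behavioral Health", "physician")
    print(authorize(RECORDS[0], doctor, "treatment", CONSENTS, TODAY))
    print(authorize(RECORDS[0], doctor, "research", CONSENTS, TODAY))
```

The point of the billing copy (`r1-bill`) is that the label, not the system, decides the path: a billing clerk who can read ordinary PHI for payment is still refused the SUD copy without a consent that names payment, which is exactly the downstream gap an inventory is meant to surface.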

Anticipated Changes to the HIPAA Security Rule

HHS indicates that updates to the HIPAA Security Rule are forthcoming, reflecting shifts in the cyber threat landscape and technological progress. Although the precise timing and wording are uncertain, organizations should prepare for:

  • More explicit expectations for cybersecurity controls: While the current Security Rule is intentionally flexible and risk-based, future updates may include clearer references to multi-factor authentication, encryption in transit and at rest, endpoint protection, logging and monitoring, and incident response capabilities.
  • Explicit coverage of cloud and third-party services: The Security Rule’s implementation specifications may evolve to address cloud architectures, APIs, and managed security services that are now vital to healthcare.
  • Closer alignment with recognized security frameworks: Regulators may more explicitly recognize frameworks like NIST and could promote or reference them as benchmarks for “reasonable and appropriate” safeguards.

Action items for 2026:

  • Conduct a gap analysis comparing your current controls to leading frameworks such as the NIST Cybersecurity Framework, NIST SP 800-53, NIST SP 800-66, or HITRUST-based programs, even before the Security Rule is officially updated.
  • Document your reasoning for all security decisions—why some measures are implemented and others are not, based on risk.
  • Ensure your security program is not merely compliant “on paper,” but also demonstrably effective in practice, supported by logs, metrics, and test results.

Rising Cyber Risk: Data Breaches and Ransomware

Healthcare remains a prime target for cyberattacks. Attackers understand the value of protected health information (PHI), the reliance on ongoing clinical operations, and the often-fragmented IT environments managed by many providers and vendors.

In 2026, expect:

  • More sophisticated ransomware and extortion tactics: Attackers are increasingly focusing on exfiltration and double extortion, threatening to release or sell PHI along with encrypting systems.
  • Expanded attack surfaces: Telehealth platforms, patient portals, APIs, mobile apps, and connected medical devices all introduce more entry points.
  • Supply chain and vendor-related incidents: A single breach at a cloud provider or vendor can impact dozens or hundreds of covered entities simultaneously.

For HIPAA entities, the question is no longer if you will face an incident, but when and how prepared you will be.

Key priorities:

  • Strengthen technical controls: implement MFA wherever feasible, maintain robust patch and vulnerability management, utilize EDR/XDR tools, enforce network segmentation, and ensure reliable backup and restore capabilities.
  • Enhance detection and response: continuous monitoring when possible, clear incident response playbooks, tabletop exercises, and established partnerships with forensic and legal experts.
  • Incorporate cybersecurity into vendor management: Perform due diligence, utilize security questionnaires, request proof of audits or certifications, and include contractual provisions related to incident response and breach notification.
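The "continuous monitoring" and exfiltration points above are easier to act on with a concrete detection. The following is an added example, not code from the article or from any product, that runs over constructed EHR audit and egress log lines: it counts distinct patients each user views per hour, flags users who exceed a per-user baseline by a large ratio (mass record access is the usual precursor to a PHI data theft), and correlates such a spike with a large outbound transfer to a non-internal address by the same user within a short window. The log formats, the baseline figures, the thresholds, the internal network ranges and the sample users are all assumptions for the illustration.

```python
"""Detection over constructed EHR audit and egress logs: mass record access followed by
a large outbound transfer, the shape of a PHI exfiltration / double-extortion event.

Added example, not from the article. Log formats, thresholds, baselines and the
internal address ranges are assumptions; tune them to your own environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Assumed line formats (constructed for this example).
AUDIT_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) patient=(?P<patient>\S+)$")
EGRESS_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$")

SPIKE_RATIO = 5.0            # distinct patients per hour vs. the user's baseline
MIN_PATIENTS = 50            # floor so tiny baselines do not alert on normal variation
EGRESS_BYTES = 500_000_000   # 500 MB to a non-internal address in one flow
CORRELATION_WINDOW = timedelta(hours=2)
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def _is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def hourly_patient_counts(lines: List[str]) -> Dict[str, Dict[datetime, set]]:
    """user -> hour bucket -> set of distinct patients viewed in that hour."""
    counts: Dict[str, Dict[datetime, set]] = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = AUDIT_RE.match(line)
        if not m:
            continue   # not an audit line; a real pipeline would count parse failures
        hour = _ts(m["ts"]).replace(minute=0, second=0)
        counts[m["user"]][hour].add(m["patient"])
    return counts


def access_spikes(audit_lines: List[str], baseline: Dict[str, float]) -> List[Tuple[str, datetime, int]]:
    """(user, hour, distinct_patients) where the count beats both the ratio and the floor."""
    spikes = []
    for user, hours in hourly_patient_counts(audit_lines).items():
        base = baseline.get(user, 1.0)   # unknown user: any sizeable burst is a spike
        for hour, patients in hours.items():
            n = len(patients)
            if n >= MIN_PATIENTS and n / base >= SPIKE_RATIO:
                spikes.append((user, hour, n))
    return spikes


def large_external_egress(egress_lines: List[str]) -> List[Tuple[str, datetime, str, int]]:
    """(user, time, dst, bytes) for big flows leaving the internal ranges."""
    events = []
    for line in egress_lines:
        m = EGRESS_RE.match(line)
        if not m:
            continue
        nbytes = int(m["bytes"])
        if nbytes >= EGRESS_BYTES and _is_external(m["dst"]):
            events.append((m["user"], _ts(m["ts"]), m["dst"], nbytes))
    return events


def correlate(audit_lines, egress_lines, baseline) -> List[dict]:
    """Alert when the same user has an access spike and a large external transfer close in time."""
    alerts = []
    egress = large_external_egress(egress_lines)
    for user, hour, n in access_spikes(audit_lines, baseline):
        for euser, ets, dst, nbytes in egress:
            if euser == user and abs(ets - hour) <= CORRELATION_WINDOW:
                alerts.append({"user": user, "hour": hour.isoformat(), "patients": n,
                               "dst": dst, "bytes": nbytes})
    return alerts


# --- constructed sample logs (fictional users, hosts and addresses) ---
AUDIT_LINES = [f"2026-03-01T09:{i % 60:02d}:{(i * 7) % 60:02d}Z user=jdoe action=view patient=p{1000 + i}"
               for i in range(120)]                       # 120 distinct patients in one hour
AUDIT_LINES += [f"2026-03-01T09:{i * 5:02d}:00Z user=asmith action=view patient=p{2000 + i}"
                for i in range(8)]                        # normal clinical workload
AUDIT_LINES.append("2026-03-01T09:30:00Z ehr-db01 backup job started")   # unrelated line
EGRESS_LINES = [
    "2026-03-01T10:15:00Z host=ws-17 user=jdoe dst=203.0.113.7 bytes=2100000000",   # external, large
    "2026-03-01T10:20:00Z host=ws-22 user=asmith dst=10.0.0.5 bytes=3000000000",    # internal backup
]
BASELINE = {"jdoe": 12.0, "asmith": 10.0}   # assumed 30-day average of distinct patients/hour

if __name__ == "__main__":
    for alert in correlate(AUDIT_LINES, EGRESS_LINES, BASELINE):
        print(alert)
```

Either signal alone is noisy (a coder doing month-end work, a backup to a cloud bucket); the correlation is what turns two weak indicators into an alert worth paging on, and the per-user baseline is what lets a small behavioral-health clinic and a large hospital use the same logic.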

OCR Enforcement: Risk Analysis and Right of Access Remain Central

The Office for Civil Rights (OCR) at HHS has made clear through years of enforcement actions that two areas remain top priorities:

  • Enterprise-wide risk analysis and risk management
  • Patients’ right of access to their medical records

Risk Analysis and Risk Management

In nearly every major HIPAA settlement, OCR has highlighted gaps in risk analysis and risk management. Common findings include:

  • No comprehensive enterprise-wide risk analysis conducted, or an assessment that is outdated or too narrow.
  • Failure to address known vulnerabilities promptly and with proper documentation.
  • Lack of connection between risk analysis results and security investments or remediation activities.

In 2026, you should expect OCR to maintain this focus. When a breach happens, OCR will ask to see:

  • Your most recent risk analysis—and whether it comprehensively covers all systems, data flows, and locations where PHI is created, received, maintained, or transmitted.
  • Your risk management plan—prioritized actions, timelines, responsible owners, and evidence of follow-through.

Right of Access

OCR’s Right of Access Initiative has already taken numerous enforcement actions against providers that failed to provide patients with timely or reasonably priced access to their medical records.

This focus on enforcement will continue. In 2026, you should:

  • Ensure clear, documented procedures for managing access requests, including tracking, timeframes, and escalation paths.
  • Ensure staff understand time limits, reasonable fees, and acceptable formats.
  • Regularly evaluate your process by performing internal “mystery shopper” requests to identify delays or bottlenecks.

Growth of Private Litigation After Data Breaches

Beyond government enforcement, healthcare organizations and their business associates are increasingly facing lawsuits from individuals and patient groups arising from data breaches or privacy violations.

Key trends to anticipate:

  • More class actions are emerging after major breaches: Plaintiffs’ law firms quickly file lawsuits whenever a significant incident occurs. These allegations often include negligence, failure to implement reasonable security measures, and violations of state privacy or consumer protection laws.
  • Focus on harm and standing: Courts still differ on what injury is sufficient for plaintiffs to have standing, but a pattern is emerging in which exposure of highly sensitive or long-lived data (Social Security numbers, diagnoses) supports claims.
  • Scrutiny of vendors and business associates: Vendors involved in a breach affecting multiple covered entities may face lawsuits and regulatory investigations from various sources.

For compliance and IT leaders, this means:

  • Documented, risk-based security decisions are essential. If litigation occurs, you’ll need to demonstrate that your controls and practices were reasonable and consistent with industry standards.
  • Contracts with vendors should clearly define security responsibilities, cover indemnification, and establish expectations regarding incident timelines and cooperation.
  • Breach response communications—both to regulators and to affected individuals—should be accurate, consistent, and carefully coordinated with counsel.

Expanding Role of State Enforcement and State Privacy Laws

States are becoming more proactive in privacy and cybersecurity enforcement, with many enacting or considering comprehensive privacy laws and sector-specific protections.

In 2026, HIPAA-regulated entities must account for:

  • Dual enforcement: State attorneys general can enforce HIPAA along with their own privacy and consumer protection laws. A single incident can thus lead to investigations and penalties from both federal and state regulators.
  • Stricter state standards: When state law is more stringent than HIPAA—such as in breach notification timelines, data minimization requirements, or specific security obligations—HIPAA does not preempt it, and the state requirements must be met alongside the federal ones.
  • Special protections for sensitive categories of data: States often provide additional safeguards for mental health, reproductive health, SUD, minors’ information, and location or genetic data, sometimes going beyond HIPAA’s scope.

Implications for your program:

  • Keep a multi-jurisdictional compliance perspective, especially if you operate in or serve patients from multiple states.
  • Monitor state legislative and regulatory changes affecting privacy, security, and breach notification.
  • Coordinate among legal, compliance, privacy, and IT to ensure that state-specific requirements are incorporated into policies, procedures, incident response playbooks, and training.

2026 Is the Year to Strengthen the Fundamentals

Regulatory changes, evolving cyber threats, and expanding enforcement from federal regulators, state authorities, and private litigants are converging in 2026. HIPAA compliance cannot be viewed as a static checklist—it must be a dynamic, integrated program that develops alongside these changes.

To prepare, HIPAA-regulated entities and their vendors should prioritize:

Reviewing and updating policies and procedures to address:

  • Alignment of Part 2 SUD regulations with HIPAA
  • Anticipated Security Rule changes and modern cybersecurity practices
  • Clear processes for right of access, incident response, and vendor oversight

Performing and documenting an annual, enterprise-wide HIPAA risk analysis, and using its findings to drive a realistic, prioritized risk management plan.

Reviewing and strengthening cybersecurity controls, especially around:

  • Identity and access management (including MFA)
  • Endpoint protection, patching, and vulnerability management
  • Data backup, recovery, and disaster recovery planning
  • Monitoring, logging, and incident response capabilities

Investing in ongoing workforce training, including:

  • Core HIPAA privacy and security requirements
  • Cybersecurity awareness (phishing, social engineering, password hygiene, reporting suspicious activity)
  • Role-based training for staff with elevated access or specialized responsibilities

Organizations that approach 2026 with a proactive, holistic strategy—combining legal, compliance, IT, and executive leadership—will be better positioned not only to withstand regulatory scrutiny and cyber threats but also to build patient and partner trust in an increasingly complex privacy landscape.
