Proposed 2026 HIPAA Security Rule Updates: What Healthcare Leaders Need to Do Now
What You’ll Learn in This Guide
If you’ve seen the headlines about the HIPAA Security Rule update but are still not sure what actually changes, this guide helps connect the dots.
- A clear before-and-after comparison of the most important proposed HIPAA Security Rule changes
- The compliance, operational, and cybersecurity risks of waiting too long
- A practical roadmap for healthcare organizations working with limited staffing and budget
- The security controls most likely to require action first, including MFA, encryption, vendor oversight, and incident response
- What smaller and resource-constrained providers should prioritize now
Why This Guide Matters
The HIPAA Security Rule has not been substantially modernized in more than a decade. That may soon change.
The proposed updates signal a move away from flexible, loosely interpreted safeguards and toward more explicit security requirements. For many healthcare organizations, that means controls once treated as optional or addressable may soon become mandatory.
That shift has real implications for:
- Compliance programs
- IT operations
- Cybersecurity budgets
- Vendor accountability
- Downtime and ransomware resilience
- Patient data protection
Healthcare organizations that wait for the final rule to act may find themselves trying to close major gaps under time pressure.
Who This Guide Is For
This guide is built for healthcare organizations that need a realistic path forward, including:
- Healthcare executives and operational leaders
- IT directors and IT managers
- Compliance officers
- Privacy and security leaders
- Clinic administrators
- Hospital and practice leadership teams
- Smaller providers balancing security demands with limited resources
Inside the Guide: Key Proposed HIPAA Security Rule Changes
- Stronger Security Requirements: Learn how the proposed rule shifts key safeguards from flexible to required, with limited exceptions.
- MFA and Encryption Expectations: See how multifactor authentication and encryption of ePHI at rest and in transit are expected to become more prescriptive.
- Asset Inventory and ePHI Flow Mapping: Understand why maintaining a technology asset inventory and network map is becoming foundational for HIPAA compliance.
- Risk Analysis and Documentation: Learn what a more detailed, written, and defensible risk analysis process may need to include.
- Vulnerability Testing and Incident Response: Review the proposed expectations around vulnerability scanning, annual penetration testing, and 72-hour recovery planning.
- Vendor Oversight and Annual Audits: See how third-party accountability and formal verification may become a much bigger compliance issue.
Why Delaying HIPAA Preparation Creates More Risk
For many healthcare organizations, the challenge is not knowing that change is coming. It is figuring out how to respond without overwhelming internal teams or disrupting care delivery.
This guide outlines the risks of waiting, including:
- Falling behind on likely compliance requirements
- Increased exposure to ransomware and patient data breaches
- Costly last-minute remediation projects
- More pressure on already stretched IT and compliance teams
- Greater operational disruption when controls are rushed into place
- Reputational damage tied to security incidents and audit findings
The proposed rule is not final yet, but the direction is clear enough to start planning now. If your organization is trying to make sense of the proposed 2026 HIPAA Security Rule updates, this guide gives you a clearer path forward.
Frequently Asked Questions About the Proposed HIPAA Security Rule Updates
What are the proposed 2026 HIPAA Security Rule updates?
The proposed 2026 HIPAA Security Rule updates are expected changes from HHS OCR that would strengthen cybersecurity requirements for healthcare organizations handling electronic protected health information, or ePHI. Proposed updates include stronger requirements around MFA, encryption, asset inventories, risk analysis, vulnerability scanning, incident response, and vendor accountability.
When will the new HIPAA Security Rule take effect?
The final timeline has not been confirmed. Many expect a Final Rule in 2026, with an effective date typically 60 days after publication and compliance generally required within 180 days unless a different compliance period is specified.
Will MFA be required under the proposed HIPAA Security Rule?
Under the proposed rule, multifactor authentication would become required across systems with limited exceptions, rather than being treated as an addressable safeguard.
Will encryption become mandatory under the HIPAA Security Rule?
The proposed updates would require encryption of ePHI at rest and in transit with limited exceptions, replacing the current more flexible approach.
Why should healthcare organizations prepare now?
Waiting increases the risk of rushed remediation, higher compliance costs, operational disruption, and greater exposure to ransomware, breaches, and audit findings. Starting early gives organizations more time to prioritize budget, staffing, technology, and documentation needs.
Who should read this guide?
This guide is intended for healthcare leaders, IT teams, compliance officers, and operations stakeholders who need to understand the proposed changes and plan a practical response.
