The 2026 HIPAA Compliance Checklist: What's Changed and What You Need Now

HIPAA enforcement is at an all-time high, and the 2025 Security Rule update introduced new requirements. Here's your complete compliance checklist for 2026.

February 28, 2026, by Brad Pierce
Tags: Compliance, Healthcare, HIPAA
HIPAA enforcement reached record levels in 2025. The Office for Civil Rights (OCR) imposed over $10 million in penalties across dozens of enforcement actions, with settlements ranging from $25,000 for small practices to multi-million dollar fines for large health systems. The message is clear: HIPAA compliance is not optional, and OCR is actively investigating organizations of every size.

More significantly, the HIPAA Security Rule received its first major update since 2013. The updated rule, finalized in late 2025, introduces new technical requirements, tightens existing ones, and eliminates the distinction between "required" and "addressable" implementation specifications — making every requirement mandatory.

If you're a healthcare organization — or a business associate that handles protected health information (PHI) — here's what you need to have in place in 2026.

What Changed in the Security Rule Update

All Specifications Are Now Required

Under the previous rule, implementation specifications were designated as either "required" or "addressable." The "addressable" designation was widely misunderstood as "optional." It was not — organizations were required to implement the specification or document why an equivalent alternative was appropriate. But in practice, many organizations used "addressable" as a reason to skip controls.

The updated rule eliminates this ambiguity. Every specification is now required. This means controls that some organizations previously considered optional — such as encryption of data at rest, automatic logoff, and audit controls — must be fully implemented.

Mandatory Encryption

The updated rule explicitly requires encryption of ePHI both at rest and in transit. Previously, encryption at rest was an "addressable" specification, and many organizations chose not to implement it (particularly on workstations and portable devices). This is no longer an option.

All devices that store or access ePHI must use full-disk encryption. All communications containing ePHI must use encrypted protocols (TLS 1.2+, encrypted email, VPN, or ZTNA). USB drives and portable storage must either be encrypted or prohibited by policy.

Technology Asset Inventory

Organizations are now required to maintain a complete inventory of all technology assets that create, receive, maintain, or transmit ePHI. This includes servers, workstations, laptops, mobile devices, medical devices, network equipment, and cloud services. The inventory must be reviewed and updated at least annually.

Incident Response and Reporting

The updated rule tightens incident response requirements. Organizations must have a tested incident response plan (tabletop exercises satisfy this requirement) and must be capable of restoring critical systems within defined timeframes. The breach notification timeline has also been shortened.

Vulnerability Management

Regular vulnerability scanning is now explicitly required, along with a documented process for prioritizing and remediating discovered vulnerabilities. Annual penetration testing is "strongly recommended" — which, given OCR's enforcement posture, should be treated as a requirement.

Your 2026 HIPAA Compliance Checklist

Risk Assessment

  • [ ] Completed a comprehensive HIPAA risk assessment within the past 12 months
  • [ ] Risk assessment covers all facilities, systems, and business associates that handle ePHI
  • [ ] Identified risks are documented in a risk register with remediation plans and timelines
  • [ ] Risk assessment methodology and findings are documented for auditor review

Technical Safeguards

  • [ ] Encryption enabled at rest on all devices that store ePHI (full-disk encryption)
  • [ ] Encryption in transit for all ePHI communications (TLS 1.2+, encrypted email)
  • [ ] Multi-factor authentication on all systems that access ePHI
  • [ ] Role-based access controls with least-privilege principles
  • [ ] Automatic logoff configured on all workstations and applications
  • [ ] Audit logging enabled on all systems that access ePHI with centralized collection
  • [ ] Endpoint Detection and Response (EDR) deployed on all endpoints
  • [ ] Network segmentation isolating clinical systems from general networks
  • [ ] Technology asset inventory complete and current

Administrative Safeguards

  • [ ] Designated HIPAA Security Officer with documented responsibilities
  • [ ] Written HIPAA policies and procedures reviewed within the past 12 months
  • [ ] Workforce Security Awareness Training completed by all staff (annually at minimum)
  • [ ] Incident response plan documented and tested via tabletop exercise
  • [ ] Business Associate Agreements (BAAs) in place with all vendors that access ePHI
  • [ ] Sanctions policy documented for workforce members who violate HIPAA policies
  • [ ] Workforce access provisioning and de-provisioning procedures documented and followed

Physical Safeguards

  • [ ] Physical access controls to areas where ePHI is stored or accessible
  • [ ] Workstation security policies (screen locks, clean desk, device positioning)
  • [ ] Device and media disposal procedures (certified data destruction)
  • [ ] Visitor policies for areas with access to ePHI systems

Backup and Disaster Recovery

  • [ ] Automated backups of all ePHI at least daily
  • [ ] Backup encryption (at rest and in transit)
  • [ ] Off-site or cloud backup storage
  • [ ] Backup restoration tested within the past 90 days with documented results
  • [ ] Disaster recovery plan with defined RTOs and RPOs for critical systems
  • [ ] DR plan tested within the past 12 months

Vulnerability Management

  • [ ] Vulnerability scans conducted at least quarterly (monthly recommended)
  • [ ] Critical vulnerabilities remediated within 30 days
  • [ ] Patch management program with documented timelines for critical and routine patches
  • [ ] Annual penetration test conducted by a qualified third party
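An added example, not from the post or from Layer27, of turning the Technical Safeguards, Backup and Disaster Recovery, and Vulnerability Management items above into an automated evidence check: a constructed inventory (the field names and sample values are assumptions) is evaluated against the thresholds the checklist states, such as full-disk encryption, MFA, EDR, automatic logoff, TLS 1.2+, the 30-day critical-vulnerability SLA, the 90-day restore test, and the annual risk assessment, DR test and penetration test.

```python
from datetime import date

TODAY = date(2026, 2, 28)  # fixed "as of" date so the results are reproducible

# Constructed sample inventory; in practice export this from your asset inventory,
# RMM and vulnerability scanner. Field names are assumptions, not a real schema.
ASSETS = [
    {"name": "ehr-db-01", "fde": True, "mfa": True, "edr": True, "auto_logoff": True,
     "tls_min": "1.2", "open_critical_vulns": [{"id": "VULN-A", "found": "2026-01-05"}]},
    {"name": "frontdesk-pc-07", "fde": False, "mfa": True, "edr": True, "auto_logoff": False,
     "tls_min": "1.2", "open_critical_vulns": []},
    {"name": "imaging-ws-02", "fde": True, "mfa": False, "edr": True, "auto_logoff": True,
     "tls_min": "1.0", "open_critical_vulns": []},
]
# Last completion date of each recurring program activity (constructed)
PROGRAM = {"risk_assessment": "2025-01-15", "restore_test": "2025-10-01",
           "dr_test": "2025-06-30", "pentest": "2025-03-01"}
# Maximum age in days per checklist item: 12 months, 90 days, 12 months, annual
PROGRAM_LIMITS = {"risk_assessment": 365, "restore_test": 90, "dr_test": 365, "pentest": 365}
CRITICAL_VULN_SLA_DAYS = 30  # "Critical vulnerabilities remediated within 30 days"

def days_since(iso_date, today=TODAY):
    return (today - date.fromisoformat(iso_date)).days

def asset_findings(asset, today=TODAY):
    """Return the checklist items this asset fails (empty list means compliant)."""
    findings = []
    for field, text in (("fde", "no full-disk encryption"), ("mfa", "MFA not enforced"),
                        ("edr", "no EDR agent"), ("auto_logoff", "automatic logoff disabled")):
        if not asset[field]:
            findings.append(text)
    # Compare the configured TLS floor numerically so "1.10" would not sort below "1.2"
    if tuple(int(x) for x in asset["tls_min"].split(".")) < (1, 2):
        findings.append(f"TLS minimum {asset['tls_min']} below 1.2")
    for vuln in asset["open_critical_vulns"]:
        age = days_since(vuln["found"], today)
        if age > CRITICAL_VULN_SLA_DAYS:
            findings.append(f"critical {vuln['id']} open {age} days (SLA {CRITICAL_VULN_SLA_DAYS})")
    return findings

def program_findings(program, today=TODAY):
    # Flag recurring activities whose last completion is older than the checklist allows
    return [f"{item} last done {days_since(program[item], today)} days ago (limit {limit})"
            for item, limit in PROGRAM_LIMITS.items()
            if days_since(program[item], today) > limit]

def compliance_report(assets=ASSETS, program=PROGRAM, today=TODAY):
    """Map each asset name (plus 'program') to its list of open findings."""
    report = {a["name"]: asset_findings(a, today) for a in assets}
    report["program"] = program_findings(program, today)
    return report
```

Run it on a real export and keep the output with the date it was generated; a dated report with zero findings is the kind of artifact an auditor asks for.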

How Layer27 Supports HIPAA Compliance

Layer27 has supported HIPAA compliance for healthcare organizations across the United States since 2011. Our Protect Pro managed services tier is built around the security and operational requirements of the HIPAA Security Rule:

  • Risk assessments conducted by experienced compliance professionals
  • 24/7/365 monitoring with MDR and SOC that satisfies audit and accountability requirements
  • Encrypted backup and DRaaS with tested recovery and documented RTOs/RPOs
  • Security Awareness Training with HIPAA-specific modules and phishing simulations
  • Compliance documentation maintained continuously for audit readiness
  • Technology asset inventory managed and updated as part of ongoing service

We've supported 100% of our healthcare clients through successful HIPAA audits — including organizations that came to us after a failed audit.

Need help with HIPAA compliance? Contact Layer27 for a HIPAA risk assessment and learn how Protect Pro keeps your practice compliant and secure.
