ARTICLE
2 January 2026

HIPAA Changes Coming In 2026

OG
Outside GC

Contributor

Outside GC logo
OGC is a unique law firm that offers the relationship and experience of a traditional law firm with the cost savings and speed of an ALSP. By combining top-notch legal talent and significant business acumen, we deliver the value and efficiency of an in-house lawyer, without adding to our client’s headcount or sacrificing quality.
Explore Firm Details
Over the next 12–18 months, healthcare providers can expect meaningful updates to the Health Insurance Portability and Accountability Act (HIPAA) affecting reproductive health information, security controls...
United States Food, Drugs, Healthcare, Life Sciences
Holly Little
Your Author LinkedIn Connections
Outside GC are most popular:
  • with readers working within the Transport industries

What Providers Need to Know — and Do — Now

Over the next 12–18 months, healthcare providers can expect meaningful updates to the Health Insurance Portability and Accountability Act (HIPAA) affecting reproductive health information, security controls, interoperability, and patient access rights. While some rules are already final, others are pending but well signaled. Taken together, all point in the same direction: HIPAA compliance is becoming more operational, more documented, and more closely scrutinized.

The changes coming in 2026 are meant to reinforce HIPAA's fundamental purpose—ensuring that protected health information (PHI) is confidential, secure, and accessible when needed for patient care and operations while raising expectations that compliance obligations are more than just having written policies on file. Rather, they are intended to be embedded into providers' daily workflows, technology decisions, and staff behavior.

Key HIPAA-Related Changes in 2026

1. Reproductive Health Privacy

(Final rule published April 2024; phased compliance through December 2026)

New HIPAA restrictions limit how PHI may be used or disclosed in connection with lawful reproductive health care. Specifically under this new rule, covered entities and business associates are prohibited from using or disclosing PHI to conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating lawful reproductive health care.

For certain non-treatment disclosures — including some law enforcement and government requests — organizations must now obtain a signed attestation from the requesting party stating that the PHI is not intended to be used to investigate or impose liability on any person for seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it is provided.

What this means:
Providers can expect new routing, review, and documentation requirements for subpoenas, warrants, and out-of-state requests, along with updates to Notices of Privacy Practices (NPPs) and targeted staff training.

2. Security Rule Modernization

(Rulemaking anticipated; likely compliance into 2026)

The Department of Health and Human Services' Office for Civil Rights (OCR) has signaled through recent enforcement actions and guidance that it expects more prescriptive security measures around:

  • Risk analysis and risk management
  • Asset inventories (including cloud, SaaS, and medical devices)
  • Authentication and multi-factor authentication
  • Vulnerability management and patching
  • Logging, monitoring, and incident response
  • Backup and recovery capabilities

While final rule text and deadlines are still pending, providers should consider beginning preparations, as compliance periods typically range from 180 days to 2 years after publication and may extend into 2026 or beyond.

3. Recognized Security Practices Matter in Enforcement

(Ongoing)

Under the HIPAA Safe Harbor law, OCR is required to consider whether an organization has implemented Recognized Security Practices (such as NIST Cybersecurity Framework, HITRUST CSF, or other recognized frameworks) for at least the prior 12 months when determining penalties and the length of audits following a breach.

What this means:
Documented, sustained implementation — not just policies — may reduce enforcement exposure and can help streamline investigations.

4. Interoperability and Information Exchange

As TEFCA (Trusted Exchange Framework and Common Agreement) networks and APIs required under the 21st Century Cures Act scale through 2025–2026, providers will exchange significantly more electronic health information across organizational boundaries. HIPAA considerations increasingly intersect with:

  • Minimum-necessary standards
  • Business Associate Agreements and Data Use Agreements
  • Identity proofing and access controls
  • Audit logging and monitoring

5. Right of Access Remains a Top Enforcement Priority

OCR continues to prioritize enforcement of patient right-of-access requirements under 45 CFR 164.524, which requires responses within 30 days (with one 30-day extension if needed). Common violations include:

  • Delayed responses
  • Failure to provide records in the requested format
  • Excessive or improperly calculated fees (fees must be limited to labor costs for copying, postage if mailed, and preparation of a summary if requested).

As electronic access expands through patient portals and third-party apps, turnaround times and fee controls will likely face continued scrutiny. Note that, under HIPAA, when records are maintained electronically, they should be provided in electronic format if requested by the patient.

Practical HIPAA Safeguards

Most HIPAA enforcement actions do not stem from sophisticated cyberattacks. According to OCR data, they most commonly arise from preventable operational failures such as lost or stolen unencrypted devices, misdirected communications (wrong fax numbers or email addresses), untrained staff accessing records without authorization, or weak access controls allowing unnecessary access to PHI.

As regulatory expectations rise, the most effective compliance measures will be those focused on practical safeguards that demonstrate diligence, accountability and a culture of privacy. Covered entities may want to consider implementing security safeguards, controls and policies for their staff such as the following:

  1. Securing Access to Systems and Devices
    • Do not share passwords or store them in visible locations; use unique, complex passwords and consider implementing a password manager
    • Enable automatic log-off on all workstations after a reasonable period of inactivity (typically 5-15 minutes depending on the environment)
    • Prevent unauthorized screen viewing in shared or patient-facing areas

  2. Managing Physical Access to PHI
    • Restrict access to servers and networking equipment
    • Never leave PHI-containing devices unattended in vehicles; if devices must be transported, ensure they are encrypted and stored out of sight in locked compartments
    • Do not allow unauthorized use of PHI-enabled devices

  3. Protecting Against Cyber Threats
    • Maintain up-to-date antivirus and endpoint protection software with automatic updates enabled on all devices that access PHI
    • Prohibit installation of unapproved software
    • Train staff regularly (at least annually) to recognize phishing, social engineering, and other cyber threats, and establish clear procedures for reporting suspicious emails or incidents immediately to IT or security personnel

  4. Maintaining Reliable Backup and Recovery
    • Perform regular backups, including off-site or secure cloud storage
    • Test recovery procedures at least annually to ensure backups are functional and data can be restored within acceptable timeframes
    • Ensure retired devices and media are properly sanitized or destroyed using NIST-approved methods to render PHI unreadable and unrecoverable (e.g., degaussing, physical destruction, or certified data wiping)

  5. Tracking PHI-Containing Devices
    • Maintain an inventory of all PHI-enabled devices
    • Monitor where PHI resides (including cloud services, mobile devices, and third-party systems) and conduct regular access reviews to ensure only authorized individuals retain access based on current job responsibilities

  6. Handling PHI Communications Carefully
    • Limit discussions of PHI to what is necessary
    • Use discretion in public or patient-facing areas
    • Verify fax numbers and secure mailed communications

Next Steps for Healthcare Providers

To prepare for upcoming changes under HIPAA, providers may wish to consider the following steps:

  • Stand up compliance workflows relating to RHCI
  • Conduct an enterprise-wide risk analysis across cloud, SaaS, and medical devices
  • Formalize recognized security practices and brief leadership/boards
  • Strengthen right-of-access protocols
  • Update business associate agreements (BAAs) to address reproductive health data, incident reporting, and subcontractors
  • Align participation agreements and DUAs with TEFCA and information-blocking rules
  • Refresh policies, playbooks, and training programs
  • Schedule periodic compliance checkpoints through 2026

At OGC, we work with healthcare providers and healthcare-adjacent businesses to move HIPAA compliance beyond checklists and into real-world operations, including HIPAA risk assessments, policy and procedure development, workforce training, incident response planning, and vendor and Business Associate Agreement (BAA) review.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Holly Little
Holly Little
Your Author LinkedIn Connections
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More