Description
The HIPAA Security Rule modernization is scheduled to be finalized around May 2026, with the final rule likely taking effect in July or August 2026. Major changes: elimination of the addressable vs. required distinction (all implementation specifications become required), mandatory multi-factor authentication (MFA), mandatory encryption of ePHI, a 12-month risk assessment cycle, 24-hour business associate breach notification, and enhanced workforce security training requirements.
Requirements
- Plan for mandatory MFA implementation across all systems that create, receive, maintain or transmit ePHI
- Implement encryption for all ePHI at rest and in transit
- Move the risk assessment to a 12-month cycle
- Revise business associate agreements to require breach notification within 24 hours
- Enhance the workforce security training program
Applicable To
- Healthcare Providers
- Health Plans
- Healthcare Clearinghouses
- Business Associates
Penalty Information
⚠ HIPAA violations carry civil penalties from $145 to $2,190,294 per violation depending on culpability level; criminal penalties of up to $250,000 and imprisonment.