HIPAA Update – Q1 2026

The first quarter of 2026 has brought a wave of regulatory activity, enforcement actions, and emerging compliance challenges under HIPAA. From a proposed overhaul of the Security Rule to new obligations around substance use disorder records, artificial intelligence, and vendor oversight, healthcare organizations are navigating one of the most consequential periods for health information privacy in over two decades.

This article surveys the key developments from late 2025 through early 2026 and outlines the practical steps healthcare providers and covered entities should be taking right now.

The Security Rule Might Get Its First Major Update in Over Twenty Years

Healthcare has been the number one targeted industry for cyberattacks for thirteen consecutive years. In 2024, data breaches affected more than 182 million individuals across more than 670 reported incidents — a figure likely understated given the scale of the Change Healthcare ransomware attack that year. The existing HIPAA Security Rule, largely unchanged since its original publication, has simply not kept pace.

In December 2024, the Department of Health and Human Services published a proposed update to the Security Rule — commonly referred to as “HIPAA Security Rule 2.0.” Finalization is expected in May 2026, with the rule likely becoming effective by July or August of that year. While that may seem like runway, the scope of the proposed changes is significant enough that organizations should begin preparing now.

What the Proposed Rule Requires

The most consequential change is the elimination of the distinction between “required” and “addressable” implementation specifications. Under the current rule, many organizations have treated “addressable” safeguards as optional. The proposed update makes all safeguards mandatory — fully implemented, documented, and enforced. Other key requirements include:

  • Encryption of all electronic protected health information, both at rest and in transit.
  • Multi-factor authentication on all systems that access ePHI.
  • 24-hour access termination for departing employees.
  • 72-hour system recovery following a cyber incident.
  • Annual compliance audits, technology asset inventories, and network mapping.

Manual compliance approaches — spreadsheets, human-led audits — will no longer meet the standard. For healthcare providers relying on electronic health record vendors that do not understand their obligations under the updated rule, this creates significant downstream risk.

A Divided Industry Response

The proposed rule has drawn sharp reactions. CHIME (the College of Healthcare Information Management Executives) and more than 100 hospital systems sent a letter to HHS Secretary Robert F. Kennedy Jr. in December 2025 calling for the rule to be withdrawn entirely, citing “crushing regulatory burdens.” The rule spans more than 390 pages, and OCR is now reviewing over 4,700 public comments.

On the other side, OCR Director Paula Stannard has defended the proposal, arguing that the cost of cyberattacks — in ransom payments, system remediation, lawsuits, reputational damage, and regulatory penalties — far exceeds the cost of compliance. Even the industry groups opposing the rule acknowledge that cybersecurity is a patient safety issue.

The rule’s future remains uncertain under the current administration’s deregulatory agenda, but experts recommend that organizations adopt best practices like the NIST Cybersecurity Framework now rather than waiting for a mandate.

New OCR Guidance on System Hardening

Separately from the proposed Security Rule update, OCR issued guidance in January 2026 establishing system hardening and patching as mandatory components of current HIPAA Security Rule compliance. Regulated entities must maintain IT asset inventories, monitor vulnerability alerts from NIST and CISA, conduct vulnerability scanning, and implement formal vulnerability management programs. Patching must be treated as a continuous process, not an episodic task. When patches are unavailable — for legacy systems or zero-day vulnerabilities — OCR requires compensating controls such as network segmentation and access restrictions.
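One way to operationalize the inventory-plus-alert-monitoring loop described in that guidance, as an added example that is not the article's or OCR's own code: it joins a constructed asset inventory against a constructed, simplified known-exploited-vulnerabilities feed and flags unpatchable assets that still lack a compensating control. Hostnames, product names, the feed's field names and the CVE ids are hypothetical placeholders, not real identifiers or the real CISA KEV schema.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str            # hypothetical hostname
    product: str
    version: str
    handles_ephi: bool
    segmented: bool = False   # network segmentation already in place

@dataclass
class KevEntry:          # simplified; not the real CISA KEV schema
    cve: str
    product: str
    affected_versions: frozenset
    patch_available: bool

# Constructed sample inventory and feed; CVE ids are placeholders, not real.
INVENTORY = [
    Asset("ehr-db-01", "ExampleDB", "4.2", handles_ephi=True),
    Asset("pacs-legacy", "LegacyPACS", "1.0", handles_ephi=True),
    Asset("kiosk-lobby", "KioskOS", "9.0", handles_ephi=False),
    Asset("web-portal", "PortalApp", "2.8", handles_ephi=True, segmented=True),
]
FEED = [
    KevEntry("CVE-0000-0001", "ExampleDB", frozenset({"4.1", "4.2"}), True),
    KevEntry("CVE-0000-0002", "LegacyPACS", frozenset({"1.0"}), False),
    KevEntry("CVE-0000-0003", "KioskOS", frozenset({"9.0"}), True),
    KevEntry("CVE-0000-0004", "PortalApp", frozenset({"2.8"}), False),
]

def triage(inventory, feed):
    """Return (asset, cve, action) for each exposed asset, ePHI assets first.
    action: 'patch' if a fix exists; 'compensating-control' if unpatchable
    and not yet segmented; 'verify-controls' if a control is already recorded.
    """
    findings = []
    for a in inventory:
        for e in feed:
            if a.product != e.product or a.version not in e.affected_versions:
                continue
            if e.patch_available:
                action = "patch"
            elif a.segmented:
                action = "verify-controls"
            else:
                action = "compensating-control"
            findings.append((a.name, e.cve, action, a.handles_ephi))
    findings.sort(key=lambda f: (not f[3], f[0]))
    return [f[:3] for f in findings]
```

Rerunning `triage` on each feed refresh turns patching into the continuous process the guidance calls for, and the 'compensating-control' rows are the ones that need documented segmentation or access restrictions.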

The guidance specifically identifies unused software, default administrator accounts, and improperly configured security tools as enforcement targets.

Notice of Privacy Practices: A Deadline That Has Already Passed

February 16, 2026 marked a deadline that required virtually every HIPAA-covered entity to update its Notice of Privacy Practices. The primary driver was the alignment of 42 CFR Part 2 — the regulations governing substance use disorder (SUD) records — with HIPAA standards. HHS published the rule in February 2024, giving covered entities two years to comply.

Under the new framework, patients may grant blanket consent for use of their SUD records for treatment, payment, and healthcare operations, replacing the prior requirement for separate consent for each disclosure. However, SUD records retain heightened confidentiality protections: they cannot be used in civil, criminal, administrative, or legislative proceedings without patient consent or a court order. Updated NPPs must disclose these restrictions, include redisclosure warnings, and provide opt-out opportunities for fundraising communications involving SUD records.

Critically, this requirement extends beyond SUD treatment providers. Any HIPAA-covered entity that receives Part 2 records — through care coordination, payment, or operations — must update its notice. HHS did not issue an updated model notice, meaning organizations must work with counsel to draft compliant language.

State Laws Add Another Layer

HIPAA establishes a floor for privacy protections, not a ceiling. When updating their NPPs, covered entities must also account for state laws that impose stricter requirements. New York now imposes a 30-day breach notification deadline and has expanded its definition of protected data to include medical history and health insurance identifiers. Colorado prohibits disclosing patient information for out-of-state investigations of gender-affirming or reproductive healthcare. Montana and Nevada require faster patient access to records than HIPAA’s 30-day standard. New Mexico requires patient consent for electronic record disclosures. Alabama raised its age of medical consent from 14 to 16, effective October 2025.

Organizations operating in multiple states face a complex compliance matrix. Those that fail to incorporate applicable state requirements risk noncompliance with both federal and state mandates.

Artificial Intelligence Creates New Compliance Frontiers

AI is rapidly transforming healthcare delivery — and creating entirely new categories of compliance risk. HHS has proposed expanding HIPAA Security Rule requirements to explicitly cover AI systems that handle patient health data. The January 2025 proposed rule, scheduled for finalization in May 2026, establishes that ePHI used in AI training data, prediction models, and algorithms is protected under HIPAA. Covered entities and business associates will need to maintain written inventories of AI software and monitor for vulnerabilities.

Public-server tools such as ChatGPT do not comply with HIPAA Privacy and Security Rules. AI tools must use encrypted internal servers. Civil penalties can reach $50,000 per violation, and criminal penalties for knowing violations carry one to ten years of imprisonment with fines up to $250,000. Twelve states have already enacted their own AI healthcare legislation, adding further complexity.

The per-violation structure is important to understand: every patient record improperly disclosed can constitute a separate violation. Five hundred improperly disclosed records could mean five hundred individual penalty assessments.

AI Scribes Under Scrutiny

The AI medical scribing market has grown from $397 million in 2024 to a projected $3 billion by 2033. But this rapid adoption is outpacing compliance. In November 2025, a class action was filed against Sharp HealthCare in San Diego, alleging the organization used Abridge’s ambient AI documentation tool to record more than 100,000 clinical encounters without patient consent, violating California’s all-party consent wiretapping statute. The lawsuit further alleges that EHR notes contained fabricated consent language claiming patients had agreed to recording when no such consent occurred.

Thirteen states require all-party consent for recordings, and California’s AB 3030 (effective January 2025) requires healthcare providers using generative AI to include disclaimers in patient communications.

The De-Identification Problem

Researchers at New York University have demonstrated that AI language models can re-identify patients from medical notes that have been stripped of all HIPAA identifiers. Using a BERT-based model trained on nearly 223,000 clinical notes, the researchers achieved over 99.7% accuracy predicting biological sex and produced re-identification risk 37 times higher than baseline. This vulnerability exists within a multi-billion dollar market in which hospitals and data brokers sell de-identified clinical notes to pharmaceutical firms, insurers, and AI developers. The researchers recommend shifting the policy conversation from technical de-identification solutions toward legal consequences for misuse.

Enforcement Returns to Full Strength

OCR has returned to pre-pandemic enforcement levels — and in some areas has grown more aggressive. In 2025, OCR levied more than $6.6 million in HIPAA fines. Notable settlements include $250,000 against Syracuse Ambulatory Surgical Center following a ransomware incident where no risk analysis had ever been conducted, $225,000 against Deer Oaks after a coding error exposed patient information online for eighteen months, and $182,000 against Cadia Healthcare for posting patient names, photographs, and treatment information as “success stories” without written authorization.

Right of Access enforcement continues to be a priority. In March 2025, OCR imposed a $200,000 penalty against an academic medical center for delays in providing patient records — at least the 53rd enforcement action the agency has taken on patient access. Proposed rule updates may reduce the required response time from 30 days to 15 days.

Updated Penalty Structure

The HIPAA penalty structure was updated effective January 28, 2026, under the Federal Civil Penalties Inflation Adjustment Act. For the most serious category — willful neglect not corrected within 30 days — penalties now range from $73,011 to $2,190,294 per violation, with an annual cap of $2,190,294. Criminal penalties can reach $250,000 per violation and include one to ten years of imprisonment. A 2019 Notice of Enforcement Discretion remains in effect that lowers maximum penalties in three of four tiers, but organizations should not count on it remaining indefinitely.

Data Breaches and Vendor Risks at Scale

Healthcare data breaches affected 184 million individuals in 2024 and over 31 million in the first half of 2025 alone. A survey of 613 healthcare professionals found that 60% of organizations have experienced a HIPAA-related incident or near miss, with 49% of incidents caused by internal employee error rather than external attacks.

Third-party risk is particularly acute. More than one-third of healthcare data breaches stem from third-party supplier compromises, yet only 33% of organizations conduct annual vendor risk assessments and just 69% require HIPAA training from vendors. Business associate agreements do not absolve providers of responsibility when breaches occur at the vendor level. Tracking pixels embedded in patient portals and telehealth platforms have incurred over $100 million in fines for unauthorized data sharing to analytics and social media companies.

Legacy PHI in email systems represents another underappreciated risk. A single business email compromise can expose PHI for tens of thousands of individuals, and internal emails — which typically contain the most PHI — often fall outside encryption requirements. Organizations should implement email archiving, encrypt PHI in transit, and deploy filters to detect PHI before transmission.

Legal and Legislative Developments

Several legal and legislative developments merit attention. A Texas lawsuit that challenged both the 2024 reproductive health privacy rule and the validity of the entire 2000 HIPAA Privacy Rule was dismissed in November 2025 by joint stipulation — a significant outcome for HIPAA’s continued authority. The proposed Health Information Privacy Reform Act (HIPRA) would extend HIPAA-style obligations to wearables, health apps, wellness programs, retail clinics, and data vendors that currently operate outside HIPAA coverage. HHS initiated information blocking enforcement in September 2025 under the 21st Century Cures Act, with penalties up to $1 million per violation, though no public actions have been announced as of late 2025.

HHS itself is undergoing reorganization, reducing its workforce from 82,000 to 62,000 employees and creating a new Assistant Secretary for Enforcement. The impact on regulatory pace and enforcement capacity remains to be seen.

Six Action Items for Healthcare Organizations

The regulatory landscape is shifting rapidly. Here is what organizations should prioritize:

  1. Update your Notice of Privacy Practices. The February 16, 2026 deadline has passed. If your NPP has not been revised to address Part 2 substance use disorder requirements and applicable state mandates, act immediately.
  2. Begin preparing for Security Rule 2.0. Even if the rule’s final form is uncertain, start your gap analysis. Encrypt all ePHI, implement multi-factor authentication, inventory your technology assets, and establish 72-hour system recovery capability.
  3. Audit your AI tools. Inventory every AI system that touches patient data — including tools employees may be using without your knowledge. Ensure encrypted internal servers and establish consent protocols, particularly for AI scribes.
  4. Strengthen vendor oversight. Conduct annual vendor risk assessments, customize business associate agreements to address AI-driven analytics and behavioral tracking, and implement continuous monitoring.
  5. Address email and legacy risks. Archive old emails, encrypt all PHI in transit, deploy email filters to detect PHI, and review data retention policies.
  6. Conduct a thorough risk analysis. The single most common finding in OCR enforcement actions is the failure to complete a comprehensive risk analysis. Documenting your analysis and taking meaningful steps to close identified gaps will put your organization in a significantly better position if a breach occurs.

The pace of change in healthcare privacy regulation shows no signs of slowing. Organizations that take proactive steps now — rather than waiting for mandates or enforcement actions — will be best positioned to protect both their patients and themselves.