HIPAA Security Rule update · Finalizing May 2026
The HIPAA Security Rule changed.
Your compliance posture probably hasn't.
The first major update since 2003 is finalizing in May 2026. Wyoming practices have roughly 240 days to comply. Most haven't been told what's in it.
30 minutes · No sales pitch · No obligation
What actually changed
The proposed update, on track for finalization in May 2026 with a compliance deadline near year-end 2026 or early 2027, ends the era of "addressable safeguards." Under the current rule, encryption, MFA, and similar controls are addressable, meaning encouraged but not required: you can document why you didn't implement them and remain compliant. That's over.
Mandatory under the new rule
- Encryption of all ePHI, at rest and in transit. No more "addressable" exemption.
- Multi-factor authentication for every system that touches ePHI.
- 72-hour incident reporting to HHS.
- Annual penetration testing by a qualified third party.
- Vulnerability scans every six months.
- Network segmentation between clinical systems and the rest of your network.
- Documented business-associate oversight — not just signed BAAs sitting in a drawer.
- Asset inventory of every device, application, and service that handles ePHI.
There is no small-practice exemption. A solo dentist and Cheyenne Regional Medical Center face the same standard. The difference is that the hospital has a CISO, a compliance officer, and a seven-figure security budget. Most independent practices have none of those.
Why this matters for your practice specifically
In 2025, OCR levied over $6.6M in HIPAA fines. The pattern is consistent — small practices, ransomware incidents, inadequate risk assessments, weak technical safeguards. The 2026 update doesn't change what auditors look at. It changes what's defensible.
Under the current rule, "we documented why encryption wasn't feasible" was a real legal position. Under the new rule, "we didn't encrypt" ends the conversation. Documentation as a defense strategy is over. What matters now is whether the control is actually implemented.
The practices that will navigate this smoothly are the ones that start before Q4 2026. The ones that start in October will find every qualified pen-tester in the region booked solid through the deadline.
What we do, concretely
Twenty-plus years of medical security work, from solo practices through hospital networks. Wyoming-based. We're not a national help desk — we drive to your office, we look at the actual hardware, and we leave you with documentation that survives an OCR audit.
Gap assessment (the first conversation)
30 minutes, no obligation, no sales pitch. We ask twelve specific questions about your current setup and tell you honestly where you sit relative to the proposed rule. If you're already in good shape, we'll say so. If you have real gaps, you'll get a written summary of what they are, in plain English.
Remediation engagements
Where gaps exist, we scope the work — encryption rollout, MFA deployment, network segmentation, MDM for staff devices, BAA review, incident-response runbook, asset inventory. Fixed-price where we can, time-and-materials where the scope is genuinely unknown. You'll always know what you're paying for before we start.
Ongoing compliance operations
After the rebuild, the work doesn't stop — annual pen testing, six-month vulnerability scans, quarterly tabletop incident drills, business-associate audits, documentation upkeep. Monthly retainer or per-engagement, your choice.
The certifications we're not going to claim
"HIPAA certification" isn't a thing — anyone advertising as "HIPAA certified" is misrepresenting the law. There is no federal body that certifies compliance. What we provide is documented evidence that your controls match the rule, designed to hold up under audit.
What we don't do
- We don't write you a legal opinion. We're engineers and security practitioners, not attorneys. If you need a lawyer for a specific question, we can refer you to qualified HIPAA counsel.
- We don't guarantee you won't be breached. Anyone who guarantees that is selling you something. What we guarantee is that when an incident happens, your response, documentation, and recovery posture are defensible.
- We don't move your data into our cloud. Your ePHI stays on infrastructure you own or co-locate, with backups in places you approve. That's the point.
The realistic timeline
May – July 2026
You have time for a complete gap assessment, scoped remediation, and a calm rollout. Pen testing slots are still available.
August – September 2026
You're on a tight schedule but it's workable. Expect some compressed timelines.
October 2026 or later
You're in trouble. Every qualified pen-tester in the region will be booked. Encryption rollouts done in panic mode create their own incidents. Document why you started late — it won't get you out of the rule, but it matters for enforcement discretion.
The first conversation is free. The longer you wait, the fewer options you have.
Schedule a gap assessment
30 minutes. By phone or in person if you're within driving distance of Cheyenne.
We'll send you the twelve questions in advance so you can have the right people in the room. No prep deck, no slides — we'll just walk through your environment with you and tell you what we see.
Frequently asked questions
We already have an MSP. Do we need to switch?
No. Most of what we do for HIPAA work is project-scoped — gap assessment, remediation, annual pen test, incident-response runbook. Your existing MSP can keep running day-to-day operations. We work alongside them, not against them. If they're doing good work, we'll tell you that too.
We're a small practice. Can we afford this?
The gap assessment is free. The remediation work scales with your environment — a solo provider on a single Windows server is a much smaller engagement than a five-location practice with a dozen workstations and an on-prem EHR. We'll give you a fixed-price quote before you commit to anything. As a rule of thumb, the cost of getting compliant is dramatically less than the cost of a single breach fine.
We use a cloud EHR (Epic, Athena, eClinicalWorks). Does that cover us?
Partially. Your EHR vendor is a Business Associate, and they're responsible for the security of their platform. You're still responsible for everything else — the workstations that access the EHR, your network, your staff's mobile devices, your backups, your BAA paperwork, your incident response. The new rule explicitly expands business-associate oversight obligations on the covered entity (that's you).
What's the actual deadline?
The final rule is on OCR's regulatory agenda for May 2026, with a 240-day compliance window after publication. That puts the practical deadline in late December 2026 or January 2027. Some specific requirements may have longer phase-in periods for business associates.
How are you different from the big regional MSPs?
They're competent firms doing real work. The honest answer is: scope. The big MSPs are managed-service operations — they want a multi-year contract for ongoing day-to-day support. We're set up to handle compliance projects as projects: scoped, fixed-price where possible, finite. If you want someone to take over your full IT operations, an MSP is a better fit. If you want a specialist for the 2026 Security Rule work specifically, that's us.