Understanding the Proposed New 2026 HIPAA Rules and Their Impact on Your Cybersecurity Investment

The regulatory landscape for healthcare data is shifting again. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has issued a Notice of Proposed Rulemaking to significantly strengthen the HIPAA Security Rule, with final rules expected to take effect in or before 2026.

For covered entities and business associates, especially small to mid-sized organizations, these changes are not just a legal concern. They directly affect how you plan, budget, and prioritize cybersecurity investments for the next several years.

This article explains the most important elements of the proposed HIPAA changes, what they mean in practical terms, and how to align your cybersecurity strategy and spending so your organization remains both secure and compliant.

Important note
The Security Rule changes discussed here are based on current HHS and OCR proposals and related regulatory initiatives. Details may change before finalization. Organizations should consult legal counsel for specific compliance advice.


Why HIPAA Is Changing Now

The original HIPAA Security Rule dates back to an era before cloud-first architectures, widespread ransomware, and AI-enabled threats. Since then:

  • Ransomware has become the leading cause of healthcare data breaches.
  • Most organizations now rely on cloud services, SaaS platforms, and remote work.
  • Attackers increasingly target third-party vendors and managed service providers.

OCR has been signaling for years that the Security Rule needs modernization. The proposed changes aim to:

  • Clarify expectations that were previously described at a very high level.
  • Reflect modern security controls such as multi-factor authentication and encryption by default.
  • Tighten requirements around risk analysis, vendor oversight, and incident response.

For healthcare organizations, this is both a challenge and an opportunity. It forces you to modernize security, but it also gives you a clearer roadmap for where to invest.


Key Proposed HIPAA Security Rule Changes That Affect Your Security Program

The proposals build on the existing Security Rule structure. Many familiar requirements remain. The difference is that OCR is making expectations more explicit and more prescriptive.

Below are the areas that will most directly impact your cybersecurity planning and budget.

1. More Specific and Ongoing Risk Analysis and Risk Management

What is changing

Risk analysis has always been required, but the proposed rules:

  • Expect a more formal, documented, and repeatable process.
  • Emphasize that risk analysis must be updated regularly, not performed once and filed away.
  • Clarify that cloud services, remote work, and third-party vendors must be fully included.

What this means for you

You will need:

  • A structured risk assessment process, not an ad hoc checklist.
  • Clear documentation that shows how you identify, prioritize, and mitigate risks.
  • Evidence that risk analysis actually drives your security decisions and budget.

Where InfiniTech helps

  • Managed IT Services and InfiniCare Managed IT provide continuous monitoring, documentation, and reporting that support both risk assessments and ongoing risk management.
  • Managed Security Services and MDR supply continuous detection and response data, which can be used to show how you are actively managing identified risks.

2. Stronger Requirements for Access Controls and Authentication

What is changing

The proposed updates move toward:

  • Explicit expectations for multi-factor authentication, especially for remote and privileged access.
  • Tighter controls around user provisioning and deprovisioning.
  • More granular access controls based on roles and least privilege.

What this means for you

You should plan to:

  • Implement multi-factor authentication across critical systems such as EHR platforms, VPN, remote desktop, and administrative access.
  • Formalize and automate joiner, mover, and leaver processes for users.
  • Review privileged access to servers, cloud consoles, and administrative tools and reduce access where possible.

Where InfiniTech helps

  • Managed Network Services can implement secure remote access, VPN, and identity-aware controls.
  • Endpoint Protection and Device Security and Firewall and Network Security support least-privilege and zero-trust style controls that align with stricter access requirements.

3. Encryption as the Practical Default

What is changing

Encryption has long been an “addressable” implementation specification. In practice, regulators increasingly expect encryption by default. The proposed rules push this further by:

  • Raising expectations for encryption of data at rest and in transit.
  • Tightening expectations for secure communications, remote access, and data sharing with third parties.

What this means for you

You should assume:

  • Unencrypted laptops, portable devices, and endpoints that handle ePHI will be seen as a serious risk.
  • Data in cloud environments must be encrypted both at rest and in transit, with strong key management.
  • Communication platforms such as email, messaging, and file sharing must meet encryption and secure transmission expectations.

Where InfiniTech helps

  • Data Encryption and Secure Communication solutions protect data wherever it resides or moves, including cloud, data center, and remote endpoints.
  • Cloud Infrastructure Management and Hybrid Cloud Solutions allow you to design and manage cloud environments with encryption and key management built in.

4. Incident Response, Breach Detection, and Audit Logging

What is changing

The updated rules place more emphasis on your ability to detect, investigate, and contain incidents quickly. This includes:

  • More detailed expectations for audit logging and monitoring of systems that store or transmit ePHI.
  • Clearer requirements for incident response plans and documented procedures.
  • Stronger alignment between technical detection capabilities and breach notification timelines.

What this means for you

You will need to:

  • Maintain centralized logging and monitoring across servers, endpoints, network devices, and cloud services.
  • Have a documented incident response plan that defines roles, responsibilities, escalation paths, and decision criteria for breach determination.
  • Demonstrate that you can identify and respond to suspicious activity in a timely, repeatable way.

Where InfiniTech helps

  • Managed Detection and Response (MDR) provides 24/7 monitoring, threat hunting, and response. It supports audit and incident response requirements by generating the evidence and timelines regulators expect.
  • Managed Backup and Continuity with InfiniVault helps you recover quickly from ransomware and other destructive incidents, reducing operational impact and supporting continuity plans.

5. Vendor Management and Business Associate Oversight

What is changing

As more PHI moves into the cloud and into third-party platforms, OCR is:

  • Raising expectations for due diligence before you engage vendors.
  • Expecting more detailed and actively managed Business Associate Agreements.
  • Looking more closely at how you verify that vendors actually meet their security obligations.

What this means for you

You should:

  • Treat vendor and cloud security as a core part of your HIPAA program, not a side policy.
  • Implement a vendor risk management process that includes questionnaires, security reviews, and periodic reassessments.
  • Ensure your contracts clearly define security controls, breach notification timelines, and responsibilities.

Where InfiniTech helps

  • Data Center and Cloud Modernization and Hybrid Cloud Solutions reduce the complexity of multi-vendor environments by providing a cohesive, secure infrastructure.
  • As a trusted technology partner, InfiniTech can serve as a primary managed services and security provider, reducing the burden of coordinating multiple disparate vendors and supporting a more unified, auditable security architecture.

6. Updated Contingency Planning and Business Continuity

What is changing

The proposed rules modernize expectations around availability and resiliency. This includes:

  • More explicit requirements for disaster recovery planning, testing, and documentation.
  • Greater emphasis on resilience against ransomware and cyber extortion.
  • Stronger alignment between backup practices and your overall continuity strategy.

What this means for you

You should ensure:

  • Your backup and recovery capabilities are tested regularly and documented.
  • Recovery time objectives (RTO) and recovery point objectives (RPO) are clearly defined and aligned with business needs.
  • Continuity plans consider not only natural disasters but also prolonged cyber incidents such as ransomware or supply chain attacks.

Where InfiniTech helps

  • Disaster Recovery and Business Continuity services provide automated backups, real-time replication, and failover planning that meet modern expectations for availability.
  • InfiniVault managed backup gives you end-to-end protection of your information, with centralized monitoring and management and a focus on reliable recovery.

How the Proposed Rules Change Your Cybersecurity Investment Strategy

Many healthcare organizations treat cybersecurity as a compliance checkbox rather than a strategic investment. The new HIPAA proposals make that approach risky. Regulators are increasing scrutiny. Attackers are targeting healthcare more aggressively. Insurance carriers are tightening underwriting standards.

The organizations that will fare best are those that:

  • Treat cybersecurity as an enterprise risk management function.
  • Use HIPAA as a baseline, not a ceiling.
  • Invest in modern, scalable, and well-managed security capabilities.

Here is how to rethink your budget and roadmap.

1. Shift Spending from Reactive to Proactive

Legacy models focus on break/fix support and after-the-fact remediation. The proposed HIPAA changes favor organizations that:

  • Monitor continuously instead of responding only when something breaks.
  • Identify and mitigate risks before they become incidents.
  • Build security into infrastructure and workflows rather than bolting it on later.

How InfiniTech supports this shift

  • InfiniCare Managed IT delivers proactive monitoring and maintenance that prevent many outages before they occur and keep your environment aligned with best practices.
  • Managed Security Services and MDR give you continuous visibility across endpoints, networks, and cloud services to detect and neutralize threats early.

2. Prioritize Controls That Address Multiple Requirements at Once

When budgets are limited, you need investments that deliver both risk reduction and compliance value. Consider:

  • Multi-factor authentication
    Supports access control, remote access security, ransomware defense, and insurance requirements.
  • Centralized logging and MDR
    Improves detection and response, supports incident investigation, and documents due diligence for regulators.
  • Encrypted, managed backups with tested recovery
    Supports HIPAA contingency requirements, business continuity, and resilience against ransomware.
  • Security awareness training
    Reduces phishing risk, supports privacy requirements, and demonstrates a culture of compliance.

How InfiniTech aligns with this approach

  • Security Awareness Training turns employees into a security asset and provides a measurable control that supports HIPAA’s administrative safeguards.
  • Endpoint Protection, MDR, and Firewall and Network Security work together as a multi-layered defense that touches almost every part of the Security Rule.

3. Use Cloud and Modern Infrastructure to Improve Both Security and Compliance

Modernized infrastructure can be more secure, easier to manage, and simpler to audit than aging on-premises systems. The proposed rules do not discourage cloud usage. Instead, they expect you to manage it appropriately.

Benefits of modern infrastructure

  • Consistent patching and configuration management.
  • Built-in encryption and identity controls from major cloud platforms.
  • Easier logging, monitoring, and automation across environments.

How InfiniTech helps

  • Cloud Infrastructure Management and Data Center Modernization services move you toward a modern, secure, and scalable environment that is easier to align with updated HIPAA requirements.
  • Hybrid Cloud Solutions allow you to keep sensitive workloads where they make the most sense while still leveraging the flexibility and security features of the cloud.

Action Plan: Preparing Now for the 2026 HIPAA Security Landscape

Even though the proposed rules are not yet final, waiting to act is risky. Many of the expected changes are simply codifying what is already considered best practice.

Here is a practical roadmap for the next 12 to 24 months.

Step 1. Perform a Thorough, Documented Risk Assessment

  • Inventory systems, data flows, vendors, and cloud services that handle PHI or ePHI.
  • Identify technical, administrative, and physical risks, and prioritize them by likelihood and impact.
  • Document remediation plans, owners, and timelines.

InfiniTech’s managed services platform and monitoring capabilities provide the visibility and documentation you need to make this assessment meaningful, not just a paper exercise.

Step 2. Strengthen Identity, Access, and Endpoint Security

  • Implement multi-factor authentication for remote access, privileged access, and critical systems.
  • Enforce least privilege across systems, especially for administrative accounts.
  • Standardize endpoint protection with centralized policy management, monitoring, and reporting.

InfiniTech’s Managed Network Services and Endpoint Protection and Device Security deliver these controls at scale while keeping them manageable for internal IT teams.

Step 3. Modernize Backup, Recovery, and Continuity

  • Ensure all critical systems and PHI repositories are protected by encrypted, regularly tested backups.
  • Define and document RTO and RPO metrics that align with clinical and business needs.
  • Integrate backup and recovery into your incident response plan, especially for ransomware scenarios.

InfiniTech’s InfiniVault managed backup and Disaster Recovery and Business Continuity services are specifically designed to support these goals.

Step 4. Implement Centralized Monitoring, Logging, and Incident Response

  • Aggregate logs across endpoints, network devices, servers, and cloud services.
  • Establish a documented incident response plan that includes playbooks for common scenarios such as ransomware, lost devices, and compromised accounts.
  • Use MDR to provide 24/7 coverage, rapid response, and detailed incident reporting.

InfiniTech’s Managed Detection and Response gives you an enterprise-grade security operations capability without the cost and complexity of building it in-house.

Step 5. Build a Culture of Security and Compliance

  • Provide regular, role-based security awareness training for all staff.
  • Conduct periodic phishing simulations and use the results to target additional training.
  • Review and update policies and procedures to reflect actual practices and the new regulatory expectations.

InfiniTech’s Security Awareness Training programs and managed services help ensure that policy, practice, and technology move together.


Key Takeaways for IT and Business Leaders

  • HIPAA is being modernized to reflect the current threat landscape, and the proposed 2026 rules significantly sharpen expectations for security controls, risk management, and incident response.
  • Many of the forthcoming requirements align with what insurers, auditors, and industry best practices already expect, especially around MFA, encryption, backup, and continuous monitoring.
  • The most effective cybersecurity investments are those that both reduce real risk and support multiple regulatory requirements simultaneously.
  • Partnering with a managed services provider that understands healthcare, cloud, and cybersecurity allows you to transform compliance from a burden into a strategic advantage.

How InfiniTech Can Help You Move Forward

InfiniTech Consulting specializes in four pillars that align directly with the evolving HIPAA landscape:

  • Managed IT Services to provide proactive, reliable IT operations and documentation that support risk management and compliance.
  • Cybersecurity Services including MDR, endpoint security, firewall and network protection, encryption, and awareness training to protect critical business systems from evolving threats.
  • AI and Automation to streamline processes, improve monitoring and reporting, and free your teams to focus on higher-value work.
  • Data Center and Cloud Solutions to modernize and automate your infrastructure, making it more secure, scalable, and compliant by design.

If you are evaluating how the proposed 2026 HIPAA changes will affect your cybersecurity roadmap and budget, this is the right time to assess where you stand and to plan a modernization path. InfiniTech can help you perform that assessment, prioritize investments, and implement solutions that keep your organization secure, compliant, and ready for what comes next.