Constraint: constraint.hipaa-security-rule-2026

HIPAA Security Rule — 2026 Modernization

The HIPAA Security Rule underwent its first major overhaul since 2003. Final rule published early 2026; compliance deadline approximately September 2026 (180 days from effective date). Mandatory requirements: MFA for all ePHI access; encryption at rest and in transit (elevated from addressable to required); comprehensive asset inventories; documented systematic risk analyses; annual penetration testing; biannual vulnerability scanning; 72-hour critical-system RTO; annual written vendor verification of technical safeguard implementation; shortened breach-reporting windows. The addressable-vs-required safeguard distinction is eliminated. No changes to the HIPAA marketing rule or PHI marketing authorization requirements.

Confidence: 82% · v2 · reviewed Jun 4, 2026
Tags: hipaa, security-rule, mfa, encryption, penetration-testing, vulnerability-scanning, breach-notification, ephi, healthcare, cdp, baa, 2026, rto, vendor-verification, asset-inventory

The HIPAA Security Rule underwent its first major overhaul since its 2003 introduction. The final rule was published by HHS in early 2026. Compliance deadline: approximately 180 days from the effective date, estimated as September 2026.

Status

Final rule published early 2026. Effective approximately 60 days after Federal Register publication. 180-day compliance grace period. Estimated compliance deadline: ~September 2026. (Source: HIPAA Vault, January 2026; Chess Health Solutions, November 2025.)

Note: The addressable-vs-required safeguard distinction that existed in the 2003 Security Rule is eliminated. All safeguards are now mandatory with no documented-equivalent substitutions.

Mandatory Requirements

Multi-factor authentication (MFA). All access to electronic Protected Health Information (ePHI) — by covered entity staff and by business associates (CDPs, data processors, activation vendors) — must use MFA.

Encryption — required. Encryption of ePHI at rest and in transit is now mandatory (previously "addressable"). CDPs and data warehouses holding ePHI must provide encryption at rest and in transit.

Annual penetration testing. All ePHI-handling systems must undergo annual penetration testing by a qualified party. This is distinct from the existing risk analysis requirement.

Biannual vulnerability scanning. Systematic vulnerability scans of ePHI-handling infrastructure required twice per year. CDPs, CDWs, and activation pipelines touching ePHI are in scope.

72-hour recovery time objective. Critical systems must be restorable within 72 hours following a security incident or failure. CDPs serving covered entities must confirm their RTO for ePHI-handling components meets this threshold.

Annual written vendor verification. Covered entities must obtain annual written confirmation from business associates — including CDPs, CDWs, and activation vendors — that they have implemented the required technical safeguards. BAA language must be updated to reflect this obligation.

Comprehensive asset inventories. Covered entities and business associates must maintain documented inventories of all systems that handle ePHI, including CDP integrations, activation destinations, and CDW connections.

Documented risk analyses. Regular, systematic risk analyses (not one-time assessments) are required. For CDP deployments: periodic architectural reviews covering all data flows, new integrations, and vendor access points.

Shortened breach notification. Business associate breach notification windows may be shortened to 24 hours in some categories (from 60 days). CDP vendors in BAA relationships must update incident-response workflows.

Marketing Rule: Unchanged

The HIPAA Privacy Rule marketing authorization requirements are not affected by the 2026 Security Rule update. PHI marketing use restrictions remain as documented in constraint.hipaa-phi-cdp-healthcare.

CDP Implications

CDPs serving healthcare organizations (covered entities, health plans, specialty care networks) that process ePHI must:

Vendors with existing "HIPAA-ready" tiers should update their compliance posture documentation:

Relationship to constraint.hipaa-phi-cdp-healthcare

This constraint governs how systems holding ePHI must be built and secured. constraint.hipaa-phi-cdp-healthcare governs what you may do with PHI in marketing contexts. Both apply simultaneously to CDPs serving covered entities.

Related

Referenced by

  • governed-by → vendor.adobe-experience-platform: AEP Healthcare Shield is the primary HIPAA-tier vendor for healthcare-CDP buyers. The 2026 Security Rule modernization (MFA mandatory for ePHI access, encryption elevated to required, shortened breach notification) directly governs the AEP Healthcare Shield deployment posture. Translation note: TC-76 proposal authored edge as constraint→constrains→vendor; Synthesizer translated to schema-valid reverse-direction governed-by edge.
  • governed-by → vendor.freshpaint: Freshpaint is a HIPAA-compliant healthcare analytics platform. The 2026 HIPAA Security Rule modernization (MFA, mandatory encryption, asset inventories, 24-hour breach notification for business associates) applies to all access paths to ePHI in Freshpaint's pipeline. Translation note: TC-76 proposal authored edge as constraint→constrains→vendor; Synthesizer translated to schema-valid reverse-direction governed-by edge.
  • governed-by → archetype.aep-locked-healthcare-cx-evaluator: OC-045. The 2026 HIPAA Security Rule modernization (MFA mandatory for ePHI access, encryption elevated to required, shortened breach reporting) applies to this archetype: VP Engineering is RACI-Accountable (Security Rule is an engineering governance question); AEP Healthcare Shield and CDW BAA scope must both be confirmed against the updated Security Rule requirements before path selection.
  • governed-by → archetype.healthcare-provider-hipaa-performance-marketing: OC-045. The 2026 HIPAA Security Rule modernization applies to the tracking-layer PHI suppression architecture: event-collection SDKs (Freshpaint, Ours Privacy), server-side processing, and any system handling ePHI must implement MFA and mandatory encryption when the revised rule is finalized.