Source: source.hipaavault-com.resources-2026-hipaa-changes-2026

2026 HIPAA Security Rule Changes — HIPAA Vault

Overview of the 2026 HIPAA Security Rule overhaul: final rule published early 2026, effective approximately 60 days after Federal Register publication, compliance deadline approximately 180 days from the effective date (~September 2026). New mandatory technical requirements beyond the 2003 rule: annual penetration testing, semiannual (twice-yearly) vulnerability scanning, a 72-hour recovery time objective for critical systems, and annual written vendor verification that technical safeguards are implemented. The addressable-vs-required two-tier standard is eliminated; all safeguards are now mandatory. The Privacy Rule's marketing provisions and PHI marketing authorization requirements are unchanged. MFA, encryption at rest and in transit, asset inventories, and breach-notification timelines are also confirmed as mandatory.

confidence 78% · v1 · indexed Jun 4, 2026
tags: hipaa, security-rule, 2026, mfa, encryption, penetration-testing, vulnerability-scanning, breach-notification, ephi, compliance, healthcare-cdp, 72-hour-rto, vendor-verification, addressable-safeguards

2026 HIPAA Security Rule Changes

Published January 16, 2026 by HIPAA Vault. Source is a vendor-domain compliance resource (HIPAA Vault provides HIPAA-compliant cloud hosting); claims are regulatory summaries, not vendor-promotional content.

Rule Status

The HIPAA Security Rule is undergoing its first major overhaul since its 2003 introduction.

New Mandatory Requirements (Beyond 2003 Rule)

Annual penetration testing. All ePHI-handling systems must undergo annual penetration testing. This is new and distinct from the existing risk analysis requirement; it requires active testing by a qualified party.

Semiannual vulnerability scanning. Systematic vulnerability scans of ePHI-handling infrastructure are required twice per year (every six months), not every two years. CDPs (customer data platforms), CDWs (cloud data warehouses), and activation pipelines that touch ePHI are in scope.

72-hour recovery time objective. Critical systems must be restorable within 72 hours following a security incident or system failure. CDPs serving covered entities must demonstrate an RTO of 72 hours or less for ePHI-handling components.

Annual written vendor verification. Covered entities must obtain annual written confirmation from business associates — including CDPs, cloud data warehouses, and activation vendors — that they have implemented the required technical safeguards. BAA language must be updated to include this verification obligation.

Elimination of the addressable-vs-required standard. The 2003 Security Rule divided safeguards into "required" (mandatory) and "addressable" (could be substituted with a documented equivalent). The 2026 revision eliminates this distinction — all safeguards are now mandatory with no addressable equivalents. Most significantly, encryption at rest is now fully required (previously addressable).

Confirmed Mandatory Requirements (Consistent With Prior Analysis)

MFA, encryption at rest and in transit, asset inventories, and breach-notification timelines are confirmed as mandatory. This source adds no new detail on these items beyond what the existing constraint node already covers.

Marketing Rule: No Changes

The HIPAA Privacy Rule marketing authorization requirements are unchanged. PHI cannot be used for marketing communications without individual authorization, with two narrow exceptions (a face-to-face communication made by the covered entity to the individual, and a promotional gift of nominal value). No modifications to the marketing rule were included in the 2026 Security Rule update.

Relationship to Constraint Node

This source grounds new details for constraint.hipaa-security-rule-2026. The current node (v1, 2026-05-17) accurately covers MFA, encryption, asset inventories, and breach notification. This source adds: annual penetration testing, biannual vulnerability scanning, 72-hour RTO, and annual written vendor verification. Body update drafted in evolution-log/2026-06-04/web-refresh.md.