2026 HIPAA Update: All you need to know - Will your company be ready?

The tech industry never sits still. New frameworks, new architectures, new AI capabilities ship every quarter, and engineering teams are expected to keep pace. Healthcare software, though, plays by a different rule: the HIPAA regulations our software must comply with change slowly.

Now, however, important HIPAA changes are coming, with a tight schedule for software updates, hence the need for prompt planning and clean, transparent execution.

Before diving into the changes and timeline, let's take a look at the context for updating HIPAA regulations, shall we?

Table of Contents

  1. Why is HIPAA updating?
  2. What do the HIPAA changes imply for healthtech companies?
  3. When are the HIPAA updates due?
  4. What are the expected 2026 HIPAA Updates?
  5. Closing Remarks

Why is HIPAA updating?

Over the last couple of years, cyberattacks on healthcare have drawn increasing attention: they not only expose sensitive health data but also disrupt real-time, life-saving care. Furthermore, because these attacks have a large blast radius, they raise particular concern for rural communities, which have fewer resources to prevent or promptly respond to ongoing attacks. [1]

Numbers shared by the HHS are astonishing, yet not altogether surprising. Between 2018 and 2023, reports showed that large data breaches increased by 102%, and the number of individuals affected by them increased by 1002%. These increases are attributed to hacking and ransomware attacks, with over 167 million individuals affected by large breaches. [2]

The proposal for HIPAA's latest considerations addresses the following [3]:

  • Changes in the environment in which health care is provided.
  • Significant increases in breaches and cyberattacks.
  • Common deficiencies OCR has observed in investigations into Security Rule compliance by covered entities and their business associates.
  • Other cybersecurity guidelines, best practices, methodologies, procedures, and processes.
  • Court decisions that affect the enforcement of the Security Rule.

What do the HIPAA changes imply for healthtech companies?

With the why covered, what's in store for the industry, and who needs to take action?
The official publication states that both covered entities and business associates are expected to take action and update their systems and operations accordingly.
As the official rulemaking tracker states, the goal is to ensure that the healthcare sector's cybersecurity is strong enough to safeguard all electronic data. The proposed rule puts a magnifying glass on prevention, detection, containment, mitigation, and finally recovery, so that organizations are fully prepared in the case of a cyberattack.

When are the HIPAA updates due?

At this time, the rule is tracked under RIN 0945-AA22. The proposal is listed in the Spring 2025 agenda, with Final Action projected for May 2026 and no Legal Deadline set as of today.

One thing is clear: this change is expected to be major. As shared on their website, the rule is not only operationally substantial but also economically significant to execute. This is a clear sign to leaders to be ready for it.

Even though the proposed rule is for the USA, all vendors, whether local or international (those who act as business associates or subcontractors and handle ePHI), are expected to perform all necessary changes to be compliant with the latest updates. As with other regulatory changes, once the rule is finalized the compliance window can be operationally demanding, yet the work is expected to be completed within a relatively short time frame.

What are the expected 2026 HIPAA Updates?

As the Fact Sheet states, there are 15+ updates to be expected, ranging from general policy to end-to-end operational changes and more rigorous auditing.
As shared earlier in this very article, these updates mostly focus on preventing known concerns across the healthcare ecosystem. A gap in a software's infrastructure can directly block a real person's medical treatment.
With that in mind, let's dive into a couple of the proposed changes. It's important to highlight once more that none of the items below are yet enforced as final-rule requirements; the current Security Rule remains in effect. Many of the items may already be covered by a variety of vendors and companies; the difference is that they would now be enforced and expected.

Technology asset inventory & network map for ePHI

In the tech industry, items such as these have been widely covered, whether for auditing and certifications or through the rise in popularity of Infrastructure as Code. What for many is a baseline now becomes an additional layer of professionalism.

HHS proposes a clear inventory of all technology assets and a clear end-to-end network map of all data. This closes the loop between platform engineering and cloud governance.

Organizations need to know where ePHI lives and moves

This proposal builds on our prior point: beyond requiring a technology asset inventory and a network map, it also calls for clearly showing the movement of ePHI through electronic information systems.

This is one of the most important changes for platform, cloud, and architecture teams. It forces organizations to answer basic but often messy questions, such as:

  • Where is ePHI stored?
  • Which systems process it?
  • Which integrations move it?
  • What infrastructure supports it?

Previously, while not directly tied to HIPAA, cloud engineering teams were often confronted with contractual requirements such as “data cannot leave” a given country, state, or region. In many cases, this was treated primarily as a hosting location decision. Now, the proposed HIPAA updates push the conversation further: teams need clearer visibility into where ePHI is stored, processed, transmitted, logged, backed up, and restored.
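One way to answer the four questions above in a reviewable form is to keep the asset inventory and the ePHI flows as data and check them against each other. The script below is an added example, not code from the article or from Light-it; every asset name, attribute, flow and the "allowed regions" constraint is constructed sample data. It builds the per-asset map of ePHI roles (stored, processed, transmitted, logged, backed up, restored) and reports the gaps a reviewer would raise: an endpoint that carries ePHI but is missing from the inventory, ePHI at rest without encryption, a store without a backup, an asset outside the permitted region, and inventory entries with no documented flow.

```python
"""Added example (not from the original article): validate a technology asset
inventory against an ePHI data-flow map. All assets, attributes, flows and
region constraints below are constructed sample data, not a real environment."""
from collections import defaultdict

# Constructed inventory: every asset that may touch ePHI, with the attributes a
# reviewer expects to find documented. Names are hypothetical.
INVENTORY = {
    "web-api":      {"owner": "platform", "region": "us-east-1", "encrypted_at_rest": True,  "backed_up": False},
    "patients-db":  {"owner": "data",     "region": "us-east-1", "encrypted_at_rest": True,  "backed_up": True},
    "audit-logs":   {"owner": "secops",   "region": "us-east-1", "encrypted_at_rest": False, "backed_up": True},
    "db-snapshots": {"owner": "data",     "region": "us-west-2", "encrypted_at_rest": True,  "backed_up": True},
}

# Constructed ePHI flows: (source, destination, role the destination plays for ePHI).
# Destination roles follow the article's list: stored, processed, transmitted,
# logged, backed_up, restored. The source of any flow is recorded as "transmits".
FLOWS = [
    ("web-api", "patients-db", "stored"),
    ("patients-db", "web-api", "processed"),
    ("web-api", "audit-logs", "logged"),
    ("patients-db", "db-snapshots", "backed_up"),
    ("db-snapshots", "patients-db", "restored"),
    ("web-api", "billing-partner", "transmitted"),  # deliberately absent from INVENTORY
]

# Constructed "data cannot leave" constraint for this hypothetical deployment.
ALLOWED_REGIONS = {"us-east-1", "us-west-2"}


def ephi_map(inventory, flows):
    """Return {asset: sorted list of ePHI roles} for every asset that appears in a flow."""
    roles = defaultdict(set)
    for src, dst, role in flows:
        roles[src].add("transmits")
        roles[dst].add(role)
    return {asset: sorted(r) for asset, r in roles.items()}


def find_gaps(inventory, flows, allowed_regions=ALLOWED_REGIONS):
    """Return a sorted list of findings: mismatches between the map and the inventory."""
    gaps = []
    touched = ephi_map(inventory, flows)
    for asset, roles in touched.items():
        if asset not in inventory:
            gaps.append(f"{asset}: carries ePHI ({', '.join(roles)}) but is not in the asset inventory")
            continue
        attrs = inventory[asset]
        if not attrs.get("owner"):
            gaps.append(f"{asset}: no owner recorded")
        if attrs["region"] not in allowed_regions:
            gaps.append(f"{asset}: ePHI in disallowed region {attrs['region']}")
        if not attrs["encrypted_at_rest"]:
            gaps.append(f"{asset}: ePHI at rest without encryption")
        if "stored" in roles and not attrs["backed_up"]:
            gaps.append(f"{asset}: stores ePHI but has no backup")
    # An inventory entry with no flow is either unused or an undocumented ePHI path.
    for asset in inventory:
        if asset not in touched:
            gaps.append(f"{asset}: in inventory but no documented ePHI flow")
    return sorted(gaps)


if __name__ == "__main__":
    for asset, roles in sorted(ephi_map(INVENTORY, FLOWS).items()):
        print(f"{asset:15} {', '.join(roles)}")
    print("\nGaps:")
    for gap in find_gaps(INVENTORY, FLOWS):
        print(" -", gap)
```

Running it lists each asset with the roles it plays for ePHI and then the two constructed gaps (an unencrypted log store and an external recipient missing from the inventory). In practice the inventory and flows would be generated from Infrastructure as Code state or cloud APIs rather than typed by hand, but the checks stay the same.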

Incident response and recovery become measurable.

For companies that already follow best practices, this should have been done to begin with. But in reality, prioritizing resilient systems and clear operations for situations that have not yet happened, or that one hopes never happen, is a sector-wide gap.

Now, knowing how resilient systems should work is not the same as consistently funding, testing, and maintaining them. The proposed rule makes recovery more measurable, pushing organizations to prove they have written procedures, restoration priorities, and tested incident response plans.

The proposal aims for stronger contingency planning and incident response requirements, including written procedures to restore certain systems and data within 72 hours, making recovery less of a vague compliance promise and more of an operational requirement.

For teams leveraging AWS, this connects directly to backup strategy, restore testing, incident runbooks, logging, monitoring, snapshots, recovery priorities, and evidence that the process actually works. From the very first certification onwards, this is a topic of high importance, as prevention is always better than reactive practice.

Security testing and segmentation become recurring work.

Last, but surely not least, we're circling back to prevention through active testing and vulnerability scanning as the norm, with expectations including, but not limited to:

  • Vulnerability scanning every six months as the baseline
  • Penetration testing once every twelve months
  • Network segmentation
  • Testing the effectiveness of certain security measures at least once every 12 months

This is a major practical shift, as it turns security from a static one-time setup into a recurring operational expectation. For cloud architectures that were only vaguely aligned with prior regulations, this will translate directly into redesigning, migrating, patching, remediating, and other actions to ensure everything adheres once the updates are rolled out.
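The recurring cadences listed above and the 72-hour restore target from the recovery section both reduce to the same question: can the organization show dated evidence, and is it recent enough? The script below is an added example, not code from the article or from Light-it, that tracks both. The cadence table encodes the article's six-month and twelve-month intervals; the yearly restore-test interval, the control names, the evidence dates and the restore-test timings are all constructed assumptions. It reports which controls are overdue (or have no evidence at all) and which restore tests exceeded the 72-hour target, ordered by restoration priority.

```python
"""Added example (not from the original article): track evidence for recurring
security controls and check restore tests against a 72-hour target. The control
names, cadences other than those stated in the article, and every record below
are constructed sample data."""
from datetime import date, datetime, timedelta

# Maximum age of evidence per control. Scan and pentest/effectiveness intervals
# follow the article; the restore_test interval is an assumption for this example.
CADENCE_DAYS = {
    "vulnerability_scan": 182,          # every six months
    "penetration_test": 365,            # once every twelve months
    "control_effectiveness_test": 365,  # at least once every 12 months
    "restore_test": 365,                # assumption: restore procedures exercised yearly
}
RTO_HOURS = 72  # restore target named in the proposal

# Constructed evidence ledger: (control, ISO date the evidence was produced).
EVIDENCE = [
    ("vulnerability_scan", "2026-01-10"),
    ("vulnerability_scan", "2025-07-02"),
    ("penetration_test", "2025-02-20"),
    ("restore_test", "2025-11-15"),
    # no control_effectiveness_test evidence at all
]

# Constructed restore-test results: (system, started, finished, restoration priority).
RESTORE_TESTS = [
    ("patients-db", "2025-11-15T08:00", "2025-11-16T02:30", 1),
    ("audit-logs", "2025-11-15T08:00", "2025-11-19T09:00", 2),
    ("web-api", "2025-11-15T08:00", "2025-11-15T10:00", 1),
]


def overdue_controls(evidence, today, cadence=CADENCE_DAYS):
    """Return {control: days_overdue} for controls whose newest evidence is older
    than its cadence. A control with no evidence at all maps to None."""
    latest = {}
    for control, day in evidence:
        d = date.fromisoformat(day)
        if control not in latest or d > latest[control]:
            latest[control] = d
    overdue = {}
    for control, max_age in cadence.items():
        if control not in latest:
            overdue[control] = None
            continue
        age = (today - latest[control]).days
        if age > max_age:
            overdue[control] = age - max_age
    return overdue


def restore_results(tests, rto_hours=RTO_HOURS):
    """Return [(system, hours_taken, within_rto)] ordered by restoration priority, then name."""
    out = []
    for system, start, end, priority in sorted(tests, key=lambda t: (t[3], t[0])):
        elapsed = datetime.fromisoformat(end) - datetime.fromisoformat(start)
        hours = elapsed / timedelta(hours=1)
        out.append((system, round(hours, 1), hours <= rto_hours))
    return out


if __name__ == "__main__":
    today = date(2026, 3, 1)  # constructed review date
    for control, days in overdue_controls(EVIDENCE, today).items():
        print(f"{control}: {'no evidence' if days is None else f'overdue by {days} days'}")
    for system, hours, ok in restore_results(RESTORE_TESTS):
        print(f"{system}: {hours}h {'within' if ok else 'EXCEEDS'} {RTO_HOURS}h target")
```

With the constructed data and a review date of 2026-03-01, the penetration test is nine days past its yearly window, no effectiveness test has ever been recorded, and the priority-2 log store took 97 hours to restore, which is exactly the kind of finding the "evidence that the process actually works" sentence above asks teams to be able to produce before an auditor does.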

Closing Remarks

All in all, most, if not all, of the updates have long been key topics for the tech industry. Whether framed as the AWS Well-Architected Framework, best practices, DevSecOps, or operational strategy, none of them come across as far-fetched; they read as the expected foundation of a mature healthcare technology environment.

These updates are expected to strengthen systems and incident responses, resulting in better end-user experience, increased confidence, and a decrease in negative impact on patients. It's all we can ever truly hope for, isn't it?

When evaluating business associates and vendors, the question is no longer whether they follow security best practices in principle, but whether they can demonstrate it end-to-end.

Building software spans many verticals, and understanding security, disaster recovery, SLAs, and SLOs is at the very least a guiding light for long-term strategic success. At Light-it, security and compliance are built into how we architect, build, and maintain healthcare software, not added at the end.