Status Update: The 2026 HIPAA Security Rule is currently a proposed rule (NPRM), published January 6, 2025. A final rule has not yet been issued — but the time to prepare is now, before the compliance window opens.

2026 HIPAA Security Rule — Proposed Rule

The Flexibility You Relied On Is About to Be Gone.

For the first time in over a decade, HHS has proposed sweeping changes to the HIPAA Security Rule. The "addressable" safeguard designation is proposed for elimination. Documentation requirements would expand significantly across new written policies, procedures, and assessments. And the compliance window — once the final rule drops — will be shorter than most organizations expect.

HIPAA · SOC 2 · HITRUST
Practices · Startups · PE-Backed Companies
Former CEO turned CISO
What the Proposed Rule Means

Three Proposed Changes That Would Affect Every Covered Entity and Business Associate

In January 2025, HHS published the most significant proposed update to the HIPAA Security Rule since 2013. If finalized as proposed, these changes would fundamentally alter how your compliance program operates — and organizations that wait for the final rule to begin preparing will already be behind.

Required Technical Controls

MFA, encryption of ePHI at rest and in transit, and network segmentation are proposed to become required for all regulated entities. The rule retains narrow documented exceptions — for example, when a technology asset does not support MFA or encryption — but those exceptions require implementing compensating controls and thorough documentation. The days of simply noting a safeguard as "not reasonable and appropriate" are over.

Expanded Documentation Requirements

The proposed rule would require a technology asset inventory reviewed and updated on an ongoing basis, but at least once every 12 months and whenever there is a change in the environment or operations that may affect ePHI. It would also require a detailed network map of all systems handling ePHI, and written disaster recovery procedures. Critically, those procedures must include a plan to restore critical electronic information systems and data within 72 hours of a disruption.

Vendor Accountability

The proposed rule would require covered entities to obtain annual written verifications from their Business Associates confirming that the required technical safeguards have been deployed. Business Associates would face the same obligation toward their subcontractors. A BA's security gaps — or a subcontractor's — would become your compliance exposure.

Projected Compliance Timeline

When the Final Rule Drops, the Clock Starts Immediately

The NPRM was published January 6, 2025. Under the proposed rule, the effective date is 60 days after publication of a final rule. All regulated entities — regardless of size or type — then have 180 days from that effective date to comply. That means the total window from publication to the compliance deadline is 240 days for every covered entity and business associate, with no size-based distinction.

  1. Jan 6, 2025: NPRM published in Federal Register. Comment period opened.
  2. Final Rule: HHS issues final rule. Effective date is 60 days after publication.
  3. +60 Days: Rule takes effect. The 180-day compliance period begins for all regulated entities.
  4. +240 Days: Standard compliance required for all covered entities and business associates, regardless of size or type.

The final rule has not yet been issued — but that is not a reason to wait. The organizations that will meet the compliance deadline are the ones that begin their gap assessment before the clock starts.

Tier 1 — Complimentary Strategy Briefing

A 30-Minute Conversation That Tells You Where You Actually Stand

This is not a sales call. It is a practitioner-led strategy conversation — the kind where you walk away with a clearer framework for thinking about your compliance exposure than you had before you called.

  • 5 minutes: Your context — org type, size, current posture, and what is driving the call right now.
  • 15 minutes: A walk through the three proposed rule changes and where organizations in your segment are typically exposed.
  • 5 minutes: Two or three specific observations based on your intake — a framework for thinking about your gaps, not a gap analysis.
  • 5 minutes: If it makes sense, a description of the paid gap assessment and whether it is the right next step for your organization.

The briefing is led by Melissa Thornton directly — not a junior associate, not a pre-recorded webinar.

Free — 30 Minutes

Book Your 2026 HIPAA Strategy Briefing

Tell me a little about your organization so I can make this conversation as useful as possible for you.


No pressure. No jargon. I will send a short 5-minute intake form after booking so we can use our time well.

Tier 2 — Paid Engagement

The Full Gap Assessment: Fixed Scope. Fixed Fee. Fixed Timeline.

If the free briefing confirms you have meaningful exposure — and most organizations do — the next step is a structured gap assessment that gives you a written, defensible record of where you stand and a prioritized plan to get compliant before the enforcement deadline.

What Is Included

  • 60–90 minute stakeholder interview with your leadership and technical team
  • Focused document review: current policies, technical control inventory, BAA list, and prior risk assessments
  • 15–25 page written report mapped section by section to the proposed mandatory technical controls and documentation requirements
  • Prioritized remediation roadmap with 30/60/90-day milestones
  • 60-minute readout call with leadership to walk through findings and answer questions

Optional Add-Ons

  • Board Presentation (findings + risk narrative): $1,500
  • BAA Portfolio Review (up to 25 Business Associates): $2,500
  • Incident Response Tabletop Exercise: $3,500
Productized Service: $3,500 · Fixed fee · 10 business days · No scope creep
Risk Reversal: The $3,500 assessment fee is 100% credited toward any engagement of $10,000 or more within 90 days.
Why Melissa

Security Leadership Built for Business Reality

Most security consultants think in terms of frameworks, audits, and controls. I think in terms of risk, revenue, and operational reality. Because before I was a CISO, I was a CEO.

That experience changes how I work with you. I do not just identify security gaps. I help you understand what they cost, how to prioritize them against your other business priorities, and how to build a program that protects your patients without slowing down your team.

I translate cyber risk into business language. I speak fluently to your board, your leadership team, and your auditors. And I build security programs designed to scale with your organization, not fight against it.

HIPAA · HITRUST · SOC 2 · NIST CSF · Former CEO
Don't Wait for the Final Rule

The Organizations That Are Ready Started Before the Clock.

Book your free 30-minute strategy briefing today. Walk away with a clear framework for where your organization stands — before the final rule drops and the compliance clock starts.
