
                HIPAA Rule Changes 2026: The Five Biggest Updates for MSPs


                The updated HIPAA Security Rule—expected to finalize in May 2026—represents the most significant overhaul of healthcare cybersecurity requirements in over a decade. For MSPs managing healthcare clients, five changes stand out as the most impactful.

                1. Multi-Factor Authentication Becomes Mandatory

                MFA has been a cybersecurity best practice for years, but under the current rule it's an "addressable" specification—organizations could evaluate whether it was reasonable and many concluded it wasn't necessary.

                The updated rule changes this. MFA becomes mandatory for any system accessing electronic protected health information. EHR systems, cloud applications, remote access, email—everything that touches ePHI.

                MSP action: Audit MFA deployment across every healthcare client. Identify systems accessing ePHI without MFA. Prioritize deployment—this is the most scrutinized control in post-breach investigations. See MFA and Encryption Under the New HIPAA Rule for implementation guidance.

                2. Encryption Is No Longer "Addressable"

                Like MFA, encryption has been addressable—organizations could opt out with documentation. The updated rule eliminates this. ePHI must be encrypted at rest on all devices, servers, and storage media, and in transit across all communication channels.

                MSP action: Inventory every location where ePHI is stored and every channel through which it's transmitted. Deploy full-disk encryption on endpoints, enable encrypted email, ensure encrypted connections for data transfers, and verify backup encryption. Building a HIPAA-compliant security stack with encryption at every layer is now baseline.

                3. Annual Penetration Testing Required

                The current rule requires "periodic" technical evaluations without defining cadence. The updated rule specifies annual penetration testing and scheduled vulnerability scanning.

                This aligns HIPAA with other frameworks—CMMC, FTC Safeguards, and PCI DSS all require regular security testing.

                MSP action: Establish annual pen testing schedules for healthcare clients. Build vendor relationships with qualified testing firms. Budget for the cost and position it as a required compliance expense.

                4. Asset Inventory and Network Mapping Become Explicit

                You can't protect what you don't know exists. The updated rule requires a complete inventory of all technology assets that create, receive, maintain, or transmit ePHI, along with network diagrams documenting data flows.

                MSP action: Create asset inventories covering endpoints, servers, network devices, cloud services, and mobile devices. Map ePHI flows through each environment. Update these documents as environments change. This is foundational to the updated risk analysis requirements.

                5. Written Security Policies with Scheduled Reviews

                The updated rule mandates written security policies covering every aspect of ePHI protection—and requires those policies to be reviewed on a documented schedule. Organizations must demonstrate reviews actually occurred, not just that they were planned.

                MSP action: Audit existing policies for every healthcare client. Identify gaps—missing policies, outdated policies, policies that don't reflect current practices. Establish review schedules and create processes for documenting reviews.

                The Common Thread: Proof Over Policy

                Every change reflects the same shift: HIPAA is moving from accepting policies and risk decisions to demanding implementation evidence. Having a policy that says "we encrypt ePHI" is no longer sufficient. You must prove encryption is deployed, configured correctly, and actively maintained.

                The MSPs who build compliance automation into their service delivery will scale this efficiently. The MSPs who rely on manual documentation will struggle under the new requirements.


                Take the Next Step

                Beachhead Solutions helps MSPs meet the updated HIPAA Security Rule requirements with layered security tools and automated compliance documentation. Schedule An Eval to see how ComplianceEZ™ supports your healthcare compliance practice. Visit our Downloads & Resources library for compliance tools and guides.

                Learn more about ComplianceEZ™.
