                HIPAA Security Rule Changes 2026: What Every MSP Needs to Know

                The HIPAA Security Rule is undergoing its most significant update since the original rule took effect. With a final rule expected in May 2026, the updated requirements eliminate ambiguity, raise the technical bar, and shift the compliance conversation from "addressable" to mandatory. For MSPs managing healthcare clients, this changes everything about how you deliver and document security services.

                What's Driving the Update

                The healthcare sector has become the most targeted industry for ransomware and data breaches. The existing Security Rule—largely unchanged since 2013—was designed for a different threat landscape. The update reflects the reality that healthcare organizations face sophisticated, persistent threats and that the security controls needed to defend against them have evolved significantly.

                The updated rule also responds to a clear enforcement pattern: organizations that suffered breaches often had policies in place but hadn't implemented the technical controls those policies described. The new rule closes that gap by making implementation mandatory, not optional.

                The Biggest Changes

                1. "Addressable" Becomes Mandatory

                Under the current rule, certain controls are classified as "addressable"—meaning organizations can evaluate whether the control is reasonable and appropriate and, if not, document an alternative. In practice, many organizations used "addressable" as permission to skip controls entirely.

                The updated rule eliminates this distinction. Controls that were previously addressable—including encryption and multi-factor authentication—become mandatory requirements. The 2026 HIPAA rule changes represent significant updates that MSPs must understand. For a detailed breakdown, see our analysis of the biggest changes coming in 2026.

                2. Multi-Factor Authentication Required

                MFA moves from best practice to baseline requirement for every system that accesses electronic protected health information (ePHI). The 2026 HIPAA MFA requirement applies to remote access, cloud applications, EHR systems, and any administrative tools that touch patient data.

                3. Encryption of ePHI at Rest and in Transit

                Encryption is no longer addressable. ePHI must be encrypted both at rest and in transit. Organizations that haven't deployed encryption across their environments will need to close this gap before the compliance deadline.

                4. Annual Penetration Testing

                The updated rule requires annual penetration testing and scheduled vulnerability scanning, establishing a clear, measurable cadence for security testing that moves beyond the current "periodic" evaluation requirement.

                5. Asset Inventory and Network Mapping

                Organizations must maintain a complete inventory of all technology assets that create, receive, maintain, or transmit ePHI, along with network diagrams showing how data flows through the environment.

                6. Written Security Policies with Scheduled Reviews

                Written security policies covering every aspect of ePHI protection are mandatory, and those policies must be reviewed and updated on a documented schedule. Evidence of review must be maintained—not just evidence that a review was planned.

                Timeline and Enforcement

                The final rule is expected in May 2026. Organizations will have a compliance window following publication—typically 180 days to one year. However, HHS has signaled that the updated rule reflects the current standard of care. Organizations that experience breaches will be evaluated against these standards regardless of formal deadline status.

                What MSPs Need to Do Now

                Assess Current State Against New Requirements

                Audit every healthcare client against the updated requirements. Where is MFA deployed—and where isn't it? Is ePHI encrypted at rest on every device? When was the last penetration test? Does an asset inventory exist? The gap between current state and the new requirements defines your remediation roadmap.

                Build the Encryption Foundation

                The encryption foundation consists of full-disk encryption on endpoints, encryption for data in transit, encrypted backups, and encrypted email for ePHI. MSPs should audit encryption coverage across every client environment. Building a HIPAA-compliant security stack starts with getting the encryption layer right.

                Implement MFA Everywhere

                Every system that touches ePHI needs MFA: cloud applications, remote access, EHR systems, administrative tools, and email. This is non-negotiable under the updated rule.

                Automate Compliance Documentation

                The documentation requirements are significant: written policies with scheduled reviews, annual risk analyses, asset inventories, network maps, pen test results, and evidence of control effectiveness. HIPAA compliance automation is the only sustainable way for MSPs to manage this across multiple healthcare clients.

                The Risk Analysis Cornerstone

                The Security Risk Analysis remains the cornerstone of HIPAA compliance—but with updated HIPAA risk analysis requirements that make it more rigorous and more prescriptive about what the analysis must cover. Annual completion with a documented risk management plan is now expected.

                HIPAA in the Broader Compliance Context

                HIPAA doesn't exist in isolation. The controls required—MFA, encryption, access controls, audit logging, incident response—overlap substantially with CMMC, FTC Safeguards, NIST 800-171, and other frameworks. MSPs who implement controls once and document them against multiple frameworks create efficiency for clients in regulated industries facing multiple compliance obligations.

                The MSP Opportunity

                The updated HIPAA Security Rule raises the bar—and raises the value of MSPs who can help healthcare organizations clear it. The technical requirements are services MSPs already deliver. The documentation requirements are services MSPs can systematize with the right compliance automation tools.

                Healthcare organizations that can't meet the new requirements internally will look for partners who can. MSPs who position themselves as HIPAA compliance partners—not just IT vendors—will capture a growing share of the healthcare market.

                Take the Next Step

                Beachhead Solutions provides the security and compliance tools MSPs need to help healthcare clients meet the updated HIPAA Security Rule requirements. Schedule An Eval to see how ComplianceEZ™ and BeachheadSecure® support HIPAA compliance across your healthcare client base. Visit our Downloads & Resources library for compliance tools and guides.
