
HIPAA Security Rule 2026 Update: Q3 Deadlines for CEs

Posted: April 15, 2026 to Compliance.

HHS issued proposed changes to the HIPAA Security Rule in December 2024, and covered entities now face a set of Q3 2026 implementation targets that tighten encryption, audit logging, and — for the first time explicitly — AI and third-party vendor controls. This guide walks through what changed, who's affected, and the twelve actions every covered entity should complete before the end of Q3.

Petronella Technology Group has served healthcare covered entities and business associates since 2002. Our team includes four CMMC-Registered Practitioners and our founder Craig Petronella wrote the HIPAA Compliance Guide available on Amazon. We work with hospital systems, physician groups, ambulatory surgery centers, and the business associates who support them across the Eastern US. This analysis reflects our reading of the proposed rule plus what we're seeing auditors focus on in actual 2026 engagements.

What Changed in the Proposed Rule

The proposed 45 CFR 164 Subpart C update moves several previously "addressable" implementation specifications to "required" and introduces new specifications in three areas: encryption, contingency planning, and third-party risk management. The effective date for most provisions is 180 days after the final rule publishes. Industry expectation is a Q2 2026 final rule, which places the compliance deadline squarely in Q3-Q4 2026.

Encryption at rest and in transit becomes required

Under the current rule, encryption is an "addressable" specification — meaning you can document why you chose a compensating control instead. The proposed rule makes encryption of electronic Protected Health Information (ePHI) required at rest and in transit, with limited exceptions. Covered entities relying on network-segmentation-only controls must plan for full encryption coverage.

Multi-factor authentication becomes required

MFA moves from best practice to required for all access to ePHI. SMS-based 2FA is not acceptable under the proposed rule guidance — HHS references NIST SP 800-63B Authenticator Assurance Level 2 or higher, which excludes SMS.

Audit log retention tightens

The current rule requires audit logs without specifying a retention period. The proposed rule sets a minimum retention of 12 months for audit logs tied to ePHI access, modification, or export events. Several covered entities we work with are currently at 90 days.

New: third-party and AI vendor oversight

This is the most consequential change for mid-market covered entities. The proposed rule adds specific obligations around "new or emerging technology" vendors including generative AI services. Covered entities must document:

  • The specific ePHI data categories that flow to each vendor.
  • The vendor's Business Associate Agreement (BAA) coverage of that data flow.
  • The vendor's ability to produce audit logs on demand.
  • Contingency procedures if the vendor suffers a breach or ceases operations.

In practice this means ChatGPT Team, Google Gemini, and Microsoft Copilot without an appropriate BAA and without audit log access are not compliant vendors for ePHI-touching workflows. We've written extensively on private AI alternatives that do meet this bar.

New: contingency planning drills

Written contingency plans are not enough under the proposed rule. Covered entities must conduct tabletop exercises at least annually, with documented results and corrective actions for identified gaps.

New: vulnerability scanning cadence

Quarterly vulnerability scanning of the ePHI boundary is proposed as a required specification. Annual penetration testing is also referenced, though still addressable in the draft text.

Who Has To Act

The proposed rule applies to all covered entities (health plans, health care clearinghouses, and most healthcare providers) and all business associates that handle ePHI on their behalf. Small practices are not exempt — HHS specifically addressed the small-practice burden in the Regulatory Impact Analysis and declined to create a size-based carve-out.

In our client base the typical mid-market covered entity is a 10- to 200-provider practice, a regional hospital system, or a physician-managed network. The typical business associate is a billing company, a health-IT SaaS firm, a managed IT services provider, or a revenue cycle management firm.

Twelve Actions Before Q3 2026

1. Encrypt everything

Every workstation: BitLocker with TPM and recovery keys escrowed in your key management system. Every server: full-volume encryption. Every backup: encrypted with keys distinct from production. Everything in transit: TLS 1.2 minimum, TLS 1.3 preferred, no legacy SSL anywhere.

2. Remove SMS MFA

Audit your ePHI-accessing systems for SMS-based 2FA. Replace with FIDO2 hardware keys (YubiKey, Google Titan) or TOTP (Microsoft Authenticator, Google Authenticator, Duo). Budget roughly $50-80 per employee for hardware keys.

3. Inventory AI and LLM usage

Survey every department. Identify every generative AI tool in active use — sanctioned and unsanctioned. For each, determine whether ePHI has flowed to the tool, whether a BAA exists, and whether the vendor can produce audit logs on demand. Most practices find at least three unsanctioned tools.

4. Extend audit log retention to 12 months

Check your SIEM, EHR audit module, and identity provider log retention. Extend as needed. If storage cost is a concern, consider tiered retention (hot 90 days, warm 9 months, cold archive) rather than cutting coverage.

5. Run a tabletop exercise

Pick a realistic scenario — ransomware hitting your EHR, an insider exfiltrating records, a business associate breach. Run a 90-minute facilitated walkthrough with your IT, compliance, legal, and executive leadership. Document gaps. Assign owners.

6. Quarterly vulnerability scan cadence

If you're currently at annual scanning, schedule quarterly scans for the ePHI boundary. Use authenticated scans where possible — network-only scans miss application-layer vulnerabilities.

7. Update your risk analysis

45 CFR 164.308(a)(1)(ii)(A) already requires periodic risk analysis. Update yours to reflect the proposed rule changes. Document data flows, vendor relationships, and new AI-related risks explicitly.

8. Revise BAA templates

Existing BAAs may not cover new AI vendor requirements. Work with counsel to revise templates and flag existing BAAs that need amendments before Q3.

9. Review breach notification procedures

The 60-day notification window is unchanged, but HHS has signaled tighter enforcement on timeliness. Ensure your procedure has a named 24/7 on-call contact, a drafted notification template, and a legal-review SLA under 48 hours.

10. Document the "contingency vendor" list

If your current SaaS vendor fails or breaches, who's your fallback? The proposed rule expects this to be documented.

11. Staff training refresh

Annual HIPAA training with a measurable completion rate is expected. Add a specific module on AI and generative-tool usage with respect to ePHI.

12. Fund the work

The HHS Regulatory Impact Analysis estimates first-year compliance cost at $9 billion industry-wide, or roughly $30K-$80K per mid-market covered entity for the year-one lift. Budget now.

Penalty Tiers in 2026

The HIPAA civil penalty structure adjusts annually for inflation. For 2026, HHS updated the four-tier structure:

  • Tier 1 (Unknowing): $137 to $68,928 per violation, up to $2.067M per identical violation per year.
  • Tier 2 (Reasonable Cause): $1,379 to $68,928 per violation.
  • Tier 3 (Willful Neglect, Corrected): $13,785 to $68,928 per violation.
  • Tier 4 (Willful Neglect, Not Corrected): $68,928 to $2,067,813 per identical violation per year.

OCR's 2026 settlement schedule shows median mid-market covered-entity settlements running $250,000 to $800,000. These numbers are why the $9B industry cost estimate is considered conservative by every compliance counsel we've asked.

Three Questions for Your Compliance Officer This Week

1. "Can we produce every ePHI access event for a named patient over the past 12 months in under 4 hours?" If no, audit log coverage is inadequate.

2. "Which generative AI tools have our staff used with patient data in the past 90 days?" If you don't have a confident answer, you need an inventory now.

3. "Have we run a ransomware tabletop in the past 12 months, and do we have the written after-action?" If no, schedule one this quarter.
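As an added example (not code from the original post), a Python readiness check for action 4 and question 1 above: it parses constructed audit lines, pulls every retained ePHI access, modification or export event for one patient inside the 12-month window, and reports how many days of that window a shorter retention policy (such as 90 days) would leave uncovered. The log line format, the AS_OF date and the patient identifiers are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample audit lines (not real ePHI); one event per line with the
# fields an EHR or SIEM export typically carries. The LOGIN line is not an
# ePHI access/modify/export event and is skipped by the parser.
SAMPLE_AUDIT_LOG = """\
2025-04-01T10:00:00Z user=jdoe action=ACCESS patient=MRN-1001 system=EHR
2025-05-02T09:14:03Z user=jdoe action=ACCESS patient=MRN-1001 system=EHR
2025-05-03T11:20:45Z user=asmith action=MODIFY patient=MRN-1002 system=EHR
2025-06-01T07:00:00Z user=jdoe action=LOGIN system=EHR
2025-09-18T16:02:11Z user=jdoe action=EXPORT patient=MRN-1001 system=EHR
2026-01-07T08:45:30Z user=svc-billing action=ACCESS patient=MRN-1001 system=BILLING
2026-03-30T13:10:00Z user=asmith action=ACCESS patient=MRN-1003 system=EHR
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>ACCESS|MODIFY|EXPORT) "
                     r"patient=(?P<patient>\S+) system=(?P<system>\S+)$")
RETENTION_DAYS = 365                                 # proposed-rule minimum: 12 months
AS_OF = datetime(2026, 4, 15, tzinfo=timezone.utc)   # constructed "today" for the checks

def parse_audit_log(text):
    """Return ePHI access/modify/export events as dicts with a UTC timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append({**m.groupdict(), "ts": ts})
    return events

def events_for_patient(events, patient, now=AS_OF, days=RETENTION_DAYS):
    """Every retained ePHI event for one patient inside the 12-month window (question 1)."""
    cutoff = now - timedelta(days=days)
    return sorted((e for e in events if e["patient"] == patient and e["ts"] >= cutoff),
                  key=lambda e: e["ts"])

def retention_gap_days(events, now=AS_OF, days=RETENTION_DAYS):
    """Days of the required window the log cannot cover (0 = compliant). Uses the
    oldest retained event as a proxy for the store's retention horizon."""
    if not events:
        return days
    cutoff = now - timedelta(days=days)
    return max(0, (min(e["ts"] for e in events) - cutoff).days)

def trim_to_retention(events, keep_days, now=AS_OF):
    """Simulate what a store with a shorter policy (e.g. 90 days) would still hold."""
    return [e for e in events if e["ts"] >= now - timedelta(days=keep_days)]
```

Running `retention_gap_days(trim_to_retention(parse_audit_log(SAMPLE_AUDIT_LOG), 90))` shows the 90-day policy several covered entities are at today leaves most of the 12-month window uncovered, while the full sample log returns a gap of 0.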

How Petronella Technology Group Can Help

Three engagement paths for the Q3 2026 deadline:

HIPAA Quick Scan — $497. A 3-business-day review of your Security Rule posture against the proposed-rule requirements. Written findings letter with a red/yellow/green score across the twelve actions above. Ideal for a first-pass readiness check or a board-level briefing.

HIPAA Audit — $1,997. Full 45 CFR 164 Subpart C audit including Security Rule, Privacy Rule, and Breach Notification Rule coverage. Risk analysis update, BAA review, and 90-minute leadership readout. Satisfies the 164.308(a)(1)(ii)(A) risk analysis requirement.

Free HIPAA Compliance Guide. A 24-page playbook covering the Security Rule, the proposed 2026 changes, and practical remediation steps.

Petronella Technology Group, 5540 Centerview Dr, Raleigh NC 27606. Founded 2002. BBB A+ since 2003. Craig Petronella holds the CMMC-RP, CCNA, CWNE, and DFE #604180. Questions: (919) 348-4912 or contact our compliance team.


About the Author

Craig Petronella, CEO, Founder & AI Architect, Petronella Technology Group

Craig Petronella founded Petronella Technology Group in 2002 and has spent more than 30 years working at the intersection of cybersecurity, AI, compliance, and digital forensics. He holds the CMMC Registered Practitioner credential (RP-1372) issued by the Cyber AB, is an NC Licensed Digital Forensics Examiner (License #604180-DFE), and completed MIT Professional Education programs in AI, Blockchain, and Cybersecurity. Craig also holds CompTIA Security+, CCNA, and Hyperledger certifications.

He is an Amazon #1 Best-Selling Author of 15+ books on cybersecurity and compliance, host of the Encrypted Ambition podcast (95+ episodes on Apple Podcasts, Spotify, and Amazon), and a cybersecurity keynote speaker with 200+ engagements at conferences, law firms, and corporate boardrooms. Craig serves as Contributing Editor for Cybersecurity at NC Triangle Attorney at Law Magazine and is a guest lecturer at NCCU School of Law. He has served as a digital forensics expert witness in federal and state court cases involving cybercrime, cryptocurrency fraud, SIM-swap attacks, and data breaches.

Under his leadership, Petronella Technology Group has served 2,500+ clients, maintained a zero-breach record among compliant clients, earned a BBB A+ rating every year since 2003, and been featured as a cybersecurity authority on CBS, ABC, NBC, FOX, and WRAL. The company leverages SOC 2 Type II certified platforms and specializes in AI implementation, managed cybersecurity, CMMC/HIPAA/SOC 2 compliance, and digital forensics for businesses across the United States.
