VRC: HIPAA 2026 Preparation

The Biggest Security Rule Update in Over a Decade

New Podcast Episode:

A major shift is coming to healthcare cybersecurity.

For the first time in over 15 years, the HIPAA Security Rule is receiving a significant update, and the changes could reshape how healthcare organizations, SaaS platforms, and business associates manage security and compliance.

In this episode, Rob breaks down the upcoming regulation expected to take effect in 2026, explaining why the government is strengthening the rule and what organizations must start preparing for now. The goal is simple: modernize HIPAA for today’s technology landscape, including cloud computing, AI systems, telehealth platforms, and the growing threat of ransomware targeting healthcare providers.

With healthcare data now stored across SaaS tools, AI transcription services, and third-party platforms, regulators are moving to eliminate ambiguity and raise the baseline security expectations for everyone handling electronic protected health information (ePHI).

For organizations that rely on outdated “check-the-box” compliance practices, this update signals a major shift. The new rule emphasizes real cybersecurity maturity, documented evidence, and ongoing security testing, not just policies sitting in a binder.

In This Episode:

  • Mandatory Security Controls — why previously “addressable” safeguards like multi-factor authentication are becoming required

  • Asset & Data Inventory Requirements — documenting every system, platform, and vendor touching ePHI

  • Stronger Encryption Expectations — protecting data in transit, at rest, and across devices

  • Required Security Testing and Technical Safeguards — vulnerability scans, penetration tests, malware protection, and network segmentation

  • Expanded Incident Response Requirements — tested recovery plans and system restoration timelines

  • Vendor & Supply Chain Accountability — stricter expectations for third-party platforms and partners

  • Preparing Before Enforcement — practical steps organizations should take before the rule becomes fully enforceable

If your organization handles healthcare data in any capacity, this episode provides a clear overview of what’s changing and how to begin preparing before enforcement begins. Listen now!

Featured Article

For years, HIPAA compliance has often been viewed as a documentation exercise. Organizations built policies, checked required boxes, and assumed they were meeting the standard.

That approach is about to change.

The upcoming update to the HIPAA Security Rule, expected to be finalized in May 2026, represents the most significant shift in healthcare cybersecurity expectations in more than a decade. As Rob discussed in this week’s VRC Podcast, regulators are moving the industry away from a policy-driven model and toward a cybersecurity maturity model where organizations must demonstrate how they actually protect electronic protected health information (ePHI).

In short, the question regulators will ask is no longer “Do you have a policy?”
The question will be “Can you prove your systems are secure?”

HIPAA Is Changing Now

The healthcare technology landscape looks very different today than when many HIPAA standards were written.

Organizations now rely heavily on:

  • cloud-based platforms

  • telehealth systems

  • third-party SaaS vendors

  • AI tools and automated data processing

At the same time, ransomware attacks targeting hospitals and healthcare providers have increased dramatically. Healthcare records remain one of the most valuable data assets on the black market, making the industry a constant target for cybercriminals.

These realities are forcing regulators to strengthen cybersecurity expectations across the entire healthcare ecosystem.

Evidence Matters More Than Policies

The biggest change organizations will feel is the shift from written policies to operational proof.

Under the upcoming updates, healthcare organizations will need to demonstrate that real security practices are in place across their environments. That includes things like:

  • complete inventories of systems and data that handle ePHI

  • multi-factor authentication across critical platforms

  • stronger encryption practices

  • regular vulnerability scanning and penetration testing

  • documented and tested incident response plans

  • stronger oversight of vendors and business associates

These requirements bring HIPAA closer to the cybersecurity maturity expectations found in frameworks such as the NIST Cybersecurity Framework and SOC 2-based programs.

The expectation is simple: security controls must be implemented, monitored, and tested, not just written down.

Preparing for the Next Phase of HIPAA

The upcoming HIPAA Security Rule update reflects a broader industry reality: cybersecurity has become inseparable from healthcare operations.

Organizations that begin preparing now will not only meet regulatory expectations when the rule becomes effective but will also strengthen their overall security posture and protect the trust patients place in them.

VanRein Compliance is already helping healthcare organizations prepare for the upcoming HIPAA changes through updated risk assessments, cybersecurity program reviews, vendor oversight guidance, and readiness planning.

If your organization wants to be ready before the new rules take effect, now is the time to start the conversation with Team VRC.

The sooner preparation begins, the easier the transition will be.

Sponsor Spotlight

The Future of AI in Marketing. Your Shortcut to Smarter, Faster Marketing.

Unlock a focused set of AI strategies built to streamline your work and maximize impact. This guide delivers the practical tactics and tools marketers need to start seeing results right away:

  • 7 high-impact AI strategies to accelerate your marketing performance

  • Practical use cases for content creation, lead gen, and personalization

  • Expert insights into how top marketers are using AI today

  • A framework to evaluate and implement AI tools efficiently

Stay ahead of the curve with these top strategies AI helped develop for marketers, built for real-world results.

Here's how I use Attio to run my day.

Attio's AI handles my morning prep — surfacing insights from calls, updating records without manual entry, and answering pipeline questions in seconds. No searching, no switching tabs, no manual updates.

Podcast Essentials

YOUR WEEKLY PODCAST FEATURE

Rob, Dawn, & Dr. Howard explore how businesses can move beyond fear, hype, and check-the-box governance to build responsible, human-centered AI strategies that protect trust, accountability, and long-term resilience.

Rob, Dawn, & Bennie unpack what AI governance means in practice, why regulators are now asking how organizations govern AI, and how businesses can stay secure, compliant, and audit-ready as AI adoption accelerates.

Newsletter Features

COMPLIANCE DISCOVERIES

Article 1:

AI Governance & Tabletop Exercises

Article 2:

ISO Insights and Human-In-The-Loop Reality

Article 3:

Governance, Training, and Real Compliance in 2026
