Why the Bar Is Rising for 2026
If it feels like everyone in healthcare is suddenly talking about cybersecurity again, there is a good reason. In January 2025, the HHS Office for Civil Rights (OCR) published a notice of proposed rulemaking in the Federal Register that would substantially overhaul the HIPAA Security Rule, and the proposal has stayed on the federal regulatory agenda right through 2026. It is worth being precise here, because sources disagree: as we write this, the update is best described as the 2025 proposal to modernize the HIPAA Security Rule, not a fully finalized rule with a locked deadline. Even so, it signals clearly where OCR expects covered entities and business associates to be heading, and many of the practices it describes are simply good hygiene you should not wait for a final rule to adopt.
What makes this proposal notable is the shift in tone. The old Security Rule let practices treat many safeguards as "addressable," which a lot of small offices quietly read as optional. The proposed update removes that flexibility for several controls and would make them required across the board. So whether or not you are tracking the rulemaking line by line, the direction of travel for small-practice cybersecurity is unmistakable, and a sensible HIPAA compliance checklist for 2026 looks meaningfully stronger than the one you may have built a few years ago.
The good news is that none of this requires a hospital-sized IT department. Most of the work involves turning on protections you probably already have access to, writing a few things down, and rehearsing them so they work when you need them. Let's walk through the checklist the way we would talk it through with a colleague over coffee.
Turn On Multi-Factor Authentication Everywhere
If you do only one thing from this entire list, make it this one. The proposed Security Rule update would require multi-factor authentication for systems that access electronic protected health information (ePHI), and in healthcare MFA is the foundation that everything else, encryption included, sits on. A stolen or guessed password is the most common way attackers get into a practice, and MFA means a password alone is not enough to get in.
Turn it on for your EMR, your email, your billing portal, your patient communication tools, your cloud storage, and any remote access you use to log in from home. Authenticator apps and hardware keys are generally stronger than text-message codes, but any second factor is dramatically better than none. The few seconds it adds at login are a bargain compared to a breach.
Encrypt Your Devices and Your Email
The proposed update would also make encryption of ePHI both at rest and in transit a firm requirement rather than something a practice could reason its way out of. In plain terms, "at rest" means the data sitting on your laptops, desktops, phones, and backup drives, and "in transit" means data moving across the internet, including email.
Device encryption is usually a built-in feature you just need to switch on, and it turns a lost or stolen laptop from a reportable breach into a non-event because the thief cannot read anything. For email, use a service or setting that encrypts messages containing patient information so they are protected on the way to the recipient. Make encryption the default rather than something a staff member has to remember to enable, because anything that depends on memory will eventually be forgotten on a busy day.
Review Every Business-Associate Agreement
Here is a step practices love to skip, and it matters more than ever. Any vendor that touches your patient data (your EMR host, your billing service, your cloud backup provider, your email platform, even some scheduling and messaging tools) is a business associate, and you need a signed business-associate agreement (BAA) with each one. The proposed rule leans harder on vendor oversight, so 2026 is a good year to take inventory.
Make a simple list of every vendor that stores, processes, or transmits ePHI on your behalf. For each, confirm you have a current BAA on file and that the vendor can back up its security promises. If a vendor will not sign a BAA or gets vague when you ask how they protect data, treat that as a warning sign. You remain responsible for the patient information you hand to others, so a little diligence now saves a lot of grief later.
Segment Your Network
Network segmentation sounds technical, but the idea is simple: do not let everything on your network talk freely to everything else. The proposal calls for separating systems so that a problem in one area cannot spread across your whole practice. A classic example is keeping your guest or waiting-room Wi-Fi completely separate from the network your EMR and workstations use.
For a small office, this often means asking your IT support to put clinical systems on one segment and general or guest traffic on another, and to limit which devices can reach the systems that hold ePHI. If an infected personal phone hops onto your guest Wi-Fi, segmentation keeps it from wandering into your clinical systems.
Set Up Backups You Have Actually Tested
Ransomware is the nightmare scenario for a small practice, and reliable backups are your way out of it. The goal is to be able to restore your data quickly without paying anyone. Keep backups that are isolated from your main network, so that an attacker who encrypts your live systems cannot reach and encrypt your backups too.
The part people forget is testing. A backup you have never restored from is really just a hope, not a plan. Pick a quiet afternoon, try restoring a sample of data, and confirm it comes back intact and usable. The proposed rule emphasizes the ability to restore systems within defined timelines, and the only way to know you can hit a timeline is to have practiced it.
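To make the restore test concrete, here is an added example in Python (not from the original article, and not a tool the article recommends): it restores a backup into an empty folder, compares every file's hash against the live data, times the restore against a target window, and returns a record you can file as evidence the test was run. The folder layout, the constructed sample files and the 60-minute target are assumptions; in a real run the copy step would be replaced by your actual restore procedure.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def fingerprint(root: Path) -> dict:
    """Map every file under root to its SHA-256 so restored data can be compared byte-for-byte."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def restore_test(live: Path, backup: Path, restore_to: Path, max_minutes: float) -> dict:
    """Restore the backup into an empty folder, compare it to the live data, and time it.
    The returned record is what you file as evidence that the test was run."""
    expected = fingerprint(live)
    start = time.monotonic()
    shutil.copytree(backup, restore_to)          # stand-in for your real restore step
    minutes = (time.monotonic() - start) / 60
    actual = fingerprint(restore_to)
    missing = sorted(set(expected) - set(actual))
    corrupted = sorted(f for f in expected if f in actual and actual[f] != expected[f])
    return {
        "files_expected": len(expected),
        "files_restored": len(actual),
        "missing": missing,
        "corrupted": corrupted,
        "minutes": round(minutes, 3),
        "within_timeline": minutes <= max_minutes,
        "passed": not missing and not corrupted and minutes <= max_minutes,
    }


def demo() -> dict:
    """Constructed sample data: a tiny 'live' folder and a backup copy that is
    missing one file and has one altered file, so the report shows a failed test."""
    base = Path(tempfile.mkdtemp())
    live, backup = base / "live", base / "backup"
    (live / "notes").mkdir(parents=True)
    (live / "schedule.csv").write_text("date,room\n2026-01-05,2\n")
    (live / "notes" / "visit1.txt").write_text("sample visit note (constructed)")
    shutil.copytree(live, backup)
    (backup / "notes" / "visit1.txt").unlink()        # simulate a file the backup job skipped
    (backup / "schedule.csv").write_text("truncated")  # simulate a corrupted copy
    return restore_test(live, backup, base / "restore", max_minutes=60)
```

A clean backup would return `passed: True` with empty `missing` and `corrupted` lists; the record's timestamp and result are what you keep in the compliance file.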
Run Vulnerability Scans and Plan for Testing
The proposed update introduces a cadence of technical checks, including vulnerability scanning roughly twice a year and penetration testing on an annual basis. You do not have to interpret the results yourself. The point is to schedule regular checkups so you find the weak spots before someone else does.
A vulnerability scan is an automated sweep that looks for known security holes, like outdated software or misconfigured settings. Penetration testing is more hands-on, where a security professional safely tries to break in the way a real attacker would and reports what they found. For most small practices, a managed IT or security partner can handle both; the practical takeaway is to put these on the calendar so they happen predictably rather than never.
Write and Rehearse an Incident-Response Plan
When something goes wrong, the worst time to figure out what to do is in the middle of the crisis. The proposed rule calls for a written incident-response plan that is tested every year, along with defined timelines for reporting and restoration, including a 72-hour element for acting on certain incidents. That makes a clear, rehearsed plan one of the most valuable items on any HIPAA compliance checklist for 2026.
Your plan does not need to be a hundred pages. It needs to answer the basics in plain language: who is in charge during an incident, who they call, how you contain the problem, how you restore from backup, and how and when you notify the people you are required to notify. Then rehearse it at least once a year with a simple tabletop exercise where your team talks through a realistic scenario. The first time you read your plan should never be the day you need it.
Train Your Staff and Document the Whole Thing
Most breaches start with a person, not a machine. A convincing phishing email, a reused password, or a file sent to the wrong address causes far more incidents than sophisticated hacking. Regular, friendly security training for everyone on your team is one of the highest-return investments you can make. Keep it short, make it relatable, and repeat it so it sticks.
Finally, write things down. The proposed update reflects OCR's growing expectation of documented, periodic compliance reviews, including annual audits of your own safeguards. Document your policies, training, BAAs, backup tests, and scans. If OCR ever comes knocking, the practice that can show a tidy paper trail is in a far better position than the one that did the work but can prove none of it.
A Sane Way to Tackle This
Looking at this list all at once can feel like a lot, so do not try to do everything in a single weekend. Start with the highest-impact, lowest-effort items: turn on MFA everywhere and switch on device and email encryption this month. Next, take inventory of your vendors and chase down any missing BAAs. Then schedule your backup tests and your scans, and block out an afternoon to write and rehearse your incident-response plan.
The whole point of the 2025 update that is reshaping HIPAA Security Rule expectations for 2026 is not to punish small practices. It is to raise the floor so patient data stays safe even when resources are tight. Tackle it steadily, lean on a trusted IT or security partner where you need to, and you will end the year not just more compliant but genuinely safer.